Your message dated Tue, 29 Nov 2005 10:47:11 -0800
with message-id <[EMAIL PROTECTED]>
and subject line Bug#329087: fixed in kernel-patch-vserver 2.3
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
From: Andrew Lee <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: kernel-patch-vserver: be able to do chroot escape
X-Mailer: reportbug 3.17
Date: Mon, 19 Sep 2005 21:29:06 +0800
X-Debbugs-Cc: [EMAIL PROTECTED], [EMAIL PROTECTED],
        Debian Security Team <[EMAIL PROTECTED]>
Message-Id: <[EMAIL PROTECTED]>

Package: kernel-patch-vserver
Severity: critical
Tags: sarge
Justification: root security hole

Dear maintainer(s),

I found that the kernel-patch-vserver and util-vserver in sarge cannot pass
the testfs.sh script[1], which is provided by the upstream author. After some
more tests, the upstream author discovered this is a security hole.

Here is what I did in my test:
# ls -lda /var/lib/vservers/XXXX/..
d---------  8 root root 4096 Sep 19 19:46 /var/lib/vservers/XXXX/../
# showattr -d /var/lib/vservers/XXXX/..
---BU-- /var/lib/vservers/XXXX/..
# lsattr -d /var/lib/vservers/XXXX/..
---------------t- /var/lib/vservers/XXXX/..

Ssh'ing into a guest and then starting the root exploit[2] inside a guest now
gives: Exploit seems to work. =)

And then I am able to access the host, read /etc/shadow,
and create /test.txt in the host.

[1] http://vserver.13thfloor.at/Stuff/SCRIPT/testfs.sh-0.09
[2] http://vserver.13thfloor.at/Stuff/rootesc.c

-- System Information:
Debian Release: 3.1
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.4.27-10vserver
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

---------------------------------------
From: Micah Anderson <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.60 $
Subject: Bug#329087: fixed in kernel-patch-vserver 2.3
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Tue, 29 Nov 2005 10:47:11 -0800

Source: kernel-patch-vserver
Source-Version: 2.3

We believe that the bug you reported is fixed in the latest version of
kernel-patch-vserver, which is due to be installed in the Debian FTP archive:

kernel-patch-vserver_2.3.dsc
  to pool/main/k/kernel-patch-vserver/kernel-patch-vserver_2.3.dsc
kernel-patch-vserver_2.3.tar.gz
  to pool/main/k/kernel-patch-vserver/kernel-patch-vserver_2.3.tar.gz
kernel-patch-vserver_2.3_all.deb
  to pool/main/k/kernel-patch-vserver/kernel-patch-vserver_2.3_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Micah Anderson <[EMAIL PROTECTED]> (supplier of updated kernel-patch-vserver package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 29 Nov 2005 13:29:38 -0500
Source: kernel-patch-vserver
Binary: kernel-patch-vserver
Architecture: source all
Version: 2.3
Distribution: unstable
Urgency: high
Maintainer: Micah Anderson <[EMAIL PROTECTED]>
Changed-By: Micah Anderson <[EMAIL PROTECTED]>
Description: 
 kernel-patch-vserver - context switching virtual private servers - kernel patch
Closes: 329087
Changes: 
 kernel-patch-vserver (2.3) unstable; urgency=high
 .
   * Previous fix was missing one IS_IMMUTABLE_FILE instance,
     thanks to Alexei Chetroi (Closes: #329087)
Files: 
 43fb001ad50413d7f8e182ec28aab8aa 602 devel extra kernel-patch-vserver_2.3.dsc
 1017bddd6201f75f5565b3f8019e31c9 1614838 devel extra kernel-patch-vserver_2.3.tar.gz
 ffc048e5a31646ddb026966986a29b18 595808 devel extra kernel-patch-vserver_2.3_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDjJ609n4qXRzy1ioRAgp3AJ9Vm+/1txKunOUmuQnhsUnQNYRRTgCfSe1B
uidD5YmoGqpEi6/O8JqFZ4o=
=d7Tq
-----END PGP SIGNATURE-----

