Your message dated Tue, 13 Dec 2005 20:59:35 -0500
with message-id <[EMAIL PROTECTED]>
and subject line Bug#343264: [CVE-2004-0564] attackers can overwrite any files
when run with setuid root
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 14 Dec 2005 01:31:08 +0000
Date: Tue, 13 Dec 2005 19:30:33 -0600
From: FX <[EMAIL PROTECTED]>
Subject: [CVE-2004-0564] attackers can overwrite any files when run with setuid
root

package: pppoe
severity: grave
tags: security

Max Vozeler discovered a vulnerability in pppoe, the PPP over Ethernet
driver from Roaring Penguin. When the program is running setuid root, an
attacker could overwrite any file on the file system.

CVE-2004-0564: Roaring Penguin pppoe (rp-ppoe), if installed or
configured to run setuid root contrary to its design, allows local users
to overwrite arbitrary files.

NOTE: the developer has publicly disputed the claim that this is a
vulnerability because pppoe "is NOT designed to run setuid-root."
Therefore this identifier applies *only* to those configurations and
installations under which pppoe is run setuid root despite the
developer's warnings.

This was fixed in Redhat a month ago despite their default configuration
not using suid. See [FLSA-2005:152794]

In Debian Sarge, both /usr/sbin/pppd and /usr/sbin/pppoe files are
"-rwsr-xr-- root dip".

---------------------------------------
Received: (at 343264-done) by bugs.debian.org; 14 Dec 2005 01:59:53 +0000
Date: Tue, 13 Dec 2005 20:59:35 -0500
From: Christian Hudon <[EMAIL PROTECTED]>
Subject: Re: Bug#343264: [CVE-2004-0564] attackers can overwrite any files
when run with setuid root

FX wrote:

> Max Vozeler discovered a vulnerability in pppoe, the PPP over Ethernet
> driver from Roaring Penguin. When the program is running setuid root,
> an attacker could overwrite any file on the file system.

This is rather old and was fixed more than a year ago in Debian:

Date: Wed, 29 Sep 2004 22:08:20 -0400
Source: rp-pppoe
Binary: pppoe
Architecture: source i386
Version: 3.5-4
Distribution: unstable
Urgency: high
Maintainer: Christian Hudon <[EMAIL PROTECTED]>
Changed-By: Christian Hudon <[EMAIL PROTECTED]>
Description:
 pppoe - PPP over Ethernet driver
Changes:
 rp-pppoe (3.5-4) unstable; urgency=high
 .
   * Added patch by Max Vozeler <[EMAIL PROTECTED]> to ignore -D and -p
     when pppoe is not running as root to prevent a potential root
     compromise by users in group dip when pppoe is running setuid root.
     [src/pppoe.c, CAN-2004-0564] Note that group dip is empty by default
     on Debian installs.

Christian
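
The rule the 3.5-4 changelog entry describes (ignore -D and -p unless the caller is root), as an added example; it is not the Debian patch and not code from rp-pppoe's src/pppoe.c. It assumes, per the pppoe manual page, that -D names a packet dump file and -p a PID file; `struct opts`, `parse_opts` and the sample paths are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical option record; the real program keeps far more state. */
struct opts {
    const char *iface;      /* -I: interface name                        */
    const char *debug_path; /* -D: file the process would open to write  */
    const char *pid_path;   /* -p: file the process would open to write  */
    int ignored;            /* file options dropped by the check below   */
};

/* Parse argv as seen by a process whose *real* UID is ruid.
 * In a setuid-root binary the effective UID is always 0, so the decision
 * must use the real UID: a path chosen by an unprivileged caller is never
 * opened with root's privileges. Returns 0 on success, -1 on a bad option. */
int parse_opts(int argc, char *const argv[], uid_t ruid, struct opts *o)
{
    int c;
    memset(o, 0, sizeof *o);
    optind = 1;   /* reset getopt state so the function can be called again */
    opterr = 0;   /* no diagnostics on stderr; the caller handles errors    */
    while ((c = getopt(argc, argv, "I:D:p:")) != -1) {
        switch (c) {
        case 'I': o->iface = optarg; break;
        case 'D':
            if (ruid == 0) o->debug_path = optarg; else o->ignored++;
            break;
        case 'p':
            if (ruid == 0) o->pid_path = optarg; else o->ignored++;
            break;
        default:
            return -1;
        }
    }
    return 0;
}

int main(void)
{
    /* Constructed command line, not taken from the bug report. */
    char *av[] = {"pppoe", "-I", "eth0", "-D", "/tmp/dbg.txt",
                  "-p", "/tmp/pppoe.pid", NULL};
    struct opts o;
    if (parse_opts(7, av, getuid(), &o) != 0) return 1;
    printf("debug=%s pid=%s ignored=%d\n", o.debug_path ? o.debug_path : "-",
           o.pid_path ? o.pid_path : "-", o.ignored);
    return 0;
}
```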