Your message dated Sun, 15 Mar 2015 16:33:29 +0000
with message-id <e1yxbtl-0000zn...@franck.debian.org>
and subject line Bug#780139: fixed in checkpw 1.02-1.1
has caused the Debian Bug report #780139,
regarding CVE-2015-0885
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
780139: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780139
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: checkpw
Severity: grave
Tags: security

Hi Gerrit,
please see
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0885
(feel free to lower the severity, I don't know checkpw myself)

I'm attaching a cleaned-up diff between the 1.03 and 1.02 releases.

Cheers,
        Moritz
diff -Naur checkpw-1.02/checkapoppw.c checkpw-1.03/checkapoppw.c
--- checkpw-1.02/checkapoppw.c	2002-01-07 08:25:10.000000000 +0100
+++ checkpw-1.03/checkapoppw.c	2015-02-21 00:42:57.000000000 +0100
@@ -85,7 +85,7 @@
     pw = getpwnam(login);
     if (pw) break;
     if (errno == error_txtbsy) die(111);
-    for (; ext != login && *ext != '-'; --ext);
+    do {--ext;} while (ext != login && *ext != '-');
     if (ext == login) die(1);
     if (i) login[i] = '-';
     i = ext - login;
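Review bot: the replacement `do {--ext;} while (ext != login && *ext != '-');` decrements before it tests `ext != login`, so this line now relies on `ext > login` at entry; if `ext` can already equal `login` when the scan starts (the only guard visible here, `if (ext == login) die(1);`, runs after the loop), `--ext` steps to the byte before the buffer and that guard no longer catches it. Consider putting the check ahead of the loop, e.g. `if (ext == login) die(1);` followed by `do {--ext;} while (ext != login && *ext != '-');`, or keeping an explicit bounds test in the condition. The change itself is the right fix for the stall: the old `for` tested `*ext != '-'` before moving, so when `ext` already pointed at a `'-'` it never advanced, `i = ext - login` was recomputed to the same value, and the enclosing retry loop called getpwnam with an unchanged login again.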
diff -Naur checkpw-1.02/checkpw.c checkpw-1.03/checkpw.c
--- checkpw-1.02/checkpw.c	2002-01-07 08:23:51.000000000 +0100
+++ checkpw-1.03/checkpw.c	2015-02-21 00:42:33.000000000 +0100
@@ -71,7 +71,7 @@
     pw = getpwnam(login);
     if (pw) break;
     if (errno == error_txtbsy) die(111);
-    for (; ext != login && *ext != '-'; --ext);
+    do {--ext;} while (ext != login && *ext != '-');
     if (ext == login) die(1);
     if (i) login[i] = '-';
     i = ext - login;
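Review bot: this hunk is a byte-for-byte copy of the one in checkapoppw.c, including the same `ext > login` precondition the new `do`/`while` now depends on, and the fix had to be applied twice because the extension-stripping loop is duplicated across the two programs. Consider factoring the `getpwnam` retry loop and the backwards scan for `'-'` into one shared helper so the two binaries cannot drift apart on the next fix.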

--- End Message ---
--- Begin Message ---
Source: checkpw
Source-Version: 1.02-1.1

We believe that the bug you reported is fixed in the latest version of
checkpw, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 780...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated checkpw package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 13 Mar 2015 14:49:55 +0100
Source: checkpw
Binary: checkpw
Architecture: source amd64
Version: 1.02-1.1
Distribution: unstable
Urgency: high
Maintainer: Gerrit Pape <p...@smarden.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Description:
 checkpw    - checks password which is stored in ~/Maildir/.password
Closes: 780139
Changes:
 checkpw (1.02-1.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * CVE-2015-0885: Fix denial of service via -- in usernames (Closes: #780139)
Checksums-Sha1:
 3f16c419ac695ee7a9f76ba8b852217ccbaa2bf5 1577 checkpw_1.02-1.1.dsc
 d726f5236c78f409871ee0a69c1757a8fe657cef 6734 checkpw_1.02-1.1.diff.gz
Checksums-Sha256:
 c1510f983cec024f2d5bfe834989e9e72c6093acc69657be2adf38f2ba9cb6c8 1577 checkpw_1.02-1.1.dsc
 ae4162bf3d480c4ee7f6bee5a02e3d8425292e378587f95444c8b2c4644a6056 6734 checkpw_1.02-1.1.diff.gz
Files:
 6310032aa5b7d5e05606f508f6adc31a 1577 mail optional checkpw_1.02-1.1.dsc
 6bee4d5ad3625fcecfee3600877440c2 6734 mail optional checkpw_1.02-1.1.diff.gz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
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=pbuF
-----END PGP SIGNATURE-----

--- End Message ---