Your message dated Mon, 06 Feb 2006 04:02:07 -0800 with message-id <[EMAIL PROTECTED]> and subject line Bug#344418: fixed in scponly 4.6-1 has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.) Debian bug tracking system administrator (administrator, Debian Bugs database)
--- Begin Message --->From [EMAIL PROTECTED] Thu Dec 22 07:56:42 2005 Received: (at submit) by bugs.debian.org; 22 Dec 2005 15:56:42 +0000 Return-path: <[EMAIL PROTECTED]> Received: from mx01.hinterhof.net ([83.137.99.114]) by spohr.debian.org with esmtp (Exim 4.50) id 1EpSo6-0001VG-LK for [EMAIL PROTECTED]; Thu, 22 Dec 2005 07:56:42 -0800 Received: from localhost (localhost [127.0.0.1]) by mx01.hinterhof.net (Postfix) with ESMTP id 761F5FFBF for <[EMAIL PROTECTED]>; Thu, 22 Dec 2005 17:00:59 +0100 (CET) Received: from dp.roam.decl.org (p54A7C266.dip0.t-ipconnect.de [84.167.194.102]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "dp.roam.decl.org", Issuer "ca.decl.org" (verified OK)) by mx01.hinterhof.net (Postfix) with ESMTP id B88C8FFB4 for <[EMAIL PROTECTED]>; Thu, 22 Dec 2005 17:00:57 +0100 (CET) Received: by dp.roam.decl.org (Postfix, from userid 1000) id 86166DF91A; Thu, 22 Dec 2005 16:56:55 +0100 (CET) Date: Thu, 22 Dec 2005 16:56:55 +0100 From: Max Vozeler <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Subject: scponlyc: local privilege escalation in versions < 4.2 Message-ID: <[EMAIL PROTECTED]> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Delivered-To: [EMAIL PROTECTED] X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 (1.212-2003-09-23-exp) on spohr.debian.org X-Spam-Level: X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE autolearn=no version=2.60-bugs.debian.org_2005_01_02 Package: scponly Version: 4.1-1 Severity: critical Hey Thomas, scponly 4.2 has been released with a fix for the privilege escalation we've mailed about. http://lists.ccs.neu.edu/pipermail/scponly/2005-December/001027.html: > ... > Problem Description: If ALL the following conditions are true, > administrators using scponly-4.1 or older may be at risk of a local > privilege escalation exploit: > > - the chrooted setuid scponlyc binary is installed > - regular non-scponly users have interactive shell access to the box > - a user executable dynamically linked setuid binary (such as ping) > exists on the same file system mount as the user's home directory > ... > > Fix: > The new release of scponly-4.2 disallows chrooting to any directory that: > - is owned by someone other than the superuser (UID 0) > - is writeable by group or other Some notes: Having scponly installed and scponlyc setuid root is enough for bug to be exploitable, hence severity critical. cheers, Max
--- End Message ---
--- Begin Message --->From [EMAIL PROTECTED] Mon Feb 06 04:10:12 2006 Received: (at 344418-close) by bugs.debian.org; 6 Feb 2006 12:10:12 +0000 Return-path: <[EMAIL PROTECTED]> Received: from katie by spohr.debian.org with local (Exim 4.50) id 1F654J-0006Is-C0; Mon, 06 Feb 2006 04:02:07 -0800 From: Thomas Wana <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] X-Katie: $Revision: 1.65 $ Subject: Bug#344418: fixed in scponly 4.6-1 Message-Id: <[EMAIL PROTECTED]> Sender: Archive Administrator <[EMAIL PROTECTED]> Date: Mon, 06 Feb 2006 04:02:07 -0800 X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 (1.212-2003-09-23-exp) on spohr.debian.org X-Spam-Level: X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER autolearn=no version=2.60-bugs.debian.org_2005_01_02 Source: scponly Source-Version: 4.6-1 We believe that the bug you reported is fixed in the latest version of scponly, which is due to be installed in the Debian FTP archive: scponly_4.6-1.diff.gz to pool/main/s/scponly/scponly_4.6-1.diff.gz scponly_4.6-1.dsc to pool/main/s/scponly/scponly_4.6-1.dsc scponly_4.6-1_i386.deb to pool/main/s/scponly/scponly_4.6-1_i386.deb scponly_4.6.orig.tar.gz to pool/main/s/scponly/scponly_4.6.orig.tar.gz A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [EMAIL PROTECTED], and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Thomas Wana <[EMAIL PROTECTED]> (supplier of updated scponly package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [EMAIL PROTECTED]) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Format: 1.7 Date: Mon, 6 Feb 2006 12:40:18 +0100 Source: scponly Binary: scponly Architecture: source i386 Version: 4.6-1 Distribution: unstable Urgency: high Maintainer: Thomas Wana <[EMAIL PROTECTED]> Changed-By: Thomas Wana <[EMAIL PROTECTED]> Description: scponly - Restricts the commands available to scp- and sftp-users Closes: 324918 330537 342701 344418 350964 Changes: scponly (4.6-1) unstable; urgency=high . * New upstream version 4.6. (Closes: #342701, #324918) * Fixes two critical security bugs: - CVE-2005-4532: unsafe directory permissions allow authenticated users to break out of the chroot jail (Closes: #344418) - CVE-2005-4533: insufficient command line argument checks allow authenticated users to run arbitrary programs (Closes: #350964) * Added Swedish translation (Closes: #330537) Files: 8d69d368b2f54f2e156b6c05b6dc9df8 588 utils optional scponly_4.6-1.dsc 0425cb868cadd026851238452f1db907 96578 utils optional scponly_4.6.orig.tar.gz ccd04e76d514b08ccdf295ad361f8a45 27834 utils optional scponly_4.6-1.diff.gz 5eb4a2933d5969731ae8268f14eaaaf0 33392 utils optional scponly_4.6-1_i386.deb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (GNU/Linux) iD8DBQFD5zdeQyJdaY/AMSgRAprkAJ0fbp/a/0pZhjCKvcjp1JK0Iv5wYwCfbL7/ rKdvlVg/+56p2BBt2IuzbCQ= =ziXU -----END PGP SIGNATURE-----
--- End Message ---
