Re: privilege escalation and potential data loss in logrotate
Hi,

On Saturday, 11 December 2010, Florian Zumbiehl wrote:
> I was up to, plus anyone on d-qa who read my mail there also could have
> pointed me in the right direction, so I won't take the blame for that.

I've read your mail to debian-qa some weeks ago and I've read the bug report, which stated that the bug in logrotate was fixed in squeeze and that there was no issue in the default setup in lenny either:

"In the default setup, this, of course, shouldn't be a problem, since logrotate is run with an effective group of root, and any member of that group will usually have access to the log files anyway. When logrotate is used by normal users, though, this could be a security problem." (from the initial mail to 388608, 3rd text paragraph)

And so I thought, so what?

cheers,
Holger
Planet subscriptions
Hey, below a diff I just committed, removing a number of (dead) feeds from planets config. If you are one of them, feel free to enable your entry again as soon as it is working again, if you know one of them you might want to let them know. And the reasons for the removal is simply that each of the feeds had either error 404, 403, 500, NXDOMAIN or a "simple" timeout for their feed entry[1]. As this does hold up planet runs (we have to wait for all timeouts to trigger), we prefer a config of working feeds. :) (Note: The only one uninteresting change in this diff is the feed of Emilio. That was just a double entry). [1] This is true for at least the last 14 planet runs (we dont keep logs any longer) and for right now, as I also tested using my browser. Index: config.ini === --- config.ini (Revision 1357) +++ config.ini (Arbeitskopie) @@ -136,9 +136,10 @@ facewidth = 100 faceheight = 100 -[http://log.schmehl.info/Debian/index.rss] -name = Alexander Reichle-Schmehl -face = tolimar.png +# 2010-12-11 - joerg - 500 +# [http://log.schmehl.info/Debian/index.rss] +# name = Alexander Reichle-Schmehl +# face = tolimar.png [http://www.asoftsite.org/s9y/feeds/categories/1-Debian-OS.rss] name = Alexander Sack @@ -167,8 +168,9 @@ [http://www.progsoc.org/~wildfire/aum/index.rss] name = Anand Kumria -[http://www.andrelop.org/blog/category/debian/feed/] -name = Andre Luis Lopes +# 2010-12-11 - joerg - timeout +# [http://www.andrelop.org/blog/category/debian/feed/] +# name = Andre Luis Lopes [http://debsanity.wordpress.com/feed/] name = Andrea De Iacovo @@ -187,11 +189,12 @@ [http://www.bebt.de/blog/debian/rss.xml] name = Andreas Metzler -[http://rottylog.yi.org/wp-rss2.php] -name = Andreas Rottmann -face = rotty.jpg -facewidth = 95 -faceheight = 115 +# 2010-12-11 - joerg - timeout +# [http://rottylog.yi.org/wp-rss2.php] +# name = Andreas Rottmann +# face = rotty.jpg +# facewidth = 95 +# faceheight = 115 [http://schuldei.blogspot.com/atom.xml] name = Andreas Schuldei 
@@ -231,8 +234,9 @@ #facewidth= 85 #faceheight = 99 -[http://blog.anselms.net/debian/index.rss] -name = Anselm Lingnau +# 2010-12-11 - joerg - 500 +# [http://blog.anselms.net/debian/index.rss] +# name = Anselm Lingnau [http://antti-juhani.kaijanaho.fi/newblog/archives/tag/debian/feed] name = Antti-Juhani Kaijanaho @@ -240,11 +244,12 @@ facewidth = 79 faceheight = 96 -[http://nohar.t1r.net/mlog/rss] -name = Arnaud Cornet -face = nohar.png -facewidth = 81 -faceheight = 85 +# 2010-12-11 - joerg - 404 +# [http://nohar.t1r.net/mlog/rss] +# name = Arnaud Cornet +# face = nohar.png +# facewidth = 81 +# faceheight = 85 [http://blogs.hurdfr.org/xmlsrv/rss2.php?blog=9] name = Arnaud Fontaine @@ -270,11 +275,12 @@ facewidth = 102 faceheight = 104 -[http://www.yepthatsme.com/wp-feed.php?feed=rss2&cat=9] -name = Barry Hawkins -face = barryh.png -facewidth = 65 -faceheight = 85 +# 2010-12-11 - joerg - 404 +# [http://www.yepthatsme.com/wp-feed.php?feed=rss2&cat=9] +# name = Barry Hawkins +# face = barryh.png +# facewidth = 65 +# faceheight = 85 [http://jabba.pl/rss?fenio] name = Bartosz Feński @@ -341,8 +347,9 @@ # facewidth= = 90 # faceheight = 90 -[http://brad-smith.co.uk/blog_tags/debian.rss] -name = Bradley Smith +# 2010-12-11 - joerg - Error 500 +#[http://brad-smith.co.uk/blog_tags/debian.rss] +#name = Bradley Smith # 2008-12-13 - joerg - 404 #[http://necrotic.deadbeast.net/~branden/blog/exuberance?flav=rss] @@ -351,11 +358,12 @@ #facewidth = 90 #faceheight = 103 -[http://www.brandonholtsclaw.com/feeds/atom.xml] -name = Brandon Holtsclaw -face = imbrandon.png -facewidth = 85 -faceheight = 85 +# 2010-12-11 - joerg - 404 +# [http://www.brandonholtsclaw.com/feeds/atom.xml] +# name = Brandon Holtsclaw +# face = imbrandon.png +# facewidth = 85 +# faceheight = 85 [http://www.sommitrealweird.co.uk/blog/?flav=atom] name = Brett Parker 
@@ -399,8 +407,9 @@ #[http://cek.bitacoras.com/archivos/category/english/feed/] #name = César Gómez Martín -[http://debian.nullcode.org/b/index.rss] -name = Chris Anderson +# 2010-12-11 - joerg - NXDOMAIN +# [http://debian.nullcode.org/b/index.rss] +# name = Chris Anderson [http://crispygoth.livejournal.com/data/rss?tag=planet] name = Chris Butler @@ -518,11 +527,12 @@ [http://www.wgdd.de/?feed=rss2&cat=2] name = Daniel Leidert -[http://www.flexserv.de/blog/index.rss] -name = Daniel J. Priem -face = codebreaker.png -facewidth = 66 -faceheight = 91 +# 2010-12-11 - joerg - NXDOMAIN +# [http://www.flexserv.de/blog/index.rss] +# name = Daniel J. Priem +# face = codebreaker.png +# facewidth = 66 +# faceheight = 91 [http://blog.digital-scurf.org/?flav=atom] name = Daniel Silverstone @@ -541,8 +551,9 @@ facewidth = 64 faceheight = 89 -[http://mrdaven.mine.nu/cgi-bin/blosxom/index.rss] -name = Dave Noble +# 2010-12-11 - joerg - timeout +# [http://mrdaven.mine.nu/cgi-bin/blosxom/index.rss] +# name = Da
Bug#606750: ITP: liblognorm -- Log normalizing library
Package: wnpp
Severity: wishlist
Owner: Pierre Chifflier

* Package name    : liblognorm
  Version         : 0.1.0
  Upstream Author : Rainer Gerhards
* URL             : http://liblognorm.sourceforge.net/
* License         : LGPL 2.1
  Programming Lang: C
  Description     : Log normalizing library

Liblognorm is a log normalizing library with a small tool called “the normalizer”. With this tool you can normalize all your logs. All you need is liblognorm, its dependencies and a rulebase that fits the logs you want to normalize.

--
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20101211134152.6901.41278.report...@ks26688.kimsufi.com
Bug#606752: ITP: libestr -- Helper functions for handling strings
Package: wnpp
Severity: wishlist
Owner: Pierre Chifflier

* Package name    : libestr
  Version         : 0.1.0
  Upstream Author : Rainer Gerhards
* URL             : http://libestr.sourceforge.net/
* License         : LGPL 2.1
  Programming Lang: C
  Description     : Helper functions for handling strings

The 'libestr' library implements some helper functions to handle strings easily, escaping special characters etc. This package is required for libee and liblognorm.

Archive: http://lists.debian.org/20101211133536.4491.3276.report...@ks26688.kimsufi.com
Bug#606754: ITP: libee -- Event expression library inspired by CEE
Package: wnpp
Severity: wishlist
Owner: Pierre Chifflier

* Package name    : libee
  Version         : 0.1.0
  Upstream Author : Rainer Gerhards
* URL             : http://libee.sourceforge.net/
* License         : LGPL 2.1
  Programming Lang: C
  Description     : Event expression library inspired by CEE

Libee is an event expression library which is inspired by the upcoming CEE standard. It provides capabilities to generate and emit messages in a set of standard formats and to read a set of different input formats.

Archive: http://lists.debian.org/20101211133929.5939.84119.report...@ks26688.kimsufi.com
Re: List of FTBFS in Ubuntu
On Fri, Dec 10, 2010 at 7:52 PM, Vincent Danjean wrote:
> Here, you are wrong. If I want to use the 'filesystem' part of boost,
> I (as a user of the library) must be able to find all required info
> only from the part of boost that I want to use.
> "pkg-config --libs boost_filesystem" is one standard way to do it.

It's a way, it's not a standard.

> 'boost-config --libs filesystem' can be another one.
> autolink could also be a solution (but I'm not convinced at all by
> this feature as described in this thread)
> But hardcoding in sources the fact that you need
> "-lboost_filesystem -lboost_system" (ie what must be done currently) is
> a wrong approach (in my opinion).

I agree it's not optimal, hence my push for auto linking.

Olaf

Archive: http://lists.debian.org/aanlktinz=0k8uwx3jnq7e-e_lwfpujydfcf4zls...@mail.gmail.com
Re: List of FTBFS in Ubuntu
On la, 2010-12-11 at 17:04 +0100, Olaf van der Spek wrote:
> I agree it's not optimal, hence my push for auto linking.

Can you provide a link to a page giving a description of this auto-linking stuff?

--
Blog/wiki/website hosting with ikiwiki (free for free software): http://www.branchable.com/

Archive: http://lists.debian.org/1292088313.2611.7.ca...@havelock.lan
Bug#606775: ITP: libgit-wrapper-perl -- Wrap git command-line interface
Package: wnpp
Severity: wishlist
Owner: Alessandro Ghedini

* Package name    : libgit-wrapper-perl
  Version         : 0.014
  Upstream Author : Hans Dieter Pearcey, Chris Prather
* URL             : http://search.cpan.org/dist/Git-Wrapper/
* License         : GPL or Artistic (same as Perl5)
  Programming Lang: Perl
  Description     : Wrap git command-line interface

Git::Wrapper provides an API for git that uses Perl data structures for argument passing, instead of CLI-style --options as Git does.

Archive: http://lists.debian.org/20101211170747.16742.12617.report...@pc-ale.rete
Re: Re: apt-diff: a tool to diff filesystem content against APT
> The *.conffiles files in /var/lib/dpkg/info have the checksums of all

Don't seem to ...

$ cat /var/lib/dpkg/info/*.conffiles | head
/etc/a2ps.cfg
/etc/a2ps-site.cfg
/etc/emacs/site-start.d/50a2ps.el
/etc/bash_completion.d/ack-grep
/etc/acpi/events/powerbtn
/etc/acpi/powerbtn.sh
/etc/init/acpid.conf
/etc/default/acpid
/etc/acpi/events/ac
/etc/acpi/events/asus-brightness-down

No md5sums there.

> See also dpkg-query -f '${Conffiles}' -W .

Aha! It gets them from /var/lib/dpkg/status. Should be easy to tap into.

Archive: http://lists.debian.org/1292092333.14733.6.ca...@tinygod3
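The check this thread is circling around, as an added example that is neither apt-diff's nor dpkg's own code: parse the text that `dpkg-query -f '${Conffiles}\n' -W` prints (dpkg takes it from /var/lib/dpkg/status) and compare each recorded MD5 with the file on disk. The field content, the file tree and the `root` parameter below are constructed for the example.

```python
"""Classify a package's conffiles as ok / modified / missing / obsolete
using the checksums dpkg records in the Conffiles field.
Added example; not code from the apt-diff thread or from dpkg."""
import hashlib
import os
import tempfile

# Constructed sample of one package's Conffiles field: one line per
# conffile, " <path> <md5sum>", optionally followed by "obsolete".
SAMPLE_CONFFILES = (
    " /etc/acpi/powerbtn.sh b1946ac92492d2347c6235b4d2611184\n"      # md5("hello\n")
    " /etc/default/acpid d41d8cd98f00b204e9800998ecf8427e\n"         # md5("")
    " /etc/acpi/events/powerbtn 5d41402abc4b2a76b9719d911017c592\n"  # md5("hello")
    " /etc/acpi/events/ac 5d41402abc4b2a76b9719d911017c592 obsolete\n"
)


def parse_conffiles(text):
    """Return [(path, md5hex, obsolete)] from a Conffiles field body."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue  # blank or truncated line
        path, md5hex = parts[0], parts[1].lower()
        obsolete = len(parts) > 2 and parts[2] == "obsolete"
        entries.append((path, md5hex, obsolete))
    return entries


def check_conffiles(entries, root="/"):
    """Compare each recorded MD5 with the file under `root`.

    `root` (an assumption for this example) lets the check run against a
    copied tree; on a live system it is "/". MD5 here mirrors what dpkg
    uses to tell whether the admin edited a file; it is not a
    tamper-proof integrity check, as the thread points out.
    """
    result = {}
    for path, md5hex, obsolete in entries:
        full = os.path.join(root, path.lstrip("/"))
        if obsolete:
            result[path] = "obsolete"  # no longer shipped by the package
        elif not os.path.isfile(full):
            result[path] = "missing"
        else:
            with open(full, "rb") as fh:
                digest = hashlib.md5(fh.read()).hexdigest()
            result[path] = "ok" if digest == md5hex else "modified"
    return result


def demo():
    """Build a constructed tree in a temp dir and check it."""
    root = tempfile.mkdtemp()
    files = {
        "etc/acpi/powerbtn.sh": b"hello\n",    # matches the recorded sum
        "etc/default/acpid": b"MODIFIED=1\n",  # admin edited it
        # etc/acpi/events/powerbtn is deliberately absent -> missing
    }
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return check_conffiles(parse_conffiles(SAMPLE_CONFFILES), root)


if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print(f"{status:9s} {path}")
```

On a real system, feed `parse_conffiles` the output of `dpkg-query -f '${Conffiles}\n' -W <package>` and call `check_conffiles` with the default root.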
Re: apt-diff: a tool to diff filesystem content against APT
On Fri, Dec 10, 2010 at 10:30:02PM -0600, Peter Samuelson wrote:
> [Osamu Aoki]
> > As I read manpage of dh_md5sums, it states:
> >   -x, --include-conffiles
> >       Include conffiles in the md5sums list. Note that this
> >       information is redundant since it is included elsewhere in debian
> >       packages.
>
> "Note that this information is redundant" - that's rich. As though
> the entire md5sums file weren't redundant. (I.e., could easily be
> generated at unpack time.) People seem to hold on to their reasons
> why it's important to have these integrity checks in the .deb itself,
> not just on the installed system, but ... yeah. Shipping md5sums of
> conffiles is only a little bit more redundant than shipping md5sums
> of the rest of the files.

IIRC, the reason md5sums of conffiles are shipped is to determine whether they have been changed by the administrator so that dpkg knows whether to automatically replace them with newer versions or not.

As for integrity checks, which serve a different purpose, MD5 is completely inadequate for this, since it is possible to generate arbitrary collisions for it. For integrity purposes, SHA512 would be a better choice, or maybe SHA256 for 32-bit systems[0].

[0] On 64-bit systems, SHA512 is actually faster than SHA256. SHA384 and SHA224 are not good choices because they are computationally equivalent to SHA512 and SHA256 but have less security.

--
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
Re: privilege escalation and potential data loss in logrotate
Hi,

> On Saturday, 11 December 2010, Florian Zumbiehl wrote:
> > I was up to, plus anyone on d-qa who read my mail there also could have
> > pointed me in the right direction, so I won't take the blame for that.
>
> I've read your mail to debian-qa some weeks ago and I've read the bug report.
> Which stated, that the bug in logrotate was fixed in squeeze and that there
> was no issue in the default setup in lenny neither:
>
> "In the default setup, this, of course, shouldn't be a problem, since
> logrotate is run with an effective group of root, and any member of that
> group will usually have access to the log files anyway. When logrotate
> is used by normal users, though, this could be a security problem." (from the
> initial mail to 388608, 3rd text paragraph)
>
> And so I thought, so what?

Good point. The scope of this bug report drifted/widened a bit over time, partly due to changes in current versions of logrotate, so it seems that the original bug report can be quite a bit misleading regarding the scope of the problem. And actually I think that the problem is wider than what's currently covered by that bug report and some more fundamental changes should be made to logrotate to ensure security under a wider range of circumstances. But for now I am trying to focus on getting fixed what is known to be exploitable. When that's done, I may also try to get some public discussion started on further improvements I suggested to the maintainer a year ago.

So, let me clarify that the first point of my mail to d-qa refers to the default setup after you install postgres in the specific case I tested and most likely also in case of all the other packages affected:

| 1. There is a privilege escalation vulnerability in stable's logrotate,
|    verified to work for switching from the postgres user to root, probably
|    affecting the system users of about 40 packages. A fix for this has
|    been in testing for about a year now, the original bug report and a
|    first patch have been in the bug tracker for about four years now.

Florian

Archive: http://lists.debian.org/20101211221900.gl3...@florz.florz.dyndns.org
An effective way to promote on Facebook
Friends,

We have just launched the Alfasoft Facebook Bomber software for sending (promotional) messages on Facebook by sending a message straight to the inbox of our prospective customers. It is very effective for marketing because we can pull Facebook user data that matches our target market, based on a particular region or a particular type of business.

Unlike most other 'Facebook Tool' software, which just sends messages to Facebook users indiscriminately, Alfasoft Facebook Bomber is built to manage our advertising campaigns properly. We can see clearly who we are going to message and can also track which Facebook users have already received our message.

With Alfasoft Facebook Bomber we can run our promotions automatically, so we have more time, energy and headspace to develop our brilliant ideas.

Watch the demo video and download the installer:

http:// www.youtube .com/watch?v=SCZ2l7JvYus&feature=mhum
http:// konsultanpemasaraninternet .com/dl/soft_fbbomber.zip

Copy and paste the addresses above into your browser, then remove the spaces after http:// and before .com to reach the site.

Regards,
PT Alfasoft

Archive: http://lists.debian.org/svrinternet002d4895f5ed413dbb01d5c8cc15c...@svrinternet
Bug#606812: ITP: libregexp-ipv6-perl -- Regular expression for IPv6 addresses
Package: wnpp
Severity: wishlist
Owner: Dominic Hargreaves

* Package name    : libregexp-ipv6-perl
  Version         : 0.03
  Upstream Author : Salvador Fandiño (sfand...@yahoo.com)
* URL             : http://search.cpan.org/dist/Regexp-IPv6/
* License         : Perl
  Programming Lang: Perl
  Description     : Regular expression for IPv6 addresses

This module exports the $IPv6_re regular expression that matches any valid IPv6 address as described in "RFC 2373 - 2.2 Text Representation of Addresses" but ::. Any string not compliant with such RFC will be rejected.

Archive: http://lists.debian.org/20101211223649.17983.38192.report...@urchin.earth.li
Bug#606813: ITP: libjavascript-minifier-perl -- Perl extension for minifying JavaScript code
Package: wnpp
Severity: wishlist
Owner: Dominic Hargreaves

* Package name    : libjavascript-minifier-perl
  Version         : 1.05
  Upstream Author : Peter Michaux, Eric Herrera,
* URL             : http://search.cpan.org/dist/Javascript-Minifier/
* License         : Perl
  Programming Lang: Perl
  Description     : Perl extension for minifying JavaScript code

This module removes unnecessary whitespace from JavaScript code. The primary requirement in developing this module is to not break working code: if working JavaScript is the input then working JavaScript is the output.

Archive: http://lists.debian.org/20101211224126.18895.93808.report...@urchin.earth.li
Bug#606816: ITP: libcgi-psgi-perl -- Adapt CGI.pm to the PSGI protocol
Package: wnpp
Severity: wishlist
Owner: Dominic Hargreaves

* Package name    : libcgi-psgi-perl
  Version         : 0.13
  Upstream Author : Tatsuhiko Miyagawa
* URL             : http://search.cpan.org/dist/CGI-PSGI/
* License         : Perl
  Programming Lang: Perl
  Description     : Adapt CGI.pm to the PSGI protocol

This module is for web application framework developers who currently use CGI to handle query parameters, and would like the frameworks to comply with the PSGI protocol. Only slight modifications should be required if the framework already collects the body content to print to STDOUT in one place (rather than using the print-as-you-go approach).

Archive: http://lists.debian.org/20101211225153.20730.53936.report...@urchin.earth.li
Bug#606818: ITP: libhtml-mason-psgihandler-perl -- PSGI handler for HTML::Mason
Package: wnpp
Severity: wishlist
Owner: Dominic Hargreaves

* Package name    : libhtml-mason-psgihandler-perl
  Version         : 0.52
  Upstream Author : Ask Bjørn Hansen
* URL             : http://search.cpan.org/dist/HTML-Mason-PSGIHandler/
* License         : Perl
  Programming Lang: Perl
  Description     : PSGI handler for HTML::Mason

HTML::Mason::PSGIHandler is a PSGI handler for HTML::Mason. It's based on HTML::Mason::CGIHandler and allows you to process Mason templates on any web server that supports PSGI.

Archive: http://lists.debian.org/20101211225704.21648.56481.report...@urchin.earth.li
Bug#606831: ITP: libfreenect -- open source driver for kinect camera
Package: wnpp
Severity: wishlist
Owner: Arne Bernin

* Package name    : libfreenect
  Version         : 0.0.1+20101211
  Upstream Author : Freenect Team
* URL             : http://openkinect.org/
* License         : Apache2
  Programming Lang: C
  Description     : open source driver for kinect camera

libfreenect is the core library for accessing the Microsoft Kinect USB camera. Currently, the library supports access to:
- RGB and Depth Images
- Motors
- Accelerometer
- LED

Audio is currently being worked on.

Archive: http://lists.debian.org/20101212024447.12837.27211.report...@novo.onerussian.com
Re: apt-diff: a tool to diff filesystem content against APT
> On Fri, Dec 10, 2010 at 10:30:02PM -0600, Peter Samuelson wrote:
> > "Note that this information is redundant" - that's rich. As though
> > the entire md5sums file weren't redundant. (I.e., could easily be
> > generated at unpack time.) People seem to hold on to their reasons
> > why it's important to have these integrity checks in the .deb itself,
> > not just on the installed system, but ... yeah.

[brian m. carlson]
> IIRC, the reason md5sums of conffiles are shipped is to determine
> whether they have been changed by the administrator so that dpkg
> knows whether to automatically replace them with newer versions or
> not.

Yes, I know. But the fact that these checksums are needed for dpkg's conffile functionality doesn't make them any less redundant. dpkg could just as well generate them just-in-time, at unpack time. That is, after all, what ucf does. And same for the md5sums file that covers the non-conffiles.

It's such an unimportant issue that I'm not volunteering to do the work to make dpkg do this md5summing so the rest of us don't have to. Just getting some amusement out of someone having implied that shipping md5s of non-conffiles is _not_ redundant.

> As for integrity checks, which serve a different purpose, MD5 is
> completely inadequate for this, since it is possible to generate
> arbitrary collisions for it.

Oh, this wasn't about whether the checksums that are under control of the same person who provided the rest of the .deb file are useful for security purposes. Either you trust the entire .deb file (by, e.g., tracing it back to a Release.gpg file) or you don't. Whether this file which you do or don't trust happens to contain internal checksums using MD5 or CRC32 or SHA-65536 doesn't even enter into it. Unless there's also an external source for these checksums, similar to the Contents files, that won't be under control of the same attacker who corrupted your .debs.

--
Peter Samuelson | org-tld!p12n!peter | http://p12n.org/

Archive: http://lists.debian.org/20101212074138.gd13...@p12n.org