[Pkg-shadow-devel] Bug#307259: marked as done (Insecure mailbox generation due to incomplete open() call)

Debian Bug Tracking System owner@bugs.debian.org
Sat, 11 Jun 2005 08:18:13 -0700


Your message dated Sat, 11 Jun 2005 17:05:53 +0200
with message-id <20050611150552.GA4547@papagos>
and subject line Bug#307259: [Pkg-shadow-devel] Bug#307259: Patch
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 2 May 2005 07:06:07 +0000
From muehlenhoff@univention.de Mon May 02 00:06:07 2005
Return-path: <muehlenhoff@univention.de>
Received: from moutng.kundenserver.de [212.227.126.171] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1DSV0J-0002TE-00; Mon, 02 May 2005 00:06:07 -0700
Received: from bitz8.bitz.briteline.de[195.90.9.8] (helo=anton)
	by mrelayeu.kundenserver.de with ESMTP (Nemesis),
	id 0MKwpI-1DSV053qr7-0003Co; Mon, 02 May 2005 09:05:53 +0200
Received: by anton (Postfix, from userid 2028)
	id 6CF59B6ECA; Mon,  2 May 2005 09:05:53 +0200 (CEST)
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Moritz Muehlenhoff <muehlenhoff@univention.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Insecure mailbox generation due to incomplete open() call
X-Mailer: reportbug 2.26.1.1.200308291454
Date: Mon, 02 May 2005 09:05:53 +0200
Message-Id: <20050502070553.6CF59B6ECA@anton>
X-Provags-ID: kundenserver.de abuse@kundenserver.de login:4ad79d65ac46f2345c6ef2e856c1d9ef
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 

Package: passwd
Severity: normal
Tags: security

The 4.0.8 changelog points to a change with minor security implications:
| useradd: fixes a potential security problem when mailbox is created in
| useradd.
| Patch and comment by Koblinger Egmont <egmont@uhulinux.hu>:
| Only two arguments are passed to the open() call though it expects three
| because O_CREAT is present. Hence the permission of the file first becomes
| some random garbage found on the stack, and an attacker can perhaps open
| this file and hold it open for reading or writing before the proper
| fchmod() is executed. (Actually, we could also pass the final "mode" to
| the open() call and then save the consequent fchmod().)

Cheers,
        Moritz

-- System Information:
Debian Release: 3.0
Architecture: i386
Kernel: Linux anton 2.4.29-univention.1 #1 SMP Thu Jan 27 17:08:46 CET 2005 i686
Locale: LANG=de_DE@euro, LC_CTYPE=de_DE@euro

Versions of packages passwd depends on:
ii  libc6          2.3.2-9                   GNU C Library: Shared libraries an
ii  libpam-modules 0.76-14.4.200410080708    Pluggable Authentication Modules f
ii  libpam0g       0.76-14.4.200410080708    Pluggable Authentication Modules l
ii  login          1:4.0.3-17.6.200402110832 System login tools

-- debconf-show failed
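The bug class behind this report, as an added worked example (this is not shadow's create_mail() nor any patch from this thread; create_mailbox_safe(), perm_bits() and demo() are hypothetical names chosen here). A two-argument open() with O_CREAT hands the kernel an unspecified mode, and the window until fchmod() is where the report's attacker sits. The hardened shape passes the mode at creation, adds O_EXCL so a pre-existing file or symlink at the path is refused, and keeps an fchmod() on the descriptor. demo() also shows the caveat to the changelog's aside about saving the fchmod(): the umask is still applied at open(), so requesting 0660 under umask 022 gives 0640 unless fchmod() follows.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Added example, not code from shadow/useradd. The buggy shape from the
 * report, shown as commentary only and never compiled here:
 *
 *   fd = open(path, O_CREAT | O_WRONLY);   // BUG: mode argument missing
 *   fchmod(fd, mode);                      // attacker's window is here
 */

/* Permission bits (rwxrwxrwx plus set-id/sticky) of an open descriptor. */
static int perm_bits(int fd, mode_t *out)
{
    struct stat st;
    if (fstat(fd, &st) < 0)
        return -1;
    *out = st.st_mode & 07777;
    return 0;
}

/* Hardened create (hypothetical routine): the mode is passed at creation so
 * the file never exists with unspecified permissions, O_EXCL refuses a
 * pre-existing file or symlink, and fchmod() on the descriptor restores the
 * bits the umask removed without a path-based race. */
int create_mailbox_safe(const char *path, mode_t mode, uid_t uid, gid_t gid)
{
    int fd = open(path, O_CREAT | O_EXCL | O_WRONLY, mode);
    if (fd < 0)
        return -1;
    if (fchmod(fd, mode) < 0 || fchown(fd, uid, gid) < 0) {
        int saved = errno;
        close(fd);
        unlink(path);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Requests 0660 under umask 022 twice: once with open() alone (bits written
 * to *unsafe_mode) and once through create_mailbox_safe() (*safe_mode).
 * Returns 0 on success, -1 on error. Uses a constructed scratch directory. */
int demo(mode_t *unsafe_mode, mode_t *safe_mode)
{
    char dir[] = "/tmp/mboxdemo.XXXXXX";
    char a[64], b[64];
    int rc = -1, fd, got;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(a, sizeof a, "%s/open_only", dir);
    snprintf(b, sizeof b, "%s/open_fchmod", dir);
    mode_t old = umask(022);

    /* explicit mode, but no fchmod(): umask still strips group write */
    fd = open(a, O_CREAT | O_EXCL | O_WRONLY, 0660);
    if (fd < 0)
        goto out;
    got = perm_bits(fd, unsafe_mode);
    close(fd);
    if (got < 0)
        goto out;

    /* explicit mode plus fchmod() on the descriptor: exact bits */
    fd = create_mailbox_safe(b, 0660, getuid(), getgid());
    if (fd < 0)
        goto out;
    got = perm_bits(fd, safe_mode);
    close(fd);
    if (got < 0)
        goto out;
    rc = 0;
out:
    umask(old);
    unlink(a);
    unlink(b);
    rmdir(dir);
    return rc;
}

int main(void)
{
    mode_t u = 0, s = 0;
    if (demo(&u, &s) != 0) {
        perror("demo");
        return 1;
    }
    printf("requested 0660 under umask 022: open() alone -> %04o, "
           "open()+fchmod() -> %04o\n", (unsigned)u, (unsigned)s);
    return 0;
}
```

Run as an unprivileged user; fchown() to one's own uid/gid is permitted, and the scratch directory is removed afterwards.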


---------------------------------------
Received: (at 307259-close) by bugs.debian.org; 11 Jun 2005 15:06:08 +0000
From martin.quinson@loria.fr Sat Jun 11 08:06:08 2005
Return-path: <martin.quinson@loria.fr>
Received: from imag.imag.fr [129.88.30.1] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1Dh7Ym-0000Df-00; Sat, 11 Jun 2005 08:06:08 -0700
Received: from pamunkey.imag.fr (pamunkey.imag.fr [129.88.69.8])
	by imag.imag.fr (8.13.0/8.13.0) with ESMTP id j5BF648c004771
	for <307259-close@bugs.debian.org>; Sat, 11 Jun 2005 17:06:04 +0200 (CEST)
Received: from navajo.imag.fr (navajo.imag.fr [129.88.69.1])
	by pamunkey.imag.fr (8.11.6/8.11.3/ImagV2) with ESMTP id j5BExie14628
	for <307259-close@bugs.debian.org>; Sat, 11 Jun 2005 16:59:46 +0200 (CEST)
Received: from localhost.imag.fr ([127.0.0.1] helo=localhost)
	by navajo.imag.fr with smtp (Exim 3.36 #1 (Debian))
	id 1Dh7fY-00077x-00
	for <307259-close@bugs.debian.org>; Sat, 11 Jun 2005 17:13:08 +0200
Received: from mquinson by localhost with local (Exim 3.36 #1 (Debian))
	id 1Dh7YX-0001ov-00
	for <307259-close@bugs.debian.org>; Sat, 11 Jun 2005 17:05:53 +0200
Date: Sat, 11 Jun 2005 17:05:53 +0200
To: 307259-close@bugs.debian.org
Subject: Re: Bug#307259: [Pkg-shadow-devel] Bug#307259: Patch
Message-ID: <20050611150552.GA4547@papagos>
References: <20050504151333.GA14052@univention.de> <20050505074441.GE6700@mykerinos.kheops.frmug.org> <20050517222412.GA6058@nekral.homelinux.net>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="a8Wt8u1KmwUX3Y2C"
Content-Disposition: inline
In-Reply-To: <20050517222412.GA6058@nekral.homelinux.net>
User-Agent: Mutt/1.5.9i
From: Martin Quinson <martin.quinson@loria.fr>
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-1.6 (imag.imag.fr [129.88.30.1]); Sat, 11 Jun 2005 17:06:04 +0200 (CEST)
X-IMAG-MailScanner: Found to be clean
X-IMAG-MailScanner-Information: Please contact the ISP for more information
Delivered-To: 307259-close@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 


--a8Wt8u1KmwUX3Y2C
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Wed, May 18, 2005 at 12:24:13AM +0200, Nicolas François wrote:
> Hi!
> 
> On Thu, May 05, 2005 at 09:44:41AM +0200, Christian Perrier wrote:
> > Quoting Moritz Mühlenhoff (muehlenhoff@univention.de):
> > > Hi,
> > > attached you can find the relevant patch hunk from upstream's
> > > 4.0.7->4.0.8 patch. The practical security impact is very small, though.
> > 
> > 
> > Thanks, Moritz, for isolating the upstream patch....
> > 
> > Security Team, what is your suggestion about this bug? As said, the
> > security impact is very small, but you may still want us to upload a
> > fix for testing (I'm not sure about woody update...it's in your
> > hands).
> 
> I had a look at the patch yesterday, and it applies to the create_mail
> function of useradd.c, which was introduced after 4.0.3.
> 
> It seems to me that our outdated shadow does not have this bug.
> I will close this bug before the end of the week, but would like other
> eyes on it.
> 
> I checked other appearances of O_CREAT in the trunk and sarge branch, and
> it seems OK to me.
> 
> Thanks anyway Moritz, it pointed me to the upstream changelog and to this
> kind of issues.

Indeed. I double checked, and since I came to the same conclusion, I close
this bug.

Bye, Mt.

--a8Wt8u1KmwUX3Y2C
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFCqv3QIiC/MeFF8zQRAiidAKC7NEeiCTioRX64/WooRjBtOfKFUQCdH6ev
FDQeR/FZ1VlAv5Rfu7dBPIk=
=bDdq
-----END PGP SIGNATURE-----

--a8Wt8u1KmwUX3Y2C--