[Pkg-shadow-devel] Bug#262455: marked as forwarded ([EXPERT] login: su, sudo, super: Local security hole -- arbitrary character injection)
Debian Bug Tracking System
owner at bugs.debian.org
Sun Sep 11 10:33:49 UTC 2005
Your message dated Sun, 11 Sep 2005 12:31:06 +0200
with message-id <20050911103105.GI11006 at mykerinos.kheops.frmug.org>
has caused the Debian Bug report #262455,
regarding [EXPERT] login: su, sudo, super: Local security hole -- arbitrary character injection
to be marked as having been forwarded to the upstream software
author(s) Tomasz Kłoczko <kloczek at zie.pg.gda.pl>.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
---------------------------------------
Date: Sun, 11 Sep 2005 12:31:06 +0200
From: Christian Perrier <bubulle at debian.org>
To: Tomasz Kłoczko <kloczek at zie.pg.gda.pl>
Cc: 262453-forwarded at bugs.debian.org, 262455-done at bugs.debian.org
Subject: Bug 262453: Marking one of these bugs as wontfix and closing one of both as duplicate
Message-ID: <20050911103105.GI11006 at mykerinos.kheops.frmug.org>
severity 262453 normal
tags 262453 wontfix
thanks
Tomasz, at least could you have a look at
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=262453 ?
All the advice in these bug logs actually shows that su/sudo is probably
not the right place to fix the issue.
Having no clue about the right place to fix this, I hereby close one
of the bugs. The other one will probably sit forever in passwd bug
log, unless Tomasz fixes it upstream.
As this may be unlikely, I tag the bug as "wontfix". At least, for
sure, we won't fix this alone in the Debian package.
Last comments from IRC:
11:52 < rleigh> bubulle: It's not something I'm all that familiar with, but it seems somewhat
                theoretical: if you are the same UID, you could ptrace() in any case. I can't see
                it being possible to fix in su/sudo, because the most common use cases involve
                being part of an existing session (no setsid() allowed) and being either interactive
                or at least requiring stdin/stdout/stderr (so the file descriptors can't be
                closed). It looks like it could be fixed in
11:52 < rleigh> start-stop-daemon, though. For the others, I think it needs fixing in the init
                scripts so it's not vulnerable to start with.
11:57 < bubulle> well given that advice and mdz comments in the bug log I'm very tempted to
                 actually close these bugs as "rhetorical" nitpicking
12:01 < rleigh> bubulle: I'm not saying it's not exploitable, but I don't think su/sudo is the
                right place to fix it, unless (for example) you added an option to tell it it was
                running in "daemon mode", in which case it would be safe to setsid() and clean up
                the file descriptors.
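
The "daemon mode" idea from the IRC excerpt (setsid() plus cleaning up the file descriptors), sketched as an added example; it is not code from shadow, sudo, start-stop-daemon or the bug log. The function names and the 4096 descriptor cap are assumptions made for this illustration.

```c
#include <fcntl.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: give the calling process a new session and no
 * inherited descriptors. Must run in a forked child, because setsid()
 * fails for a process group leader. Returns 0 on success, -1 on error. */
static int detach_from_terminal(void)
{
    if (setsid() == (pid_t)-1)          /* new session: no controlling tty */
        return -1;
    int devnull = open("/dev/null", O_RDWR | O_NOCTTY);
    if (devnull < 0)
        return -1;
    for (int fd = 0; fd <= 2; fd++)     /* stdin/stdout/stderr -> /dev/null */
        if (dup2(devnull, fd) < 0)
            return -1;
    long max = sysconf(_SC_OPEN_MAX);
    if (max < 0 || max > 4096)
        max = 4096;                     /* cap chosen for this example */
    for (int fd = 3; fd < max; fd++)    /* drop every other inherited fd */
        close(fd);
    return 0;
}

/* Forks, detaches in the child, then checks that the child can no longer
 * reach a terminal. Returns 0 if the child is isolated, 1 if a terminal is
 * still reachable, 2 if detaching failed, -1 on fork/wait error. */
int check_detached_child(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (detach_from_terminal() != 0)
            _exit(2);
        /* a real launcher would drop privileges and exec the daemon here */
        int tty = open("/dev/tty", O_RDWR | O_NOCTTY);  /* expected to fail */
        _exit((tty >= 0 || isatty(0) || isatty(1) || isatty(2)) ? 1 : 0);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{ return check_detached_child(); }
```

As the excerpt notes, this only suits non-interactive launches: an interactive su or sudo must stay in the caller's session and keep stdin/stdout/stderr open.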