[Pkg-shadow-devel] Bug#262453: marked as forwarded ([EXPERT] login: su, sudo: Local security hole -- arbitrary character injection)

Debian Bug Tracking System owner at bugs.debian.org
Sun Sep 11 10:33:49 UTC 2005


Your message dated Sun, 11 Sep 2005 12:31:06 +0200
with message-id <20050911103105.GI11006 at mykerinos.kheops.frmug.org>
has caused the Debian Bug report #262453,
regarding [EXPERT]  login: su, sudo: Local security hole -- arbitrary character injection
to be marked as having been forwarded to the upstream software
author(s) Tomasz Kłoczko <kloczek at zie.pg.gda.pl>.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

---------------------------------------
Received: (at 262453-forwarded) by bugs.debian.org; 11 Sep 2005 10:31:39 +0000
>From bubulle at kheops.frmug.org Sun Sep 11 03:31:39 2005
Return-path: <bubulle at kheops.frmug.org>
Date: Sun, 11 Sep 2005 12:31:06 +0200
From: Christian Perrier <bubulle at debian.org>
To: Tomasz Kłoczko <kloczek at zie.pg.gda.pl>
Cc: 262453-forwarded at bugs.debian.org, 262455-done at bugs.debian.org
Subject: Bug 262453: Marking one of these bugs as wontfix and closing one of both as duplicate
Message-ID: <20050911103105.GI11006 at mykerinos.kheops.frmug.org>

severity 262453 normal
tags 262453 wontfix
thanks

Tomasz, at least could you have a look at http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=262453 ?

All advice in these bug logs actually shows that su/sudo is probably
not the right place to fix the issue.

Having no clue about the right place to fix this, I hereby close one
of the bugs. The other one will probably sit forever in passwd bug
log, unless Tomasz fixes it upstream.

As this may be unlikely, I tag the bug as "wontfix". At least, for
sure, we won't fix this alone in the Debian package.

Last comments from IRC:

11:52 < rleigh> bubulle: It's not something I'm all that familiar with, but it seems somewhat
                theoretical: if you are the same UID, you could ptrace() in any case.  I can't see
                it being possible to fix in su/sudo, because the most common use cases involve
                being part of an existing session (no setsid() allowed) and being either interactive
                or at least requiring stdin/stdout/stderr (so the file descriptors can't be
                closed).  It looks like it could be fixed in
11:52 < rleigh> start-stop-daemon, though.  For the others, I think it needs fixing in the init
                scripts so it's not vulnerable to start with.
11:57 < bubulle> well given that advice and mdz comments in the bug log I'm very tempted to
                 actually close these bugs as "rhetorical" nitpicking
12:01 < rleigh> bubulle: I'm not saying it's not exploitable, but I don't think su/sudo is the
                right place to fix it, unless (for example) you added an option to tell it it was
                running in "daemon mode", in which case it would be safe to setsid() and clean up
                the file descriptors.



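The setsid() and file-descriptor cleanup that the IRC comments describe for a "daemon mode", as an added C example that is not code from su, sudo, shadow or start-stop-daemon. The function names are hypothetical, and the privilege drop and exec are left as a comment; as the discussion notes, this only fits non-interactive launches, because it removes the terminal that interactive use needs.

```c
#include <fcntl.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical "daemon mode" step: leave the caller's session and give up
 * every inherited descriptor. Returns 0 on success, -1 on failure. */
static int detach_from_terminal(void)
{
    if (setsid() == -1)                 /* new session: no controlling terminal */
        return -1;
    int nullfd = open("/dev/null", O_RDWR);
    if (nullfd == -1)
        return -1;
    for (int fd = 0; fd <= 2; fd++)     /* stdin/stdout/stderr no longer the tty */
        if (dup2(nullfd, fd) == -1)
            return -1;
    long maxfd = sysconf(_SC_OPEN_MAX);
    if (maxfd < 0 || maxfd > 65536)     /* cap keeps the example's loop bounded */
        maxfd = 65536;
    for (int fd = 3; fd < maxfd; fd++)  /* also closes nullfd when it is >= 3 */
        close(fd);
    return 0;
}

/* Fork, detach the child, and report what it can still reach.
 * Returns 0 if no terminal is reachable, 1 if one is, -1 on error. */
int check_detached_child(void)
{
    pid_t pid = fork();                 /* child is never a group leader, so setsid() works */
    if (pid == -1)
        return -1;
    if (pid == 0) {
        if (detach_from_terminal() == -1)
            _exit(2);
        int tty = open("/dev/tty", O_RDWR);   /* fails without a controlling tty */
        int reachable = tty != -1 || isatty(0) || isatty(1) || isatty(2);
        /* A real launcher would drop privileges and exec the target here. */
        _exit(reachable ? 1 : 0);
    }
    int status;
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 2 ? -1 : WEXITSTATUS(status);
}

int main(void) { return check_detached_child() == 0 ? EXIT_SUCCESS : EXIT_FAILURE; }
```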