[Pkg-shadow-devel] Pre-approval for shadow 1:4.1.1-6

Nicolas François nicolas.francois at centraliens.net
Fri Nov 14 23:59:18 UTC 2008


Hello,

I would like to upload a new version of shadow to fix a security bug.
(symlink attack, #505271)

I intend to include 2 documentation fixes at the same time.

The debdiff is attached.

In #505071, a possible login DoS is reported.
It could be fixed in a few dozen lines, but I don't think the threat is
strong enough to get a freeze exception.
It could lead to blocking login (not ssh, not gdm, login as used on
consoles or telnet) under some circumstances:
 1) the attacker can forge entries in /var/run/utmp
 2) the attacker can guess the PID of login

1) would probably mean that the attacker can make other DoS
   (reboot would also fix this)
2) probably needs to be done by filling a large number of utmp entries,
   otherwise the DoS efficiency is pretty low.

Release Managers, Security Team:
Do you want 505071 to be fixed also for Lenny?

Best Regards,
-- 
Nekral
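The chowntty.c change in the attached debdiff replaces a path-based chown/chmod with fchown/fchmod on the descriptor that was already verified. The following is an added example, not shadow's code and not part of the debdiff, that reproduces the check-then-use window and shows why acting on the descriptor closes it. It stands in a regular file for the tty device and exercises only the mode change (chown to another uid would need root), and the `race_hook` injection point and the file names are assumptions made for the demonstration so the race can be lost deterministically rather than by timing.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Demo-only injection point (an assumption of this example, not part of any
 * real fix): runs between the check and the use so the attacker's step can
 * be placed exactly inside the window. */
typedef int (*race_hook)(void *ctx);

/* is_my_tty-style check: does `path` currently name the object open on `fd`?
 * lstat() is used so that a symlink planted at `path` never compares equal. */
int same_object(int fd, const char *path)
{
    struct stat fs, ps;
    if (fstat(fd, &fs) != 0 || lstat(path, &ps) != 0)
        return 0;
    return fs.st_dev == ps.st_dev && fs.st_ino == ps.st_ino;
}

/* Vulnerable shape (the '-' lines of the hunk): verify by path, act by path. */
int set_mode_by_path(int fd, const char *path, mode_t mode, race_hook hook, void *ctx)
{
    if (!same_object(fd, path))
        return -1;
    if (hook != NULL && hook(ctx) != 0)
        return -1;
    return chmod(path, mode);          /* follows whatever `path` is by now */
}

/* Fixed shape (the '+' lines): verify by path, act on the verified descriptor. */
int set_mode_by_fd(int fd, const char *path, mode_t mode, race_hook hook, void *ctx)
{
    if (!same_object(fd, path))
        return -1;
    if (hook != NULL && hook(ctx) != 0)
        return -1;
    return fchmod(fd, mode);           /* `fd` cannot be redirected via the path */
}

/* The attacker's move: replace the tty path with a symlink to a victim file. */
struct swap { const char *tty; const char *victim; };
static int attacker_swap(void *ctx)
{
    struct swap *s = ctx;
    return (unlink(s->tty) == 0 && symlink(s->victim, s->tty) == 0) ? 0 : -1;
}

/* Runs one race in a scratch directory (a regular file stands in for the tty
 * device, so no privilege is needed) and returns the victim's final mode
 * bits, or -1 if setup failed. Paths below are constructed for the demo. */
int race_demo(int use_fd)
{
    const char *base = getenv("TMPDIR") ? getenv("TMPDIR") : "/tmp";
    char dir[256], tty[300], victim[300];
    int tfd = -1, vfd = -1, result = -1;
    struct swap s;
    struct stat st;

    snprintf(dir, sizeof dir, "%s/ttyrace.XXXXXX", base);
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(tty, sizeof tty, "%s/tty", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);

    vfd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0644);
    tfd = open(tty, O_RDWR | O_CREAT | O_EXCL, 0600);
    if (vfd < 0 || tfd < 0 || chmod(victim, 0644) != 0)   /* pin mode despite umask */
        goto out;

    s.tty = tty;
    s.victim = victim;
    if (use_fd)
        set_mode_by_fd(tfd, tty, 0620, attacker_swap, &s);
    else
        set_mode_by_path(tfd, tty, 0620, attacker_swap, &s);

    if (stat(victim, &st) == 0)
        result = (int)(st.st_mode & 07777);
out:
    if (vfd >= 0) close(vfd);
    if (tfd >= 0) close(tfd);
    unlink(tty); unlink(victim); rmdir(dir);
    return result;
}

int main(void)
{
    printf("chmod by path, attacker swaps in between: victim mode %04o\n", race_demo(0));
    printf("fchmod on the checked fd, same swap:       victim mode %04o\n", race_demo(1));
    return 0;
}
```

With the path-based variant the victim ends up 0620; with the descriptor-based variant it stays 0644, because the descriptor still refers to the inode that was checked no matter what the path points at afterwards. The same reasoning applies to the chown half of the fix.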
-------------- next part --------------
diff -u shadow-4.1.1/debian/changelog shadow-4.1.1/debian/changelog
--- shadow-4.1.1/debian/changelog
+++ shadow-4.1.1/debian/changelog
@@ -1,3 +1,16 @@
+shadow (1:4.1.1-6) unstable; urgency=medium
+
+  * The "Rollot" release.
+  * debian/patches/303_login_symlink_attack: Fix a race condition that could
+    lead to gaining ownership or changing mode of arbitrary files.
+    Closes: #505271 
+  * debian/patches/304_su.1_synopsis: Fix the su synopsis. username is
+    referenced in the manpage, not LOGIN. Closes: #501353
+  * debian/patches/305_login.1_japanese: Fix the path of the utmp and wtmp
+    files. Closes: #501353
+
+ -- Nicolas FRANCOIS (Nekral) <nicolas.francois at centraliens.net>  Fri, 14 Nov 2008 21:52:42 +0100
+
 shadow (1:4.1.1-5) unstable; urgency=low
 
   * The "Bergues" release.
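Review bot: the 303 entry names the impact but not the vector; since this is the security fix motivating the upload, state it ("symlink race in login between the is_my_tty check and chown/chmod of the tty, fixed by using fchown/fchmod on the open descriptor") so the entry is useful to the security tracker. Also, both 304 and 305 carry "Closes: #501353"; confirm that one report really covers both the su synopsis and the Japanese login.1 paths, otherwise one of them needs its own reference. Minor: trailing whitespace after "Closes: #505271".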
diff -u shadow-4.1.1/debian/patches/series shadow-4.1.1/debian/patches/series
--- shadow-4.1.1/debian/patches/series
+++ shadow-4.1.1/debian/patches/series
@@ -36,0 +37,3 @@
+303_login_symlink_attack
+304_su.1_synopsis
+305_login.1_japanese
only in patch2:
unchanged:
--- shadow-4.1.1.orig/debian/patches/304_su.1_synopsis
+++ shadow-4.1.1/debian/patches/304_su.1_synopsis
@@ -0,0 +1,18 @@
+Goal: Fix the su synopsis. username is referenced in the manpage, not
+      LOGIN
+
+Fixes: 501353
+
+Status wrt upstream: Will be fixed in 4.1.3
+
+--- a/man/su.1.xml
++++ b/man/su.1.xml
+@@ -38,7 +38,7 @@
+       </arg>
+       <arg choice='opt'>
+ 	<arg choice='plain'>
+-	  <replaceable>LOGIN</replaceable>
++	  <replaceable>username</replaceable>
+ 	</arg>
+       </arg>
+     </cmdsynopsis>
only in patch2:
unchanged:
--- shadow-4.1.1.orig/debian/patches/303_login_symlink_attack
+++ shadow-4.1.1/debian/patches/303_login_symlink_attack
@@ -0,0 +1,23 @@
+Goal: Fix a symlink attack
+
+Fixes: 505271
+
+Status wrt upstream: Fixed upstream
+
+--- a/libmisc/chowntty.c
++++ b/libmisc/chowntty.c
+@@ -119,8 +119,12 @@
+ 		exit (1);
+ 	}
+ 
+-	if (chown (tty, info->pw_uid, gid) ||
+-	    chmod (tty, getdef_num ("TTYPERM", 0600))) {
++	/* is_my_tty above ensure that tty is the same device as stdin.
++	 * there could be a race condition between the above check, and
++	 * changing the ownership/mode.
++	 */
++	if (fchown (STDIN_FILENO, info->pw_uid, gid) ||
++	    fchmod (STDIN_FILENO, getdef_num ("TTYPERM", 0600))) {
+ 		int err = errno;
+ 
+ 		snprintf (buf, sizeof buf, _("Unable to change tty %s"), tty);
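Review bot: the added comment should read "ensures", and it would help to state why the fix is sound: correctness now rests on is_my_tty having compared device identity (fstat of STDIN_FILENO against the tty) rather than path strings, so the descriptor being modified is the object that was checked; confirm that is what is_my_tty does, since a name-based comparison would leave the check itself racy. The error message still reporting the `tty` path is fine, as it is only used for the log line.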
only in patch2:
unchanged:
--- shadow-4.1.1.orig/debian/patches/305_login.1_japanese
+++ shadow-4.1.1/debian/patches/305_login.1_japanese
@@ -0,0 +1,20 @@
+Goal: fix the path of the utmp and wtmp files
+
+Fixes: 501353
+
+Status wrt upstream: Will be fixed in 4.1.3
+
+--- a/man/ja/login.1
++++ b/man/ja/login.1
+@@ -112,9 +112,9 @@
+ .PP
+ ?????????????????????????????
+ .SH ????
+-\fI/var/log/utmp\fR		\- ????????????????
++\fI/var/run/utmp\fR		\- ????????????????
+ .br
+-\fI/var/run/wtmp\fR		\- ????????????????
++\fI/var/log/wtmp\fR		\- ????????????????
+ .br
+ \fI/etc/passwd\fR		\- ??????????
+ .br
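Review bot: the two paths were swapped in the original (utmp under /var/log, wtmp under /var/run) and this hunk corrects both; however the Japanese description text on the context lines shows up as runs of "?" in this debdiff, which suggests the file's encoding was lost somewhere in transit. Verify that the patch as stored in debian/patches still carries the original bytes for those context lines, otherwise it will fail to apply or clobber the descriptions.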

