First Last Prev Next    No search results available      Search page      Enter new bug
Bug#: 150292
Alias:
Product:
Component:
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Hardware:
OS:
Version:
Priority:
Severity:
Reporter: Carsten Lohrke <carlo@gentoo.org>
Add CC:
CC:
Remove selected CCs
URL:
Summary:
Status Whiteboard:
Keywords:
Flags: Requestee:
 
 
  ()

Filename Description Type Creator Created Size Actions
Create a New Attachment (proposed patch, testcase, etc.) View All

Bug 150292 depends on: Show dependency tree
Bug 150292 blocks:

Additional Comments: (this is where you put emerge --info)


Not eligible to see or edit group visibility for this bug.






View Bug Activity   |   Format For Printing   |   XML   |   Clone This Bug

Description:   Opened: 2006-10-06 08:21 0000 
From Paul Szabo <psz@maths.usyd.edu.au> via full disclosure:


Seems to me that ftpd does chdir(homedir) while root, before setting
UID/GID to the user logging in. This creates difficulties if the home
directory is on another machine via NFS with root_squash, and I guess
is a security issue as in some cases you may get a current directory
that would otherwise be inaccessible.

Some more details in  http://bugs.debian.org/384454 .

------- Comment #1 From Chris White (RETIRED) 2006-10-10 18:39:14 0000 ------- 
-r4 is in portage with the debian page for whenver this gets looked at.  Target
keywords;

KEYWORDS="alpha amd64 ~ppc sparc x86"

------- Comment #2 From Matthias Geerdsen 2006-10-11 07:31:37 0000 ------- 
arches, pls test and mark stable if posisble

------- Comment #3 From Markus Meier 2006-10-11 12:50:31 0000 ------- 
1.) emerges fine on x86
2.) passes collision test
3.) works

emerge --info
Portage 2.1.1 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r3,
2.6.18 i686)
=================================================================
System uname: 2.6.18 i686 Genuine Intel(R) CPU           T2300  @ 1.66GHz
Gentoo Base System version 1.12.5
Last Sync: Wed, 11 Oct 2006 07:50:01 +0000
ccache version 2.3 [disabled]
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: 1.2.11-r1
dev-lang/python:     2.3.5-r3, 2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.3
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r4
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r1
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config
/usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config
/usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/
/usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/
/usr/share/texmf/xdvi/"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig collision-protect distlocks metadata-transfer
parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://distfiles.gentoo.org
http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LINGUAS="en de en_GB de_CH"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="x86 X a52 aac acpi alsa apache2 asf berkdb bitmap-fonts cairo cdr cdrom
cli crypt cups dbus divx dlloader dri dts dvd dvdr dvdread eds elibc_glibc
emboss encode fam ffmpeg firefox flac fortran gdbm gif gnome gpm gstreamer gtk
hal input_devices_keyboard input_devices_mouse ipv6 isdnlog java jpeg kde
kernel_linux ldap libg++ linguas_de linguas_de_CH linguas_en linguas_en_GB mad
mikmod mmx mono mp3 mpeg ncurses nls nptl nptlonly ogg opengl oss pam pcre perl
png ppds pppd python qt3 qt4 quicktime readline reflection rtsp samba sdl
session smp spell spl sse sse2 sse3 ssl svg tcpd tetex theora threads truetype
truetype-fonts type1-fonts udev unicode userland_GNU vcd video_cards_fbdev
video_cards_i810 video_cards_vesa vorbis win32codecs wxwindows x264 xine xml
xorg xprint xv xvid zlib"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS,
PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY

------- Comment #4 From Christian Faulhammer 2006-10-12 00:06:12 0000 ------- 
[ebuild  N    ] net-ftp/ftpd-0.17-r4  USE="ssl"

1) emerges fine so far

unpack linux-ftpd-0.17-ssl.patch: file format not recognized. Ignoring.

2) passes collision test
3) There is no init.d service because it is started by another process?
4) works

Portage 2.1.1 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r3,
2.6.17-gentoo-r8 i686)
=================================================================
System uname: 2.6.17-gentoo-r8 i686 AMD Athlon(tm) XP 2500+
Gentoo Base System version 1.12.5
Last Sync: Thu, 12 Oct 2006 05:20:01 +0000
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: 1.3.7, 2.0.30
dev-lang/python:     2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     [Not Present]
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r4
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r1
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config
/usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config
/usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/
/usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/
/usr/share/texmf/xdvi/"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf
/etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-O2"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache collision-protect distlocks metadata-transfer
parallel-fetch sandbox sfperms strict test"
GENTOO_MIRRORS="ftp://sunsite.informatik.rwth-aachen.de/pub/Linux/gentoo/"
LANG="de_DE@euro"
LC_ALL="de_DE@euro"
LINGUAS="de"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.informatik.rwth-aachen.de/gentoo-portage"
USE="x86 3dnow 3dnowext X Xaw3d a52 alsa artworkextra asf audiofile
bash-completion beagle berkdb bidi bitmap-fonts bootsplash branding bzip2 cairo
cdda cddb cdparanoia cdr cli cracklib crypt css cups curl custom-cflags dbus
dga directfb divx4linux dlloader dri dts dvd dvdr dvdread dvi eds elibc_glibc
emacs emboss encode esd evo exif expat fam fat fbcon ffmpeg firefox fortran ftp
gb gcj gdbm gif gnome gpm gstreamer gtk gtk2 gtkhtml hal icq idn imagemagick
imap input_devices_keyboard input_devices_mouse ipv6 isdnlog java javascript
jikes jpeg jpeg2k kde kernel_linux ldap leim libg++ linguas_de lm_sensors mad
maildir matroska mbox mhash mikmod mime mmx mmxext mng mono mp3 mpeg mpeg2 mule
nautilus ncurses nforce2 nls nocardbus nptl nptlonly nsplugin nvidia objc ogg
opengl pam pcre pdf perl plotutils pmu png ppds pppd preview-latex print python
qt3 qt4 quicktime readline reflection reiserfs samba sdk session slang spell
spl sse ssl svg svga t1lib tcltk tcpd tetex theora thunderbird tiff truetype
truetype-fonts type1-fonts udev usb userland_GNU vcd video_cards_fbdev
video_cards_radeon video_cards_vesa videos vorbis win32codecs wmf wxwindows
xine xml xorg xosd xv xvid zlib"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS,
PORTAGE_RSYNC_EXTRA_OPTS

------- Comment #5 From Paul Varner 2006-10-12 11:26:33 0000 ------- 
Stable on x86, AT's thanks for testing.

------- Comment #6 From Thomas Cort (RETIRED) 2006-10-14 09:42:16 0000 ------- 
stable on alpha and amd64.

------- Comment #7 From Jason Wever (RETIRED) 2006-10-14 19:05:52 0000 ------- 
SPARC stable

------- Comment #8 From Raphael Marichez 2006-10-18 05:47:15 0000 ------- 
Time to vote for a GLSA.

The policy says "noglsa" for C4 but :
I rated it C4 because it is not fully C1 (local root privilege escalation), but
it might be in some cases. It's not C2 (remote passive compromise) and not C3
(DoS); but C4 is a bit low IMHO.

Since it might become a root local exploit in some circumstancies, i will vote
yes.

------- Comment #9 From Wolf Giesen (RETIRED) 2006-10-19 01:50:06 0000 ------- 
I find the exploit too esoteric for my taste ... BUT it seems the patch also
fixed the unchecked setuid(getuid()), which makes some more bells ring. Yes++.

------- Comment #10 From Raphael Marichez 2006-11-10 06:50:46 0000 ------- 
GLSA 200611-05, thanks everybody
First Last Prev Next    No search results available      Search page      Enter new bug