
Bug 215705 (CVE-2008-1628)

Summary: sys-process/audit <1.7.3 audit_log_user_command() Buffer Overflow (CVE-2008-1628)
Product: Gentoo Security
Reporter: Robert Buchholz (RETIRED) <rbu>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: robbat2
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://secunia.com/advisories/29617/
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description Robert Buchholz (RETIRED) gentoo-dev 2008-04-01 14:08:36 UTC
Secunia:
A vulnerability has been reported in Linux Audit, which potentially can be exploited by malicious, local users to gain escalated privileges.

The vulnerability is caused due to a boundary error within the "audit_log_user_command()" function in lib/audit_logging.c. This can be exploited to cause a stack-based buffer overflow via an overly long "command" argument and potentially execute arbitrary code with the privileges of the application using libaudit.

The vulnerability is reported in versions prior to 1.7.

Original Advisory: http://people.redhat.com/sgrubb/audit/ChangeLog
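The advisory above describes a fixed-size stack buffer receiving a caller-controlled "command" string without a bounds check. The constructed C below illustrates that pattern next to a bounded form; it is an added example, not libaudit's code, and the function names, buffer sizes and message format are assumptions for illustration only.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a fixed-size audit message buffer; the real
 * library's sizes and layout are not reproduced here (assumption). */
#define MSG_LEN 64

/* The unsafe pattern the advisory describes: the caller-controlled
 * "command" is copied into a stack buffer with no length check, so an
 * over-long command overruns the frame. Kept only for contrast; it is
 * invoked below with a short, constructed string so that no overflow
 * occurs. */
static void log_user_command_unsafe(const char *command, int result)
{
    char cmd[MSG_LEN];
    char buf[MSG_LEN + 32];
    strcpy(cmd, command);                       /* unbounded copy */
    snprintf(buf, sizeof buf, "cmd=%s res=%d", cmd, result);
    puts(buf);
}

/* Bounded form: measure the input first, reject anything that would
 * not fit, and only ever use length-limited calls. Returns the number
 * of bytes written to out, or -1 when the command is too long or the
 * formatted message would have been truncated. */
static int log_user_command_safe(char *out, size_t out_len,
                                 const char *command, int result)
{
    if (strlen(command) >= MSG_LEN)             /* room for the NUL */
        return -1;
    int n = snprintf(out, out_len, "cmd=%s res=%d", command, result);
    if (n < 0 || (size_t)n >= out_len)
        return -1;                              /* would truncate */
    return n;
}

int main(void)
{
    char out[128];
    char longcmd[200];                          /* constructed input */
    memset(longcmd, 'A', sizeof longcmd - 1);
    longcmd[sizeof longcmd - 1] = '\0';

    log_user_command_unsafe("/bin/ls -l", 1);   /* short: fits */
    printf("safe short: %d\n",
           log_user_command_safe(out, sizeof out, "/bin/ls -l", 1));
    printf("safe long:  %d\n",
           log_user_command_safe(out, sizeof out, longcmd, 1));
    return 0;
}
```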
Comment 1 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2008-04-02 01:01:10 UTC
Ebuild in the tree. The stock audit.rules probably need some work on Gentoo, the last item remaining from bug 184563.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-04-02 14:23:27 UTC
(In reply to comment #1)
> ebuild in the tree. the stock audit.rules probably need some work on Gentoo,
> the last item remaining from bug 184563.

Do you want to fix that before we do a security stabling, or should we just go ahead now?
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-04-02 14:40:42 UTC
arches, sorry for spam
Comment 5 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-05-12 11:51:35 UTC
Any news here? Can we go ahead and CC arches for stabling 1.7?
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2008-05-14 23:43:55 UTC
Please bump to 1.7.1 (or 1.7.3)

1.7.1
- Remove LSB headers info for init scripts
- Fix buffer overflow in audit_log_user_command, again (#438840)
Comment 7 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2008-05-22 17:50:22 UTC
1.7.3 in the tree now. I knew 1.7 had some troubles. We do need to update the Gentoo-bundled rules however, but I think that shouldn't hold back stabling - anybody making serious use of audit would have their own rulesets.
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2008-05-22 18:15:49 UTC
Arches, please test and mark stable:
=sys-process/audit-1.7.3
Target keywords : "amd64 hppa ia64 ppc release sparc x86"
Comment 9 Christian Faulhammer (RETIRED) gentoo-dev 2008-05-23 08:15:22 UTC
install: omitting directory `contrib/plugin'
bzip2: Can't open input file /var/tmp/portage/sys-process/audit-1.7.3/image/usr/share/doc/audit-1.7.3/contrib/plugin: No such file or directory.
>>> Completed installing audit-1.7.3 into /var/tmp/portage/sys-process/audit-1.7.3/image/
[...]
>>> Original instance of package unmerged safely.
 * Byte compiling python modules for python-2.4 .. ...
Listing /usr/lib/python2.4 ...
Listing /usr/lib/portage/pym ...
Listing /usr/lib/python24.zip ...
Can't list /usr/lib/python24.zip
Listing /usr/lib/python2.4 ...
Listing /usr/lib/python2.4/plat-linux2 ...
Listing /usr/lib/python2.4/lib-tk ...
Listing /usr/lib/python2.4/lib-dynload ...
Listing /usr/lib/python2.4/site-packages ...
Compiling /usr/lib/python2.4/site-packages/BicycleRepairMan_Idle.py ...
  File "/usr/lib/python2.4/site-packages/BicycleRepairMan_Idle.py", line 303
    \ufffd\ufffd\ufffd def confirm_buffer_is_saved(self, editwin):
    ^
SyntaxError: invalid syntax

Compiling /usr/lib/python2.4/site-packages/audit.py ...
Comment 10 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2008-05-23 21:38:23 UTC
opfer: look at the path of the python compile error - /usr/lib/python2.4/site-packages/BicycleRepairMan_Idle.py. That's COMPLETELY unrelated to sys-process/audit.
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2008-05-24 06:30:41 UTC
Stable for HPPA.
Comment 12 Christian Faulhammer (RETIRED) gentoo-dev 2008-05-24 15:11:33 UTC
x86 stable, @robbat2: Ooops
Comment 13 Markus Meier gentoo-dev 2008-05-25 12:29:06 UTC
amd64 stable
Comment 14 Raúl Porcel (RETIRED) gentoo-dev 2008-05-26 08:46:16 UTC
ia64/sparc stable
Comment 15 Tobias Scherbaum (RETIRED) gentoo-dev 2008-05-26 19:44:33 UTC
ppc stable
Comment 16 Tobias Heinlein (RETIRED) gentoo-dev 2008-05-26 20:27:01 UTC
Ready for vote, I vote YES.
Comment 17 Peter Volkov (RETIRED) gentoo-dev 2008-05-28 12:14:29 UTC
Fixed in release snapshot.
Comment 18 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-07-21 20:08:26 UTC
voting YES too, GLSA draft filed.
Comment 19 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-07-31 18:33:28 UTC
GLSA 200807-14