Debian Bug report logs - #705690
libuser: CVE-2012-5630 CVE-2012-5644

Package: libuser; Maintainer for libuser is Ghe Rivero <ghe@debian.org>; Source for libuser is src:libuser (PTS, buildd, popcon).

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 18 Apr 2013 15:51:02 UTC

Severity: grave

Tags: security

Fixed in version libuser/1:0.60~dfsg-1

Done: Tzafrir Cohen <tzafrir@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Ghe Rivero <ghe@debian.org>: Bug#705690; Package libuser. (Thu, 18 Apr 2013 15:51:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Ghe Rivero <ghe@debian.org>. (Thu, 18 Apr 2013 15:51:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libuser: CVE-2012-5630 CVE-2012-5644
Date: Thu, 18 Apr 2013 17:47:28 +0200
Package: libuser
Severity: important
Tags: security

Hi,

the following vulnerabilities were published for libuser.

CVE-2012-5630[0]:
TOCTOU race conditions by copying and removing directory trees

CVE-2012-5644[1]:
(Complete) Information disclosure when moving user's home directory

The patch however unfortunately looks quite substantial, see [2], so
it might be better to update unstable directly to the new upstream
version.

Ghe, are you still interested/maintaining the package? I wonder
because there was no upload since 2008 apart from NMUs.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] http://security-tracker.debian.org/tracker/CVE-2012-5630
[1] http://security-tracker.debian.org/tracker/CVE-2012-5644
[2] https://bugzilla.redhat.com/show_bug.cgi?id=885724#c7

Regards,
Salvatore



Severity set to 'grave' from 'important'. Request was from Moritz Muehlenhoff <jmm@inutil.org> to control@bugs.debian.org. (Fri, 17 Jan 2014 14:27:08 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Ghe Rivero <ghe@debian.org>: Bug#705690; Package libuser. (Mon, 28 Apr 2014 08:27:05 GMT)


Acknowledgement sent to Tzafrir Cohen <tzafrir@cohens.org.il>: Extra info received and forwarded to list. Copy sent to Ghe Rivero <ghe@debian.org>. (Mon, 28 Apr 2014 08:27:05 GMT)


Message #12 received at 705690@bugs.debian.org:

From: Tzafrir Cohen <tzafrir@cohens.org.il>
To: 705690@bugs.debian.org
Subject: up-to-date packaging for libuser
Date: Mon, 28 Apr 2014 09:46:23 +0200
Hi,

It seems that libuser has not received any decent maintenance in recent
years. As its removal will remove my package (mock), I tried fixing this
bug.

It turned out to be more complicated than I thought, and I ended up
recreating the packaging altogether. See libuser.git on collab-maint:

http://anonscm.debian.org/gitweb/?p=collab-maint/libuser.git


-- 
Tzafrir Cohen         | tzafrir@jabber.org | VIM is
http://tzafrir.org.il |                    | a Mutt's
tzafrir@cohens.org.il |                    |  best
tzafrir@debian.org    |                    | friend



Information forwarded to debian-bugs-dist@lists.debian.org, Ghe Rivero <ghe@debian.org>: Bug#705690; Package libuser. (Thu, 01 May 2014 20:39:04 GMT)


Acknowledgement sent to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>: Extra info received and forwarded to list. Copy sent to Ghe Rivero <ghe@debian.org>. (Thu, 01 May 2014 20:39:04 GMT)


Message #17 received at 705690@bugs.debian.org:

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: 705690@bugs.debian.org
Cc: Tzafrir Cohen <tzafrir@cohens.org.il>
Subject: mock autorm and CVEs on libuser
Date: Thu, 01 May 2014 20:34:54 +0000
Hi Tzafrir,

thanks for taking a look at libuser and keeping mock in Debian testing.

Do you need any help with the fixing of libuser? Let me know.

Mike

/me uses mock a lot esp. on jenkins.x2go.org and /me is also responsible for the mock package in wheezy-backports.

-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb

Information forwarded to debian-bugs-dist@lists.debian.org, Ghe Rivero <ghe@debian.org>: Bug#705690; Package libuser. (Mon, 19 May 2014 10:21:04 GMT)


Acknowledgement sent to Tzafrir Cohen <tzafrir@cohens.org.il>: Extra info received and forwarded to list. Copy sent to Ghe Rivero <ghe@debian.org>. (Mon, 19 May 2014 10:21:04 GMT)


Message #22 received at 705690@bugs.debian.org:

From: Tzafrir Cohen <tzafrir@cohens.org.il>
To: 705690@bugs.debian.org
Subject: Re: up-to-date packaging for libuser
Date: Mon, 19 May 2014 11:45:34 +0200
On Mon, Apr 28, 2014 at 09:46:22AM +0200, Tzafrir Cohen wrote:
> Hi,
> 
> It seems that libuser has not received any decent maintenance in recent
> years. As its removal will remove my package (mock), I tried fixing this
> bug.
> 
> It turned out to be more complicated than I thought, and I ended up
> recreating the packaging altogether. See libuser.git on collab-maint:
> 
> http://anonscm.debian.org/gitweb/?p=collab-maint/libuser.git

I refreshed that repository (this will require forced update, if you
already checked out that package).

I used git-dpm this time (it looked interesting and I wanted to give it
a shot).

I marked myself as uploader in order to silence Lintian. Though if there
are any objections to that, I don't have any issues with removing it.

-- 
Tzafrir Cohen         | tzafrir@jabber.org | VIM is
http://tzafrir.org.il |                    | a Mutt's
tzafrir@cohens.org.il |                    |  best
tzafrir@debian.org    |                    | friend



Reply sent to Tzafrir Cohen <tzafrir@debian.org>: You have taken responsibility. (Mon, 19 May 2014 16:21:13 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Mon, 19 May 2014 16:21:13 GMT)


Message #27 received at 705690-close@bugs.debian.org:

From: Tzafrir Cohen <tzafrir@debian.org>
To: 705690-close@bugs.debian.org
Subject: Bug#705690: fixed in libuser 1:0.60~dfsg-1
Date: Mon, 19 May 2014 16:19:07 +0000
Source: libuser
Source-Version: 1:0.60~dfsg-1

We believe that the bug you reported is fixed in the latest version of
libuser, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 705690@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tzafrir Cohen <tzafrir@debian.org> (supplier of updated libuser package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Mon, 28 Apr 2014 11:03:38 +0300
Source: libuser
Binary: libuser libuser1-dev libuser1 python-libuser
Architecture: source amd64
Version: 1:0.60~dfsg-1
Distribution: unstable
Urgency: low
Maintainer: Ghe Rivero <ghe@debian.org>
Changed-By: Tzafrir Cohen <tzafrir@debian.org>
Description: 
 libuser    - user and group account administration library - utilities
 libuser1   - user and group account administration library - shared libraries
 libuser1-dev - user and group account administration library - development files
 python-libuser - user and group account administration library - Python interface
Closes: 670663 705690
Changes: 
 libuser (1:0.60~dfsg-1) unstable; urgency=low
 .
   * complete repackaging (Closes: #670663).
   * New upstream release (Closes: #705690).
   * Remove Conflict with python2.3-libuser that was never in a stable release.
   * Standard version 3.9.5.




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 May 2015 08:08:22 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:53:08 2019; Machine Name: buxtehude
