auditd: CVE-2008-1628 buffer overflow in audit_log_user_command function might lead to code execution

Related Vulnerabilities: CVE-2008-1628  

Debian Bug report logs - #475227


Package: auditd; Maintainer for auditd is Laurent Bigonville <bigon@debian.org>; Source for auditd is src:audit.

Reported by: Nico Golde <nion@debian.org>

Date: Wed, 9 Apr 2008 17:45:02 UTC

Severity: grave

Tags: patch, security

Fixed in versions audit/1.5.3-2.1, audit/1.5.3-2+lenny1

Done: Nico Golde <nion@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Philipp Matthias Hahn <pmhahn@debian.org>:
Bug#475227; Package auditd.


Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to Philipp Matthias Hahn <pmhahn@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: auditd: CVE-2008-1628 code execution via crafted command
Date: Wed, 9 Apr 2008 19:35:50 +0200
Package: auditd
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for auditd.


CVE-2008-1628[0]:
| Stack-based buffer overflow in the audit_log_user_command function in
| lib/audit_logging.c in Linux Audit before 1.7 might allow remote
| attackers to execute arbitrary code via a long command argument.
| NOTE: some of these details are obtained from third party information.

In the audit_log_user_command function, the command line
passed to the kernel (for example, if the command is used via
sudo) is copied via strcpy into a buffer without any bounds
checking and leads to stack corruption.

Patch:
--- audit_logging.c     2007-04-09 23:50:01.000000000 +0200
+++ audit_logging.c.new 2008-04-09 19:35:21.000000000 +0200
@@ -607,7 +607,11 @@
        }
 
        p = cmd;
-       strcpy(commname, cmd);
+       if (len >= PATH_MAX) {
+               cmd[PATH_MAX] = 0;
+               len = PATH_MAX-1;
+       }
+
        while (*p) {
                if (*p == '"' || *p < 0x21 || (unsigned)*p > 0x7f) {
                        _audit_c2x(commname, cmd, len);
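
Review bot: the truncation added in the "if (len >= PATH_MAX)" block disagrees with itself. "cmd[PATH_MAX] = 0" leaves PATH_MAX characters in cmd while "len = PATH_MAX-1" reports one fewer, so the "while (*p)" scan and "_audit_c2x(commname, cmd, len)" see different lengths; terminating at cmd[PATH_MAX-1] would make them agree. The hunk also drops "strcpy(commname, cmd)" without a visible bounded replacement, so please confirm that commname is still filled when no character needs encoding, and that its size (not shown in this hunk) covers the encoded output of a len-byte command. Writing the terminator into cmd further assumes the caller's buffer is writable.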



If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1628
    http://security-tracker.debian.net/tracker/CVE-2008-1628

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
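
Added example, not part of the original report and not libaudit code: a bounds-checked way to copy or hex-encode a command string into a fixed buffer, refusing input that does not fit instead of overflowing as the strcpy described above does. The function name encode_command, the quoted/hex output shape and the sample inputs are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Same test as the loop in the hunk: '"', control/space, or non-ASCII. */
static int needs_hex(const char *s)
{
    for (const unsigned char *p = (const unsigned char *)s; *p; p++)
        if (*p == '"' || *p < 0x21 || *p > 0x7f)
            return 1;
    return 0;
}

/* Hypothetical helper (not libaudit API): write cmd into out, quoted if it
 * is plain, hex-encoded otherwise. Returns characters written, or -1 when
 * the result plus its NUL would not fit in outsz bytes. */
int encode_command(const char *cmd, char *out, size_t outsz)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t len = strlen(cmd);

    if (outsz == 0)
        return -1;
    out[0] = '\0';                       /* defined result on failure */

    if (needs_hex(cmd)) {
        if (len > (outsz - 1) / 2)       /* hex needs 2*len + 1 bytes */
            return -1;
        for (size_t i = 0; i < len; i++) {
            unsigned char c = (unsigned char)cmd[i];
            out[2 * i] = hex[c >> 4];
            out[2 * i + 1] = hex[c & 0x0f];
        }
        out[2 * len] = '\0';
        return (int)(2 * len);
    }
    if (outsz < 3 || len > outsz - 3)    /* quotes need len + 3 bytes */
        return -1;
    out[0] = '"';
    memcpy(out + 1, cmd, len);
    out[len + 1] = '"';
    out[len + 2] = '\0';
    return (int)(len + 2);
}

int main(void)
{
    char out[16];                        /* constructed sample input below */
    printf("%d %s\n", encode_command("ls -l", out, sizeof out), out);
    return 0;
}
```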

Changed Bug title to `auditd: CVE-2008-1628 buffer overflow in audit_log_user_command function might lead to code execution' from `auditd: CVE-2008-1628 code execution via crafted command'. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Wed, 09 Apr 2008 17:54:02 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Philipp Matthias Hahn <pmhahn@debian.org>:
Bug#475227; Package auditd.


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Philipp Matthias Hahn <pmhahn@debian.org>.


Message #12 received at 475227@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 475227@bugs.debian.org
Subject: intent to NMU
Date: Thu, 10 Apr 2008 15:12:13 +0200
Hi,
the attached patch fixes this issue.
It will also be archived at:
http://people.debian.org/~nion/nmu-diff/audit-1.5.3-2_1.5.3-2.1.patch

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[audit-1.5.3-2_1.5.3-2.1.patch (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Philipp Matthias Hahn <pmhahn@debian.org>:
Bug#475227; Package auditd.


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Philipp Matthias Hahn <pmhahn@debian.org>.


Message #17 received at 475227@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 475227@bugs.debian.org
Subject: Re: auditd: CVE-2008-1628 buffer overflow in audit_log_user_command function might lead to code execution
Date: Thu, 10 Apr 2008 22:03:19 +0200
Hi,
looking at the MIA database, the fact that a wishlist bug
for a new upstream version has been open for quite some time, and since
this is a security fix, I'm uploading this as a 0-day NMU.

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility.


Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer.


Message #22 received at 475227-close@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 475227-close@bugs.debian.org
Subject: Bug#475227: fixed in audit 1.5.3-2.1
Date: Sun, 13 Apr 2008 10:32:03 +0000
Source: audit
Source-Version: 1.5.3-2.1

We believe that the bug you reported is fixed in the latest version of
audit, which is due to be installed in the Debian FTP archive:

audit_1.5.3-2.1.diff.gz
  to pool/main/a/audit/audit_1.5.3-2.1.diff.gz
audit_1.5.3-2.1.dsc
  to pool/main/a/audit/audit_1.5.3-2.1.dsc
auditd_1.5.3-2.1_amd64.deb
  to pool/main/a/audit/auditd_1.5.3-2.1_amd64.deb
libaudit-dev_1.5.3-2.1_amd64.deb
  to pool/main/a/audit/libaudit-dev_1.5.3-2.1_amd64.deb
libaudit0_1.5.3-2.1_amd64.deb
  to pool/main/a/audit/libaudit0_1.5.3-2.1_amd64.deb
python-audit_1.5.3-2.1_amd64.deb
  to pool/main/a/audit/python-audit_1.5.3-2.1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 475227@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated audit package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Thu, 10 Apr 2008 15:06:25 +0200
Source: audit
Binary: auditd libaudit0 libaudit-dev python-audit
Architecture: source amd64
Version: 1.5.3-2.1
Distribution: unstable
Urgency: high
Maintainer: Philipp Matthias Hahn <pmhahn@debian.org>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 auditd     - User space tools for security auditing
 libaudit-dev - Header files and static library for security auditing
 libaudit0  - Dynamic library for security auditing
 python-audit - Python bindings for security auditing
Closes: 475227
Changes: 
 audit (1.5.3-2.1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Added CVE-2008-1628.patch to fix a stack-based buffer overflow
     in the audit_log_user_command function which can be triggered via
     a command argument that is passed to that function and might lead
     to execution of arbitrary code (Closes: #475227).

Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility.


Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer.


Message #27 received at 475227-close@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 475227-close@bugs.debian.org
Subject: Bug#475227: fixed in audit 1.5.3-2+lenny1
Date: Thu, 17 Apr 2008 14:47:03 +0000
Source: audit
Source-Version: 1.5.3-2+lenny1

We believe that the bug you reported is fixed in the latest version of
audit, which is due to be installed in the Debian FTP archive:

audit_1.5.3-2+lenny1.diff.gz
  to pool/main/a/audit/audit_1.5.3-2+lenny1.diff.gz
audit_1.5.3-2+lenny1.dsc
  to pool/main/a/audit/audit_1.5.3-2+lenny1.dsc
auditd_1.5.3-2+lenny1_amd64.deb
  to pool/main/a/audit/auditd_1.5.3-2+lenny1_amd64.deb
libaudit-dev_1.5.3-2+lenny1_amd64.deb
  to pool/main/a/audit/libaudit-dev_1.5.3-2+lenny1_amd64.deb
libaudit0_1.5.3-2+lenny1_amd64.deb
  to pool/main/a/audit/libaudit0_1.5.3-2+lenny1_amd64.deb
python-audit_1.5.3-2+lenny1_amd64.deb
  to pool/main/a/audit/python-audit_1.5.3-2+lenny1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 475227@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated audit package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Thu, 10 Apr 2008 15:06:25 +0200
Source: audit
Binary: auditd libaudit0 libaudit-dev python-audit
Architecture: source amd64
Version: 1.5.3-2+lenny1
Distribution: testing-security
Urgency: high
Maintainer: Philipp Matthias Hahn <pmhahn@debian.org>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 auditd     - User space tools for security auditing
 libaudit-dev - Header files and static library for security auditing
 libaudit0  - Dynamic library for security auditing
 python-audit - Python bindings for security auditing
Closes: 475227
Changes: 
 audit (1.5.3-2+lenny1) testing-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Added CVE-2008-1628.patch to fix a stack-based buffer overflow
     in the audit_log_user_command function which can be triggered via
     a command argument that is passed to that function and might lead
     to execution of arbitrary code (Closes: #475227).

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 24 Jun 2008 07:29:39 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:26:17 2019; Machine Name: beach
