zoo: CVE-2006-1269: local arbitrary code execution

Related Vulnerabilities: CVE-2006-1269  

Debian Bug report logs - #367858

Package: zoo; Maintainer for zoo is Debian QA Group <packages@qa.debian.org>; Source for zoo is src:zoo.

Reported by: Alec Berryman <alec@thened.net>

Date: Thu, 18 May 2006 14:03:15 UTC

Severity: normal

Tags: patch, security

Fixed in version zoo/2.10-18

Done: Jose Carlos Medeiros <debian@psabs.com.br>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, security@debian.org, secure-testing-team@lists.alioth.debian.org, Debian Security Team <team@security.debian.org>, Jose Carlos Medeiros <debian@psabs.com.br>:
Bug#367858; Package zoo.


Acknowledgement sent to Alec Berryman <alec@thened.net>:
New Bug report received and forwarded. Copy sent to security@debian.org, secure-testing-team@lists.alioth.debian.org, Debian Security Team <team@security.debian.org>, Jose Carlos Medeiros <debian@psabs.com.br>.


Message #5 received at submit@bugs.debian.org:

From: Alec Berryman <alec@thened.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: zoo: CVE-2006-1269: local arbitrary code execution
Date: Thu, 18 May 2006 14:41:57 +0100
Package: zoo
Severity: normal
Tags: security patch

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2006-1269: "Buffer overflow in the parse function in parse.c in zoo
2.10 might allow local users to execute arbitrary code via long filename
command line arguments, which are not properly handled during archive
creation.  NOTE: since this issue is local and not setuid, the set of
attack scenarios is limited, although is reasonable to expect that there
are some situations in which the zoo user might automatically list
attacker-controlled filenames to add to the zoo archive."

- From https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=183426:

  Here is how to reproduce this issue:

  mkdir `perl -e 'print "A"x254'`
  cd `perl -e 'print "A"x254'`
  mkdir `perl -e 'print "A"x254'`
  cd `perl -e 'print "A"x254'`
  touch feh
  cd ../..
  zoo a arch.zoo `perl -e 'print "A"x254 . "/" . "A"x254 . "/feh"'`

I have confirmed that Debian's zoo_2.10-17 is vulnerable and do not see
that this issue has been fixed for sarge/woody.  A dpatch for the fix
(created from instructions in the Red Hat bugzilla entry) is included.
After building with the patch, the test case no longer causes zoo to
segfault.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEbHmkAud/2YgchcQRAoPgAJ4555MCCfeXVOCobjAqVo+mEZJttwCgnEP9
cJcitceTeZmZxn/5LhAABAY=
=FOHb
-----END PGP SIGNATURE-----
[05_CVE-2006-1269.dpatch (application/x-shellscript, attachment)]
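
The class of bug described in the report above, as an added example that is not part of the bug log, the attached dpatch, or zoo's source: an unbounded copy of a filename argument into a fixed buffer, next to a length-checked copy that rejects the argument built by the reproduction steps. The buffer size `NAME_BUF` and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of the fixed name buffer; the real constant in zoo's
 * parse.c is not shown in this bug log. */
#define NAME_BUF 256

/* The pattern behind this class of bug: an unbounded copy of a
 * command-line filename into a fixed buffer. Shown for contrast
 * only and never called here. */
void copy_name_unbounded(char *dst, const char *src)
{
    strcpy(dst, src);           /* writes strlen(src)+1 bytes, whatever dst holds */
}

/* Hardened form: refuse names that do not fit instead of truncating,
 * so the archive never records a path different from the one given.
 * Returns 0 on success, -1 if src (plus its NUL) exceeds dstsize. */
int copy_name_checked(char *dst, size_t dstsize, const char *src)
{
    size_t len = strlen(src);
    if (dstsize == 0 || len >= dstsize)
        return -1;
    memcpy(dst, src, len + 1);  /* len + 1 <= dstsize, NUL included */
    return 0;
}

/* Build the argument from the reproduction: 254 'A', '/', 254 'A', "/feh".
 * Returns its length (513), or 0 if out is too small. */
size_t build_repro_arg(char *out, size_t outsize)
{
    if (outsize < 254 + 1 + 254 + 4 + 1)
        return 0;
    memset(out, 'A', 254);
    out[254] = '/';
    memset(out + 255, 'A', 254);
    memcpy(out + 509, "/feh", 5);   /* includes the terminating NUL */
    return strlen(out);
}

int main(void)
{
    char arg[600], name[NAME_BUF];
    size_t n = build_repro_arg(arg, sizeof arg);
    printf("argument length %zu, buffer %d\n", n, NAME_BUF);
    printf("long name: %d\n", copy_name_checked(name, sizeof name, arg));
    printf("short name: %d\n", copy_name_checked(name, sizeof name, "docs/feh"));
    return 0;
}
```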

Information forwarded to debian-bugs-dist@lists.debian.org, Jose Carlos Medeiros <debian@psabs.com.br>:
Bug#367858; Package zoo.


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Jose Carlos Medeiros <debian@psabs.com.br>.


Message #10 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Alec Berryman <alec@thened.net>, 367858@bugs.debian.org
Cc: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Re: Bug#367858: zoo: CVE-2006-1269: local arbitrary code execution
Date: Thu, 18 May 2006 18:27:29 +0200
Alec Berryman wrote:
> Package: zoo
> Severity: normal
> Tags: security patch
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> CVE-2006-1269: "Buffer overflow in the parse function in parse.c in zoo
> 2.10 might allow local users to execute arbitrary code via long filename
> command line arguments, which are not properly handled during archive
> creation.  NOTE: since this issue is local and not setuid, the set of
> attack scenarios is limited, although is reasonable to expect that there
> are some situations in which the zoo user might automatically list
> attacker-controlled filenames to add to the zoo archive."

For stable we decided this to be an unrealistic attack vector, as zoo
is not used in automated setups like e.g. tar would be used.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Jose Carlos Medeiros <debian@psabs.com.br>:
Bug#367858; Package zoo.


Acknowledgement sent to "Jose Carlos Medeiros" <jose@psabs.com.br>:
Extra info received and forwarded to list. Copy sent to Jose Carlos Medeiros <debian@psabs.com.br>.


Message #20 received at 367858@bugs.debian.org:

From: "Jose Carlos Medeiros" <jose@psabs.com.br>
To: "Alec Berryman" <alec@thened.net>, 367858@bugs.debian.org
Subject: Re: Bug#367858: zoo: CVE-2006-1269: local arbitrary code execution
Date: Fri, 19 May 2006 19:27:05 -0300
Hi, Alec


Thanks a lot for your submission.

I've patched and will upload zoo to testing.

Regards
Jose Carlos

2006/5/18, Alec Berryman <alec@thened.net>:
> Package: zoo
> Severity: normal
> Tags: security patch
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> CVE-2006-1269: "Buffer overflow in the parse function in parse.c in zoo
> 2.10 might allow local users to execute arbitrary code via long filename
> command line arguments, which are not properly handled during archive
> creation.  NOTE: since this issue is local and not setuid, the set of
> attack scenarios is limited, although is reasonable to expect that there
> are some situations in which the zoo user might automatically list
> attacker-controlled filenames to add to the zoo archive."
>
> - From https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=183426:
>
>   Here is how to reproduce this issue:
>
>   mkdir `perl -e 'print "A"x254'`
>   cd `perl -e 'print "A"x254'`
>   mkdir `perl -e 'print "A"x254'`
>   cd `perl -e 'print "A"x254'`
>   touch feh
>   cd ../..
>   zoo a arch.zoo `perl -e 'print "A"x254 . "/" . "A"x254 . "/feh"'`
>
> I have confirmed that Debian's zoo_2.10-17 is vulnerable and do not see
> that this issue has been fixed for sarge/woody.  A dpatch for the fix
> (created from instructions in the Red Hat bugzilla entry) is included.
> After building with the patch, the test case no longer causes zoo to
> segfault.
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.3 (GNU/Linux)
>
> iD8DBQFEbHmkAud/2YgchcQRAoPgAJ4555MCCfeXVOCobjAqVo+mEZJttwCgnEP9
> cJcitceTeZmZxn/5LhAABAY=
> =FOHb
> -----END PGP SIGNATURE-----
>
>
>


-- 
[]'s
José Carlos

Reply sent to Jose Carlos Medeiros <debian@psabs.com.br>:
You have taken responsibility.


Notification sent to Alec Berryman <alec@thened.net>:
Bug acknowledged by developer.


Message #25 received at 367858-close@bugs.debian.org:

From: Jose Carlos Medeiros <debian@psabs.com.br>
To: 367858-close@bugs.debian.org
Subject: Bug#367858: fixed in zoo 2.10-18
Date: Mon, 29 May 2006 14:19:21 -0700
Source: zoo
Source-Version: 2.10-18

We believe that the bug you reported is fixed in the latest version of
zoo, which is due to be installed in the Debian FTP archive:

zoo_2.10-18.diff.gz
  to pool/main/z/zoo/zoo_2.10-18.diff.gz
zoo_2.10-18.dsc
  to pool/main/z/zoo/zoo_2.10-18.dsc
zoo_2.10-18_i386.deb
  to pool/main/z/zoo/zoo_2.10-18_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 367858@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jose Carlos Medeiros <debian@psabs.com.br> (supplier of updated zoo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 19 May 2006 19:23:24 -0300
Source: zoo
Binary: zoo
Architecture: source i386
Version: 2.10-18
Distribution: unstable
Urgency: low
Maintainer: Jose Carlos Medeiros <debian@psabs.com.br>
Changed-By: Jose Carlos Medeiros <debian@psabs.com.br>
Description: 
 zoo        - manipulate zoo archives
Closes: 367858
Changes: 
 zoo (2.10-18) unstable; urgency=low
 .
   * Added patch to solve "CVE-2006-1269: local arbitrary code execution",
     thanks to Alec Berryman <alec@thened.net> (closes: #367858)
   * Updated to DH_COMPAT 5
Files: 
 4f595715e57f07260c36a94384e2a152 617 utils optional zoo_2.10-18.dsc
 6668fcfe3e09edc44b8600eeade74974 12333 utils optional zoo_2.10-18.diff.gz
 8d4f8ed69c09caa1531bd0d632960005 62986 utils optional zoo_2.10-18_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFEe0eHGKGxzw/lPdkRAuCbAKCGScQ/OIQ+FLg4ISh9btj0tvv46QCffYsG
DC0s7Dy9Uhyutc9HWfly3iI=
=GYeU
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 01:31:57 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:32:52 2019; Machine Name: buxtehude
