Debian Bug report logs - #367858
zoo: CVE-2006-1269: local arbitrary code execution
Reported by: Alec Berryman <alec@thened.net>
Date: Thu, 18 May 2006 14:03:15 UTC
Severity: normal
Tags: patch, security
Fixed in version zoo/2.10-18
Done: Jose Carlos Medeiros <debian@psabs.com.br>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, security@debian.org, secure-testing-team@lists.alioth.debian.org, Debian Security Team <team@security.debian.org>, Jose Carlos Medeiros <debian@psabs.com.br>: Bug#367858; Package zoo.
Acknowledgement sent to Alec Berryman <alec@thened.net>: New Bug report received and forwarded. Copy sent to security@debian.org, secure-testing-team@lists.alioth.debian.org, Debian Security Team <team@security.debian.org>, Jose Carlos Medeiros <debian@psabs.com.br>.
Message #5 received at submit@bugs.debian.org:
Package: zoo
Severity: normal
Tags: security patch
CVE-2006-1269: "Buffer overflow in the parse function in parse.c in zoo
2.10 might allow local users to execute arbitrary code via long filename
command line arguments, which are not properly handled during archive
creation. NOTE: since this issue is local and not setuid, the set of
attack scenarios is limited, although is reasonable to expect that there
are some situations in which the zoo user might automatically list
attacker-controlled filenames to add to the zoo archive."
- From https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=183426:
Here is how to reproduce this issue:
mkdir `perl -e 'print "A"x254'`
cd `perl -e 'print "A"x254'`
mkdir `perl -e 'print "A"x254'`
cd `perl -e 'print "A"x254'`
touch feh
cd ../..
zoo a arch.zoo `perl -e 'print "A"x254 . "/" . "A"x254 . "/feh"'`
I have confirmed that Debian's zoo_2.10-17 is vulnerable and do not see
that this issue has been fixed for sarge/woody. A dpatch for the fix
(created from instructions in the Red Hat bugzilla entry) is included.
After building with the patch, the test case no longer causes zoo to
segfault.
[05_CVE-2006-1269.dpatch (application/x-shellscript, attachment)]
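An added illustration, not zoo's code and not the attached dpatch: a path split into fixed-size fields that rejects an over-long component instead of copying it, exercised with the 513-byte argument shape from the report above. The 256-byte buffer size and the names `parsed_path`, `split_path` and `build_report_arg` are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

#define NAME_BUF 256   /* assumed fixed buffer size; not taken from zoo's source */

struct parsed_path {   /* hypothetical record with fixed-size fields */
    char dir[NAME_BUF];
    char name[NAME_BUF];
};

/* Unbounded pattern behind this class of bug:
 *     char tmp[NAME_BUF]; strcpy(tmp, arg);
 * which overruns tmp as soon as strlen(arg) >= NAME_BUF. */

/* Hardened split: returns 0 on success, -1 if a component would not fit.
 * Nothing is written to *out unless both parts fit, terminator included. */
int split_path(const char *arg, struct parsed_path *out)
{
    const char *slash = strrchr(arg, '/');
    const char *name = slash ? slash + 1 : arg;
    size_t dir_len = slash ? (size_t)(slash - arg) : 0;
    size_t name_len = strlen(name);

    if (dir_len >= sizeof out->dir || name_len >= sizeof out->name)
        return -1;                         /* reject rather than truncate */
    memcpy(out->dir, arg, dir_len);
    out->dir[dir_len] = '\0';
    memcpy(out->name, name, name_len + 1); /* +1 copies the terminator */
    return 0;
}

/* Builds the argument shape from the report: 254 'A', '/', 254 'A', "/feh".
 * Returns the string length, or 0 if buf is too small. */
size_t build_report_arg(char *buf, size_t cap)
{
    if (cap < 254 + 1 + 254 + 4 + 1) return 0;
    memset(buf, 'A', 254);
    buf[254] = '/';
    memset(buf + 255, 'A', 254);
    memcpy(buf + 509, "/feh", 5);
    return strlen(buf);
}

static char report_arg[600];       /* constructed sample input */
static struct parsed_path demo;

int main(void)
{
    size_t n = build_report_arg(report_arg, sizeof report_arg);
    printf("len=%zu long=%d short=%d\n", n,
           split_path(report_arg, &demo), split_path("docs/feh", &demo));
    return 0;
}
```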
Information forwarded to debian-bugs-dist@lists.debian.org, Jose Carlos Medeiros <debian@psabs.com.br>: Bug#367858; Package zoo.
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Jose Carlos Medeiros <debian@psabs.com.br>.
Message #10 received at submit@bugs.debian.org:
Alec Berryman wrote:
> Package: zoo
> Severity: normal
> Tags: security patch
>
> CVE-2006-1269: "Buffer overflow in the parse function in parse.c in zoo
> 2.10 might allow local users to execute arbitrary code via long filename
> command line arguments, which are not properly handled during archive
> creation. NOTE: since this issue is local and not setuid, the set of
> attack scenarios is limited, although is reasonable to expect that there
> are some situations in which the zoo user might automatically list
> attacker-controlled filenames to add to the zoo archive."
For stable we decided this to be an unrealistic attack vector, as zoo
is not used in automated setups like e.g. tar would be used.
Cheers,
Moritz
Acknowledgement sent to "Jose Carlos Medeiros" <jose@psabs.com.br>: Extra info received and forwarded to list. Copy sent to Jose Carlos Medeiros <debian@psabs.com.br>.
Message #20 received at 367858@bugs.debian.org:
Hi, Alec
Thanks a lot for your submission.
I've patched and will upload zoo to testing.
Regards
Jose Carlos
2006/5/18, Alec Berryman <alec@thened.net>:
> Package: zoo
> Severity: normal
> Tags: security patch
>
> CVE-2006-1269: "Buffer overflow in the parse function in parse.c in zoo
> 2.10 might allow local users to execute arbitrary code via long filename
> command line arguments, which are not properly handled during archive
> creation. NOTE: since this issue is local and not setuid, the set of
> attack scenarios is limited, although is reasonable to expect that there
> are some situations in which the zoo user might automatically list
> attacker-controlled filenames to add to the zoo archive."
>
> - From https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=183426:
>
> Here is how to reproduce this issue:
>
> mkdir `perl -e 'print "A"x254'`
> cd `perl -e 'print "A"x254'`
> mkdir `perl -e 'print "A"x254'`
> cd `perl -e 'print "A"x254'`
> touch feh
> cd ../..
> zoo a arch.zoo `perl -e 'print "A"x254 . "/" . "A"x254 . "/feh"'`
>
> I have confirmed that Debian's zoo_2.10-17 is vulnerable and do not see
> that this issue has been fixed for sarge/woody. A dpatch for the fix
> (created from instructions in the Red Hat bugzilla entry) is included.
> After building with the patch, the test case no longer causes zoo to
> segfault.
--
[]'s
José Carlos
Reply sent to Jose Carlos Medeiros <debian@psabs.com.br>: You have taken responsibility.
Notification sent to Alec Berryman <alec@thened.net>: Bug acknowledged by developer.
Message #25 received at 367858-close@bugs.debian.org:
Source: zoo
Source-Version: 2.10-18
We believe that the bug you reported is fixed in the latest version of
zoo, which is due to be installed in the Debian FTP archive:
zoo_2.10-18.diff.gz
to pool/main/z/zoo/zoo_2.10-18.diff.gz
zoo_2.10-18.dsc
to pool/main/z/zoo/zoo_2.10-18.dsc
zoo_2.10-18_i386.deb
to pool/main/z/zoo/zoo_2.10-18_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 367858@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jose Carlos Medeiros <debian@psabs.com.br> (supplier of updated zoo package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Fri, 19 May 2006 19:23:24 -0300
Source: zoo
Binary: zoo
Architecture: source i386
Version: 2.10-18
Distribution: unstable
Urgency: low
Maintainer: Jose Carlos Medeiros <debian@psabs.com.br>
Changed-By: Jose Carlos Medeiros <debian@psabs.com.br>
Description:
zoo - manipulate zoo archives
Closes: 367858
Changes:
zoo (2.10-18) unstable; urgency=low
.
* Added patch to solve "CVE-2006-1269: local arbitrary code execution",
thanks to Alec Berryman <alec@thened.net> (closes: #367858)
* Updated to DH_COMPAT 5
Files:
4f595715e57f07260c36a94384e2a152 617 utils optional zoo_2.10-18.dsc
6668fcfe3e09edc44b8600eeade74974 12333 utils optional zoo_2.10-18.diff.gz
8d4f8ed69c09caa1531bd0d632960005 62986 utils optional zoo_2.10-18_i386.deb
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org (Tue, 26 Jun 2007 01:31:57 GMT).