[CVE-2004-0564] attackers can overwrite any files when run with setuid root

Related Vulnerabilities: CVE-2004-0564  

Debian Bug report logs - #343264

Package: pppoe; Maintainer for pppoe is Andreas Barth <aba@not.so.argh.org>; Source for pppoe is src:rp-pppoe.

Reported by: FX <gentoo@sbcglobal.net>

Date: Wed, 14 Dec 2005 01:33:02 UTC

Severity: grave

Tags: security

Done: Christian Hudon <chrish@pianocktail.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Christian Hudon <chrish@debian.org>:
Bug#343264; Package pppoe.


Acknowledgement sent to FX <gentoo@sbcglobal.net>:
New Bug report received and forwarded. Copy sent to Christian Hudon <chrish@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: FX <gentoo@sbcglobal.net>
To: submit@bugs.debian.org
Subject: [CVE-2004-0564] attackers can overwrite any files when run with setuid root
Date: Tue, 13 Dec 2005 19:30:33 -0600

package: pppoe
severity: grave
tags: security

Max Vozeler discovered a vulnerability in pppoe, the PPP over Ethernet 
driver from Roaring Penguin. When the program is running setuid root, an 
attacker could overwrite any file on the file system.

CVE-2004-0564:  Roaring Penguin pppoe (rp-ppoe), if installed or 
configured to run setuid root contrary to its design, allows local users 
to overwrite arbitrary files.
NOTE: the developer has publicly disputed the claim that this is a 
vulnerability because pppoe "is NOT designed to run setuid-root." 
Therefore this identifier applies *only* to those configurations and 
installations under which pppoe is run setuid root despite the 
developer's warnings.

This was fixed in Red Hat a month ago despite their default configuration 
not using suid. See [FLSA-2005:152794].

In Debian Sarge, both /usr/sbin/pppd and /usr/sbin/pppoe files are 
"-rwsr-xr-- root dip".





Reply sent to Christian Hudon <chrish@pianocktail.org>:
You have taken responsibility.


Notification sent to FX <gentoo@sbcglobal.net>:
Bug acknowledged by developer.


Message #10 received at 343264-done@bugs.debian.org:

From: Christian Hudon <chrish@pianocktail.org>
To: FX <gentoo@sbcglobal.net>, 343264-done@bugs.debian.org
Subject: Re: Bug#343264: [CVE-2004-0564] attackers can overwrite any files when run with setuid root
Date: Tue, 13 Dec 2005 20:59:35 -0500

FX wrote:
> Max Vozeler discovered a vulnerability in pppoe, the PPP over Ethernet 
> driver from Roaring Penguin. When the program is running setuid root, 
> an attacker could overwrite any file on the file system.

This is rather old and was fixed more than a year ago in Debian:

Date: Wed, 29 Sep 2004 22:08:20 -0400
Source: rp-pppoe
Binary: pppoe
Architecture: source i386
Version: 3.5-4
Distribution: unstable
Urgency: high
Maintainer: Christian Hudon <chrish@debian.org>
Changed-By: Christian Hudon <chrish@debian.org>
Description: 
pppoe      - PPP over Ethernet driver
Changes: 
rp-pppoe (3.5-4) unstable; urgency=high
.
  * Added patch by Max Vozeler <max@hinterhof.net> to ignore -D and -p
    when pppoe is not running as root to prevent a potential root
    compromise by users in group dip when pppoe is running setuid root.
    [src/pppoe.c, CAN-2004-0564] Note that group dip is empty by default
    on Debian installs.

 Christian
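
The approach the changelog above describes (ignore -D and -p unless the invoking user is root), sketched as an added example. This is not Max Vozeler's patch or rp-pppoe code; `parse_file_opts` and `struct file_opts` are hypothetical names. In rp-pppoe, -D names a packet dump file and -p a PID file, both written by the process.

```c
/* Added illustration, not rp-pppoe source. All names here are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

struct file_opts {
    const char *debug_file; /* -D: file the packet dump is written to */
    const char *pid_file;   /* -p: file the process ID is written to */
    int ignored;            /* number of file options dropped */
};

/* Parse "-D file" and "-p file" (separate-argument form only).
 * ruid is the REAL uid of the invoking user, i.e. getuid(). In a setuid-root
 * binary the effective uid is 0 for every caller, so only the real uid shows
 * whether the caller may choose files that will be opened with root rights. */
int parse_file_opts(int argc, char *const argv[], uid_t ruid, struct file_opts *o)
{
    memset(o, 0, sizeof *o);
    for (int i = 1; i < argc; i++) {
        int is_D = strcmp(argv[i], "-D") == 0;
        int is_p = strcmp(argv[i], "-p") == 0;
        if (!is_D && !is_p)
            continue;              /* other options are out of scope here */
        if (i + 1 >= argc)
            return -1;             /* option given without its file argument */
        const char *path = argv[++i];
        if (ruid != 0) {           /* unprivileged caller: drop the path */
            o->ignored++;
            continue;
        }
        if (is_D) o->debug_file = path; else o->pid_file = path;
    }
    return 0;
}

int main(int argc, char *argv[])
{
    struct file_opts o;
    if (parse_file_opts(argc, argv, getuid(), &o) != 0) {
        fprintf(stderr, "missing file argument\n");
        return 2;
    }
    printf("debug_file=%s pid_file=%s ignored=%d\n",
           o.debug_file ? o.debug_file : "(none)",
           o.pid_file ? o.pid_file : "(none)", o.ignored);
    return 0;
}
```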





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 18 Jun 2007 12:49:53 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:19:08 2019; Machine Name: buxtehude
