Debian Bug report logs - #379174
shadow: CVE-2006-3378
Reported by: Henry Jensen <jensen@scan-plus.de>
Date: Fri, 21 Jul 2006 23:04:02 UTC
Severity: grave
Tags: security
Found in versions shadow/1:4.0.3-31sarge5, 4.0.3-31sarge5
Fixed in versions 4.0.14-1, 1:4.0.14-1
Done: Junichi Uekawa <dancer@netfort.gr.jp>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>: Bug#379174; Package passwd.
Acknowledgement sent to Henry Jensen <jensen@scan-plus.de>: New Bug report received and forwarded. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: passwd
Version: 1:4.0.3-31sarge5
Severity: grave
I just checked the source. From there it seems that the Debian passwd
is affected by CVE-2006-3378 (USN-308-1 in Ubuntu), too.
Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>: Bug#379174; Package passwd.
Acknowledgement sent to Christian Perrier <bubulle@debian.org>: Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>.
Message #10 received at 379174@bugs.debian.org:
Hello dear Security team (and ftpmasters, and shadow package maintainers),
Being back from 2 days holiday I discover CVE-2006-3378 which has just
been revealed to our attention (#359174 in the BTS).
As far as I can tell, this is a locally exploitable root
vulnerability. Passwd is vulnerable in sarge.
At this very moment, I haven't seen a fix. Nicolas François is working
on one.
Our main problem is that we have another update (namely
4.0.3-31sarge7) which is pending for passwd, related to #356939. That
update is *not* handled through the security updates queue but rather
through the proposed-updates queue as I explained to you a few days ago.
It goes this way because it has to be synced with a base-config update
that Joey Hess uploaded in proposed-updates.
The update is named 4.0.3-31sarge7 because a 4.0.3-31sarge6 was not
accepted by the SRM team....and we (SRM and I) didn't want to wait for
ftpmasters action....
CVE-2006-3378 complicates the whole thing a little bit....:-(
What I propose to you, as soon as we have a fix for CVE-2006-3378:
-urgently destroy 4.0.3-31sarge6 and 31sarge7 from the
proposed-updates queue. Need ftpmasters collaboration with high urgency
-the security team, or the shadow package team, prepares
4.0.3-31sarge6 with the fix for CVE-2006-3378 *ALONE*
-the shadow package team prepares 4.0.3-31sarge7 with BOTH updates and
sends it to the proposed-updates queue so that it can be picked by the
SRM team when they're ready to update sarge
PS: neither testing nor unstable are affected by this bug as the
culprit options of passwd have been removed in shadow 4.0.14
--
Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>: Bug#379174; Package passwd.
Acknowledgement sent to Christian Perrier <bubulle@debian.org>: Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>.
Message #15 received at 379174@bugs.debian.org:
tags 379174 security
thanks
Quoting Henry Jensen (jensen@scan-plus.de):
> Package: passwd
> Version: 1:4.0.3-31sarge5
> Severity: grave
>
> I just checked the source. From there it seems that the Debian passwd
> is affected by CVE-2006-3378 (USN-308-1 in Ubuntu), too.
>
Thanks for reporting this. This is currently being investigated.
Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>: Bug#379174; Package passwd.
Acknowledgement sent to Steve Kemp <skx@debian.org>: Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>.
Message #20 received at 379174@bugs.debian.org:
On Sun, Jul 23, 2006 at 06:16:00PM +0200, Christian Perrier wrote:
> Hello dear Security team (and ftpmasters, and shadow package maintainers),
>
> Being back from 2 days holiday I discover CVE-2006-3378 which has just
> been revealed to our attention (#359174 in the BTS).
I guess you mean #379174 here?
> What I propose to you, as soon as we have a fix for CVE-2006-3378:
>
>
> -urgently destroy 4.0.3-31sarge6 and 31sarge7 from the
> proposed-updates queue. Need ftpmasters collaboration with high urgency
> -the security team, or the shadow package team, prepares
> 4.0.3-31sarge6 with the fix for CVE-2006-3378 *ALONE*
> -the shadow package team prepares 4.0.3-31sarge7 with BOTH updates and
> sends it to the proposed-updates queue so that it can be picked by the
> SRM team when they're ready to update sarge
>
Sounds fine from the security point of view. Once a patch is
available at least.
Steve
--
Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>: Bug#379174; Package passwd.
Acknowledgement sent to Christian Perrier <bubulle@debian.org>: Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>.
Message #25 received at 379174@bugs.debian.org:
Quoting Steve Kemp (skx@debian.org):
> On Sun, Jul 23, 2006 at 06:16:00PM +0200, Christian Perrier wrote:
> > Hello dear Security team (and ftpmasters, and shadow package maintainers),
> >
> > Being back from 2 days holiday I discover CVE-2006-3378 which has just
> > been revealed to our attention (#359174 in the BTS).
>
> I guess you mean #379174 here?
Yeah, sorry. The stress of discovering this after a quiet 2-days
week-end can explain, I think.
>
> > What I propose to you, as soon as we have a fix for CVE-2006-3378:
> >
> >
> > -urgently destroy 4.0.3-31sarge6 and 31sarge7 from the
> > proposed-updates queue. Need ftpmasters collaboration with high urgency
> > -the security team, or the shadow package team, prepares
> > 4.0.3-31sarge6 with the fix for CVE-2006-3378 *ALONE*
> > -the shadow package team prepares 4.0.3-31sarge7 with BOTH updates and
> > sends it to the proposed-updates queue so that it can be picked by the
> > SRM team when they're ready to update sarge
> >
>
> Sounds fine from the security point of view. Once a patch is
> available at least.
Waiting for it, yes.
The first key point is the ftpmaster action...It will make things
clearer and avoid a big mess.
Tags added: security. Request was from Christian Perrier <bubulle@debian.org> to control@bugs.debian.org.
Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>: Bug#379174; Package passwd.
Acknowledgement sent to Nicolas François <nicolas.francois@centraliens.net>: Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>.
Message #32 received at 379174@bugs.debian.org:
Hello,
On Sat, Jul 22, 2006 at 12:59:59AM +0200, Henry Jensen wrote:
>
> I just checked the source. From there it seems that the Debian passwd
> is affected by CVE-2006-3378 (USN-308-1 in Ubuntu), too.
Here is a patch for this issue (taken from the ubuntu package).
Its changelog could be:
  * SECURITY UPDATE: CVE-2006-3378: Root privilege escalation.
  * src/passwd.c:
    - Check for failing setuid() (which can happen if user hits PAM
      limits). Before, passwd continued to run as root and executed
      chfn/chsh/gpasswd as root instead of as the user.
    - Thanks to Sune Kloppenborg Jeppesen for pointing this out.
Please note also that (because of #356939) there are other shadow packages
being processed (which do not fix this vulnerability):
1:4.0.3-31sarge6 (in the security queue) and 1:4.0.3-31sarge7 (in the
proposed-update queue)
Security team, what should we do?
* Ask the FTP masters to drop the current 1:4.0.3-31sarge6 and
1:4.0.3-31sarge7 and upload a new 1:4.0.3-31sarge6 (with only this
security fix?, with both?)
* Upload a new 1:4.0.3-31sarge8 (where? with only this security fix?,
with both?)
Thanks in advance,
--
Nekral
[shadow_CVE-2006-3378.patch (text/plain, attachment)]
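The changelog in the message above describes an unchecked setuid() followed by launching a helper. The following is an added example of that failure mode and the checked form; it is not the attached patch or shadow's code, and setuid_fn, setuid_hits_limit, spawn_helper, delegate_unchecked and delegate_checked are hypothetical names, with the failure simulated by a constructed stub.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical seam: lets the failure be simulated without root or rlimits. */
typedef int (*setuid_fn)(uid_t);

#define REFUSED (-1L)

/* Constructed stub: fails the way setuid(2) can when a resource limit is hit. */
static int setuid_hits_limit(uid_t uid) { (void)uid; errno = EAGAIN; return -1; }

/* Stand-in for exec'ing chfn/chsh/gpasswd: reports the euid a child would inherit. */
static long spawn_helper(void) { return (long)geteuid(); }

/* "Before" shape: the return value is ignored, so a failed drop goes unnoticed
 * and the helper starts with whatever privileges the caller still holds. */
long delegate_unchecked(setuid_fn drop, uid_t user)
{
    drop(user);
    return spawn_helper();
}

/* "After" shape: refuse to continue unless the drop succeeded and is visible. */
long delegate_checked(setuid_fn drop, uid_t user)
{
    if (drop(user) != 0) {
        fprintf(stderr, "cannot change uid to %lu: %s\n",
                (unsigned long)user, strerror(errno));
        return REFUSED;
    }
    if (getuid() != user || geteuid() != user)  /* verify, do not assume */
        return REFUSED;
    return spawn_helper();
}

int main(void)
{
    uid_t other = getuid() + 1;  /* constructed target that differs from ours */
    printf("unchecked, drop fails: helper euid %ld, wanted %lu\n",
           delegate_unchecked(setuid_hits_limit, other), (unsigned long)other);
    printf("checked, drop fails:   %ld (refused)\n",
           delegate_checked(setuid_hits_limit, other));
    printf("checked, real setuid to own uid: helper euid %ld\n",
           delegate_checked(setuid, getuid()));
    return 0;
}
```

In a setuid-root program the unchecked variant's "whatever privileges the caller still holds" is root, which is the condition the changelog entry describes.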
Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>: Bug#379174; Package passwd.
Acknowledgement sent to Christian Perrier <bubulle@debian.org>: Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>.
Message #37 received at 379174@bugs.debian.org:
Quoting Nicolas François (nicolas.francois@centraliens.net):
> Hello,
>
> On Sat, Jul 22, 2006 at 12:59:59AM +0200, Henry Jensen wrote:
> >
> > I just checked the source. From there it seems that the Debian passwd
> > is affected by CVE-2006-3378 (USN-308-1 in Ubuntu), too.
>
> Here is a patch for this issue (taken from the ubuntu package).
From this patch, I built (but did not upload) a 4.0.3-31sarge6
version.
This version *only* includes the fix for #370714, NOT the fix for
#356939
Attached is the diff.gz file. I leave it up to the security team to
handle this as I'm not skilled enough to decide whether Nicolas' patch
(which is indeed the Ubuntu patch) is OK or not.
[shadow_4.0.3-31sarge6.diff.gz (application/octet-stream, attachment)]
Bug marked as found in version 4.0.3-31sarge5. Request was from Christian Perrier <bubulle@debian.org> to control@bugs.debian.org.
Reply sent to Christian Perrier <bubulle@debian.org>: You have taken responsibility.
Notification sent to Henry Jensen <jensen@scan-plus.de>: Bug acknowledged by developer.
Message #44 received at 379174-done@bugs.debian.org:
Version: 4.0.14-1
found 379174 4.0.3-31sarge5
This security bug is fixed in shadow upstream 4.0.14. So, in Debian,
only the sarge version is vulnerable, namely 4.0.3-31sarge5.
This combination of the -done instruction and control commands should
put the bug in the right state.
--
Bug marked as fixed in version 1:4.0.14-1, send any further explanations to Henry Jensen <jensen@scan-plus.de>. Request was from Junichi Uekawa <dancer@netfort.gr.jp> to control@bugs.debian.org.
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org (Tue, 26 Jun 2007 13:50:32 GMT).