shadow: CVE-2006-3378

Related Vulnerabilities: CVE-2006-3378  

Debian Bug report logs - #379174

Reported by: Henry Jensen <jensen@scan-plus.de>

Date: Fri, 21 Jul 2006 23:04:02 UTC

Severity: grave

Tags: security

Found in versions shadow/1:4.0.3-31sarge5, 4.0.3-31sarge5

Fixed in versions 4.0.14-1, 1:4.0.14-1

Done: Junichi Uekawa <dancer@netfort.gr.jp>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#379174; Package passwd. (full text, mbox, link).


Acknowledgement sent to Henry Jensen <jensen@scan-plus.de>:
New Bug report received and forwarded. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>. (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Henry Jensen <jensen@scan-plus.de>
To: submit@bugs.debian.org
Subject: shadow: CVE-2006-3378
Date: Sat, 22 Jul 2006 00:59:59 +0200
Package: passwd
Version: 1:4.0.3-31sarge5
Severity: grave

I just checked the source. From there it seems that the Debian passwd 
is affected by CVE-2006-3378 (USN-308-1 in Ubuntu), too.







Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#379174; Package passwd. (full text, mbox, link).


Acknowledgement sent to Christian Perrier <bubulle@debian.org>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>. (full text, mbox, link).


Message #10 received at 379174@bugs.debian.org (full text, mbox, reply):

From: Christian Perrier <bubulle@debian.org>
To: team@security.debian.org
Cc: pkg-shadow-devel@lists.alioth.debian.org, 379174@bugs.debian.org, ftpmaster@debian.org
Subject: Shadow security update for CVE-2006-3378
Date: Sun, 23 Jul 2006 18:16:00 +0200
Hello dear Security team (and ftpmasters, and shadow package maintainers),

Being back from 2 days holiday I discover CVE-2006-3378 which has just
been revealed to our attention (#359174 in the BTS).

As far as I can tell, this is a locally exploitable root
vulnerability. Passwd is vulnerable in sarge.

At this very moment, I haven't seen a fix. Nicolas François is working
on one.

Our main problem is that we have another update (namely
4.0.3-31sarge7) which is pending for passwd, related to #356939. That
update is *not* handled through the security updates queue but rather
through the proposed-updates queue as I explained to you a few days ago.

It goes this way because it has to be synced with a base-config update
that Joey Hess uploaded in proposed-updates.

The update is named 4.0.3-31sarge7 because a 4.0.3-31sarge6 was not
accepted by the SRM team....and we (SRM and I) didn't want to wait for
ftpmasters action....


CVE-2006-3378 complicates the whole thing a little bit....:-(


What I propose to you, as soon as we have a fix for CVE-2006-3378:



-urgently destroy 4.0.3-31sarge6 and 31sarge7 from the
 proposed-updates queue. Need ftpmasters collaboration with high urgency
-the security team, or the shadow package team, prepares
 4.0.3-31sarge6 with the fix for CVE-2006-3378 *ALONE*
-the shadow package team prepares 4.0.3-31sarge7 with BOTH updates and
 sends it to the proposed-updates queue so that it can be picked by the
 SRM team when they're ready to update sarge



PS: neither testing nor unstable are affected by this bug as the
culprit options of passwd have been removed in shadow 4.0.14




Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#379174; Package passwd. (full text, mbox, link).


Acknowledgement sent to Christian Perrier <bubulle@debian.org>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>. (full text, mbox, link).


Message #15 received at 379174@bugs.debian.org (full text, mbox, reply):

From: Christian Perrier <bubulle@debian.org>
To: Henry Jensen <jensen@scan-plus.de>, 379174@bugs.debian.org
Subject: Re: [Pkg-shadow-devel] Bug#379174: shadow: CVE-2006-3378
Date: Sun, 23 Jul 2006 18:18:21 +0200
tags 379174 security
thanks

Quoting Henry Jensen (jensen@scan-plus.de):
> Package: passwd
> Version: 1:4.0.3-31sarge5
> Severity: grave
> 
> I just checked the source. From there it seems that the Debian passwd 
> is affected by CVE-2006-3378 (USN-308-1 in Ubuntu), too.
> 


Thanks for reporting this. This is currently being investigated.



Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#379174; Package passwd. (full text, mbox, link).


Acknowledgement sent to Steve Kemp <skx@debian.org>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>. (full text, mbox, link).


Message #20 received at 379174@bugs.debian.org (full text, mbox, reply):

From: Steve Kemp <skx@debian.org>
To: Christian Perrier <bubulle@debian.org>
Cc: team@security.debian.org, pkg-shadow-devel@lists.alioth.debian.org, 379174@bugs.debian.org, ftpmaster@debian.org
Subject: Re: Shadow security update for CVE-2006-3378
Date: Sun, 23 Jul 2006 17:24:06 +0100
On Sun, Jul 23, 2006 at 06:16:00PM +0200, Christian Perrier wrote:
> Hello dear Security team (and ftpmasters, and shadow package maintainers),
> 
> Being back from 2 days holiday I discover CVE-2006-3378 which has just
> been revealed to our attention (#359174 in the BTS).

  I guess you mean #379174 here?

> What I propose to you, as soon as we have a fix for CVE-2006-3378:
> 
> 
> -urgently destroy 4.0.3-31sarge6 and 31sarge7 from the
>  proposed-updates queue. Need ftpmasters collaboration with high urgency
> -the security team, or the shadow package team, prepares
>  4.0.3-31sarge6 with the fix for CVE-2006-3378 *ALONE*
> -the shadow package team prepares 4.0.3-31sarge7 with BOTH updates and
>  sends it to the proposed-updates queue so that it can be picked by the
>  SRM team when they're ready to update sarge
> 

  Sounds fine from the security point of view.  Once a patch is
 available at least.

Steve

Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#379174; Package passwd. (full text, mbox, link).


Acknowledgement sent to Christian Perrier <bubulle@debian.org>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>. (full text, mbox, link).


Message #25 received at 379174@bugs.debian.org (full text, mbox, reply):

From: Christian Perrier <bubulle@debian.org>
To: pkg-shadow-devel@lists.alioth.debian.org, team@security.debian.org, 379174@bugs.debian.org, ftpmaster@debian.org
Subject: Re: [Pkg-shadow-devel] Re: Shadow security update for CVE-2006-3378
Date: Sun, 23 Jul 2006 18:31:54 +0200
Quoting Steve Kemp (skx@debian.org):
> On Sun, Jul 23, 2006 at 06:16:00PM +0200, Christian Perrier wrote:
> > Hello dear Security team (and ftpmasters, and shadow package maintainers),
> > 
> > Being back from 2 days holiday I discover CVE-2006-3378 which has just
> > been revealed to our attention (#359174 in the BTS).
> 
>   I guess you mean #379174 here?

Yeah, sorry. The stress of discovering this after a quiet 2-days
week-end can explain, I think.

> 
> > What I propose to you, as soon as we have a fix for CVE-2006-3378:
> > 
> > 
> > -urgently destroy 4.0.3-31sarge6 and 31sarge7 from the
> >  proposed-updates queue. Need ftpmasters collaboration with high urgency
> > -the security team, or the shadow package team, prepares
> >  4.0.3-31sarge6 with the fix for CVE-2006-3378 *ALONE*
> > -the shadow package team prepares 4.0.3-31sarge7 with BOTH updates and
> >  sends it to the proposed-updates queue so that it can be picked by the
> >  SRM team when they're ready to update sarge
> > 
> 
>   Sounds fine from the security point of view.  Once a patch is
>  available at least.


Waiting for it, yes.

The first key point is the ftpmaster action...It will make things
clearer and avoid a big mess.



Tags added: security Request was from Christian Perrier <bubulle@debian.org> to control@bugs.debian.org. (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#379174; Package passwd. (full text, mbox, link).


Acknowledgement sent to Nicolas François <nicolas.francois@centraliens.net>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>. (full text, mbox, link).


Message #32 received at 379174@bugs.debian.org (full text, mbox, reply):

From: Nicolas François <nicolas.francois@centraliens.net>
To: team@security.debian.org
Cc: Henry Jensen <jensen@scan-plus.de>, 379174@bugs.debian.org
Subject: Re: Bug#379174: shadow: CVE-2006-3378
Date: Sun, 23 Jul 2006 19:18:54 +0200
Hello,

On Sat, Jul 22, 2006 at 12:59:59AM +0200, Henry Jensen wrote:
> 
> I just checked the source. From there it seems that the Debian passwd 
> is affected by CVE-2006-3378 (USN-308-1 in Ubuntu), too.

Here is a patch for this issue (taken from the Ubuntu package).

Its changelog could be:

  * SECURITY UPDATE: CVE-2006-3378: Root privilege escalation.
  * src/passwd.c:
    - Check for failing setuid() (which can happen if user hits PAM
      limits). Before, passwd continued to run as root and executed
      chfn/chsh/gpasswd as root instead of as the user.
    - Thanks to Sune Kloppenborg Jeppesen for pointing this out.

Please note also that (because of #356939) there are other shadow packages
being processed (which do not fix this vulnerability):
1:4.0.3-31sarge6 (in the security queue) and 1:4.0.3-31sarge7 (in the
proposed-update queue)


Security team, what should we do?
 * Ask the FTP masters to drop the current 1:4.0.3-31sarge6 and
   1:4.0.3-31sarge7 and upload a new 1:4.0.3-31sarge6 (with only this
   security fix?, with both?)
 * Upload a new 1:4.0.3-31sarge8 (where? with only this security fix?,
   with both?)

Thanks in advance,
-- 
Nekral
[shadow_CVE-2006-3378.patch (text/plain, attachment)]
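
The changelog in the message above describes a `setuid()` call whose failure was ignored. The following C example is added here for illustration; it is not the attached Ubuntu patch and not code from shadow. It contrasts the unchecked pattern with a checked privilege drop. The names `setuid_fn`, `setuid_hits_limit`, `drop_unchecked` and `drop_checked` are hypothetical, and the failing `setuid()` is a constructed stub so the failure path runs without root.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical seam so the failure path can be exercised without root. */
typedef int (*setuid_fn)(uid_t);

/* Constructed stub: behaves like setuid() failing because a per-user
 * process limit (for example one applied through PAM) was reached. */
static int setuid_hits_limit(uid_t uid)
{
    (void)uid;
    errno = EAGAIN;
    return -1;
}

/* 'Before' pattern from the changelog: the result of setuid() is ignored,
 * so on failure the caller keeps its original (root) identity.
 * Returns 1 if the caller would go on to exec chfn/chsh/gpasswd. */
static int drop_unchecked(uid_t uid, setuid_fn do_setuid)
{
    do_setuid(uid);   /* return value discarded */
    return 1;         /* always proceeds */
}

/* Checked pattern: proceed only if setuid() succeeded AND the process
 * really has the requested real and effective uid afterwards. */
static int drop_checked(uid_t uid, setuid_fn do_setuid)
{
    if (do_setuid(uid) != 0) {
        perror("setuid");
        return 0;
    }
    if (getuid() != uid || geteuid() != uid) {
        fprintf(stderr, "privilege drop did not take effect\n");
        return 0;
    }
    return 1;
}

int main(void)
{
    uid_t me = getuid();
    printf("unchecked, setuid fails: proceed=%d\n", drop_unchecked(me, setuid_hits_limit));
    printf("checked,   setuid fails: proceed=%d\n", drop_checked(me, setuid_hits_limit));
    printf("checked,   real setuid:  proceed=%d\n", drop_checked(me, setuid));
    return 0;
}
```

A caller that gets 0 from `drop_checked` should exit instead of executing the helper program.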

Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#379174; Package passwd. (full text, mbox, link).


Acknowledgement sent to Christian Perrier <bubulle@debian.org>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>. (full text, mbox, link).


Message #37 received at 379174@bugs.debian.org (full text, mbox, reply):

From: Christian Perrier <bubulle@debian.org>
To: Nicolas François <nicolas.francois@centraliens.net>, 379174@bugs.debian.org
Cc: team@security.debian.org, Henry Jensen <jensen@scan-plus.de>
Subject: Re: [Pkg-shadow-devel] Bug#379174: shadow: CVE-2006-3378
Date: Sun, 23 Jul 2006 22:16:25 +0200
Quoting Nicolas François (nicolas.francois@centraliens.net):
> Hello,
> 
> On Sat, Jul 22, 2006 at 12:59:59AM +0200, Henry Jensen wrote:
> > 
> > I just checked the source. From there it seems that the Debian passwd 
> > is affected by CVE-2006-3378 (USN-308-1 in Ubuntu), too.
> 
> Here is a patch for this issue (taken from the ubuntu package).


From this patch, I built (but did not upload) a 4.0.3-31sarge6
version.

This version *only* includes the fix for #370714, NOT the fix for
#356939

Attached is the diff.gz file. I leave it up to the security team to
handle this as I'm not skilled enough to decide whether Nicolas' patch
(which is indeed the Ubuntu patch) is OK or not.





[shadow_4.0.3-31sarge6.diff.gz (application/octet-stream, attachment)]

Bug marked as found in version 4.0.3-31sarge5. Request was from Christian Perrier <bubulle@debian.org> to control@bugs.debian.org. (full text, mbox, link).


Reply sent to Christian Perrier <bubulle@debian.org>:
You have taken responsibility. (full text, mbox, link).


Notification sent to Henry Jensen <jensen@scan-plus.de>:
Bug acknowledged by developer. (full text, mbox, link).


Message #44 received at 379174-done@bugs.debian.org (full text, mbox, reply):

From: Christian Perrier <bubulle@debian.org>
To: 379174-done@bugs.debian.org
Subject: Closing with version control
Date: Mon, 24 Jul 2006 20:25:29 +0200
Version: 4.0.14-1

found 379174 4.0.3-31sarge5

This security bug is fixed in shadow upstream 4.0.14. So, in Debian,
only the sarge version is vulnerable, namely 4.0.3-31sarge5.

This combination of the -done instruction and control commands should
put the bug in the right state.


Bug marked as fixed in version 1:4.0.14-1, send any further explanations to Henry Jensen <jensen@scan-plus.de> Request was from Junichi Uekawa <dancer@netfort.gr.jp> to control@bugs.debian.org. (full text, mbox, link).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 13:50:32 GMT) (full text, mbox, link).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:03:09 2019; Machine Name: buxtehude
