CVE-2012-2653: initgroups() adds gid 0 to the group list

Debian Bug report logs - #674715
CVE-2012-2653: initgroups() adds gid 0 to the group list

Reported by: Yves-Alexis Perez <corsac@debian.org>

Date: Sat, 26 May 2012 22:00:01 UTC

Severity: critical

Tags: security

Found in version arpwatch/2.1a15-1.1

Fixed in versions arpwatch/2.1a15-1.2, arpwatch/2.1a15-1.1+squeeze1

Done: Yves-Alexis Perez <corsac@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, KELEMEN Péter <fuji@debian.org>:
Bug#674715; Package arpwatch. (Sat, 26 May 2012 22:00:04 GMT)


Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, KELEMEN Péter <fuji@debian.org>. (Sat, 26 May 2012 22:00:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Yves-Alexis Perez <corsac@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2012-2653: initgroups() adds gid 0 to the group list
Date: Sat, 26 May 2012 23:57:45 +0200
Package: arpwatch
Version: 2.1a15-1.1
Severity: critical
Tags: security
Justification: root security hole

Hi,

as reported on oss-sec
(http://www.openwall.com/lists/oss-security/2012/05/24/12) the patch
added to arpwatch to drop privileges in fact adds the gid 0 (root) group
to the group list. This has been allocated CVE-2012-2653.

Can you prepare updates fixing this (using pw->pw_gid in the call) or
should the security team do it?

Regards,
-- 
Yves-Alexis

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-2-grsec-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
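The mistake the report describes, as an added example that is not arpwatch's code and not the Debian patch: a privilege-drop routine in which initgroups() is handed gid 0 instead of pw->pw_gid, a small model of the group list initgroups() installs (the user's memberships plus the base gid it is given), and an audit that checks the calling process's supplementary groups for gid 0. The account name, gids and group memberships are constructed sample values; drop_privileges() only does anything real when the process is root.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/* Explicit prototype in case the feature macros hide it in <grp.h>. */
extern int initgroups(const char *user, gid_t group);

/* Return 1 if gid 0 (root's group) appears in a group list, else 0. */
int groups_contain_root(const gid_t *groups, int ngroups)
{
    for (int i = 0; i < ngroups; i++)
        if (groups[i] == 0)
            return 1;
    return 0;
}

/* Model of what initgroups(user, base) installs: every group the user is a
 * member of in the group database, plus `base` itself. Writes at most `cap`
 * entries to `out` and returns the count. */
int build_group_list(gid_t base, const gid_t *memberships, int nmemb,
                     gid_t *out, int cap)
{
    int n = 0;
    for (int i = 0; i < nmemb && n < cap; i++)
        out[n++] = memberships[i];
    for (int i = 0; i < n; i++)
        if (out[i] == base)
            return n;          /* base already present, nothing to add */
    if (n < cap)
        out[n++] = base;
    return n;
}

/* Constructed sample (not from any real system): a service account with
 * primary gid 1000 that is also a member of gid 27. With buggy = 1 the base
 * passed to initgroups() is a hard-coded 0, the pattern the report describes;
 * with buggy = 0 it is the account's primary gid, which is the fix. Returns 1
 * if the resulting list contains gid 0. */
int demo_list_has_root(int buggy)
{
    const gid_t primary = 1000;
    const gid_t memberships[] = { 1000, 27 };
    gid_t list[8];
    int n = build_group_list(buggy ? (gid_t)0 : primary,
                             memberships, 2, list, 8);
    return groups_contain_root(list, n);
}

/* Drop from root to `user`. Must itself run as root; returns 0 on success,
 * -1 with errno set otherwise. initgroups() and setgid() need root, so
 * setuid() must come last. */
int drop_privileges(const char *user, int buggy)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL) {
        errno = ENOENT;
        return -1;
    }
    /* The bug: passing 0 here instead of pw->pw_gid adds root's group. */
    gid_t base = buggy ? (gid_t)0 : pw->pw_gid;
    if (initgroups(pw->pw_name, base) != 0)
        return -1;
    if (setgid(pw->pw_gid) != 0)
        return -1;
    if (setuid(pw->pw_uid) != 0)
        return -1;
    return 0;
}

/* Audit the calling process after a privilege drop: 1 if gid 0 is still in
 * its supplementary groups, 0 if not, -1 on error. */
int process_has_root_group(void)
{
    int n = getgroups(0, NULL);
    if (n < 0)
        return -1;
    gid_t *groups = calloc((size_t)n + 1, sizeof *groups);
    if (groups == NULL)
        return -1;
    n = getgroups(n + 1, groups);
    int result = (n < 0) ? -1 : groups_contain_root(groups, n);
    free(groups);
    return result;
}

int main(void)
{
    printf("base gid 0   -> list contains gid 0: %d\n", demo_list_has_root(1));
    printf("base pw_gid  -> list contains gid 0: %d\n", demo_list_has_root(0));
    printf("this process has gid 0 in its groups: %d\n", process_has_root_group());
    return 0;
}
```

process_has_root_group() is the check worth keeping: called right after the drop, or from a test that execs the daemon, it catches exactly this class of bug, where the uid and primary gid look correct but the supplementary list still carries gid 0.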




Information forwarded to debian-bugs-dist@lists.debian.org, KELEMEN Péter <fuji@debian.org>:
Bug#674715; Package arpwatch. (Sun, 27 May 2012 08:27:03 GMT)


Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
Extra info received and forwarded to list. Copy sent to KELEMEN Péter <fuji@debian.org>. (Sun, 27 May 2012 08:27:03 GMT)


Message #10 received at 674715@bugs.debian.org:

From: Yves-Alexis Perez <corsac@debian.org>
To: 674715@bugs.debian.org
Subject: Re: CVE-2012-2653: initgroups() adds gid 0 to the group list
Date: Sun, 27 May 2012 10:25:11 +0200
On sam., 2012-05-26 at 23:57 +0200, Yves-Alexis Perez wrote:
> Package: arpwatch
> Version: 2.1a15-1.1
> Severity: critical
> Tags: security
> Justification: root security hole
> 
> Hi,
> 
> as reported on oss-sec
> (http://www.openwall.com/lists/oss-security/2012/05/24/12) the patch
> added to arpwatch to drop privileges in fact adds the gid 0 (root) group
> to the group list. This has been allocated CVE-2012-2653.
> 
> Can you prepare updates fixing this (using pw->pw_gid in the call) or
> should the security team do it?
> 
I've uploaded the attached debdiff to DELAYED/2 and will upload the fix
(but without the hardening part) to stable soon.

Note that the arpwatch package seems in a really bad state, if you don't
have time or don't care anymore, you should orphan it.

Regards,
-- 
Yves-Alexis
[arpwatch_2.1a15-1.1_2.1a15-1.2.diff (text/x-patch, attachment)]
[signature.asc (application/pgp-signature, inline)]

Reply sent to Yves-Alexis Perez <corsac@debian.org>:
You have taken responsibility. (Tue, 29 May 2012 09:03:07 GMT)


Notification sent to Yves-Alexis Perez <corsac@debian.org>:
Bug acknowledged by developer. (Tue, 29 May 2012 09:03:07 GMT)


Message #15 received at 674715-close@bugs.debian.org:

From: Yves-Alexis Perez <corsac@debian.org>
To: 674715-close@bugs.debian.org
Subject: Bug#674715: fixed in arpwatch 2.1a15-1.2
Date: Tue, 29 May 2012 09:02:28 +0000
Source: arpwatch
Source-Version: 2.1a15-1.2

We believe that the bug you reported is fixed in the latest version of
arpwatch, which is due to be installed in the Debian FTP archive:

arpwatch_2.1a15-1.2.diff.gz
  to main/a/arpwatch/arpwatch_2.1a15-1.2.diff.gz
arpwatch_2.1a15-1.2.dsc
  to main/a/arpwatch/arpwatch_2.1a15-1.2.dsc
arpwatch_2.1a15-1.2_amd64.deb
  to main/a/arpwatch/arpwatch_2.1a15-1.2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 674715@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yves-Alexis Perez <corsac@debian.org> (supplier of updated arpwatch package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Sun, 27 May 2012 09:20:52 +0200
Source: arpwatch
Binary: arpwatch
Architecture: source amd64
Version: 2.1a15-1.2
Distribution: unstable
Urgency: high
Maintainer: KELEMEN Péter <fuji@debian.org>
Changed-By: Yves-Alexis Perez <corsac@debian.org>
Description: 
 arpwatch   - Ethernet/FDDI station activity monitor
Closes: 674715
Changes: 
 arpwatch (2.1a15-1.2) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix initgroups() adding the gid 0 group to the list. Instead of dropping
     privileges it was in fact adding it. This is CVE-2012-2653. closes: #674715
   * debian/rules:
     - enable hardening flags.
   * Makefile.in: add LDFLAGS support.
Checksums-Sha1: 
 a99f51eb621a0dbcb1d0a7b36cfa650c52b50d0d 1714 arpwatch_2.1a15-1.2.dsc
 81b57ead3e4a3d4a8c10678109dfe8e4c03c7a02 147856 arpwatch_2.1a15-1.2.diff.gz
 24ba4127de1801e3d24523babb7064e06c11c7dc 193364 arpwatch_2.1a15-1.2_amd64.deb
Checksums-Sha256: 
 9785e1f5ecbde302e8683cbc339aa04d452d3cbf20bd35bd06ed7fff9150ff78 1714 arpwatch_2.1a15-1.2.dsc
 43fa24105594e0886aaa571d3ca2cc6a5c07d540b0b134d2b5923c688cc2a8f6 147856 arpwatch_2.1a15-1.2.diff.gz
 8965e768c5de971c58335c9508b0cdbb24714a9c72fa4757d569aa4f21571a79 193364 arpwatch_2.1a15-1.2_amd64.deb
Files: 
 628e8c1445bc87dac730fe74c344e246 1714 admin optional arpwatch_2.1a15-1.2.dsc
 ea6ac9531289f04219349d0faca7cde5 147856 admin optional arpwatch_2.1a15-1.2.diff.gz
 5459c8eba786e6ae3edaa3dcad3f977f 193364 admin optional arpwatch_2.1a15-1.2_amd64.deb

Reply sent to Yves-Alexis Perez <corsac@debian.org>:
You have taken responsibility. (Mon, 04 Jun 2012 20:51:15 GMT)


Notification sent to Yves-Alexis Perez <corsac@debian.org>:
Bug acknowledged by developer. (Mon, 04 Jun 2012 20:51:15 GMT)


Message #20 received at 674715-close@bugs.debian.org:

From: Yves-Alexis Perez <corsac@debian.org>
To: 674715-close@bugs.debian.org
Subject: Bug#674715: fixed in arpwatch 2.1a15-1.1+squeeze1
Date: Mon, 04 Jun 2012 20:47:14 +0000
Source: arpwatch
Source-Version: 2.1a15-1.1+squeeze1

We believe that the bug you reported is fixed in the latest version of
arpwatch, which is due to be installed in the Debian FTP archive:

arpwatch_2.1a15-1.1+squeeze1.diff.gz
  to main/a/arpwatch/arpwatch_2.1a15-1.1+squeeze1.diff.gz
arpwatch_2.1a15-1.1+squeeze1.dsc
  to main/a/arpwatch/arpwatch_2.1a15-1.1+squeeze1.dsc
arpwatch_2.1a15-1.1+squeeze1_amd64.deb
  to main/a/arpwatch/arpwatch_2.1a15-1.1+squeeze1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 674715@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yves-Alexis Perez <corsac@debian.org> (supplier of updated arpwatch package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Sat, 26 May 2012 23:53:19 +0200
Source: arpwatch
Binary: arpwatch
Architecture: source amd64
Version: 2.1a15-1.1+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: KELEMEN Péter <fuji@debian.org>
Changed-By: Yves-Alexis Perez <corsac@debian.org>
Description: 
 arpwatch   - Ethernet/FDDI station activity monitor
Closes: 674715
Changes: 
 arpwatch (2.1a15-1.1+squeeze1) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix initgroups() adding the gid 0 group to the list. Instead of dropping
     privileges it was in fact adding it. This is CVE-2012-2653. closes: #674715
Checksums-Sha1: 
 7e6ecaefcf64542424499406833c9b4c1006df79 1706 arpwatch_2.1a15-1.1+squeeze1.dsc
 9dffaec0f132e5bb7aedfc840c5c67068bfbce69 202729 arpwatch_2.1a15.orig.tar.gz
 94161e464ce50967b71f07fe865010a4230f5fec 150105 arpwatch_2.1a15-1.1+squeeze1.diff.gz
 75c9d036f5a71a1769d62cda333b827b4863c2a2 188294 arpwatch_2.1a15-1.1+squeeze1_amd64.deb
Checksums-Sha256: 
 d02dace3f9b3e2075efb9a7bb14b3649f16d783ba6a6e005cb2d9ed1d943f021 1706 arpwatch_2.1a15-1.1+squeeze1.dsc
 c1df9737e208a96a61fa92ddad83f4b4d9be66f8992f3c917e9edf4b05ff5898 202729 arpwatch_2.1a15.orig.tar.gz
 289873de4fc24a836d6219a1e272aa9df253255d5b6e1434ff74e284444f3af8 150105 arpwatch_2.1a15-1.1+squeeze1.diff.gz
 e694736b69f5571a093d5cba773ea8b88cb679ee9368ec9c54019a0ed4d763bd 188294 arpwatch_2.1a15-1.1+squeeze1_amd64.deb
Files: 
 a8728af287fa60c61a7d89cfd9e61fb3 1706 admin optional arpwatch_2.1a15-1.1+squeeze1.dsc
 cebfeb99c4a7c2a6cee2564770415fe7 202729 admin optional arpwatch_2.1a15.orig.tar.gz
 ebd379d4f7f4ae7782e00e5f86aeea9f 150105 admin optional arpwatch_2.1a15-1.1+squeeze1.diff.gz
 5436f25de47de028726db436def5dea8 188294 admin optional arpwatch_2.1a15-1.1+squeeze1_amd64.deb

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 30 Sep 2012 07:26:28 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:27:32 2019; Machine Name: buxtehude
