rpm -- Fails to remove the SUID/SGID bits on package updates

Related Vulnerabilities: CVE-2010-2197   CVE-2010-2059  

Debian Bug report logs - #584257

Package: rpm; Maintainer for rpm is RPM packaging team <team+pkg-rpm@tracker.debian.org>; Source for rpm is src:rpm (PTS, buildd, popcon).

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Wed, 2 Jun 2010 17:54:01 UTC

Severity: important

Found in version rpm/4.7.2-1

Fixed in version rpm/4.8.1-1

Done: Michal Čihař <nijel@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Michal Čihař <nijel@debian.org>:
Bug#584257; Package rpm. (Wed, 02 Jun 2010 17:54:04 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to Michal Čihař <nijel@debian.org>. (Wed, 02 Jun 2010 17:54:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: rpm -- Fails to remove the SUID/SGID bits on package updates
Date: Wed, 02 Jun 2010 19:52:49 +0200
Package: rpm
Version: 4.7.2-1+b2
Severity: important

Hi,
the following security issue was reported on the oss-security mailing
list. We don't need to fix this in stable, but a fix for Squeeze might
still be appropriate.

Cheers,
        Moritz

Date: Wed, 02 Jun 2010 13:43:03 +0200
From: Jan Lieskovsky <jlieskov@redhat.com>
Subject: [oss-security] CVE Request -- rpm -- Fails to remove the SUID/SGID bits on package upgrade (RH BZ#598775)

Hi Steve, vendors,

   Matt McCutchen pointed out a deficiency in the way rpm handled rpm package upgrades --
it failed to clear the SUID/SGID bits of the old file during file replacement when a privileged
user performed a package upgrade. Under certain circumstances, a local, authenticated user could
use this flaw to escalate their privileges.

Red Hat Bugzilla entry:
  [1] https://bugzilla.redhat.com/show_bug.cgi?id=598775

Upstream changeset:
  [2] http://rpm.org/gitweb?p=rpm.git;a=commit;h=ca2d6b2b484f1501eafdde02e1688409340d2383

Could you allocate CVE id for this?

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team




-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages rpm depends on:
ii  debconf [debconf-2.0]   1.5.32           Debian configuration management sy
ii  libc6                   2.10.2-9         Embedded GNU C Library: Shared lib
ii  libelf1                 0.146-1          library to read and write ELF file
ii  libnss3-1d              3.12.6-2         Network Security Service libraries
ii  libpopt0                1.16-1           lib for parsing cmdline parameters
ii  librpm0                 4.7.2-1+b2       RPM shared library
ii  librpmbuild0            4.7.2-1+b2       RPM build shared library
ii  librpmio0               4.7.2-1+b2       RPM IO shared library
ii  perl                    5.10.1-12        Larry Wall's Practical Extraction 
ii  rpm-common              4.7.2-1          common files for RPM
ii  rpm2cpio                4.7.2-1+b2       tool to convert RPM package to CPI
ii  zlib1g                  1:1.2.3.4.dfsg-3 compression library - runtime

rpm recommends no packages.

Versions of packages rpm suggests:
pn  alien                         <none>     (no description available)
ii  elfutils                      0.146-1    collection of utilities to handle 
pn  rpm-i18n                      <none>     (no description available)

-- debconf information:
* rpm/upgrade-failed:
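The flaw Jan describes is easiest to see with the permission bits in hand. Mode bits such as SUID live on the inode, not on the directory entry, so if the old setuid binary is simply unlinked during the upgrade, any other hard link to that inode (for example one a local user made in a directory they control, which is the scenario the CVE-2010-2059 description names) keeps a working, privileged copy of the old code. The following is an added example written for this page, not code from rpm, the upstream fix, or the Debian package: it contrasts the bare `unlink()` with a replacement routine that strips SUID/SGID from the old file first, and simulates the upgrade in a scratch directory. It assumes a POSIX system with a writable `/tmp` that permits hard links; the helper names (`naive_unlink`, `safe_unlink`, `surviving_mode`) are this example's own.

```c
/* Added example, not code from rpm or from the Debian package: shows why a
 * package manager must strip SUID/SGID bits from the old file before it
 * unlinks it during an upgrade.  Permission bits live on the inode, so a
 * local user who made a hard link to the old setuid binary beforehand
 * keeps a working privileged copy if only the directory entry is removed.
 * Assumes a POSIX system with a writable /tmp that permits hard links. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define PRIV_BITS (S_ISUID | S_ISGID)

/* Vulnerable pattern: remove only the directory entry.  Any other hard link
 * to the inode keeps the old contents together with the setuid bit. */
static int naive_unlink(const char *path)
{
    return unlink(path);
}

/* Hardened pattern: open without following symlinks; if the target is a
 * regular file carrying SUID/SGID, clear those bits through the descriptor
 * (fchmod, so the path cannot be swapped under us), then unlink it. */
static int safe_unlink(const char *path)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0) {
        if (errno == ELOOP)          /* a symlink carries no mode bits */
            return unlink(path);
        return -1;
    }
    struct stat st;
    int rc = fstat(fd, &st);
    if (rc == 0 && S_ISREG(st.st_mode) && (st.st_mode & PRIV_BITS))
        rc = fchmod(fd, (st.st_mode & 07777) & ~PRIV_BITS);
    close(fd);
    return rc == 0 ? unlink(path) : -1;
}

/* Simulated upgrade in a scratch directory: install a setuid "binary",
 * let an unprivileged user keep a hard link to it, replace it with the
 * given unlink routine, and return the permission bits (mode & 07777)
 * the retained link still carries, or -1 on setup failure. */
static int surviving_mode(int (*unlinker)(const char *))
{
    char dir[] = "/tmp/suidlink.XXXXXX";          /* constructed scratch dir */
    char victim[64], kept[64];
    struct stat st;
    int fd, rc, mode = -1;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/oldbin", dir);
    snprintf(kept, sizeof kept, "%s/kept", dir);

    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0755);
    if (fd < 0) {
        rmdir(dir);
        return -1;
    }
    rc = (write(fd, "#!/bin/sh\n", 10) == 10) ? 0 : -1;
    close(fd);
    if (rc == 0 && chmod(victim, 04755) == 0        /* the old setuid binary    */
        && link(victim, kept) == 0) {               /* attacker's retained link */
        if (unlinker(victim) == 0 && stat(kept, &st) == 0)
            mode = (int)(st.st_mode & 07777);
    }
    unlink(kept);
    unlink(victim);
    rmdir(dir);
    return mode;
}

int main(void)
{
    printf("retained link after naive unlink: %04o\n", surviving_mode(naive_unlink));
    printf("retained link after safe unlink:  %04o\n", surviving_mode(safe_unlink));
    return 0;
}
```

With the naive routine the retained link still reports mode 4755; with the hardened routine it reports 0755, because fchmod changed the shared inode before the directory entry went away. On a host that may have been upgraded with a vulnerable rpm, the corresponding check is to look for setuid or setgid files that have more than one hard link, for example `find / -xdev -type f -perm /6000 -links +1`, and compare each hit against what the package database says should be installed.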




Information forwarded to debian-bugs-dist@lists.debian.org, Michal Čihař <nijel@debian.org>:
Bug#584257; Package rpm. (Wed, 02 Jun 2010 18:57:09 GMT)


Acknowledgement sent to Michal Čihař <michal@cihar.com>:
Extra info received and forwarded to list. Copy sent to Michal Čihař <nijel@debian.org>. (Wed, 02 Jun 2010 18:57:09 GMT)


Message #10 received at 584257@bugs.debian.org:

From: Michal Čihař <michal@cihar.com>
To: Moritz Muehlenhoff <jmm@debian.org>, 584257@bugs.debian.org
Subject: Re: Bug#584257: rpm -- Fails to remove the SUID/SGID bits on package updates
Date: Wed, 2 Jun 2010 20:53:33 +0200
Hi

Dne Wed, 02 Jun 2010 19:52:49 +0200
Moritz Muehlenhoff <jmm@debian.org> napsal(a):

> the following security issue was reported on the oss-security mailing
> list. We don't need to fix this in stable, but a fix for Squeeze might
> still be appropriate.

I've just committed the fix into Git for 4.8.0 currently available in
experimental (it will go to unstable once Python 2.6 is default).

Using rpm on Debian for installing binary packages is discouraged in
various ways, so the risk is not that high. Because of this I will
probably delay the upload until more things pop up (e.g. Python 2.6 becoming
the default in unstable).

-- 
	Michal Čihař | http://cihar.com | http://blog.cihar.com

Added tag(s) pending. Request was from Michal Čihař <nijel@debian.org> to control@bugs.debian.org. (Wed, 02 Jun 2010 19:00:14 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Michal Čihař <nijel@debian.org>:
Bug#584257; Package rpm. (Wed, 09 Jun 2010 21:39:05 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Michal Čihař <nijel@debian.org>. (Wed, 09 Jun 2010 21:39:05 GMT)


Message #17 received at 584257@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Michal Čihař <michal@cihar.com>
Cc: Moritz Muehlenhoff <jmm@debian.org>, 584257@bugs.debian.org
Subject: Re: Bug#584257: rpm -- Fails to remove the SUID/SGID bits on package updates
Date: Wed, 9 Jun 2010 23:37:54 +0200
Michal Čihař wrote:
> Hi
> 
> Dne Wed, 02 Jun 2010 19:52:49 +0200
> Moritz Muehlenhoff <jmm@debian.org> napsal(a):
> 
> > the following security issue was reported on the oss-security mailing
> > list. We don't need to fix this in stable, but a fix for Squeeze might
> > still be appropriate.
> 
> I've just committed the fix into Git for 4.8.0 currently available in
> experimental (it will go to unstable once Python 2.6 is default).
> 
> Using rpm on Debian for installing binary packages is discouraged in
> various ways, 

Using any distribution using rpm for installing binary packages is
discouraged ;-)

> so the risk is not that high. Because of this I will
> probably delay the upload until more things pop up (e.g. Python 2.6 becoming
> the default in unstable).

I agree the risk is negligible.

There's also another issue reported for rpm, which has been assigned
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2197 :

https://bugzilla.redhat.com/show_bug.cgi?id=125517

This seems like an issue which could also affect a typical use case
of rpm in Debian. However, since the attack vector is very obscure
I don't think we need to fix it in Lenny.

Cheers,
        Moritz




Reply sent to Michal Čihař <nijel@debian.org>:
You have taken responsibility. (Mon, 14 Jun 2010 13:21:04 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Mon, 14 Jun 2010 13:21:04 GMT)


Message #22 received at 584257-close@bugs.debian.org:

From: Michal Čihař <nijel@debian.org>
To: 584257-close@bugs.debian.org
Subject: Bug#584257: fixed in rpm 4.8.1-1
Date: Mon, 14 Jun 2010 13:18:15 +0000
Source: rpm
Source-Version: 4.8.1-1

We believe that the bug you reported is fixed in the latest version of
rpm, which is due to be installed in the Debian FTP archive:

librpm-dbg_4.8.1-1_i386.deb
  to main/r/rpm/librpm-dbg_4.8.1-1_i386.deb
librpm-dev_4.8.1-1_i386.deb
  to main/r/rpm/librpm-dev_4.8.1-1_i386.deb
librpm1_4.8.1-1_i386.deb
  to main/r/rpm/librpm1_4.8.1-1_i386.deb
librpmbuild1_4.8.1-1_i386.deb
  to main/r/rpm/librpmbuild1_4.8.1-1_i386.deb
librpmio1_4.8.1-1_i386.deb
  to main/r/rpm/librpmio1_4.8.1-1_i386.deb
lsb-rpm_4.8.1-1_i386.deb
  to main/r/rpm/lsb-rpm_4.8.1-1_i386.deb
python-rpm_4.8.1-1_i386.deb
  to main/r/rpm/python-rpm_4.8.1-1_i386.deb
rpm-common_4.8.1-1_all.deb
  to main/r/rpm/rpm-common_4.8.1-1_all.deb
rpm-i18n_4.8.1-1_all.deb
  to main/r/rpm/rpm-i18n_4.8.1-1_all.deb
rpm2cpio_4.8.1-1_i386.deb
  to main/r/rpm/rpm2cpio_4.8.1-1_i386.deb
rpm_4.8.1-1.debian.tar.gz
  to main/r/rpm/rpm_4.8.1-1.debian.tar.gz
rpm_4.8.1-1.dsc
  to main/r/rpm/rpm_4.8.1-1.dsc
rpm_4.8.1-1_i386.deb
  to main/r/rpm/rpm_4.8.1-1_i386.deb
rpm_4.8.1.orig.tar.gz
  to main/r/rpm/rpm_4.8.1.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 584257@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michal Čihař <nijel@debian.org> (supplier of updated rpm package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 14 Jun 2010 09:48:08 +0200
Source: rpm
Binary: rpm rpm2cpio rpm-common rpm-i18n lsb-rpm librpm-dbg librpm1 librpmio1 librpmbuild1 librpm-dev python-rpm
Architecture: source all i386
Version: 4.8.1-1
Distribution: experimental
Urgency: low
Maintainer: Michal Čihař <nijel@debian.org>
Changed-By: Michal Čihař <nijel@debian.org>
Description: 
 librpm-dbg - debugging symbols for RPM
 librpm-dev - RPM shared library, development kit
 librpm1    - RPM shared library
 librpmbuild1 - RPM build shared library
 librpmio1  - RPM IO shared library
 lsb-rpm    - RPM Package Manager for LSB package building
 python-rpm - Python bindings for RPM
 rpm        - package manager for RPM
 rpm-common - common files for RPM
 rpm-i18n   - localization and localized man pages for rpm
 rpm2cpio   - tool to convert RPM package to CPIO archive
Closes: 584257
Changes: 
 rpm (4.8.1-1) experimental; urgency=low
 .
   * New upstream release.
     - Fix vulnerability in removing setuid on moved files (Closes: #584257,
       CVE-2010-2059).
     - Safer parsing of spec file (CVE-2010-2197).
   * Build depend on python-all-dev (>= 2.6) and cleanup debian/rules to again
     use all supported versions (which will anyway mean just 2.6).
Checksums-Sha1: 
 84ba288801b7ba933096e9ea7beb245d3ea2f8ce 1770 rpm_4.8.1-1.dsc
 781abc2f532886c0ce0a10088f755938c136e768 4688362 rpm_4.8.1.orig.tar.gz
 3d2e3a76886dd78885d5f0451d1651bd77a90864 65610 rpm_4.8.1-1.debian.tar.gz
 597cb3273a43be12906337273efc045ebec16386 714334 rpm-common_4.8.1-1_all.deb
 81de5f65f2a02a7c3c6adb520cc8f365443bb027 1183916 rpm-i18n_4.8.1-1_all.deb
 c41774bcdee899af29cfdfa258b0ad673edd8f3c 840158 rpm_4.8.1-1_i386.deb
 3f2a591f45dad6c2f7beb91a13b4febc2d72ed70 699036 rpm2cpio_4.8.1-1_i386.deb
 697e0b8c038dffc2b3bea7d968ff7b266ae21e75 1223960 lsb-rpm_4.8.1-1_i386.deb
 04cbcf39e7ca8349417f62c882db46caada46975 2640956 librpm-dbg_4.8.1-1_i386.deb
 ac0cafb8966b7a1c5541bfab17f3aa9cf19e0ba3 879214 librpm1_4.8.1-1_i386.deb
 9e4927b25473b4c1255dde9b725e17fea62ab50c 770306 librpmio1_4.8.1-1_i386.deb
 2f70ab0db95fe1963cbaff85ee851fec5b49edbe 761648 librpmbuild1_4.8.1-1_i386.deb
 80350a2f19ac6f761ce493bd2a21ee4fb8842e53 761892 librpm-dev_4.8.1-1_i386.deb
 8946a10e4782a836cb08601aeb41c04f60fb1761 728026 python-rpm_4.8.1-1_i386.deb
Checksums-Sha256: 
 a9532cc332fb01bd2cbadad1fbd353c43782467fc5f883128f078e2957152727 1770 rpm_4.8.1-1.dsc
 22ba7c2c0e0b74790f7e92c06a2d77becd9a2d5137a98902beadd768be340d44 4688362 rpm_4.8.1.orig.tar.gz
 4cde01226d008271593f99c1a1db83e894ad234dce50105e5c63dfc7bc760de0 65610 rpm_4.8.1-1.debian.tar.gz
 f7fce633de067daf04fc256ce0a24061b32e08a401e15afd642621a89199e75c 714334 rpm-common_4.8.1-1_all.deb
 c9b5871a14efbb984682ab224d6b0ddb5fce727120cff81d0914a82cb8a9c9f4 1183916 rpm-i18n_4.8.1-1_all.deb
 16d471f8f6ea8cb46c5cb6b17f0f0501ff384f83c8a0a23ee03af259d630adf5 840158 rpm_4.8.1-1_i386.deb
 fd04aedb67e3bcd58850306a3a59cc6ae2051f1373d30d3c44d9748bb92fad8b 699036 rpm2cpio_4.8.1-1_i386.deb
 6c9225218314db23cc20dae70376f31e6ff0597048d51144c350a5e81bb424cb 1223960 lsb-rpm_4.8.1-1_i386.deb
 eb32837a8711b3744a1a2bf0cf5207e3d96aedf860671e719143d377f011ecb5 2640956 librpm-dbg_4.8.1-1_i386.deb
 d69518e07ff09ddfb271e22f7d88b7e54638135e85f1618d344f851c96b8a89a 879214 librpm1_4.8.1-1_i386.deb
 1d577cded14c479d8c53721a8dc15fa0c0ba0f1d346208119179d03551fa2b40 770306 librpmio1_4.8.1-1_i386.deb
 c335583ccca87cdb2a0157650c8414dd2ff7e8c0c46a8bde7700423ef8baa73a 761648 librpmbuild1_4.8.1-1_i386.deb
 0b942090786aa401d4586a5a5e838a8dedce3896b33b95ec8d6349f272d75dea 761892 librpm-dev_4.8.1-1_i386.deb
 4cb3b2a90bc7c8de6bbf1920f7b0569652e8f4ffe8c77ffa3d1612454928180b 728026 python-rpm_4.8.1-1_i386.deb
Files: 
 682f46c2decf93c3398ad148cda199dc 1770 admin optional rpm_4.8.1-1.dsc
 34a473e24347d4a7705ffd496539b568 4688362 admin optional rpm_4.8.1.orig.tar.gz
 7a2792c2ba928680579d6e019c60759d 65610 admin optional rpm_4.8.1-1.debian.tar.gz
 e6c0cfdb80a2457fcebd850424afe0a4 714334 admin optional rpm-common_4.8.1-1_all.deb
 1f6faac4d40b197c6f929d512eb0ba35 1183916 localization optional rpm-i18n_4.8.1-1_all.deb
 c8c18a1045fd43808b49a0049e8fd104 840158 admin optional rpm_4.8.1-1_i386.deb
 95cb36d9c3a289bbf80841ebd3de69c6 699036 admin optional rpm2cpio_4.8.1-1_i386.deb
 62e535a49e63227a913d077da63695bf 1223960 devel optional lsb-rpm_4.8.1-1_i386.deb
 2f37118a3965b21e3c43c13a2214035c 2640956 debug extra librpm-dbg_4.8.1-1_i386.deb
 c1f35bc53e90fb99199a8d29a01eb8b1 879214 libs optional librpm1_4.8.1-1_i386.deb
 a82b66a8fdd22ff311c165f59c33787e 770306 libs optional librpmio1_4.8.1-1_i386.deb
 f385c4a8016fa0a8aca2087e467afc62 761648 libs optional librpmbuild1_4.8.1-1_i386.deb
 e357c11263ca3cd5284c6e31f2975e90 761892 libdevel extra librpm-dev_4.8.1-1_i386.deb
 e540a6f0dc766205efcccda786fa661f 728026 python extra python-rpm_4.8.1-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkwWKhUACgkQ3DVS6DbnVgTxKQCgnNgtoIv2pv7rNeK7XU6qQ7r5
tB0AnAmUQVZWZafDOaZ5XOyzkrNDcsDP
=6BJK
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 25 Jul 2010 07:34:18 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:27:46 2019; Machine Name: buxtehude
