acpid: CVE-2009-4235: weak permissions on /var/log/acpid

Related Vulnerabilities: CVE-2009-4235   CVE-2009-4033  

Debian Bug report logs - #560771

Reported by: Raphael Geissert <geissert@debian.org>

Date: Sat, 12 Dec 2009 03:34:02 UTC

Severity: important

Tags: security

Found in version acpid/1.0.4-5

Fixed in version acpid/1.0.10-5

Done: Michael Meskes <meskes@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Acpi Team <pkg-acpi-devel@lists.alioth.debian.org>:
Bug#560771; Package acpid. (Sat, 12 Dec 2009 03:34:05 GMT) (full text, mbox, link).


Message #3 received at submit@bugs.debian.org (full text, mbox, reply):

From: Raphael Geissert <geissert@debian.org>
To: submit@bugs.debian.org
Subject: acpid: CVE-2009-4235: weak permissions on /var/log/acpid
Date: Fri, 11 Dec 2009 21:23:58 -0600
Package: acpid
Version: 1.0.4-5
Severity: grave
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for acpid.

CVE-2009-4235[0]:
| acpid 1.0.4 sets an unrestrictive umask, which might allow local users
| to leverage weak permissions on /var/log/acpid, and obtain sensitive
| information by reading this file or cause a denial of service by
| overwriting this file, a different vulnerability than CVE-2009-4033.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

The vulnerability only seems to affect oldstable, but I noticed that none of 
the versions remove the log file, so the permissions of the file need to be 
fixed by all the other versions.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4235
    http://security-tracker.debian.org/tracker/CVE-2009-4235

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Acpi Team <pkg-acpi-devel@lists.alioth.debian.org>:
Bug#560771; Package acpid. (Sat, 12 Dec 2009 19:03:05 GMT) (full text, mbox, link).


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Acpi Team <pkg-acpi-devel@lists.alioth.debian.org>. (Sat, 12 Dec 2009 19:03:05 GMT) (full text, mbox, link).


Message #8 received at 560771@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>
To: Raphael Geissert <geissert@debian.org>, 560771@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#560771: acpid: CVE-2009-4235: weak permissions on /var/log/acpid
Date: Sat, 12 Dec 2009 19:53:09 +0100
[Message part 1 (text/plain, inline)]
severity 560771 important
thanks

* Raphael Geissert <geissert@debian.org> [2009-12-12 13:23]:
> Package: acpid
> Version: 1.0.4-5
> Severity: grave
> Tags: security
> 
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for acpid.
> 
> CVE-2009-4235[0]:
> | acpid 1.0.4 sets an unrestrictive umask, which might allow local users
> | to leverage weak permissions on /var/log/acpid, and obtain sensitive
> | information by reading this file or cause a denial of service by
> | overwriting this file, a different vulnerability than CVE-2009-4033.
> 
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.
> 
> The vulnerability only seems to affect oldstable, but I noticed that none of 
> the versions remove the log file, so the permissions of the file need to be 
> fixed by all the other versions.

Lowering the severity as in a typical use case this file does not carry 
sensitive information and is probably also not used in many scenarios where 
the DoS vector is of great relevance.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Severity set to 'important' from 'grave' Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Sat, 12 Dec 2009 19:03:06 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Acpi Team <pkg-acpi-devel@lists.alioth.debian.org>:
Bug#560771; Package acpid. (Sat, 12 Dec 2009 19:12:02 GMT) (full text, mbox, link).


Acknowledgement sent to Raphael Geissert <geissert@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Acpi Team <pkg-acpi-devel@lists.alioth.debian.org>. (Sat, 12 Dec 2009 19:12:02 GMT) (full text, mbox, link).


Message #15 received at 560771@bugs.debian.org (full text, mbox, reply):

From: Raphael Geissert <geissert@debian.org>
To: Nico Golde <nion@debian.org>
Cc: 560771@bugs.debian.org
Subject: Re: Bug#560771: acpid: CVE-2009-4235: weak permissions on /var/log/acpid
Date: Sat, 12 Dec 2009 13:10:38 -0600
2009/12/12 Nico Golde <nion@debian.org>:
> severity 560771 important
> thanks
>
> * Raphael Geissert <geissert@debian.org> [2009-12-12 13:23]:
>> Package: acpid
>> Version: 1.0.4-5
>> Severity: grave
>> Tags: security
>>
>> Hi,
>> the following CVE (Common Vulnerabilities & Exposures) id was
>> published for acpid.
>>
>> CVE-2009-4235[0]:
>> | acpid 1.0.4 sets an unrestrictive umask, which might allow local users
>> | to leverage weak permissions on /var/log/acpid, and obtain sensitive
>> | information by reading this file or cause a denial of service by
>> | overwriting this file, a different vulnerability than CVE-2009-4033.
>>
>> If you fix the vulnerability please also make sure to include the
>> CVE id in your changelog entry.
>>
>> The vulnerability only seems to affect oldstable, but I noticed that none of
>> the versions remove the log file, so the permissions of the file need to be
>> fixed by all the other versions.
>
> Lowering the severity as in a typical use case this file does not carry
> sensitive information and is probably also not used in many scenarios where
> the DoS vector is of great relevance.

Ok, although it can still be (ab)used to fill the partition where the
log file is stored.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Acpi Team <pkg-acpi-devel@lists.alioth.debian.org>:
Bug#560771; Package acpid. (Sat, 12 Dec 2009 19:15:03 GMT) (full text, mbox, link).


Acknowledgement sent to Michael Meskes <meskes@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Acpi Team <pkg-acpi-devel@lists.alioth.debian.org>. (Sat, 12 Dec 2009 19:15:03 GMT) (full text, mbox, link).


Message #20 received at 560771@bugs.debian.org (full text, mbox, reply):

From: Michael Meskes <meskes@debian.org>
To: Raphael Geissert <geissert@debian.org>, 560771@bugs.debian.org
Subject: Re: [Pkg-acpi-devel] Bug#560771: acpid: CVE-2009-4235: weak permissions on /var/log/acpid
Date: Sat, 12 Dec 2009 20:13:09 +0100
On Fri, Dec 11, 2009 at 09:23:58PM -0600, Raphael Geissert wrote:
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for acpid.
> 
> CVE-2009-4235[0]:
> | acpid 1.0.4 sets an unrestrictive umask, which might allow local users
> | to leverage weak permissions on /var/log/acpid, and obtain sensitive
> | information by reading this file or cause a denial of service by
> | overwriting this file, a different vulnerability than CVE-2009-4033.

This functionality was removed when going to version 1.0.6 which happened on
September 18th, 2007.

> The vulnerability only seems to affect oldstable, but I noticed that none of 
> the versions remove the log file, so the permissions of the file need to be 
> fixed by all the other versions.

The file hasn't been used for more than 2 years and probably does not contain
sensible information at all. Anyway all information therein is probably
outdated. Shall we still release a new version deleting that file for
all versions?

Besides, I do not have an etch system anymore, so help is needed. 

Michael
-- 
Michael Meskes
Michael at Fam-Meskes dot De, Michael at Meskes dot (De|Com|Net|Org)
Michael at BorussiaFan dot De, Meskes at (Debian|Postgresql) dot Org
ICQ: 179140304, AIM/Yahoo/Skype: michaelmeskes, Jabber: meskes@jabber.org
VfL Borussia! Forca Barca! Go SF 49ers! Use: Debian GNU/Linux, PostgreSQL




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Acpi Team <pkg-acpi-devel@lists.alioth.debian.org>:
Bug#560771; Package acpid. (Sat, 12 Dec 2009 19:24:03 GMT) (full text, mbox, link).


Acknowledgement sent to Raphael Geissert <geissert@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Acpi Team <pkg-acpi-devel@lists.alioth.debian.org>. (Sat, 12 Dec 2009 19:24:03 GMT) (full text, mbox, link).


Message #25 received at 560771@bugs.debian.org (full text, mbox, reply):

From: Raphael Geissert <geissert@debian.org>
To: 560771@bugs.debian.org
Subject: Re: [Pkg-acpi-devel] Bug#560771: acpid: CVE-2009-4235: weak permissions on /var/log/acpid
Date: Sat, 12 Dec 2009 13:22:41 -0600
2009/12/12 Michael Meskes <meskes@debian.org>:
> On Fri, Dec 11, 2009 at 09:23:58PM -0600, Raphael Geissert wrote:
>> the following CVE (Common Vulnerabilities & Exposures) id was
>> published for acpid.
>>
>> CVE-2009-4235[0]:
>> | acpid 1.0.4 sets an unrestrictive umask, which might allow local users
>> | to leverage weak permissions on /var/log/acpid, and obtain sensitive
>> | information by reading this file or cause a denial of service by
>> | overwriting this file, a different vulnerability than CVE-2009-4033.
>
> This functionality was removed when going to version 1.0.6 which happened on
> September 18th, 2007.
>
>> The vulnerability only seems to affect oldstable, but I noticed that none of
>> the versions remove the log file, so the permissions of the file need to be
>> fixed by all the other versions.
>
> The file hasn't been used for more than 2 years and probably does not contain
> sensible information at all. Anyway all information therein is probably
> outdated. Shall we still release a new version deleting that file for
> all versions?

The problem is not just the information it may (or not) contain, but
the file permissions.
If the file isn't removed, or the permissions corrected, it is
possible for a local user to fill the file until the partition runs
out of space. This could lead to missing log entries from other
daemons as there's no space left.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Acpi Team <pkg-acpi-devel@lists.alioth.debian.org>:
Bug#560771; Package acpid. (Sun, 13 Dec 2009 02:00:03 GMT) (full text, mbox, link).


Acknowledgement sent to Ted Felix <ted@tedfelix.com>:
Extra info received and forwarded to list. Copy sent to Debian Acpi Team <pkg-acpi-devel@lists.alioth.debian.org>. (Sun, 13 Dec 2009 02:00:03 GMT) (full text, mbox, link).


Message #30 received at 560771@bugs.debian.org (full text, mbox, reply):

From: Ted Felix <ted@tedfelix.com>
To: Raphael Geissert <geissert@debian.org>, 560771@bugs.debian.org
Subject: Re: Bug#560771: [Pkg-acpi-devel] Bug#560771: acpid: CVE-2009-4235: weak permissions on /var/log/acpid
Date: Sat, 12 Dec 2009 20:57:56 -0500
 Looks like the problem is in this line from open_logs():

logfd = open(logfile, O_WRONLY|O_CREAT|O_APPEND);

 It should be this:

logfd = open(logfile, O_WRONLY|O_CREAT|O_APPEND, 0640);

 And (theoretically, as I've not tested it) the problem is solved.

 As mentioned, this doesn't fix any existing log files that are hanging 
around, so maybe we need more code to destroy any old log file that has 
questionable permissions?  Is etch still even supported?  I'm not 
running etch, but if someone else is, perhaps they can test my releases?

 What would you like me to do?

Ted.

Raphael Geissert wrote:
> 2009/12/12 Michael Meskes <meskes@debian.org>:
>   
>> On Fri, Dec 11, 2009 at 09:23:58PM -0600, Raphael Geissert wrote:
>>     
>>> the following CVE (Common Vulnerabilities & Exposures) id was
>>> published for acpid.
>>>
>>> CVE-2009-4235[0]:
>>> | acpid 1.0.4 sets an unrestrictive umask, which might allow local users
>>> | to leverage weak permissions on /var/log/acpid, and obtain sensitive
>>> | information by reading this file or cause a denial of service by
>>> | overwriting this file, a different vulnerability than CVE-2009-4033.
>>>       
>> This functionality was removed when going to version 1.0.6 which happened on
>> September 18th, 2007.
>>
>>     
>>> The vulnerability only seems to affect oldstable, but I noticed that none of
>>> the versions remove the log file, so the permissions of the file need to be
>>> fixed by all the other versions.
>>>       
>> The file hasn't been used for more than 2 years and probably does not contain
>> sensible information at all. Anyway all information therein is probably
>> outdated. Shall we still release a new version deleting that file for
>> all versions?
>>     
>
> The problem is not just the information it may (or not) contain, but
> the file permissions.
> If the file isn't removed, or the permissions corrected, it is
> possible for a local user to fill the file until the partition runs
> out of space. This could lead to missing log entries from other
> daemons as there's no space left.
>
> Cheers,
>   




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Acpi Team <pkg-acpi-devel@lists.alioth.debian.org>:
Bug#560771; Package acpid. (Mon, 14 Dec 2009 03:45:02 GMT) (full text, mbox, link).


Acknowledgement sent to Raphael Geissert <geissert@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Acpi Team <pkg-acpi-devel@lists.alioth.debian.org>. (Mon, 14 Dec 2009 03:45:02 GMT) (full text, mbox, link).


Message #35 received at 560771@bugs.debian.org (full text, mbox, reply):

From: Raphael Geissert <geissert@debian.org>
To: 560771@bugs.debian.org
Subject: Re: Bug#560771: [Pkg-acpi-devel] Bug#560771: acpid: CVE-2009-4235: weak permissions on /var/log/acpid
Date: Sun, 13 Dec 2009 21:42:58 -0600
Hi,

2009/12/12 Ted Felix <ted@tedfelix.com>:
>  Looks like the problem is in this line from open_logs():
>
> logfd = open(logfile, O_WRONLY|O_CREAT|O_APPEND);
>
>  It should be this:
>
> logfd = open(logfile, O_WRONLY|O_CREAT|O_APPEND, 0640);
>
>  And (theoretically, as I've not tested it) the problem is solved.

Yes, the third argument is needed when using O_CREAT.

>
>  As mentioned, this doesn't fix any existing log files that are hanging
> around, so maybe we need more code to destroy any old log file that has
> questionable permissions?

I don't think removing it is appropriate. Logs are never removed by packages.

> Is etch still even supported?

Yes, security support ends in February next year.

> I'm not running
> etch, but if someone else is, perhaps they can test my releases?
>

I don't have a machine with etch at hand, but I guess I still have a
vm with acpid installed on another machine.

>  What would you like me to do?
>

I think the best approach is to prepare uploads for unstable and
stable (via stable-proposed-updates) fixing the permissions of the
file, and an upload for oldstable (via oldstable-security) that fixes
both the permissions and the open(2) call.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
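
The two fixes agreed on in the messages above (an explicit mode argument to open(2) when O_CREAT is used, and corrected permissions on a log file left behind by an old version), as an added C example that is not acpid's or Debian's code. The names `open_log_hardened`, `resulting_mode` and `LOG_MODE` and the temporary path are assumptions; 0640 is the mode proposed in the thread.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define LOG_MODE 0640   /* mode proposed in the thread */

/*
 * Open a log file for appending.
 * - O_CREAT always gets an explicit mode; without the third argument the
 *   mode of a newly created file is indeterminate.
 * - A file that already exists keeps its old mode across open(), so any
 *   permission bit outside LOG_MODE is stripped with fchmod().
 * Returns the descriptor, or -1 on error.
 */
int open_log_hardened(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND, LOG_MODE);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return -1;
    }
    if ((st.st_mode & 07777 & ~LOG_MODE) != 0 &&
        fchmod(fd, st.st_mode & LOG_MODE) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/*
 * Demonstration helper (hypothetical): run open_log_hardened() on a file in
 * a fresh temporary directory with umask 0, modelling the unrestrictive
 * umask named in the CVE text. legacy_mode >= 0 first creates a leftover
 * file with exactly that mode; -1 means no file exists yet.
 * Returns the permission bits after the call, or -1 on error.
 */
int resulting_mode(int legacy_mode)
{
    char dir[] = "/tmp/acpid-demo-XXXXXX";   /* constructed path */
    char path[64];
    struct stat st;
    int fd, result = -1;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(path, sizeof path, "%s/acpid", dir);

    mode_t old = umask(0);
    if (legacy_mode >= 0) {
        fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
        if (fd >= 0) {
            fchmod(fd, (mode_t)legacy_mode);
            close(fd);
        }
    }
    fd = open_log_hardened(path);
    if (fd >= 0) {
        if (fstat(fd, &st) == 0)
            result = (int)(st.st_mode & 07777);
        close(fd);
    }
    umask(old);
    unlink(path);
    rmdir(dir);
    return result;
}
```
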




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Acpi Team <pkg-acpi-devel@lists.alioth.debian.org>:
Bug#560771; Package acpid. (Mon, 14 Dec 2009 19:36:03 GMT) (full text, mbox, link).


Acknowledgement sent to Michael Meskes <meskes@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Acpi Team <pkg-acpi-devel@lists.alioth.debian.org>. (Mon, 14 Dec 2009 19:36:03 GMT) (full text, mbox, link).


Message #40 received at 560771@bugs.debian.org (full text, mbox, reply):

From: Michael Meskes <meskes@debian.org>
To: Raphael Geissert <geissert@debian.org>, 560771@bugs.debian.org
Cc: Ted Felix <ted@tedfelix.com>
Subject: Re: Bug#560771: [Pkg-acpi-devel] Bug#560771: acpid: CVE-2009-4235: weak permissions on /var/log/acpid
Date: Mon, 14 Dec 2009 20:33:50 +0100
On Sun, Dec 13, 2009 at 09:42:58PM -0600, Raphael Geissert wrote:
> I think the best approach is to prepare uploads for unstable and
> stable (via stable-proposed-updates) fixing the permissions of the

Why only proposed-updates and not security?

> file, and an upload for oldstable (via oldstable-security) that fixes
> both the permissions and the open(2) call.

But security here?

Michael
-- 
Michael Meskes
Michael at Fam-Meskes dot De, Michael at Meskes dot (De|Com|Net|Org)
Michael at BorussiaFan dot De, Meskes at (Debian|Postgresql) dot Org
ICQ: 179140304, AIM/Yahoo/Skype: michaelmeskes, Jabber: meskes@jabber.org
VfL Borussia! Forca Barca! Go SF 49ers! Use: Debian GNU/Linux, PostgreSQL




Reply sent to Michael Meskes <meskes@debian.org>:
You have taken responsibility. (Tue, 15 Dec 2009 12:36:12 GMT) (full text, mbox, link).


Notification sent to Raphael Geissert <geissert@debian.org>:
Bug acknowledged by developer. (Tue, 15 Dec 2009 12:36:12 GMT) (full text, mbox, link).


Message #45 received at 560771-close@bugs.debian.org (full text, mbox, reply):

From: Michael Meskes <meskes@debian.org>
To: 560771-close@bugs.debian.org
Subject: Bug#560771: fixed in acpid 1.0.10-5
Date: Tue, 15 Dec 2009 12:32:07 +0000
Source: acpid
Source-Version: 1.0.10-5

We believe that the bug you reported is fixed in the latest version of
acpid, which is due to be installed in the Debian FTP archive:

acpid_1.0.10-5.diff.gz
  to main/a/acpid/acpid_1.0.10-5.diff.gz
acpid_1.0.10-5.dsc
  to main/a/acpid/acpid_1.0.10-5.dsc
acpid_1.0.10-5_amd64.deb
  to main/a/acpid/acpid_1.0.10-5_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 560771@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Meskes <meskes@debian.org> (supplier of updated acpid package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Tue, 15 Dec 2009 13:11:29 +0100
Source: acpid
Binary: acpid
Architecture: source amd64
Version: 1.0.10-5
Distribution: unstable
Urgency: high
Maintainer: Debian Acpi Team <pkg-acpi-devel@lists.alioth.debian.org>
Changed-By: Michael Meskes <meskes@debian.org>
Description: 
 acpid      - Advanced Configuration and Power Interface event daemon
Closes: 560771
Changes: 
 acpid (1.0.10-5) unstable; urgency=high
 .
   * Correct permissions that were incorrectly set by very old acpid versions.
     This fixes CVE-2009-4235. (Closes: #560771)





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Acpi Team <pkg-acpi-devel@lists.alioth.debian.org>:
Bug#560771; Package acpid. (Tue, 15 Dec 2009 20:57:05 GMT) (full text, mbox, link).


Acknowledgement sent to Raphael Geissert <geissert@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Acpi Team <pkg-acpi-devel@lists.alioth.debian.org>. (Tue, 15 Dec 2009 20:57:05 GMT) (full text, mbox, link).


Message #50 received at 560771@bugs.debian.org (full text, mbox, reply):

From: Raphael Geissert <geissert@debian.org>
To: 560771@bugs.debian.org
Subject: Re: Bug#560771: [Pkg-acpi-devel] Bug#560771: acpid: CVE-2009-4235: weak permissions on /var/log/acpid
Date: Tue, 15 Dec 2009 14:56:19 -0600
2009/12/14 Michael Meskes <meskes@debian.org>:
> On Sun, Dec 13, 2009 at 09:42:58PM -0600, Raphael Geissert wrote:
>> I think the best approach is to prepare uploads for unstable and
>> stable (via stable-proposed-updates) fixing the permissions of the
>
> Why only proposed-updates and not security?
>
>> file, and an upload for oldstable (via oldstable-security) that fixes
>> both the permissions and the open(2) call.
>
> But security here?
>

Reconsidering, both are going through the security repository.

Could you please prepare the packages and send the debdiff to team@?

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Acpi Team <pkg-acpi-devel@lists.alioth.debian.org>:
Bug#560771; Package acpid. (Wed, 16 Dec 2009 08:27:03 GMT) (full text, mbox, link).


Acknowledgement sent to Michael Meskes <meskes@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Acpi Team <pkg-acpi-devel@lists.alioth.debian.org>. (Wed, 16 Dec 2009 08:27:03 GMT) (full text, mbox, link).


Message #55 received at 560771@bugs.debian.org (full text, mbox, reply):

From: Michael Meskes <meskes@debian.org>
To: Raphael Geissert <geissert@debian.org>, 560771@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: [Pkg-acpi-devel] Bug#560771: Bug#560771: acpid: CVE-2009-4235: weak permissions on /var/log/acpid
Date: Wed, 16 Dec 2009 09:22:08 +0100
[Message part 1 (text/plain, inline)]
On Tue, Dec 15, 2009 at 02:56:19PM -0600, Raphael Geissert wrote:
> Reconsidering, both are going through the security repository.

I already uploaded the Lenny version to proposed-updates. Should I re-up?

> Could you please prepare the packages and send the debdiff to team@?

The Lenny debdiff is attached.

Michael
-- 
Michael Meskes
Michael at Fam-Meskes dot De, Michael at Meskes dot (De|Com|Net|Org)
Michael at BorussiaFan dot De, Meskes at (Debian|Postgresql) dot Org
ICQ: 179140304, AIM/Yahoo/Skype: michaelmeskes, Jabber: meskes@jabber.org
VfL Borussia! Forca Barca! Go SF 49ers! Use: Debian GNU/Linux, PostgreSQL
[acpid_lenny.diff (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Acpi Team <pkg-acpi-devel@lists.alioth.debian.org>:
Bug#560771; Package acpid. (Thu, 17 Dec 2009 05:42:03 GMT) (full text, mbox, link).


Acknowledgement sent to Raphael Geissert <geissert@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Acpi Team <pkg-acpi-devel@lists.alioth.debian.org>. (Thu, 17 Dec 2009 05:42:03 GMT) (full text, mbox, link).


Message #60 received at 560771@bugs.debian.org (full text, mbox, reply):

From: Raphael Geissert <geissert@debian.org>
To: Michael Meskes <meskes@debian.org>
Cc: 560771@bugs.debian.org, team@security.debian.org
Subject: Re: [Pkg-acpi-devel] Bug#560771: Bug#560771: acpid: CVE-2009-4235: weak permissions on /var/log/acpid
Date: Wed, 16 Dec 2009 23:40:54 -0600
Hi,

2009/12/16 Michael Meskes <meskes@debian.org>:
> On Tue, Dec 15, 2009 at 02:56:19PM -0600, Raphael Geissert wrote:
>> Reconsidering, both are going through the security repository.
>
> I already uploaded the Lenny version to proposed-updates. Should I re-up?
>

I already requested its rejection.

>> Could you please prepare the packages and send the debdiff to team@?
>
> The Lenny debdiff is attached.
>

Thanks.

The DSA should be released any time soon.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 18 Jan 2010 07:37:50 GMT) (full text, mbox, link).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:23:35 2019; Machine Name: beach
