Debian Bug report logs -
#560771
acpid: CVE-2009-4235: weak permissions on /var/log/acpid
Reported by: Raphael Geissert <geissert@debian.org>
Date: Sat, 12 Dec 2009 03:34:02 UTC
Severity: important
Tags: security
Found in version acpid/1.0.4-5
Fixed in version acpid/1.0.10-5
Done: Michael Meskes <meskes@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Acpi Team <pkg-acpi-devel@lists.alioth.debian.org>: Bug#560771; Package acpid. (Sat, 12 Dec 2009 03:34:05 GMT)
Message #3 received at submit@bugs.debian.org:
Package: acpid
Version: 1.0.4-5
Severity: grave
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for acpid.
CVE-2009-4235[0]:
| acpid 1.0.4 sets an unrestrictive umask, which might allow local users
| to leverage weak permissions on /var/log/acpid, and obtain sensitive
| information by reading this file or cause a denial of service by
| overwriting this file, a different vulnerability than CVE-2009-4033.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
The vulnerability only seems to affect oldstable, but I noticed that none of
the versions remove the log file, so the permissions of the file need to be
fixed by all the other versions.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4235
http://security-tracker.debian.org/tracker/CVE-2009-4235
Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Acpi Team <pkg-acpi-devel@lists.alioth.debian.org>: Bug#560771; Package acpid. (Sat, 12 Dec 2009 19:03:05 GMT)
Acknowledgement sent to Nico Golde <nion@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Acpi Team <pkg-acpi-devel@lists.alioth.debian.org>. (Sat, 12 Dec 2009 19:03:05 GMT)
Message #8 received at 560771@bugs.debian.org:
severity 560771 important
thanks
* Raphael Geissert <geissert@debian.org> [2009-12-12 13:23]:
> Package: acpid
> Version: 1.0.4-5
> Severity: grave
> Tags: security
>
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for acpid.
>
> CVE-2009-4235[0]:
> | acpid 1.0.4 sets an unrestrictive umask, which might allow local users
> | to leverage weak permissions on /var/log/acpid, and obtain sensitive
> | information by reading this file or cause a denial of service by
> | overwriting this file, a different vulnerability than CVE-2009-4033.
>
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.
>
> The vulnerability only seems to affect oldstable, but I noticed that none of
> the versions remove the log file, so the permissions of the file need to be
> fixed by all the other versions.
Lowering the severity as in a typical use case this file does not carry
sensitive information and is probably also not used in many scenarios where
the DoS vector is of great relevance.
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
Severity set to 'important' from 'grave'. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Sat, 12 Dec 2009 19:03:06 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Acpi Team <pkg-acpi-devel@lists.alioth.debian.org>: Bug#560771; Package acpid. (Sat, 12 Dec 2009 19:12:02 GMT)
Acknowledgement sent to Raphael Geissert <geissert@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Acpi Team <pkg-acpi-devel@lists.alioth.debian.org>. (Sat, 12 Dec 2009 19:12:02 GMT)
Message #15 received at 560771@bugs.debian.org:
2009/12/12 Nico Golde <nion@debian.org>:
> severity 560771 important
> thanks
>
> * Raphael Geissert <geissert@debian.org> [2009-12-12 13:23]:
>> Package: acpid
>> Version: 1.0.4-5
>> Severity: grave
>> Tags: security
>>
>> Hi,
>> the following CVE (Common Vulnerabilities & Exposures) id was
>> published for acpid.
>>
>> CVE-2009-4235[0]:
>> | acpid 1.0.4 sets an unrestrictive umask, which might allow local users
>> | to leverage weak permissions on /var/log/acpid, and obtain sensitive
>> | information by reading this file or cause a denial of service by
>> | overwriting this file, a different vulnerability than CVE-2009-4033.
>>
>> If you fix the vulnerability please also make sure to include the
>> CVE id in your changelog entry.
>>
>> The vulnerability only seems to affect oldstable, but I noticed that none of
>> the versions remove the log file, so the permissions of the file need to be
>> fixed by all the other versions.
>
> Lowering the severity as in a typical use case this file does not carry
> sensitive information and is probably also not used in many scenarios where
> the DoS vector is of great relevance.
Ok, although it can still be (ab)used to fill the partition where the
log file is stored.
Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Acpi Team <pkg-acpi-devel@lists.alioth.debian.org>: Bug#560771; Package acpid. (Sat, 12 Dec 2009 19:15:03 GMT)
Acknowledgement sent to Michael Meskes <meskes@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Acpi Team <pkg-acpi-devel@lists.alioth.debian.org>. (Sat, 12 Dec 2009 19:15:03 GMT)
Message #20 received at 560771@bugs.debian.org:
On Fri, Dec 11, 2009 at 09:23:58PM -0600, Raphael Geissert wrote:
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for acpid.
>
> CVE-2009-4235[0]:
> | acpid 1.0.4 sets an unrestrictive umask, which might allow local users
> | to leverage weak permissions on /var/log/acpid, and obtain sensitive
> | information by reading this file or cause a denial of service by
> | overwriting this file, a different vulnerability than CVE-2009-4033.
This functionality was removed when going to version 1.0.6 which happened on
September 18th, 2007.
> The vulnerability only seems to affect oldstable, but I noticed that none of
> the versions remove the log file, so the permissions of the file need to be
> fixed by all the other versions.
The file hasn't been used for more than 2 years and probably does not contain
sensible information at all. Anyway all information therein is probably
outdated. Shall we still release a new version deleting that file for
all versions?
Besides, I do not have an etch system anymore, so help is needed.
Michael
--
Michael Meskes
Michael at Fam-Meskes dot De, Michael at Meskes dot (De|Com|Net|Org)
Michael at BorussiaFan dot De, Meskes at (Debian|Postgresql) dot Org
ICQ: 179140304, AIM/Yahoo/Skype: michaelmeskes, Jabber: meskes@jabber.org
VfL Borussia! Forca Barca! Go SF 49ers! Use: Debian GNU/Linux, PostgreSQL
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Acpi Team <pkg-acpi-devel@lists.alioth.debian.org>: Bug#560771; Package acpid. (Sat, 12 Dec 2009 19:24:03 GMT)
Acknowledgement sent to Raphael Geissert <geissert@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Acpi Team <pkg-acpi-devel@lists.alioth.debian.org>. (Sat, 12 Dec 2009 19:24:03 GMT)
Message #25 received at 560771@bugs.debian.org:
2009/12/12 Michael Meskes <meskes@debian.org>:
> On Fri, Dec 11, 2009 at 09:23:58PM -0600, Raphael Geissert wrote:
>> the following CVE (Common Vulnerabilities & Exposures) id was
>> published for acpid.
>>
>> CVE-2009-4235[0]:
>> | acpid 1.0.4 sets an unrestrictive umask, which might allow local users
>> | to leverage weak permissions on /var/log/acpid, and obtain sensitive
>> | information by reading this file or cause a denial of service by
>> | overwriting this file, a different vulnerability than CVE-2009-4033.
>
> This functionality was removed when going to version 1.0.6 which happened on
> September 18th, 2007.
>
>> The vulnerability only seems to affect oldstable, but I noticed that none of
>> the versions remove the log file, so the permissions of the file need to be
>> fixed by all the other versions.
>
> The file hasn't been used for more than 2 years and probably does not contain
> sensible information at all. Anyway all information therein is probably
> outdated. Shall we still release a new version deleting that file for
> all versions?
The problem is not just the information it may (or not) contain, but
the file permissions.
If the file isn't removed, or the permissions corrected, it is
possible for a local user to fill the file until the partition runs
out of space. This could lead to missing log entries from other
daemons as there's no space left.
Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Acpi Team <pkg-acpi-devel@lists.alioth.debian.org>: Bug#560771; Package acpid. (Sun, 13 Dec 2009 02:00:03 GMT)
Acknowledgement sent to Ted Felix <ted@tedfelix.com>: Extra info received and forwarded to list. Copy sent to Debian Acpi Team <pkg-acpi-devel@lists.alioth.debian.org>. (Sun, 13 Dec 2009 02:00:03 GMT)
Message #30 received at 560771@bugs.debian.org:
Looks like the problem is in this line from open_logs():

    logfd = open(logfile, O_WRONLY|O_CREAT|O_APPEND);

It should be this:

    logfd = open(logfile, O_WRONLY|O_CREAT|O_APPEND, 0640);

And (theoretically, as I've not tested it) the problem is solved.
As mentioned, this doesn't fix any existing log files that are hanging
around, so maybe we need more code to destroy any old log file that has
questionable permissions? Is etch still even supported? I'm not
running etch, but if someone else is, perhaps they can test my releases?
What would you like me to do?
Ted.
Raphael Geissert wrote:
> 2009/12/12 Michael Meskes <meskes@debian.org>:
>
>> On Fri, Dec 11, 2009 at 09:23:58PM -0600, Raphael Geissert wrote:
>>
>>> the following CVE (Common Vulnerabilities & Exposures) id was
>>> published for acpid.
>>>
>>> CVE-2009-4235[0]:
>>> | acpid 1.0.4 sets an unrestrictive umask, which might allow local users
>>> | to leverage weak permissions on /var/log/acpid, and obtain sensitive
>>> | information by reading this file or cause a denial of service by
>>> | overwriting this file, a different vulnerability than CVE-2009-4033.
>>>
>> This functionality was removed when going to version 1.0.6 which happened on
>> September 18th, 2007.
>>
>>
>>> The vulnerability only seems to affect oldstable, but I noticed that none of
>>> the versions remove the log file, so the permissions of the file need to be
>>> fixed by all the other versions.
>>>
>> The file hasn't been used for more than 2 years and probably does not contain
>> sensible information at all. Anyway all information therein is probably
>> outdated. Shall we still release a new version deleting that file for
>> all versions?
>>
>
> The problem is not just the information it may (or not) contain, but
> the file permissions.
> If the file isn't removed, or the permissions corrected, it is
> possible for a local user to fill the file until the partition runs
> out of space. This could lead to missing log entries from other
> daemons as there's no space left.
>
> Cheers,
>
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Acpi Team <pkg-acpi-devel@lists.alioth.debian.org>: Bug#560771; Package acpid. (Mon, 14 Dec 2009 03:45:02 GMT)
Acknowledgement sent to Raphael Geissert <geissert@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Acpi Team <pkg-acpi-devel@lists.alioth.debian.org>. (Mon, 14 Dec 2009 03:45:02 GMT)
Message #35 received at 560771@bugs.debian.org:
Hi,
2009/12/12 Ted Felix <ted@tedfelix.com>:
> Looks like the problem is in this line from open_logs():
>
> logfd = open(logfile, O_WRONLY|O_CREAT|O_APPEND);
>
> It should be this:
>
> logfd = open(logfile, O_WRONLY|O_CREAT|O_APPEND, 0640);
>
> And (theoretically, as I've not tested it) the problem is solved.
Yes, the third argument is needed when using O_CREAT.
>
> As mentioned, this doesn't fix any existing log files that are hanging
> around, so maybe we need more code to destroy any old log file that has
> questionable permissions?
I don't think removing it is appropriate. Logs are never removed by packages.
> Is etch still even supported?
Yes, security support ends in February next year.
> I'm not running
> etch, but if someone else is, perhaps they can test my releases?
>
I don't have a machine with etch at hand, but I guess I still have a
vm with acpid installed on another machine.
> What would you like me to do?
>
I think the best approach is to prepare uploads for unstable and
stable (via stable-proposed-updates) fixing the permissions of the
file, and an upload for oldstable (via oldstable-security) that fixes
both the permissions and the open(2) call.
Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
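Added example (not from the bug thread or acpid's source): the two fixes discussed above in C, passing an explicit mode to open(2) with O_CREAT and tightening a pre-existing log file through the open descriptor. open_log_secure(), mode_of() and LOG_MODE are hypothetical names; 0640 is the mode proposed in the thread, and the sample file under /tmp is constructed.

```c
/* Added example, not acpid source: open_log_secure(), mode_of() and
 * LOG_MODE are hypothetical names. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L /* fchmod(), mkstemp() under strict -std */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define LOG_MODE 0640 /* mode proposed in the thread */

/* Permission bits of path, or -1 if it cannot be stat()ed. */
int mode_of(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (int)(st.st_mode & 07777) : -1;
}

/* Open a log for appending. Returns the descriptor, or -1 on failure. */
int open_log_secure(const char *path)
{
    struct stat st;
    /* With O_CREAT the third argument is mandatory: without it the mode
     * of a newly created file is not defined by the caller at all. */
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND, LOG_MODE);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return -1;
    }
    /* The mode argument only applies when the file is created. A log left
     * behind by an older version keeps its bits, so drop everything
     * outside LOG_MODE on the descriptor we just opened. */
    if ((st.st_mode & 07777 & ~LOG_MODE) != 0 &&
        fchmod(fd, st.st_mode & LOG_MODE) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(void)
{
    char path[] = "/tmp/acpid-example-XXXXXX"; /* constructed sample file */
    int tmp = mkstemp(path);
    if (tmp < 0)
        return 1;
    close(tmp);
    if (chmod(path, 0666) != 0) /* simulate a leftover log with weak permissions */
        return 1;
    printf("before: %04o\n", (unsigned)mode_of(path));
    int fd = open_log_secure(path);
    printf("after:  %04o\n", (unsigned)mode_of(path));
    if (fd >= 0)
        close(fd);
    unlink(path);
    return fd >= 0 ? 0 : 1;
}
```

Using fchmod() on the descriptor rather than chmod() on the path means the permission change applies to the same file that was opened.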
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Acpi Team <pkg-acpi-devel@lists.alioth.debian.org>: Bug#560771; Package acpid. (Mon, 14 Dec 2009 19:36:03 GMT)
Acknowledgement sent to Michael Meskes <meskes@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Acpi Team <pkg-acpi-devel@lists.alioth.debian.org>. (Mon, 14 Dec 2009 19:36:03 GMT)
Message #40 received at 560771@bugs.debian.org:
On Sun, Dec 13, 2009 at 09:42:58PM -0600, Raphael Geissert wrote:
> I think the best approach is to prepare uploads for unstable and
> stable (via stable-proposed-updates) fixing the permissions of the
Why only proposed-updates and not security?
> file, and an upload for oldstable (via oldstable-security) that fixes
> both the permissions and the open(2) call.
But security here?
Michael
--
Michael Meskes
Michael at Fam-Meskes dot De, Michael at Meskes dot (De|Com|Net|Org)
Michael at BorussiaFan dot De, Meskes at (Debian|Postgresql) dot Org
ICQ: 179140304, AIM/Yahoo/Skype: michaelmeskes, Jabber: meskes@jabber.org
VfL Borussia! Forca Barca! Go SF 49ers! Use: Debian GNU/Linux, PostgreSQL
Reply sent to Michael Meskes <meskes@debian.org>: You have taken responsibility. (Tue, 15 Dec 2009 12:36:12 GMT)
Notification sent to Raphael Geissert <geissert@debian.org>: Bug acknowledged by developer. (Tue, 15 Dec 2009 12:36:12 GMT)
Message #45 received at 560771-close@bugs.debian.org:
Source: acpid
Source-Version: 1.0.10-5
We believe that the bug you reported is fixed in the latest version of
acpid, which is due to be installed in the Debian FTP archive:
acpid_1.0.10-5.diff.gz
to main/a/acpid/acpid_1.0.10-5.diff.gz
acpid_1.0.10-5.dsc
to main/a/acpid/acpid_1.0.10-5.dsc
acpid_1.0.10-5_amd64.deb
to main/a/acpid/acpid_1.0.10-5_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 560771@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Michael Meskes <meskes@debian.org> (supplier of updated acpid package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Tue, 15 Dec 2009 13:11:29 +0100
Source: acpid
Binary: acpid
Architecture: source amd64
Version: 1.0.10-5
Distribution: unstable
Urgency: high
Maintainer: Debian Acpi Team <pkg-acpi-devel@lists.alioth.debian.org>
Changed-By: Michael Meskes <meskes@debian.org>
Description:
acpid - Advanced Configuration and Power Interface event daemon
Closes: 560771
Changes:
acpid (1.0.10-5) unstable; urgency=high
.
* Correct permissions that were incorrectly set by very old acpid versions.
This fixes CVE-2009-4235. (Closes: #560771)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iD8DBQFLJ32GVkEm8inxm9ERAjeSAJ9OjkDy3DFxXgU+l0YwF6fplogaHwCeIuaH
nFD+FeA0n3WRssT8Zrqqe2c=
=zY3e
-----END PGP SIGNATURE-----
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Acpi Team <pkg-acpi-devel@lists.alioth.debian.org>: Bug#560771; Package acpid. (Tue, 15 Dec 2009 20:57:05 GMT)
Acknowledgement sent to Raphael Geissert <geissert@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Acpi Team <pkg-acpi-devel@lists.alioth.debian.org>. (Tue, 15 Dec 2009 20:57:05 GMT)
Message #50 received at 560771@bugs.debian.org:
2009/12/14 Michael Meskes <meskes@debian.org>:
> On Sun, Dec 13, 2009 at 09:42:58PM -0600, Raphael Geissert wrote:
>> I think the best approach is to prepare uploads for unstable and
>> stable (via stable-proposed-updates) fixing the permissions of the
>
> Why only proposed-updates and not security?
>
>> file, and an upload for oldstable (via oldstable-security) that fixes
>> both the permissions and the open(2) call.
>
> But security here?
>
Reconsidering, both are going through the security repository.
Could you please prepare the packages and send the debdiff to team@?
Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Acpi Team <pkg-acpi-devel@lists.alioth.debian.org>: Bug#560771; Package acpid. (Wed, 16 Dec 2009 08:27:03 GMT)
Acknowledgement sent to Michael Meskes <meskes@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Acpi Team <pkg-acpi-devel@lists.alioth.debian.org>. (Wed, 16 Dec 2009 08:27:03 GMT)
Message #55 received at 560771@bugs.debian.org:
On Tue, Dec 15, 2009 at 02:56:19PM -0600, Raphael Geissert wrote:
> Reconsidering, both are going through the security repository.
I already uploaded the Lenny version to proposed-updates. Should I re-up?
> Could you please prepare the packages and send the debdiff to team@?
The Lenny debdiff is attached.
Michael
--
Michael Meskes
Michael at Fam-Meskes dot De, Michael at Meskes dot (De|Com|Net|Org)
Michael at BorussiaFan dot De, Meskes at (Debian|Postgresql) dot Org
ICQ: 179140304, AIM/Yahoo/Skype: michaelmeskes, Jabber: meskes@jabber.org
VfL Borussia! Forca Barca! Go SF 49ers! Use: Debian GNU/Linux, PostgreSQL
[acpid_lenny.diff (text/x-diff, attachment)]
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Acpi Team <pkg-acpi-devel@lists.alioth.debian.org>: Bug#560771; Package acpid. (Thu, 17 Dec 2009 05:42:03 GMT)
Acknowledgement sent to Raphael Geissert <geissert@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Acpi Team <pkg-acpi-devel@lists.alioth.debian.org>. (Thu, 17 Dec 2009 05:42:03 GMT)
Message #60 received at 560771@bugs.debian.org:
Hi,
2009/12/16 Michael Meskes <meskes@debian.org>:
> On Tue, Dec 15, 2009 at 02:56:19PM -0600, Raphael Geissert wrote:
>> Reconsidering, both are going through the security repository.
>
> I already uploaded the Lenny version to proposed-updates. Should I re-up?
>
I already requested its rejection.
>> Could you please prepare the packages and send the debdiff to team@?
>
> The Lenny debdiff is attached.
>
Thanks.
The DSA should be released any time soon.
Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 18 Jan 2010 07:37:50 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Wed Jun 19 13:23:35 2019; Machine Name: beach