Debian Bug report logs -
#349303
lsh-server: lshd leaks fd:s to user shells
Reported by: Stefan Pfetzing <dreamind@dreamind.de>
Date: Sun, 22 Jan 2006 05:18:04 UTC
Severity: grave
Tags: confirmed, sarge, security
Found in version lsh-server/2.0.1cdbs-3
Fixed in version lsh-utils/2.0.1cdbs-4
Done: Stefan Pfetzing <dreamind@dreamind.de>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Simon Law <sfllaw@debian.org>:
Bug#349303; Package lsh-server.
(full text, mbox, link).
Acknowledgement sent to Stefan Pfetzing <dreamind@dreamind.de>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Simon Law <sfllaw@debian.org>.
(full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: lsh-server
Version: 2.0.1cdbs-3
Severity: grave
Tags: security
Tags: sarge
Tags: confirmed
Tags: pending
Justification: denial of service
As reported by Niels Möller, the author of lsh-utils, a user is able to
access fd:s used by lsh.
When logging in through lsh-server a user is able to tamper with
/var/spool/yarrow-seed-file, which can be used to prevent the server
from starting or allow the user guesses about the encryption used by
lsh-server.
Therefore its strongly suggested to apply the patch from Niels.
http://lists.lysator.liu.se/pipermail/lsh-bugs/2006q1/000467.html
Unstable will get a new version including the fix soon.
-- system information excluded
-- debconf information excluded
bye
Stefan Pfetzing
--
http://www.dreamind.de/
Oroborus and Debian GNU/Linux Developer.
Information forwarded to debian-bugs-dist@lists.debian.org, Simon Law <sfllaw@debian.org>:
Bug#349303; Package lsh-server.
(full text, mbox, link).
Acknowledgement sent to Stefan Pfetzing <dreamind@dreamind.de>:
Extra info received and forwarded to list. Copy sent to Simon Law <sfllaw@debian.org>.
(full text, mbox, link).
Message #10 received at 349303@bugs.debian.org (full text, mbox, reply):
Tags: security sarge confirmed
Thanks.
bye
Stefan
--
http://www.dreamind.de/
Oroborus and Debian GNU/Linux Developer.
Tags added: security, sarge, confirmed
Request was from Stefan Pfetzing <dreamind@dreamind.de>
to control@bugs.debian.org.
(full text, mbox, link).
Reply sent to Stefan Pfetzing <dreamind@dreamind.de>:
You have taken responsibility.
(full text, mbox, link).
Notification sent to Stefan Pfetzing <dreamind@dreamind.de>:
Bug acknowledged by developer.
(full text, mbox, link).
Message #17 received at 349303-close@bugs.debian.org (full text, mbox, reply):
Source: lsh-utils
Source-Version: 2.0.1cdbs-4
We believe that the bug you reported is fixed in the latest version of
lsh-utils, which is due to be installed in the Debian FTP archive:
lsh-client_2.0.1cdbs-4_i386.deb
to pool/main/l/lsh-utils/lsh-client_2.0.1cdbs-4_i386.deb
lsh-server_2.0.1cdbs-4_i386.deb
to pool/main/l/lsh-utils/lsh-server_2.0.1cdbs-4_i386.deb
lsh-utils-doc_2.0.1cdbs-4_all.deb
to pool/main/l/lsh-utils/lsh-utils-doc_2.0.1cdbs-4_all.deb
lsh-utils_2.0.1cdbs-4.diff.gz
to pool/main/l/lsh-utils/lsh-utils_2.0.1cdbs-4.diff.gz
lsh-utils_2.0.1cdbs-4.dsc
to pool/main/l/lsh-utils/lsh-utils_2.0.1cdbs-4.dsc
lsh-utils_2.0.1cdbs-4_i386.deb
to pool/main/l/lsh-utils/lsh-utils_2.0.1cdbs-4_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 349303@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Stefan Pfetzing <dreamind@dreamind.de> (supplier of updated lsh-utils package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sun, 22 Jan 2006 06:30:43 +0100
Source: lsh-utils
Binary: lsh-utils lsh-client lsh-utils-doc lsh-server
Architecture: source all i386
Version: 2.0.1cdbs-4
Distribution: unstable
Urgency: high
Maintainer: Simon Law <sfllaw@debian.org>
Changed-By: Stefan Pfetzing <dreamind@dreamind.de>
Description:
lsh-client - Secure Shell v2 (SSH2) protocol client
lsh-server - Secure Shell v2 (SSH2) protocol server
lsh-utils - Secure Shell v2 (SSH2) protocol utilities
lsh-utils-doc - Secure Shell v2 (SSH2) client / server / utilities documentation
Closes: 337026 348822 348844 349180 349303
Changes:
lsh-utils (2.0.1cdbs-4) unstable; urgency=high
.
* Remove silly debconf questions and correct others. (Closes: Bug#337026)
* Switch to dpatch.
* Make lsh-utils build on a grsecurity system.
* Remove /var/spool/lsh upon purge.
* Update Vietnamese debconf translation.
* Update German debconf translation.
* Update Danish debconf translation.
* Update Czech debconf translation.
* Update Dutch debconf translation.
* Update Russian debconf translation. (Closes: Bug#349180)
* Update French debconf translation. (Closes: Bug#348822)
* Have lsh-server provide ssh-server. (Closes: Bug#348844)
* Update the watch file format version to the latest (3).
* Have uscan remove the "cdbs" version extension.
* Fix fd leak in the lsh-server.
This is to be security related, so upload it with a high urgency.
(Closes: Bug#349303)
Files:
91eb4d44578221b8730c089188cccc58 929 net extra lsh-utils_2.0.1cdbs-4.dsc
6b7233c922cde42f71f69183edced51a 39596 net extra lsh-utils_2.0.1cdbs-4.diff.gz
30c201de019f9080b987cc61e03c4863 105566 doc extra lsh-utils-doc_2.0.1cdbs-4_all.deb
958f2a7676eb9f03d031c82c9d4ab9d6 726476 net extra lsh-utils_2.0.1cdbs-4_i386.deb
12cd4839061a6c8bb549c1bc7145dfe1 203794 net extra lsh-server_2.0.1cdbs-4_i386.deb
9c98e5855e91d484f1d10ddae35c50f8 244636 net extra lsh-client_2.0.1cdbs-4_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
iD8DBQFD0x/hi50xCpfDmMsRAiEgAJ9cqgz/rFsup8Bh4Lx+ouM5s5SfswCdH3gK
Lvt291GQtGxIa70k/wnmu9Y=
=ZYU5
-----END PGP SIGNATURE-----
Information forwarded to debian-bugs-dist@lists.debian.org, Simon Law <sfllaw@debian.org>:
Bug#349303; Package lsh-server.
(full text, mbox, link).
Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Simon Law <sfllaw@debian.org>.
(full text, mbox, link).
Message #22 received at 349303@bugs.debian.org (full text, mbox, reply):
Stefan Pfetzing wrote:
> Package: lsh-server
> Version: 2.0.1cdbs-3
> Severity: grave
> Tags: security
> Tags: sarge
> Tags: confirmed
> Tags: pending
> Justification: denial of service
>
> As reported by Niels Möller, the author of lsh-utils, a user is able to
> access fd:s used by lsh.
>
> When logging in through lsh-server a user is able to tamper with
> /var/spool/yarrow-seed-file, which can be used to prevent the server
> from starting or allow the user guesses about the encryption used by
> lsh-server.
>
> Therefore its strongly suggested to apply the patch from Niels.
>
> http://lists.lysator.liu.se/pipermail/lsh-bugs/2006q1/000467.html
>
> Unstable will get a new version including the fix soon.
Please let us know which version in sid will fix the problem.
I've requested a CVE name and will provide it asap.
Regards,
Joey
--
Have you ever noticed that "General Public Licence" contains the word "Pub"?
Please always Cc to me when replying to me on the lists.
Information forwarded to debian-bugs-dist@lists.debian.org, Simon Law <sfllaw@debian.org>:
Bug#349303; Package lsh-server.
(full text, mbox, link).
Acknowledgement sent to Stefan Pfetzing <dreamind@dreamind.de>:
Extra info received and forwarded to list. Copy sent to Simon Law <sfllaw@debian.org>.
(full text, mbox, link).
Message #27 received at 349303@bugs.debian.org (full text, mbox, reply):
Hi Joey,
Am 22.01.2006 um 09:52 schrieb Martin Schulze:
> Please let us know which version in sid will fix the problem.
>
> I've requested a CVE name and will provide it asap.
lsh-utilis 2.0.1cdbs-4 includes a dpatch file in debian/patches which
fixes the problem.
bye
Stefan
--
http://www.dreamind.de/
Oroborus and Debian GNU/Linux Developer.
Information forwarded to debian-bugs-dist@lists.debian.org, Simon Law <sfllaw@debian.org>:
Bug#349303; Package lsh-server.
(full text, mbox, link).
Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Simon Law <sfllaw@debian.org>.
(full text, mbox, link).
Message #32 received at 349303@bugs.debian.org (full text, mbox, reply):
Stefan Pfetzing wrote:
> >Please let us know which version in sid will fix the problem.
> >
> >I've requested a CVE name and will provide it asap.
>
> lsh-utilis 2.0.1cdbs-4 includes a dpatch file in debian/patches which
> fixes the problem.
Please use CVE-2006-0353 for this vulnerability.
Regards,
Joey
--
Have you ever noticed that "General Public Licence" contains the word "Pub"?
Please always Cc to me when replying to me on the lists.
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 24 Jun 2007 09:34:14 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 14:58:28 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon