system-tools-backends: CVE-2008-6792 limiting effective password length to 8 characters

Related Vulnerabilities: CVE-2008-6792  

Debian Bug report logs - #527952


Reported by: Nico Golde <nion@debian.org>

Date: Sat, 9 May 2009 16:45:02 UTC

Severity: grave

Tags: patch, security

Fixed in versions system-tools-backends/2.6.0-6.1, system-tools-backends/2.6.0-2lenny3

Done: Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Jose Carlos Garcia Sogo <jsogo@debian.org>:
Bug#527952; Package system-tools-backends. (Sat, 09 May 2009 16:45:04 GMT)

Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to Jose Carlos Garcia Sogo <jsogo@debian.org>. (Sat, 09 May 2009 16:45:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: system-tools-backends: CVE-2008-6792 limiting effective password length to 8 characters
Date: Sat, 9 May 2009 18:41:32 +0200
Package: system-tools-backends
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for system-tools-backends.

CVE-2008-6792[0]:
| system-tools-backends before 2.6.0-1ubuntu1.1 in Ubuntu 8.10, as used
| by "Users and Groups" in GNOME System Tools, hashes account passwords
| with 3DES and consequently limits effective password lengths to eight
| characters, which makes it easier for context-dependent attackers to
| successfully conduct brute-force password attacks.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

Patch: 
http://launchpadlibrarian.net/19037678/system-tools-backends_2.6.0-1ubuntu1.1.diff

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6792
    http://security-tracker.debian.net/tracker/CVE-2008-6792

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Information forwarded to debian-bugs-dist@lists.debian.org, Jose Carlos Garcia Sogo <jsogo@debian.org>:
Bug#527952; Package system-tools-backends. (Sat, 09 May 2009 17:15:02 GMT)

Acknowledgement sent to Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>:
Extra info received and forwarded to list. Copy sent to Jose Carlos Garcia Sogo <jsogo@debian.org>. (Sat, 09 May 2009 17:15:02 GMT)

Message #10 received at 527952@bugs.debian.org:

From: Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>
To: 527952@bugs.debian.org
Cc: James Westby <james.westby@canonical.com>
Subject: Re: system-tools-backends: CVE-2008-6792
Date: Sat, 9 May 2009 19:11:45 +0200
Hi,

while you're at it, there is another bug in that small perl
function: do_get_use_md5() recurses when it encounters an
'@include' line and overwrites its $use_md5 variable with
the result. Therefore the following /etc/pam.d/passwd would
make the function return 0:

required	pam_unix.so md5
@include	empty_file


Regards,

Jan
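The two defects this report discusses, the CVE text above (a use_md5 answer of 0 leaves the backend on DES crypt, which only uses the first 8 password characters) and Jan's note that do_get_use_md5() overwrites its result when it recurses into an '@include', modelled side by side as an added example. This is not the package's own Perl code: the in-memory PAM_FILES dict standing in for /etc/pam.d, the regexes and the function names are this example's assumptions.

```python
import re

# Constructed stand-in for /etc/pam.d/ (an in-memory dict, not real files).
# "passwd" is the layout from Jan's message; the loop-* entries add a cycle.
PAM_FILES = {
    "passwd": "password\trequired\tpam_unix.so md5\n@include\tempty_file\n",
    "empty_file": "",
    "common-password": "password\trequired\tpam_unix.so nullok obscure md5\n",
    "passwd-include-first": "@include\tcommon-password\n",
    "passwd-des": "password\trequired\tpam_unix.so nullok\n",
    "loop-a": "@include\tloop-b\n",
    "loop-b": "@include\tloop-a\npassword\trequired\tpam_unix.so md5\n",
}
INCLUDE_RE = re.compile(r"^\s*@include\s+(\S+)")
MD5_RE = re.compile(r"^\s*password\s+\S+\s+pam_unix\.so\b.*\bmd5\b")


def buggy_use_md5(name):
    """Defect Jan describes: the recursive call's result *replaces* use_md5,
    so an @include after the md5 line resets it to 0 when the included file
    has no md5 line. Answer 0 makes the backend fall back to DES crypt, which
    uses only the first 8 password characters (the CVE-2008-6792 impact)."""
    use_md5 = 0
    for line in PAM_FILES.get(name, "").splitlines():
        inc = INCLUDE_RE.match(line)
        if inc:
            use_md5 = buggy_use_md5(inc.group(1))  # overwrite: the bug
        elif MD5_RE.match(line):
            use_md5 = 1
    return use_md5


def fixed_use_md5(name, seen=None):
    """Corrected logic: an included file can only switch md5 on, never
    discard a match already made. The `seen` set is an extra guard of this
    example so an @include cycle cannot recurse forever."""
    seen = set() if seen is None else seen
    if name in seen:
        return 0
    seen.add(name)
    use_md5 = 0
    for line in PAM_FILES.get(name, "").splitlines():
        inc = INCLUDE_RE.match(line)
        if inc:
            use_md5 = use_md5 or fixed_use_md5(inc.group(1), seen)
        elif MD5_RE.match(line):
            use_md5 = 1
    return use_md5


if __name__ == "__main__":
    for f in ("passwd", "passwd-include-first", "passwd-des"):
        print(f, "buggy:", buggy_use_md5(f), "fixed:", fixed_use_md5(f))
```

The "passwd" entry reproduces Jan's case exactly: the buggy reader returns 0 and the corrected one returns 1.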

Information forwarded to debian-bugs-dist@lists.debian.org, Jose Carlos Garcia Sogo <jsogo@debian.org>:
Bug#527952; Package system-tools-backends. (Mon, 18 May 2009 16:36:02 GMT)

Acknowledgement sent to Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>:
Extra info received and forwarded to list. Copy sent to Jose Carlos Garcia Sogo <jsogo@debian.org>. (Mon, 18 May 2009 16:36:02 GMT)

Message #15 received at 527952@bugs.debian.org:

From: Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>
To: 527952@bugs.debian.org
Subject: Re: system-tools-backends: CVE-2008-6792 limiting effective password length to 8 characters
Date: Mon, 18 May 2009 18:34:13 +0200
Hi,

NMU is about to hit unstable and s-p-u. I've added the attached
patch to the quilt series.


Regards,

Jan
[08_use_md5.patch (text/x-diff, attachment)]

Reply sent to Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>:
You have taken responsibility. (Mon, 18 May 2009 17:21:18 GMT)

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. (Mon, 18 May 2009 17:21:18 GMT)

Message #20 received at 527952-close@bugs.debian.org:

From: Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>
To: 527952-close@bugs.debian.org
Subject: Bug#527952: fixed in system-tools-backends 2.6.0-6.1
Date: Mon, 18 May 2009 16:47:47 +0000
Source: system-tools-backends
Source-Version: 2.6.0-6.1

We believe that the bug you reported is fixed in the latest version of
system-tools-backends, which is due to be installed in the Debian FTP archive:

system-tools-backends-dev_2.6.0-6.1_all.deb
  to pool/main/s/system-tools-backends/system-tools-backends-dev_2.6.0-6.1_all.deb
system-tools-backends_2.6.0-6.1.diff.gz
  to pool/main/s/system-tools-backends/system-tools-backends_2.6.0-6.1.diff.gz
system-tools-backends_2.6.0-6.1.dsc
  to pool/main/s/system-tools-backends/system-tools-backends_2.6.0-6.1.dsc
system-tools-backends_2.6.0-6.1_i386.deb
  to pool/main/s/system-tools-backends/system-tools-backends_2.6.0-6.1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 527952@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de> (supplier of updated system-tools-backends package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Mon, 18 May 2009 17:55:01 +0200
Source: system-tools-backends
Binary: system-tools-backends system-tools-backends-dev
Architecture: source all i386
Version: 2.6.0-6.1
Distribution: unstable
Urgency: high
Maintainer: Jose Carlos Garcia Sogo <jsogo@debian.org>
Changed-By: Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>
Description: 
 system-tools-backends - System Tools to manage computer configuration -- scripts
 system-tools-backends-dev - System Tools to manage computer configuration -- development file
Closes: 527952
Changes: 
 system-tools-backends (2.6.0-6.1) unstable; urgency=high
 .
   * Security NMU.
   * Fix CVE-2008-6792 "limiting effective password length to 8 characters"
     and another related bug in do_get_use_md5(). Closes: #527952.


Reply sent to Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>:
You have taken responsibility. (Mon, 08 Jun 2009 22:39:06 GMT)

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. (Mon, 08 Jun 2009 22:39:06 GMT)

Message #25 received at 527952-close@bugs.debian.org:

From: Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>
To: 527952-close@bugs.debian.org
Subject: Bug#527952: fixed in system-tools-backends 2.6.0-2lenny3
Date: Mon, 08 Jun 2009 22:19:17 +0000
Source: system-tools-backends
Source-Version: 2.6.0-2lenny3

We believe that the bug you reported is fixed in the latest version of
system-tools-backends, which is due to be installed in the Debian FTP archive:

system-tools-backends-dev_2.6.0-2lenny3_all.deb
  to pool/main/s/system-tools-backends/system-tools-backends-dev_2.6.0-2lenny3_all.deb
system-tools-backends_2.6.0-2lenny3.diff.gz
  to pool/main/s/system-tools-backends/system-tools-backends_2.6.0-2lenny3.diff.gz
system-tools-backends_2.6.0-2lenny3.dsc
  to pool/main/s/system-tools-backends/system-tools-backends_2.6.0-2lenny3.dsc
system-tools-backends_2.6.0-2lenny3_i386.deb
  to pool/main/s/system-tools-backends/system-tools-backends_2.6.0-2lenny3_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 527952@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de> (supplier of updated system-tools-backends package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Mon, 18 May 2009 21:29:21 +0200
Source: system-tools-backends
Binary: system-tools-backends system-tools-backends-dev
Architecture: source all i386
Version: 2.6.0-2lenny3
Distribution: stable
Urgency: high
Maintainer: Jose Carlos Garcia Sogo <jsogo@debian.org>
Changed-By: Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>
Description: 
 system-tools-backends - System Tools to manage computer configuration -- scripts
 system-tools-backends-dev - System Tools to manage computer configuration -- development file
Closes: 527952
Changes: 
 system-tools-backends (2.6.0-2lenny3) stable; urgency=high
 .
   * NMU.
   * Fix CVE-2008-6792 "limiting effective password length to 8 characters"
      and another related bug in do_get_use_md5(). Closes: #527952.


Reply sent to Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>:
You have taken responsibility. (Sat, 27 Jun 2009 16:30:07 GMT)

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. (Sat, 27 Jun 2009 16:30:07 GMT)

Message #30 received at 527952-close@bugs.debian.org:

From: Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>
To: 527952-close@bugs.debian.org
Subject: Bug#527952: fixed in system-tools-backends 2.6.0-2lenny3
Date: Sat, 27 Jun 2009 16:04:52 +0000
Source: system-tools-backends
Source-Version: 2.6.0-2lenny3

We believe that the bug you reported is fixed in the latest version of
system-tools-backends, which is due to be installed in the Debian FTP archive:

system-tools-backends-dev_2.6.0-2lenny3_all.deb
  to pool/main/s/system-tools-backends/system-tools-backends-dev_2.6.0-2lenny3_all.deb
system-tools-backends_2.6.0-2lenny3.diff.gz
  to pool/main/s/system-tools-backends/system-tools-backends_2.6.0-2lenny3.diff.gz
system-tools-backends_2.6.0-2lenny3.dsc
  to pool/main/s/system-tools-backends/system-tools-backends_2.6.0-2lenny3.dsc
system-tools-backends_2.6.0-2lenny3_i386.deb
  to pool/main/s/system-tools-backends/system-tools-backends_2.6.0-2lenny3_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 527952@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de> (supplier of updated system-tools-backends package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Mon, 18 May 2009 21:29:21 +0200
Source: system-tools-backends
Binary: system-tools-backends system-tools-backends-dev
Architecture: source all i386
Version: 2.6.0-2lenny3
Distribution: stable
Urgency: high
Maintainer: Jose Carlos Garcia Sogo <jsogo@debian.org>
Changed-By: Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>
Description: 
 system-tools-backends - System Tools to manage computer configuration -- scripts
 system-tools-backends-dev - System Tools to manage computer configuration -- development file
Closes: 527952
Changes: 
 system-tools-backends (2.6.0-2lenny3) stable; urgency=high
 .
   * NMU.
   * Fix CVE-2008-6792 "limiting effective password length to 8 characters"
      and another related bug in do_get_use_md5(). Closes: #527952.


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 26 Jul 2009 07:33:17 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:55:28 2019; Machine Name: beach
