CVE-2015-1336


Debian Bug report logs - #840357
CVE-2015-1336


Package: man-db; Maintainer for man-db is Colin Watson <cjwatson@debian.org>; Source for man-db is src:man-db.

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Mon, 10 Oct 2016 21:33:02 UTC

Severity: important

Tags: security

Found in version man-db/2.7.5-1

Fixed in version man-db/2.7.6-1

Done: Colin Watson <cjwatson@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Colin Watson <cjwatson@debian.org>:
Bug#840357; Package man-db. (Mon, 10 Oct 2016 21:33:04 GMT).


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Colin Watson <cjwatson@debian.org>. (Mon, 10 Oct 2016 21:33:04 GMT).


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2015-1336
Date: Mon, 10 Oct 2016 23:31:16 +0200
Package: man-db
Version: 2.7.5-1
Severity: important
Tags: security

Please see
http://www.halfdog.net/Security/2015/MandbSymlinkLocalRootPrivilegeEscalation/

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#840357; Package man-db. (Sun, 11 Dec 2016 16:48:05 GMT).


Acknowledgement sent to Colin Watson <cjwatson@debian.org>:
Extra info received and forwarded to list. (Sun, 11 Dec 2016 16:48:05 GMT).


Message #10 received at 840357@bugs.debian.org:

From: Colin Watson <cjwatson@debian.org>
To: Moritz Muehlenhoff <jmm@debian.org>, 840357@bugs.debian.org, 1482786@bugs.launchpad.net
Subject: man-db setgid-root and recursive-chown-cron-job vulnerabilities
Date: Sun, 11 Dec 2016 16:45:26 +0000

Apologies for my long delay in dealing with these bugs, both reported by
halfdog.  Fixes turned out to be quite complicated, since in part they
involved unwinding incorrect logic from nearly 20 years ago and ensuring
that everything else built on that was appropriately adjusted.

Here are the relevant sections from my release announcement, which
should appear at
https://lists.nongnu.org/archive/html/man-db-announce/2016-12/msg00000.html
in the near future:

  * SECURITY: Eliminate dangerous setgid-root directories.  In the default
    configuration, cache files and directories are now owned by man:man
    rather than man:root; man and mandb are now setgid man as well as
    setuid man (except in the --disable-setuid case).  This is a much
    simpler and safer solution to the original problem that caused my
    predecessor to make directories setgid root, and doesn't introduce any
    interesting new privilege since the man group's only real purpose is
    to be the man user's primary group and nothing in cache directories is
    group-writeable.
  
    Maintainers of distribution packagers should take care to review their
    installation rules in light of this change.
  
    As far as I know this has no CVE ID, but it is described here:
  
      http://www.halfdog.net/Security/2015/SetgidDirectoryPrivilegeEscalation/
  
  [...]
  
  Notes for distributors
  ======================
  
  The security fix above was quite involved.  If you're trying to backport
  it to a stable release, then you should probably consider at least these
  commits:
  
    e62b9edafe00c51e52863718cb2eb1e29385230e Rename some anomalous x* functions
    9ab9f3dd9b0d5f290c635995559332c1710e5b4d man(1): Fix gcc warnings
    0f8b5518949866075c25787bdc4e9c064597c21e Separate cache owner from --enable-setuid option
    94b9d1e2a14ce8790d7c73df00d0bbd9e40cd437 Handle cleanup stack more safely
    c7f7daa9b2ffbbf4c45a2b168802a51acc2263c0 Make --disable-cache-owner imply --disable-setuid
    31552334cecee82809059ec598a37d9ea82683f0 Eliminate dangerous setgid-root directories
    755a9551c45da82f99d0ad8e46ef756afbeafb3f Fix distcheck following cache-owner/setuid changes
    75701f7fd9a00108abeb851792231b3d9bc2a67d Fix systemd tmpfiles group/perms of /var/cache/man
  
  Feel free to contact me if you have difficulty.  You should also
  consider
  http://www.halfdog.net/Security/2015/MandbSymlinkLocalRootPrivilegeEscalation/,
  which could not be fixed without fixing the above bug first; while this
  bug was in Debian-specific cron jobs, others may have copied them.

I've uploaded 2.7.6-1 to unstable with fixes for these vulnerabilities.
I'd be happy to help out the Debian and Ubuntu security teams with
backports if they need it, although hopefully the above list of git
commits is enough to get started.

-- 
Colin Watson                                       [cjwatson@debian.org]
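
Added example, not part of the original bug log and not man-db or Debian code: a read-only audit for the two conditions the message above describes, setgid directories with group root under the cache tree and a recursive chown in a cron script. The function names and the cron script path argument are assumptions; /var/cache/man is the cache path named in the changelog on this page.

```shell
#!/bin/sh
# Added audit sketch; not man-db or Debian code. Function names are hypothetical.

# Print directories under $1 that are setgid and group-owned by $2
# (default root): the "setgid-root directories" the announcement eliminates.
find_setgid_dirs() {
    find "$1" -xdev -type d -perm -2000 -group "${2:-root}" -print
}

# Print "line:text" for non-comment lines of script $1 that run a
# recursive chown (-R, combined short flags such as -hR, or --recursive).
find_recursive_chown() {
    grep -nE '(^|[^[:alnum:]_])chown[[:space:]]+(-[[:alnum:]]*R|--recursive)' "$1" |
        grep -vE '^[0-9]+:[[:space:]]*#'
}

# audit_man_cache CACHE_ROOT CRON_SCRIPT [GROUP]
# Returns 0 when neither condition is present, 1 otherwise.
audit_man_cache() {
    status=0
    dirs=$(find_setgid_dirs "$1" "${3:-root}")
    if [ -n "$dirs" ]; then
        printf 'setgid directories with group %s:\n%s\n' "${3:-root}" "$dirs"
        status=1
    fi
    hits=$(find_recursive_chown "$2" || true)
    if [ -n "$hits" ]; then
        printf 'recursive chown in %s:\n%s\n' "$2" "$hits"
        status=1
    fi
    return "$status"
}

# Usage: sh audit.sh /var/cache/man <path to the man-db cron.daily script>
if [ "$#" -ge 2 ]; then
    audit_man_cache "$@"
fi
```

The optional third argument exists so the check can be exercised on a scratch directory without root; on a real system leave it at the default.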



Reply sent to Colin Watson <cjwatson@debian.org>:
You have taken responsibility. (Sun, 11 Dec 2016 17:06:19 GMT).


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Sun, 11 Dec 2016 17:06:19 GMT).


Message #15 received at 840357-close@bugs.debian.org:

From: Colin Watson <cjwatson@debian.org>
To: 840357-close@bugs.debian.org
Subject: Bug#840357: fixed in man-db 2.7.6-1
Date: Sun, 11 Dec 2016 17:03:51 +0000
Source: man-db
Source-Version: 2.7.6-1

We believe that the bug you reported is fixed in the latest version of
man-db, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 840357@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated man-db package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 11 Dec 2016 16:27:19 +0000
Source: man-db
Binary: man-db
Architecture: source
Version: 2.7.6-1
Distribution: unstable
Urgency: medium
Maintainer: Colin Watson <cjwatson@debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description:
 man-db     - on-line manual pager
Closes: 813665 840357
Changes:
 man-db (2.7.6-1) unstable; urgency=medium
 .
   * New upstream release:
     - Note that "man -K" searches page source (closes: #813665).
     - SECURITY: Eliminate dangerous setgid-root directories.
     - man now understands the <page>.<section> form on its command line, so
       for example 'man chmod.2' is now the same as 'man 2 chmod'.
   * Adjust various bits of packaging to account for changed ownership and
     permissions of /usr/bin/man, /usr/bin/mandb, and /var/cache/man.
   * SECURITY: Remove recursive chown of /var/cache/man from cron.daily job,
     which introduced a vulnerability and is no longer needed now that man-db
     is more careful about ensuring appropriate ownership of its cache files
     (closes: #840357, LP: #1482786).




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 07 Nov 2018 07:37:33 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:14:36 2019; Machine Name: buxtehude
