Debian Bug report logs - #840357: CVE-2015-1336
Reported by: Moritz Muehlenhoff <jmm@debian.org>
Date: Mon, 10 Oct 2016 21:33:02 UTC
Severity: important
Tags: security
Found in version man-db/2.7.5-1
Fixed in version man-db/2.7.6-1
Done: Colin Watson <cjwatson@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Colin Watson <cjwatson@debian.org>: Bug#840357; Package man-db. (Mon, 10 Oct 2016 21:33:04 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>: New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Colin Watson <cjwatson@debian.org>. (Mon, 10 Oct 2016 21:33:04 GMT)
Message #5 received at submit@bugs.debian.org:
Package: man-db
Version: 2.7.5-1
Severity: important
Tags: security
Please see
http://www.halfdog.net/Security/2015/MandbSymlinkLocalRootPrivilegeEscalation/
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#840357; Package man-db. (Sun, 11 Dec 2016 16:48:05 GMT)
Acknowledgement sent to Colin Watson <cjwatson@debian.org>: Extra info received and forwarded to list. (Sun, 11 Dec 2016 16:48:05 GMT)
Message #10 received at 840357@bugs.debian.org:
Apologies for my long delay in dealing with these bugs, both reported by
halfdog. Fixes turned out to be quite complicated, since in part they
involved unwinding incorrect logic from nearly 20 years ago and ensuring
that everything else built on that was appropriately adjusted.
Here are the relevant sections from my release announcement, which
should appear at
https://lists.nongnu.org/archive/html/man-db-announce/2016-12/msg00000.html
in the near future:
* SECURITY: Eliminate dangerous setgid-root directories. In the default
configuration, cache files and directories are now owned by man:man
rather than man:root; man and mandb are now setgid man as well as
setuid man (except in the --disable-setuid case). This is a much
simpler and safer solution to the original problem that caused my
predecessor to make directories setgid root, and doesn't introduce any
interesting new privilege since the man group's only real purpose is
to be the man user's primary group and nothing in cache directories is
group-writeable.
Maintainers of distribution packages should take care to review their
installation rules in light of this change.
As far as I know this has no CVE ID, but it is described here:
http://www.halfdog.net/Security/2015/SetgidDirectoryPrivilegeEscalation/
[...]
Notes for distributors
======================
The security fix above was quite involved. If you're trying to backport
it to a stable release, then you should probably consider at least these
commits:
e62b9edafe00c51e52863718cb2eb1e29385230e Rename some anomalous x* functions
9ab9f3dd9b0d5f290c635995559332c1710e5b4d man(1): Fix gcc warnings
0f8b5518949866075c25787bdc4e9c064597c21e Separate cache owner from --enable-setuid option
94b9d1e2a14ce8790d7c73df00d0bbd9e40cd437 Handle cleanup stack more safely
c7f7daa9b2ffbbf4c45a2b168802a51acc2263c0 Make --disable-cache-owner imply --disable-setuid
31552334cecee82809059ec598a37d9ea82683f0 Eliminate dangerous setgid-root directories
755a9551c45da82f99d0ad8e46ef756afbeafb3f Fix distcheck following cache-owner/setuid changes
75701f7fd9a00108abeb851792231b3d9bc2a67d Fix systemd tmpfiles group/perms of /var/cache/man
Feel free to contact me if you have difficulty. You should also
consider
http://www.halfdog.net/Security/2015/MandbSymlinkLocalRootPrivilegeEscalation/,
which could not be fixed without fixing the above bug first; while this
bug was in Debian-specific cron jobs, others may have copied them.
I've uploaded 2.7.6-1 to unstable with fixes for these vulnerabilities.
I'd be happy to help out the Debian and Ubuntu security teams with
backports if they need it, although hopefully the above list of git
commits is enough to get started.
--
Colin Watson [cjwatson@debian.org]
Reply sent to Colin Watson <cjwatson@debian.org>: You have taken responsibility. (Sun, 11 Dec 2016 17:06:19 GMT)
Notification sent to Moritz Muehlenhoff <jmm@debian.org>: Bug acknowledged by developer. (Sun, 11 Dec 2016 17:06:19 GMT)
Message #15 received at 840357-close@bugs.debian.org:
Source: man-db
Source-Version: 2.7.6-1
We believe that the bug you reported is fixed in the latest version of
man-db, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 840357@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated man-db package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 11 Dec 2016 16:27:19 +0000
Source: man-db
Binary: man-db
Architecture: source
Version: 2.7.6-1
Distribution: unstable
Urgency: medium
Maintainer: Colin Watson <cjwatson@debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description:
man-db - on-line manual pager
Closes: 813665 840357
Changes:
man-db (2.7.6-1) unstable; urgency=medium
.
* New upstream release:
- Note that "man -K" searches page source (closes: #813665).
- SECURITY: Eliminate dangerous setgid-root directories.
- man now understands the <page>.<section> form on its command line, so
for example 'man chmod.2' is now the same as 'man 2 chmod'.
* Adjust various bits of packaging to account for changed ownership and
permissions of /usr/bin/man, /usr/bin/mandb, and /var/cache/man.
* SECURITY: Remove recursive chown of /var/cache/man from cron.daily job,
which introduced a vulnerability and is no longer needed now that man-db
is more careful about ensuring appropriate ownership of its cache files
(closes: #840357, LP: #1482786).
Checksums-Sha1:
9506519ae5b29f353f1b230c249146b93018e984 2012 man-db_2.7.6-1.dsc
35a10f80d5cf6411d5c73376fcddcec1539e788a 1541288 man-db_2.7.6.orig.tar.xz
6e7f67a37e208da9e63d319a289f0ff56eace11d 257884 man-db_2.7.6-1.debian.tar.xz
Checksums-Sha256:
0ed464a4bbcab998150dea9ae2cc08740787059088af850f15d2b4446b732251 2012 man-db_2.7.6-1.dsc
c68cffa6b93f6362beb1d1259f9ad5b65af2aee9a7d9910086082ea4b75f5da2 1541288 man-db_2.7.6.orig.tar.xz
142f09add127f9b6ff1373c18c2ed7c5ab085734a7b02a950d0237aa387932bd 257884 man-db_2.7.6-1.debian.tar.xz
Files:
2240affefb0adec02af793c6bc7d60f7 2012 doc important man-db_2.7.6-1.dsc
e0aa460ab00b047f3784d70ae8ccfcab 1541288 doc important man-db_2.7.6.orig.tar.xz
1e506856b4d35ca013e5e70051442d7d 257884 doc important man-db_2.7.6-1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
Comment: Colin Watson <cjwatson@debian.org> -- Debian developer
-----END PGP SIGNATURE-----
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 07 Nov 2018 07:37:33 GMT)
Last modified: Wed Jun 19 18:14:36 2019