CVE-2009-4411: Physical walk no longer ignores all symlinks

Debian Bug report logs - #499076
CVE-2009-4411: Physical walk no longer ignores all symlinks

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Kevin Shanahan <kmshanah@ucwb.org.au>

To: submit@bugs.debian.org

Subject: Physical walk no longer ignores all symlinks

Date: Tue, 16 Sep 2008 10:20:47 +0930

Package: acl
Version: 2.2.47-2

After upgrading a system from Etch to Lenny, we are having some problems
with our backup scripts which rely on getfacl/getfattr.

Previously we had been using "getfacl -RP ..." to recursively dump all
the ACLs in a number of directories which are also Samba shares. Because
we use the DFS features of Samba, we have numerous intentional
"dangling" symlinks in these directories. However, now this is causing
getfacl to exit with non-zero status and spew lots of unwanted output to
stderr.

A simple test case to reproduce the problem:

  #!/bin/sh
  ln -f -s no_such_file foo
  getfacl -RP . > dev/null
  echo $?

Output on Etch:
  0

Output on Lenny:
  getfacl: ./foo: No such file or directory
  1

I realise that upstream changed the behaviour at some point there, as
the manpage description of the -P option differs between Etch/Lenny.
However, we still need a way to ignore all symlinks - if the current
behaviour is be design (I don't understand why this would be desirable),
then can we have another option to completely ignore symlinks?

Thanks,
Kevin.

Message #10 received at 499076@bugs.debian.org (full text, mbox, reply):

From: Nathan Scott <nscott@aconex.com>

To: Kevin Shanahan <kmshanah@ucwb.org.au>, 499076@bugs.debian.org

Subject: Re: Bug#499076: Physical walk no longer ignores all symlinks

Date: Tue, 16 Sep 2008 11:22:51 +1000

On Tue, 2008-09-16 at 10:20 +0930, Kevin Shanahan wrote:
> Package: acl
> Version: 2.2.47-2
> ...
> I realise that upstream changed the behaviour at some point there, as
> the manpage description of the -P option differs between Etch/Lenny.
> However, we still need a way to ignore all symlinks - if the current
> behaviour is be design (I don't understand why this would be desirable),
> then can we have another option to completely ignore symlinks?

Thanks for reporting the problem.  I'll discuss with upstream.

cheers.

--
Nathan

Message #15 received at 499076@bugs.debian.org (full text, mbox, reply):

From: Matthijs Kooijman <matthijs@stdin.nl>

To: 499076@bugs.debian.org

Subject: Fixed in CVS

Date: Thu, 6 Nov 2008 11:36:32 +0100

[Message part 1 (text/plain, inline)]

Hi,

it seems this problem was introduced in 2.2.46, during the tree_walk rewrite
in the acl tools. Upstream has a report for this as well [1].

According to CVS logs [2], this bugs was fixed in upstream CVS two months ago.
However, I do not think another release has happened since then. I'm not sure
about upstream's release plans in this area, but if no release happens soon,
perhaps Debian should include the patch [3] separately?

Since the bug also applies to setfacl, not just getfacl, I would also consider
this bug to be more severe than "normal", probably even a release-critical
regression (due to the security implications of unexpected acl changes).

Gr.

Matthijs

[1]: http://oss.sgi.com/bugzilla/show_bug.cgi?id=790
[2]: http://oss.sgi.com/cgi-bin/cvsweb.cgi/xfs-cmds/acl/libmisc/walk_tree.c
[3]: http://oss.sgi.com/cgi-bin/cvsweb.cgi/xfs-cmds/acl/libmisc/walk_tree.c.diff?r1=1.2;r2=1.3

[signature.asc (application/pgp-signature, inline)]

Message #20 received at 499076@bugs.debian.org (full text, mbox, reply):

From: Marcus Husar <marcus.husar@rose.uni-heidelberg.de>

To: 499076@bugs.debian.org

Subject: Endless recursion can also appear

Date: Thu, 08 Jan 2009 11:06:07 +0100

[Message part 1 (text/plain, inline)]

Hi,

a lot users and admins use these tiny scripts to backup their ACLs.

e.g.:
#!/bin/bash
mkdir -p /root/files
getfacl -R / | gzip -c -9 > /root/files/aclbackup.gz

But with acl from lenny these scripts will not work anymore. The
behaviour of getfacl changed. So I get a maybe endless recursion in
/sys. Even 'getfacl -R -P' doesn't solve this.

You can change the last line to
'getfacl -R /sys | gzip -c -9 > /root/files/aclbackup.gz'
to gain a lot of data within minutes (here 3,5 megabytes in a few
minutes). On one machine I get output to stderr which notes that there
are "Too many levels of symbolic links". An example is attached.

A possible suggestion: Don't backup the ACLs of /sys. But what if I run
into these problems with more important data?

Regards,
Marcus

[example.gz (application/x-gzip, attachment)]

Message #25 received at 499076@bugs.debian.org (full text, mbox, reply):

From: Matthijs Kooijman <matthijs@stdin.nl>

To: 499076@bugs.debian.org

Subject: Any progress?

Date: Sun, 26 Apr 2009 15:37:00 +0200

[Message part 1 (text/plain, inline)]

Hi Nathan,

any progress on this issue? Any news from upstream, or should the patch
perhaps be backported to Debian?

Gr.

Matthijs

[signature.asc (application/pgp-signature, inline)]

Message #30 received at 499076@bugs.debian.org (full text, mbox, reply):

From: Brandon Philips <brandon@ifup.org>

To: Matthijs Kooijman <matthijs@stdin.nl>

Cc: 499076@bugs.debian.org

Subject: Re: Any progress?

Date: Wed, 23 Dec 2009 11:38:43 -0800

On 15:37 Sun 26 Apr 2009, Matthijs Kooijman wrote:
> any progress on this issue? Any news from upstream, or should the patch
> perhaps be backported to Debian?

Upstream has fixed the issue:
 http://git.savannah.gnu.org/cgit/acl.git/commit/?id=63451a0

New releases here that include the fix here:
 https://savannah.nongnu.org/files/?group=acl

Also, upstream for acl and attr has moved from SGI ->
savannah.gnu.org.

Releases are found here:
 https://savannah.nongnu.org/files/?group=attr
 https://savannah.nongnu.org/files/?group=acl

Mailing list here:
 http://lists.nongnu.org/mailman/listinfo/acl-devel

Thanks,

	Brandon

Message #35 received at 499076@bugs.debian.org (full text, mbox, reply):

From: Giuseppe Iuculano <iuculano@debian.org>

To: 499076@bugs.debian.org

Cc: control@bugs.debian.org

Subject: CVE-2009-4411

Date: Sat, 26 Dec 2009 18:42:15 +0100

[Message part 1 (text/plain, inline)]

retitle 499076 CVE-2009-4411: Physical walk no longer ignores all symlinks
tags 499076 security
severity 499076 serious
thanks

Hi,

this issue got a CVE id:

CVE-2009-4411[0]:
| The (1) setfacl and (2) getfacl commands in XFS acl 2.2.47, when
| running in recursive (-R) mode, follow symbolic links even when the
| --physical (aka -P) or -L option is specified, which might allow local
| users to modify the ACL for arbitrary files or directories via a
| symlink attack.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4411
    http://security-tracker.debian.org/tracker/CVE-2009-4411

[signature.asc (application/pgp-signature, attachment)]

Message #46 received at 499076-done@bugs.debian.org (full text, mbox, reply):

From: Aníbal Monsalve Salazar <anibal@debian.org>

To: Giuseppe Iuculano <iuculano@debian.org>

Cc: 499076-done@bugs.debian.org

Subject: Re: CVE-2009-4411

Date: Sun, 27 Dec 2009 05:04:24 +0000

[Message part 1 (text/plain, inline)]

Version 2.2.49-1

On Sat, Dec 26, 2009 at 06:42:15PM +0100, Giuseppe Iuculano wrote:
>retitle 499076 CVE-2009-4411: Physical walk no longer ignores all symlinks
>tags 499076 security
>severity 499076 serious
>thanks
>
>Hi,
>
>this issue got a CVE id:
>
>CVE-2009-4411[0]:
>| The (1) setfacl and (2) getfacl commands in XFS acl 2.2.47, when
>| running in recursive (-R) mode, follow symbolic links even when the
>| --physical (aka -P) or -L option is specified, which might allow local
>| users to modify the ACL for arbitrary files or directories via a
>| symlink attack.
>
>If you fix the vulnerability please also make sure to include the
>CVE id in your changelog entry.
>
>For further information see:
>
>[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4411
>    http://security-tracker.debian.org/tracker/CVE-2009-4411
>

Already fixed in 2.2.49-1, which was uploaded on 24 Nov 2009, more than
a month ago.

[signature.asc (application/pgp-signature, inline)]

Message #51 received at 499076@bugs.debian.org (full text, mbox, reply):

From: Markus Steinborn <gnugv_maintainer@yahoo.de>

To: 499076@bugs.debian.org

Subject: Re: CVE-2009-4411: Physical walk no longer ignores all symlinks

Date: Sun, 27 Dec 2009 11:04:04 +0100

Just for your information:

version 2.2.49 improves the situation, that's right. But it does not fix 
the bug.

For a test case that does not work and a working patch that I 
contributed see

https://savannah.nongnu.org/bugs/?28131


Additional information is on:

https://bugzilla.redhat.com/show_bug.cgi?id=488674

Message #58 received at 499076-close@bugs.debian.org (full text, mbox, reply):

From: Anibal Monsalve Salazar <anibal@debian.org>

To: 499076-close@bugs.debian.org

Subject: Bug#499076: fixed in acl 2.2.49-2

Date: Wed, 03 Feb 2010 06:47:13 +0000

Source: acl
Source-Version: 2.2.49-2

We believe that the bug you reported is fixed in the latest version of
acl, which is due to be installed in the Debian FTP archive:

acl_2.2.49-2.debian.tar.bz2
  to main/a/acl/acl_2.2.49-2.debian.tar.bz2
acl_2.2.49-2.dsc
  to main/a/acl/acl_2.2.49-2.dsc
acl_2.2.49-2_amd64.deb
  to main/a/acl/acl_2.2.49-2_amd64.deb
libacl1-dev_2.2.49-2_amd64.deb
  to main/a/acl/libacl1-dev_2.2.49-2_amd64.deb
libacl1_2.2.49-2_amd64.deb
  to main/a/acl/libacl1_2.2.49-2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 499076@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Anibal Monsalve Salazar <anibal@debian.org> (supplier of updated acl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 02 Feb 2010 11:40:55 +1100
Source: acl
Binary: acl libacl1-dev libacl1
Architecture: source amd64
Version: 2.2.49-2
Distribution: unstable
Urgency: low
Maintainer: Nathan Scott <nathans@debian.org>
Changed-By: Anibal Monsalve Salazar <anibal@debian.org>
Description: 
 acl        - Access control list utilities
 libacl1    - Access control list shared library
 libacl1-dev - Access control list static libraries and headers
Closes: 499076
Changes: 
 acl (2.2.49-2) unstable; urgency=low
 .
   * Debian source format is 3.0 (quilt)
     Add 01-Makefile.patch
   * Fix CVE-2009-4411
     Refer to https://savannah.nongnu.org/bugs/?28131
     Add 02-499076-physical-walk.patch
     Patch by Markus Steinborn
     Closes: 499076
   * Fix debhelper-but-no-misc-depends
   * Fix out-of-date-standards-version
   * Fix no-upstream-changelog
Checksums-Sha1: 
 96df8d8914069820fa18fb35c96b900b3fbf9fe2 1877 acl_2.2.49-2.dsc
 151c9f0918e3c2a009377b1642f02b68e6a7ed0b 6381 acl_2.2.49-2.debian.tar.bz2
 3f918a194af9b1ff3701bb6388150bc1d73b096e 64480 acl_2.2.49-2_amd64.deb
 28feace19539a9f9fb8e3a23d347845d4b746d8d 90282 libacl1-dev_2.2.49-2_amd64.deb
 c8fe41a31927de984fe81e9c6706fa417bab3009 28164 libacl1_2.2.49-2_amd64.deb
Checksums-Sha256: 
 1d87ce4533f0eb3d7b5a113f1343ad96fc51f560a082bf94948825dab486d0e8 1877 acl_2.2.49-2.dsc
 8af6f97cde3288a77ca7d0d78f29fb4c5b8f1e0a8ed0d15d2711d3521532f18a 6381 acl_2.2.49-2.debian.tar.bz2
 fae89b3fbdc91916501d358208db2b1223bc018296defdc47c9112d99bd26734 64480 acl_2.2.49-2_amd64.deb
 5821a2dcb9c6cedbfcc1f6a42d1ee8e266d4982400afa1d6630dcb16a0668a8b 90282 libacl1-dev_2.2.49-2_amd64.deb
 9c0a5d07d278689b558579262141d8e00b08299ba895aa78a75fd4e7784a940c 28164 libacl1_2.2.49-2_amd64.deb
Files: 
 4ba53c3be66f9241927aa8b5ca119ce9 1877 utils optional acl_2.2.49-2.dsc
 98f9c3ff5b03addd1f2ee7f6e603b75a 6381 utils optional acl_2.2.49-2.debian.tar.bz2
 447955e3e7c4ecddcd25c62eb80e6404 64480 utils optional acl_2.2.49-2_amd64.deb
 f12bd013c27a5233af60ab5cdbb2199b 90282 libdevel extra libacl1-dev_2.2.49-2_amd64.deb
 cfa7d4646dda9be7d8f285f8d3f6473f 28164 libs required libacl1_2.2.49-2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQIcBAEBCAAGBQJLaRoCAAoJEHxWrP6UeJfY0/EQALuJbqBREP2gteNFtiRJrbX/
dIdUMpsDbZd10Cn2naFMT6xw9sa2/vkvO24lgxJfRCW0F9QQCF+fAF5jOHg+WJ4g
VhVAMlYIbh0waEwNkFcGyi4CLJ4Q2RJBYI4TAoTgXyD4TGWMy1RkFnVFrUbM4Nhb
15xIs2j/+rvRsaWThlYwh/GtJtJmKQCRdS8u7M+hyEKp85QfxU1LZ85/dre01dQC
Ja80fMCsNxIhxuzCuYHV3tKKiDfz/hkXVlo+6sRrziVEIIZhSVjzEpNbTm+rm+u4
UavIP7CxqHxfKfVF67dzff3VjMK+gA0F3JGQIxCZVXn9oePWVmDC7Lu7NFhpcpjp
iXJ9cn2Wpu3h6SqM6i+Gr9DIeVDrAljYVtU+hOprowVJ9ZxOBf7EgUWJaEGWKnYf
hZ46XWQiJOO7IJJJVBEf2hh0SPu5uiWfgPn4GpOmW4UqMyJSF1UzLYrCUFqWsEOl
gfaAWxqSM1/Ka2zJTlGs7cBhnf1wuTYdAxwMpujoeF+2UpRF7TxDRqHr2ojBLXrl
zYW48VgzJ+YuVZeIM96VAF8gi++uYzIhsQzNB6ijCoHXyPq/VwEFbOS+ErgBtGx6
hTKljRwnQLoWRCEyoEY45Aq8nivM+9PPM5T8dm6huM/KydSQpsDCWRd9l8pXFGfN
sIRZuQZvItfgC0ir2AiD
=//QU
-----END PGP SIGNATURE-----

Message #63 received at 499076@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>

To: anibal@debian.org

Cc: 499076@bugs.debian.org, Markus Steinborn <gnugv_maintainer@yahoo.de>

Subject: Re: CVE-2009-4411: Physical walk no longer ignores all symlinks

Date: Wed, 3 Feb 2010 21:25:46 +0100

Markus Steinborn wrote:
> Just for your information:
> 
> version 2.2.49 improves the situation, that's right. But it does not fix 
> the bug.
> 
> For a test case that does not work and a working patch that I 
> contributed see
> 
> https://savannah.nongnu.org/bugs/?28131
> 
> Additional information is on:
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=488674

Anibal, please fix this bug through a stable point update for
Lenny.

Cheers,
        Moritz

Message #68 received at 499076@bugs.debian.org (full text, mbox, reply):

From: Jonathan Wiltshire <jmw@debian.org>

To: 499076@bugs.debian.org

Cc: anibal@debian.org

Subject: Re: Bug#499076: Physical walk no longer ignores all symlinks

Date: Sat, 19 Feb 2011 22:51:01 +0000

[Message part 1 (text/plain, inline)]

Dear maintainer,

Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:

lenny (5.0.9)

Please arrange to backport your fix and liase with the release team for
permission to upload. I will happily assist you if the patch is
straightforward and you need help or lack time.

For details of this process and the rationale, please see the original
announcement [1] and my blog post [2].

1: <201101232332.11736.thijs@debian.org>
2: http://deb.li/prsc

Thanks,

with his security hat on:
-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

[signature.asc (application/pgp-signature, inline)]

Send a report that this bug log contains spam.