Debian Bug report logs - #499076
CVE-2009-4411: Physical walk no longer ignores all symlinks
Reported by: Kevin Shanahan <kmshanah@ucwb.org.au>
Date: Tue, 16 Sep 2008 00:54:02 UTC
Severity: serious
Tags: security
Found in version acl/2.2.47-2
Fixed in version acl/2.2.49-2
Done: Anibal Monsalve Salazar <anibal@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Nathan Scott <nathans@debian.org>: Bug#499076; Package acl.
Acknowledgement sent to Kevin Shanahan <kmshanah@ucwb.org.au>: New Bug report received and forwarded. Copy sent to Nathan Scott <nathans@debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: acl
Version: 2.2.47-2
After upgrading a system from Etch to Lenny, we are having some problems
with our backup scripts which rely on getfacl/getfattr.
Previously we had been using "getfacl -RP ..." to recursively dump all
the ACLs in a number of directories which are also Samba shares. Because
we use the DFS features of Samba, we have numerous intentional
"dangling" symlinks in these directories. However, now this is causing
getfacl to exit with non-zero status and spew lots of unwanted output to
stderr.
A simple test case to reproduce the problem:
#!/bin/sh
ln -f -s no_such_file foo
getfacl -RP . > /dev/null
echo $?
Output on Etch:
0
Output on Lenny:
getfacl: ./foo: No such file or directory
1
I realise that upstream changed the behaviour at some point there, as
the manpage description of the -P option differs between Etch/Lenny.
However, we still need a way to ignore all symlinks - if the current
behaviour is by design (I don't understand why this would be desirable),
then can we have another option to completely ignore symlinks?
Thanks,
Kevin.
Information forwarded to debian-bugs-dist@lists.debian.org, Nathan Scott <nathans@debian.org>: Bug#499076; Package acl.
Acknowledgement sent to Nathan Scott <nscott@aconex.com>: Extra info received and forwarded to list. Copy sent to Nathan Scott <nathans@debian.org>.
Message #10 received at 499076@bugs.debian.org:
On Tue, 2008-09-16 at 10:20 +0930, Kevin Shanahan wrote:
> Package: acl
> Version: 2.2.47-2
> ...
> I realise that upstream changed the behaviour at some point there, as
> the manpage description of the -P option differs between Etch/Lenny.
> However, we still need a way to ignore all symlinks - if the current
> behaviour is by design (I don't understand why this would be desirable),
> then can we have another option to completely ignore symlinks?
Thanks for reporting the problem. I'll discuss with upstream.
cheers.
--
Nathan
Information forwarded to debian-bugs-dist@lists.debian.org, Nathan Scott <nathans@debian.org>: Bug#499076; Package acl. (Thu, 06 Nov 2008 10:39:02 GMT)
Acknowledgement sent to Matthijs Kooijman <matthijs@stdin.nl>: Extra info received and forwarded to list. Copy sent to Nathan Scott <nathans@debian.org>. (Thu, 06 Nov 2008 10:39:05 GMT)
Message #15 received at 499076@bugs.debian.org:
Hi,
it seems this problem was introduced in 2.2.46, during the tree_walk rewrite
in the acl tools. Upstream has a report for this as well [1].
According to CVS logs [2], this bug was fixed in upstream CVS two months ago.
However, I do not think another release has happened since then. I'm not sure
about upstream's release plans in this area, but if no release happens soon,
perhaps Debian should include the patch [3] separately?
Since the bug also applies to setfacl, not just getfacl, I would also consider
this bug to be more severe than "normal", probably even a release-critical
regression (due to the security implications of unexpected acl changes).
Gr.
Matthijs
[1]: http://oss.sgi.com/bugzilla/show_bug.cgi?id=790
[2]: http://oss.sgi.com/cgi-bin/cvsweb.cgi/xfs-cmds/acl/libmisc/walk_tree.c
[3]: http://oss.sgi.com/cgi-bin/cvsweb.cgi/xfs-cmds/acl/libmisc/walk_tree.c.diff?r1=1.2;r2=1.3
Information forwarded to debian-bugs-dist@lists.debian.org, Nathan Scott <nathans@debian.org>: Bug#499076; Package acl. (Thu, 08 Jan 2009 10:21:02 GMT)
Acknowledgement sent to Marcus Husar <marcus.husar@rose.uni-heidelberg.de>: Extra info received and forwarded to list. Copy sent to Nathan Scott <nathans@debian.org>. (Thu, 08 Jan 2009 10:21:02 GMT)
Message #20 received at 499076@bugs.debian.org:
Hi,
a lot of users and admins use these tiny scripts to back up their ACLs.
e.g.:
#!/bin/bash
mkdir -p /root/files
getfacl -R / | gzip -c -9 > /root/files/aclbackup.gz
But with acl from lenny these scripts will not work anymore. The
behaviour of getfacl changed. So I get a maybe endless recursion in
/sys. Even 'getfacl -R -P' doesn't solve this.
You can change the last line to
'getfacl -R /sys | gzip -c -9 > /root/files/aclbackup.gz'
to gain a lot of data within minutes (here 3,5 megabytes in a few
minutes). On one machine I get output to stderr which notes that there
are "Too many levels of symbolic links". An example is attached.
A possible suggestion: Don't backup the ACLs of /sys. But what if I run
into these problems with more important data?
Regards,
Marcus
[example.gz (application/x-gzip, attachment)]
Information forwarded to debian-bugs-dist@lists.debian.org, Nathan Scott <nathans@debian.org>: Bug#499076; Package acl. (Sun, 26 Apr 2009 13:42:02 GMT)
Acknowledgement sent to Matthijs Kooijman <matthijs@stdin.nl>: Extra info received and forwarded to list. Copy sent to Nathan Scott <nathans@debian.org>. (Sun, 26 Apr 2009 13:42:02 GMT)
Message #25 received at 499076@bugs.debian.org:
Hi Nathan,
any progress on this issue? Any news from upstream, or should the patch
perhaps be backported to Debian?
Gr.
Matthijs
Information forwarded to debian-bugs-dist@lists.debian.org, Nathan Scott <nathans@debian.org>: Bug#499076; Package acl. (Wed, 23 Dec 2009 19:42:03 GMT)
Acknowledgement sent to Brandon Philips <brandon@ifup.org>: Extra info received and forwarded to list. Copy sent to Nathan Scott <nathans@debian.org>. (Wed, 23 Dec 2009 19:42:03 GMT)
Message #30 received at 499076@bugs.debian.org:
On 15:37 Sun 26 Apr 2009, Matthijs Kooijman wrote:
> any progress on this issue? Any news from upstream, or should the patch
> perhaps be backported to Debian?
Upstream has fixed the issue:
http://git.savannah.gnu.org/cgit/acl.git/commit/?id=63451a0
New releases that include the fix are here:
https://savannah.nongnu.org/files/?group=acl
Also, upstream for acl and attr has moved from SGI ->
savannah.gnu.org.
Releases are found here:
https://savannah.nongnu.org/files/?group=attr
https://savannah.nongnu.org/files/?group=acl
Mailing list here:
http://lists.nongnu.org/mailman/listinfo/acl-devel
Thanks,
Brandon
Information forwarded to debian-bugs-dist@lists.debian.org, Nathan Scott <nathans@debian.org>: Bug#499076; Package acl. (Sat, 26 Dec 2009 17:45:06 GMT)
Acknowledgement sent to Giuseppe Iuculano <iuculano@debian.org>: Extra info received and forwarded to list. Copy sent to Nathan Scott <nathans@debian.org>. (Sat, 26 Dec 2009 17:45:06 GMT)
Message #35 received at 499076@bugs.debian.org:
retitle 499076 CVE-2009-4411: Physical walk no longer ignores all symlinks
tags 499076 security
severity 499076 serious
thanks
Hi,
this issue got a CVE id:
CVE-2009-4411[0]:
| The (1) setfacl and (2) getfacl commands in XFS acl 2.2.47, when
| running in recursive (-R) mode, follow symbolic links even when the
| --physical (aka -P) or -L option is specified, which might allow local
| users to modify the ACL for arbitrary files or directories via a
| symlink attack.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4411
http://security-tracker.debian.org/tracker/CVE-2009-4411
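The difference between a physical walk and one that dereferences links, as an added example (not part of this bug log and not the acl source). The names walk() and demo() are hypothetical, and the tree is constructed: it reuses the dangling foo -> no_such_file link from the original report and assumes a second link, escape, that points outside the walked directory.

```python
import errno
import os
import stat
import tempfile


def walk(root, physical):
    """Recursively list entries under root; return (visited, errors).

    physical=True  : lstat() every entry and skip symlinks entirely,
                     the behaviour the report expects from -P.
    physical=False : stat() through links, so a dangling link is an error
                     and a link to a directory is descended into.
    """
    visited, errors, seen = [], [], set()
    stack = [root]
    while stack:
        path = stack.pop()
        try:
            st = os.lstat(path) if physical else os.stat(path)
        except OSError as exc:
            errors.append((os.path.relpath(path, root), errno.errorcode[exc.errno]))
            continue
        if stat.S_ISLNK(st.st_mode):   # only possible after lstat()
            continue                   # never touch the link or its target
        visited.append(os.path.relpath(path, root))
        if stat.S_ISDIR(st.st_mode) and (st.st_dev, st.st_ino) not in seen:
            seen.add((st.st_dev, st.st_ino))  # stops the following walk looping
            for name in sorted(os.listdir(path), reverse=True):
                stack.append(os.path.join(path, name))
    return visited, errors


def demo():
    """Build a constructed tree and walk it both ways."""
    with tempfile.TemporaryDirectory() as base:
        share = os.path.join(base, "share")
        outside = os.path.join(base, "outside")
        os.mkdir(share)
        os.mkdir(outside)
        open(os.path.join(share, "doc.txt"), "w").close()
        open(os.path.join(outside, "secret.txt"), "w").close()
        os.symlink("no_such_file", os.path.join(share, "foo"))   # dangling, as in the report
        os.symlink("../outside", os.path.join(share, "escape"))  # points out of the tree
        return walk(share, physical=True), walk(share, physical=False)


if __name__ == "__main__":
    physical, following = demo()
    print("physical :", physical)
    print("following:", following)
```

With physical=True neither link is reported and no error is raised; the following walk fails on foo with ENOENT and also reaches secret.txt outside the walked directory, which is the case that matters when the tool applying changes is setfacl.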
Changed Bug title to 'CVE-2009-4411: Physical walk no longer ignores all symlinks' from 'Physical walk no longer ignores all symlinks'. Request was from Giuseppe Iuculano <iuculano@debian.org> to control@bugs.debian.org. (Sat, 26 Dec 2009 17:45:08 GMT)
Added tag(s) security. Request was from Giuseppe Iuculano <iuculano@debian.org> to control@bugs.debian.org. (Sat, 26 Dec 2009 17:45:08 GMT)
Severity set to 'serious' from 'normal'. Request was from Giuseppe Iuculano <iuculano@debian.org> to control@bugs.debian.org. (Sat, 26 Dec 2009 17:45:09 GMT)
Reply sent to Aníbal Monsalve Salazar <anibal@debian.org>: You have taken responsibility. (Sun, 27 Dec 2009 05:06:04 GMT)
Notification sent to Kevin Shanahan <kmshanah@ucwb.org.au>: Bug acknowledged by developer. (Sun, 27 Dec 2009 05:06:04 GMT)
Message #46 received at 499076-done@bugs.debian.org:
Version 2.2.49-1
On Sat, Dec 26, 2009 at 06:42:15PM +0100, Giuseppe Iuculano wrote:
>retitle 499076 CVE-2009-4411: Physical walk no longer ignores all symlinks
>tags 499076 security
>severity 499076 serious
>thanks
>
>Hi,
>
>this issue got a CVE id:
>
>CVE-2009-4411[0]:
>| The (1) setfacl and (2) getfacl commands in XFS acl 2.2.47, when
>| running in recursive (-R) mode, follow symbolic links even when the
>| --physical (aka -P) or -L option is specified, which might allow local
>| users to modify the ACL for arbitrary files or directories via a
>| symlink attack.
>
>If you fix the vulnerability please also make sure to include the
>CVE id in your changelog entry.
>
>For further information see:
>
>[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4411
> http://security-tracker.debian.org/tracker/CVE-2009-4411
>
Already fixed in 2.2.49-1, which was uploaded on 24 Nov 2009, more than
a month ago.
Information forwarded to debian-bugs-dist@lists.debian.org, Nathan Scott <nathans@debian.org>: Bug#499076; Package acl. (Sun, 27 Dec 2009 10:15:03 GMT)
Acknowledgement sent to Markus Steinborn <gnugv_maintainer@yahoo.de>: Extra info received and forwarded to list. Copy sent to Nathan Scott <nathans@debian.org>. (Sun, 27 Dec 2009 10:15:03 GMT)
Message #51 received at 499076@bugs.debian.org:
Just for your information:
version 2.2.49 improves the situation, that's right. But it does not fix
the bug.
For a test case that does not work and a working patch that I
contributed see
https://savannah.nongnu.org/bugs/?28131
Additional information is on:
https://bugzilla.redhat.com/show_bug.cgi?id=488674
Did not alter fixed versions and reopened. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Jan 2010 13:45:17 GMT)
Reply sent to Anibal Monsalve Salazar <anibal@debian.org>: You have taken responsibility. (Wed, 03 Feb 2010 06:48:03 GMT)
Notification sent to Kevin Shanahan <kmshanah@ucwb.org.au>: Bug acknowledged by developer. (Wed, 03 Feb 2010 06:48:03 GMT)
Message #58 received at 499076-close@bugs.debian.org:
Source: acl
Source-Version: 2.2.49-2
We believe that the bug you reported is fixed in the latest version of
acl, which is due to be installed in the Debian FTP archive:
acl_2.2.49-2.debian.tar.bz2
to main/a/acl/acl_2.2.49-2.debian.tar.bz2
acl_2.2.49-2.dsc
to main/a/acl/acl_2.2.49-2.dsc
acl_2.2.49-2_amd64.deb
to main/a/acl/acl_2.2.49-2_amd64.deb
libacl1-dev_2.2.49-2_amd64.deb
to main/a/acl/libacl1-dev_2.2.49-2_amd64.deb
libacl1_2.2.49-2_amd64.deb
to main/a/acl/libacl1_2.2.49-2_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 499076@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Anibal Monsalve Salazar <anibal@debian.org> (supplier of updated acl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Tue, 02 Feb 2010 11:40:55 +1100
Source: acl
Binary: acl libacl1-dev libacl1
Architecture: source amd64
Version: 2.2.49-2
Distribution: unstable
Urgency: low
Maintainer: Nathan Scott <nathans@debian.org>
Changed-By: Anibal Monsalve Salazar <anibal@debian.org>
Description:
 acl - Access control list utilities
 libacl1 - Access control list shared library
 libacl1-dev - Access control list static libraries and headers
Closes: 499076
Changes:
 acl (2.2.49-2) unstable; urgency=low
 .
   * Debian source format is 3.0 (quilt)
     Add 01-Makefile.patch
   * Fix CVE-2009-4411
     Refer to https://savannah.nongnu.org/bugs/?28131
     Add 02-499076-physical-walk.patch
     Patch by Markus Steinborn
     Closes: 499076
   * Fix debhelper-but-no-misc-depends
   * Fix out-of-date-standards-version
   * Fix no-upstream-changelog
Information forwarded to debian-bugs-dist@lists.debian.org, Nathan Scott <nathans@debian.org>: Bug#499076; Package acl. (Wed, 03 Feb 2010 20:27:06 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Nathan Scott <nathans@debian.org>. (Wed, 03 Feb 2010 20:27:07 GMT)
Message #63 received at 499076@bugs.debian.org:
Markus Steinborn wrote:
> Just for your information:
>
> version 2.2.49 improves the situation, that's right. But it does not fix
> the bug.
>
> For a test case that does not work and a working patch that I
> contributed see
>
> https://savannah.nongnu.org/bugs/?28131
>
> Additional information is on:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=488674
Anibal, please fix this bug through a stable point update for
Lenny.
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org, Nathan Scott <nathans@debian.org>: Bug#499076; Package acl. (Sat, 19 Feb 2011 22:54:03 GMT)
Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>: Extra info received and forwarded to list. Copy sent to Nathan Scott <nathans@debian.org>. (Sat, 19 Feb 2011 22:54:03 GMT)
Message #68 received at 499076@bugs.debian.org:
Dear maintainer,
Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:
lenny (5.0.9)
Please arrange to backport your fix and liaise with the release team for
permission to upload. I will happily assist you if the patch is
straightforward and you need help or lack time.
For details of this process and the rationale, please see the original
announcement [1] and my blog post [2].
1: <201101232332.11736.thijs@debian.org>
2: http://deb.li/prsc
Thanks,
with his security hat on:
--
Jonathan Wiltshire jmw@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 05 Nov 2011 07:36:50 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:15:18 2019