Debian Bug report logs - #901572
acccheck: CVE-2018-12268: Command Injection via shell metacharacters in a username or password file
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Thu, 14 Jun 2018 21:09:01 UTC
Severity: grave
Tags: patch, security, upstream
Found in version acccheck/0.2.1-1
Fixed in version 0.2.1-3+rm
Done: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Security Tools Packaging Team <pkg-security-team@lists.alioth.debian.org>: Bug#901572; Package src:acccheck. (Thu, 14 Jun 2018 21:09:03 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Security Tools Packaging Team <pkg-security-team@lists.alioth.debian.org>. (Thu, 14 Jun 2018 21:09:03 GMT)
Message #5 received at submit@bugs.debian.org:
Source: acccheck
Version: 0.2.1-1
Severity: grave
Tags: security upstream
Hi,
The following vulnerability was published for acccheck.
CVE-2018-12268[0]:
| acccheck.pl in acccheck 0.2.1 allows Command Injection via shell
| metacharacters in a username or password file, as demonstrated by
| injection into an smbclient command line.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-12268
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12268
Regards,
Salvatore
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Security Tools Packaging Team <pkg-security-team@lists.alioth.debian.org>: Bug#901572; Package src:acccheck. (Mon, 03 Sep 2018 07:48:05 GMT)
Acknowledgement sent to phil@reseau-libre.net: Extra info received and forwarded to list. Copy sent to Debian Security Tools Packaging Team <pkg-security-team@lists.alioth.debian.org>. (Mon, 03 Sep 2018 07:48:05 GMT)
Message #10 received at 901572@bugs.debian.org:
tags 901572 + patch
user phil@reseau-libre.net
usertags pkg-security-team
thanks
Hello,
I've updated the acccheck.pl behavior to correct (I hope) the
CVE-2018-12268. User and password input files are sanitized before any
use in the generated command-line string. The patch is given attached to
this mail.
Nevertheless, the package doesn't have separate branches for stretch
and unstable releases, which leads to d/changelog files being denoted as
targeting 'unstable' even in the stretch package. In the given
patch, the only missing point is the "stretch-security" naming of the
target, as it would be better to separate into two branches first.
Cheers,
--
Philippe Thierry.
[remote_injection_bugfix.debdiff (text/x-diff, attachment)]
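The injection class described in the CVE text above, and the "sanitize the input files before building the command line" approach Philippe mentions, as an added Perl example. This is not acccheck's own code and not the attached patch; the sub names, the host and share, and the sample file contents are constructed for illustration. It shows the interpolated-string pattern only for contrast and then the two defensive measures a maintainer would want: rejecting file entries that contain shell metacharacters, and, more importantly, handing smbclient an argv list so that no shell ever parses the credentials.

```perl
#!/usr/bin/perl
# Added example, not acccheck's own code and not the attached patch: the
# shell-interpolation pattern behind CVE-2018-12268 and a hardened replacement.
# Host, share, sub names and the sample file contents below are constructed.
use strict;
use warnings;

# Any byte the shell treats specially. \$ must be escaped because $( and $)
# are Perl variables and would otherwise be interpolated into the pattern.
my $shell_meta = qr/[;&|`\$()<>\n\r"'\\ \t*?\[\]{}~!#]/;

# True when an entry contains no shell metacharacters at all.
sub is_safe_entry {
    my ($entry) = @_;
    return ($entry =~ $shell_meta) ? 0 : 1;
}

# Read a username or password file one entry per line, dropping anything
# that fails the check and reporting it on stderr instead of passing it on.
sub load_entries {
    my ($fh) = @_;
    my @good;
    while (my $line = <$fh>) {
        chomp $line;
        next if $line eq '';
        if (is_safe_entry($line)) {
            push @good, $line;
        } else {
            warn "rejected entry with shell metacharacters: '$line'\n";
        }
    }
    return @good;
}

# VULNERABLE pattern (shown for contrast, never use): one interpolated string
# handed to /bin/sh, so a ';' in $user or $pass ends the smbclient command
# and whatever follows is run by the shell as a second command.
sub vulnerable_command_string {
    my ($host, $user, $pass) = @_;
    return "smbclient //$host/IPC\$ -U $user%$pass -c exit";
}

# HARDENED: an argv list. system LIST with more than one element execs the
# program directly, so each element is exactly one argument and no shell
# ever sees the credentials, whatever characters they contain.
sub hardened_argv {
    my ($host, $user, $pass) = @_;
    return ('smbclient', "//$host/IPC\$", '-U', "$user%$pass", '-c', 'exit');
}

# Defence in depth: refuse unsafe entries even though the argv form would
# already pass them through harmlessly.
sub try_login {
    my ($host, $user, $pass) = @_;
    die "unsafe credential entry\n"
        unless is_safe_entry($user) && is_safe_entry($pass);
    my $rc = system(hardened_argv($host, $user, $pass));
    return $rc == 0;
}

# Constructed file contents; an in-memory filehandle stands in for the real
# username file so the example runs offline without touching the network.
my $user_file = "alice\nbob; echo injected\ncarol\n";
open(my $fh, '<', \$user_file) or die "open: $!";
my @users = load_entries($fh);
close $fh;
print "accepted users: @users\n";

# Show the argv the hardened path would exec; nothing is executed here.
my @argv = hardened_argv('192.0.2.10', 'alice', 's3cret');
print "would exec: ", join(' ', map { "[$_]" } @argv), "\n";
```

The list form of system is the fix that actually removes the bug class; the metacharacter filter is a second layer that also gives operators a log line when a wordlist contains something unexpected. One further caveat for a tool like this: passing `-U user%pass` on the command line leaves the password visible in process listings to other local users, so a production rewrite would prefer smbclient's `-A`/`--authentication-file` option over putting the secret in argv.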
Added tag(s) patch. Request was from phil@reseau-libre.net to control@bugs.debian.org. (Mon, 03 Sep 2018 07:48:06 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Security Tools Packaging Team <pkg-security-team@lists.alioth.debian.org>: Bug#901572; Package src:acccheck. (Mon, 03 Sep 2018 09:09:02 GMT)
Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Security Tools Packaging Team <pkg-security-team@lists.alioth.debian.org>. (Mon, 03 Sep 2018 09:09:02 GMT)
Message #17 received at 901572@bugs.debian.org:
Control: affects 904200 acccheck
On Mon, 03 Sep 2018, phil@reseau-libre.net wrote:
> I've updated the acccheck.pl behavior to correct (i hope) the
> CVE-2018-12268. User and password input files are sanitized before any use
> in the generated commandline string. The patch is given attached to this
> mail.
FWIW, I requested the removal of the package a while ago:
https://bugs.debian.org/904200
And this is not the only security issue in that script... there's no point
in spending any time on this issue.
Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Security Tools Packaging Team <pkg-security-team@lists.alioth.debian.org>: Bug#901572; Package src:acccheck. (Mon, 03 Sep 2018 10:27:03 GMT)
Acknowledgement sent to "Phil." <phil@reseau-libre.net>: Extra info received and forwarded to list. Copy sent to Debian Security Tools Packaging Team <pkg-security-team@lists.alioth.debian.org>. (Mon, 03 Sep 2018 10:27:03 GMT)
Message #22 received at 901572@bugs.debian.org:
Okay,
From what I've seen, the code is effectively just horrible!
Thanks for adding the affects tag, as I hadn't seen the removal request.
Cheers,
On 3 September 2018 11:07:08 GMT+02:00, Raphael Hertzog <hertzog@debian.org> wrote:
>Control: affects 904200 acccheck
>
>On Mon, 03 Sep 2018, phil@reseau-libre.net wrote:
>> I've updated the acccheck.pl behavior to correct (i hope) the
>> CVE-2018-12268. User and password input files are sanitized before any use
>> in the generated commandline string. The patch is given attached to this
>> mail.
>
>FWIW, I requested the removal of the package a while ago:
>https://bugs.debian.org/904200
>
>And this is not the only security issue in that script... there's no point
>in spending any time on this issue.
>
>Cheers,
>--
>Raphaël Hertzog ◈ Debian Developer
>
>Support Debian LTS: https://www.freexian.com/services/debian-lts.html
>Learn to master Debian: https://debian-handbook.info/get/
--
Philippe Thierry.
GPG: 7010 9a3c e210 763e 6341 4581 c257 b91b cdaf c1ea
Reply sent to Debian FTP Masters <ftpmaster@ftp-master.debian.org>: You have taken responsibility. (Tue, 09 Oct 2018 16:45:36 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Tue, 09 Oct 2018 16:45:36 GMT)
Message #27 received at 901572-done@bugs.debian.org:
Version: 0.2.1-3+rm
Dear submitter,
as the package acccheck has just been removed from the Debian archive
unstable we hereby close the associated bug reports. We are sorry
that we couldn't deal with your issue properly.
For details on the removal, please see https://bugs.debian.org/904200
The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.
This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@ftp-master.debian.org.
Debian distribution maintenance software
pp.
Ansgar Burchardt (the ftpmaster behind the curtain)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:35:51 2019; Machine Name: buxtehude