busybox: CVE-2014-9645: modprobe wrongly accepts paths as module names

Debian Bug report logs - #776186
busybox: CVE-2014-9645: modprobe wrongly accepts paths as module names

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: busybox: CVE-2014-9645: modprobe wrongly accepts paths as module names

Date: Sun, 25 Jan 2015 08:04:17 +0100

Source: busybox
Version: 1:1.20.0-7
Severity: normal
Tags: security patch upstream fixed-upstream

Hi,

the following vulnerability was published for busybox.

CVE-2014-9645[0]:
modprobe wrongly accepts paths as module names

Upstream report is at [1] with fix at [2].

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2014-9645
[1] https://bugs.busybox.net/show_bug.cgi?id=7652
[2] http://git.busybox.net/busybox/commit/?id=4e314faa0aecb66717418e9a47a4451aec59262b

Regards,
Salvatore

Message #10 received at 776186@bugs.debian.org (full text, mbox, reply):

From: Michael Gilbert <mgilbert@debian.org>

To: 776186@bugs.debian.org

Subject: re: busybox: CVE-2014-9645

Date: Sun, 25 Jan 2015 22:30:04 -0500

[Message part 1 (text/plain, inline)]

control: tag -1 patch, pending

Hi,

I uploaded an nmu fixing this issue to delayed/15.  Please let me know
if I can shorten or if you want to do a maintainer upload instead.
See proposed patch attached.

Best wishes,
Mike

[busybox.patch (text/x-patch, attachment)]

Message #17 received at 776186@bugs.debian.org (full text, mbox, reply):

From: Cyril Brulebois <kibi@debian.org>

To: Michael Gilbert <mgilbert@debian.org>, 776186@bugs.debian.org

Subject: Re: Bug#776186: busybox: CVE-2014-9645

Date: Mon, 26 Jan 2015 04:49:27 +0100

[Message part 1 (text/plain, inline)]

Michael Gilbert <mgilbert@debian.org> (2015-01-25):
> control: tag -1 patch, pending
> 
> Hi,
> 
> I uploaded an nmu fixing this issue to delayed/15.  Please let me know
> if I can shorten or if you want to do a maintainer upload instead.
> See proposed patch attached.

NACK, it won't make it into testing this way.

See <20150106090747.GC27249@ugent.be> and mails before that.

Haven't had a chance to upload what I proposed, but I can look at
including your changes on top of mine, somewhen today. (It was
basically waiting on the d-i release, which happened earlier.)

Mraw,
KiBi.

[signature.asc (application/pgp-signature, inline)]

Message #22 received at 776186@bugs.debian.org (full text, mbox, reply):

From: Michael Gilbert <mgilbert@debian.org>

To: Cyril Brulebois <kibi@debian.org>

Cc: 776186@bugs.debian.org

Subject: Re: Bug#776186: busybox: CVE-2014-9645

Date: Sun, 25 Jan 2015 23:48:43 -0500

On Sun, Jan 25, 2015 at 10:49 PM, Cyril Brulebois wrote:
>> I uploaded an nmu fixing this issue to delayed/15.  Please let me know
>> if I can shorten or if you want to do a maintainer upload instead.
>> See proposed patch attached.
>
> NACK, it won't make it into testing this way.

Ok, cancelled.

Best wishes,
Mike

Message #27 received at 776186@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>

To: Cyril Brulebois <kibi@debian.org>

Cc: Michael Gilbert <mgilbert@debian.org>, 776186@bugs.debian.org

Subject: Re: Bug#776186: busybox: CVE-2014-9645

Date: Mon, 2 Mar 2015 16:28:13 +0100

On Mon, Jan 26, 2015 at 04:49:27AM +0100, Cyril Brulebois wrote:
> Michael Gilbert <mgilbert@debian.org> (2015-01-25):
> > control: tag -1 patch, pending
> > 
> > Hi,
> > 
> > I uploaded an nmu fixing this issue to delayed/15.  Please let me know
> > if I can shorten or if you want to do a maintainer upload instead.
> > See proposed patch attached.
> 
> NACK, it won't make it into testing this way.
> 
> See <20150106090747.GC27249@ugent.be> and mails before that.
> 
> Haven't had a chance to upload what I proposed, but I can look at
> including your changes on top of mine, somewhen today. (It was
> basically waiting on the d-i release, which happened earlier.)

I'm slightly confused here. Is 1:1.22.0-9+deb8u1 different from
the upload you mentioned above? 

jessie has CVE-2014-4607 fixed, but not CVE-2014-9645 (which isn't
terribly severe and which could be tagged no-dsa if no further
busybox upload is planned for jessie).

Cheers,
        Moritz

Message #32 received at 776186@bugs.debian.org (full text, mbox, reply):

From: Cyril Brulebois <kibi@debian.org>

To: Moritz Muehlenhoff <jmm@inutil.org>

Cc: Michael Gilbert <mgilbert@debian.org>, 776186@bugs.debian.org

Subject: Re: Bug#776186: busybox: CVE-2014-9645

Date: Mon, 2 Mar 2015 17:53:57 +0100

[Message part 1 (text/plain, inline)]

Moritz Muehlenhoff <jmm@inutil.org> (2015-03-02):
> > NACK, it won't make it into testing this way.
> > 
> > See <20150106090747.GC27249@ugent.be> and mails before that.
> > 
> > Haven't had a chance to upload what I proposed, but I can look at
> > including your changes on top of mine, somewhen today. (It was
> > basically waiting on the d-i release, which happened earlier.)
> 
> I'm slightly confused here. Is 1:1.22.0-9+deb8u1 different from
> the upload you mentioned above? 

It's basically the same thing as I proposed initially, but with
different changes in the git history because 1. the maintainer was
calling me a liar; and 2. the uploader didn't want to touch git, so the
end result is a single commit stating that the NMU was imported, with
the bug closure.

> jessie has CVE-2014-4607 fixed, but not CVE-2014-9645 (which isn't
> terribly severe and which could be tagged no-dsa if no further
> busybox upload is planned for jessie).

I guess someone with enough time could stack this extra change on top of
the jessie branch, and either let it stay there, or upload the package
at the same time.

Sorry, I lost track of that extra fix and didn't think of it when Mehdi
proposed NMUing it for the first CVE fix.

Mraw,
KiBi.

[signature.asc (application/pgp-signature, inline)]

Message #37 received at 776186@bugs.debian.org (full text, mbox, reply):

From: Michael Tokarev <mjt@tls.msk.ru>

To: Cyril Brulebois <kibi@debian.org>, 776186@bugs.debian.org, Moritz Muehlenhoff <jmm@inutil.org>

Cc: Michael Gilbert <mgilbert@debian.org>

Subject: Re: Bug#776186: busybox: CVE-2014-9645

Date: Wed, 04 Mar 2015 12:10:37 +0300

02.03.2015 19:53, Cyril Brulebois wrote:
> Moritz Muehlenhoff <jmm@inutil.org> (2015-03-02):
[]
>> I'm slightly confused here. Is 1:1.22.0-9+deb8u1 different from
>> the upload you mentioned above? 
> 
> It's basically the same thing as I proposed initially, but with
> different changes in the git history because 1. the maintainer was
> calling me a liar; and 2. the uploader didn't want to touch git, so the
> end result is a single commit stating that the NMU was imported, with
> the bug closure.

I was calling you that because of a single word you used - intrusive -
for changes which are a) very localized to d/rules (touching a little
place of it) and b) not affecting anything you care, and especially
not affecting the resulting binaries in any way. And the changes which
were made way before freeze, the package hasn't been unblocked because
of old/buggy glibc installed on some buildds.  And ofcourse I stand
by my words.  Note that much bigger and more intrusive changes were
accepted after the freeze.

>> jessie has CVE-2014-4607 fixed, but not CVE-2014-9645 (which isn't
>> terribly severe and which could be tagged no-dsa if no further
>> busybox upload is planned for jessie).
> 
> I guess someone with enough time could stack this extra change on top of
> the jessie branch, and either let it stay there, or upload the package
> at the same time.
> 
> Sorry, I lost track of that extra fix and didn't think of it when Mehdi
> proposed NMUing it for the first CVE fix.

And now someone please tell me why to do all this.  From a package with
a willing maintainer who cared about the package, from a package which
was in good shape and with all the changes carefully selected for jessie,
to basically an unmaintained package with no one having time to maintain
and no one who cares, exactly the way it was over the years, and which
required a lot of work to get it in some more or less good shape.

Oh well.

/mjt

Message #42 received at 776186@bugs.debian.org (full text, mbox, reply):

From: Cyril Brulebois <kibi@debian.org>

To: Michael Tokarev <mjt@tls.msk.ru>

Cc: 776186@bugs.debian.org, Moritz Muehlenhoff <jmm@inutil.org>, Michael Gilbert <mgilbert@debian.org>

Subject: Re: Bug#776186: busybox: CVE-2014-9645

Date: Wed, 4 Mar 2015 17:10:26 +0100

[Message part 1 (text/plain, inline)]

Michael Tokarev <mjt@tls.msk.ru> (2015-03-04):
> 02.03.2015 19:53, Cyril Brulebois wrote:
> > […]
> I was calling you that because of a single word you used - intrusive -
> for changes which are a) very localized to d/rules (touching a little
> place of it) and b) not affecting anything you care, and especially
> not affecting the resulting binaries in any way. And the changes which
> were made way before freeze, the package hasn't been unblocked because
> of old/buggy glibc installed on some buildds.  And ofcourse I stand
> by my words.  Note that much bigger and more intrusive changes were
> accepted after the freeze.

Meh.

> > I guess someone with enough time could stack this extra change on top of
> > the jessie branch, and either let it stay there, or upload the package
> > at the same time.
> > 
> > Sorry, I lost track of that extra fix and didn't think of it when Mehdi
> > proposed NMUing it for the first CVE fix.
> 
> And now someone please tell me why to do all this.  From a package with
> a willing maintainer who cared about the package, from a package which
> was in good shape and with all the changes carefully selected for jessie,
> to basically an unmaintained package with no one having time to maintain
> and no one who cares, exactly the way it was over the years, and which
> required a lot of work to get it in some more or less good shape.

Looking at the just uploaded -15, I don't understand what you tried to
do there.

In the meanwhile I had been included Michael's proposed fix for
CVE-2014-9645 aka. #776186, as opposed to CVE-2014-4607 aka. #768945,
and successfully testing it in a d-i context.

Since you updated the master branch with what got uploaded, I've pushed
my local branch as pu/776186. I have the same changes for the jessie
branch, and initially planned on first getting stuff into unstable, let
it be tested for a while there, then consider tpu-ing.

Feel free to incorporate bits of the said branch and upload again to
unstable; I can then deal with the jessie part later.


Mraw,
KiBi.

[signature.asc (application/pgp-signature, inline)]

Message #47 received at 776186@bugs.debian.org (full text, mbox, reply):

From: Michael Tokarev <mjt@tls.msk.ru>

To: Cyril Brulebois <kibi@debian.org>

Cc: 776186@bugs.debian.org, Moritz Muehlenhoff <jmm@inutil.org>, Michael Gilbert <mgilbert@debian.org>

Subject: Re: Bug#776186: busybox: CVE-2014-9645

Date: Wed, 04 Mar 2015 19:20:29 +0300

04.03.2015 19:10, Cyril Brulebois wrote:

> Looking at the just uploaded -15, I don't understand what you tried to
> do there.

I didn't upload -15, I just tried to clean up what's left
before I retire, and - unintentionally - pushed things to
git.d.o.  It was my mistake.  More, we have 2 branches, one
master and one debian-unstable, I now don't remember anymore
which is which, my local debian-unstable was set to track
master, yet the d-unstable changes were in debian-unstable
branch, not in master branch.

Now, since you apparently pulled the changes already, should
I keep it this (unreleased but committed) way, or should I
push -f without my last changes?

> In the meanwhile I had been included Michael's proposed fix for
> CVE-2014-9645 aka. #776186, as opposed to CVE-2014-4607 aka. #768945,
> and successfully testing it in a d-i context.
> 
> Since you updated the master branch with what got uploaded, I've pushed

I updated debian-unstable branch long time ago.  I don't remember
why I didn't use master, -- probably because previous maintainer
left it that way, when all development happens in debian-unstable
branch not in master branch.  It was my mistake.  I just wanted
to ensure nothing's left in my local repo before I officially step
out of busybox maintainership.

> my local branch as pu/776186. I have the same changes for the jessie
> branch, and initially planned on first getting stuff into unstable, let
> it be tested for a while there, then consider tpu-ing.
> 
> Feel free to incorporate bits of the said branch and upload again to
> unstable; I can then deal with the jessie part later.

I don't understand what you're saying.  I created a mess in git repo
today which I didn't want to create, I apologize for that and am asking
for advise about what to do with it.  It is not a new upload, I didn't
plan to make uploads really.  But I completely lost understanding of
your intentions, -- it was already completely unclear for me why do
you do all this complex things (branching off some earlier revision
rewriting history, etc) when the solution is much much simpler.  Now
I don't understand anything at all.

Thanks,

/mjt

Message #52 received at 776186@bugs.debian.org (full text, mbox, reply):

From: Cyril Brulebois <kibi@debian.org>

To: Michael Tokarev <mjt@tls.msk.ru>, 776186@bugs.debian.org

Cc: Moritz Muehlenhoff <jmm@inutil.org>, Michael Gilbert <mgilbert@debian.org>

Subject: Re: Bug#776186: busybox: CVE-2014-9645

Date: Wed, 4 Mar 2015 17:49:23 +0100

[Message part 1 (text/plain, inline)]

Michael Tokarev <mjt@tls.msk.ru> (2015-03-04):
> > Looking at the just uploaded -15, I don't understand what you tried
> > to do there.

Woops, I clearly erred here, sorry about that. Got bitten by the
"uploading 1.22.0-15 to unstable" commit…

> I didn't upload -15, I just tried to clean up what's left before I
> retire, and - unintentionally - pushed things to git.d.o.  It was my
> mistake.  More, we have 2 branches, one master and one
> debian-unstable, I now don't remember anymore which is which, my local
> debian-unstable was set to track master, yet the d-unstable changes
> were in debian-unstable branch, not in master branch.
> 
> Now, since you apparently pulled the changes already, should I keep it
> this (unreleased but committed) way, or should I push -f without my
> last changes?

I've been yelled at last time I wanted to push -f stuff in d-i, because
there are a lot of automated systems using it, so I'm now considering it
as something that shouldn't be done.

> > In the meanwhile I had been included Michael's proposed fix for
> > CVE-2014-9645 aka. #776186, as opposed to CVE-2014-4607 aka. #768945,
> > and successfully testing it in a d-i context.
> > 
> > Since you updated the master branch with what got uploaded, I've pushed
> 
> I updated debian-unstable branch long time ago.  I don't remember
> why I didn't use master, -- probably because previous maintainer
> left it that way, when all development happens in debian-unstable
> branch not in master branch.  It was my mistake.  I just wanted
> to ensure nothing's left in my local repo before I officially step
> out of busybox maintainership.
> 
> > my local branch as pu/776186. I have the same changes for the jessie
> > branch, and initially planned on first getting stuff into unstable, let
> > it be tested for a while there, then consider tpu-ing.
> > 
> > Feel free to incorporate bits of the said branch and upload again to
> > unstable; I can then deal with the jessie part later.
> 
> I don't understand what you're saying.  I created a mess in git repo
> today which I didn't want to create, I apologize for that and am asking
> for advise about what to do with it.  It is not a new upload, I didn't
> plan to make uploads really.  But I completely lost understanding of
> your intentions, -- it was already completely unclear for me why do
> you do all this complex things (branching off some earlier revision
> rewriting history, etc) when the solution is much much simpler.  Now
> I don't understand anything at all.

I've fixed the master branch without rewriting it (git merge -s ours),
and uploaded -15 to unstable; after a while there, -9+deb8u2 will get
uploaded to jessie.

Mraw,
KiBi.

[signature.asc (application/pgp-signature, inline)]

Message #57 received at 776186-close@bugs.debian.org (full text, mbox, reply):

From: Cyril Brulebois <kibi@debian.org>

To: 776186-close@bugs.debian.org

Subject: Bug#776186: fixed in busybox 1:1.22.0-15

Date: Wed, 04 Mar 2015 17:33:43 +0000

Source: busybox
Source-Version: 1:1.22.0-15

We believe that the bug you reported is fixed in the latest version of
busybox, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 776186@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Cyril Brulebois <kibi@debian.org> (supplier of updated busybox package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 04 Mar 2015 17:46:34 +0100
Source: busybox
Binary: busybox busybox-static busybox-udeb busybox-syslogd udhcpc udhcpd
Architecture: source amd64 all
Version: 1:1.22.0-15
Distribution: unstable
Urgency: medium
Maintainer: Debian Install System Team <debian-boot@lists.debian.org>
Changed-By: Cyril Brulebois <kibi@debian.org>
Description:
 busybox    - Tiny utilities for small and embedded systems
 busybox-static - Standalone rescue shell with tons of builtin utilities
 busybox-syslogd - Provides syslogd and klogd using busybox
 busybox-udeb - Tiny utilities for the debian-installer (udeb)
 udhcpc     - Provides the busybox DHCP client implementation
 udhcpd     - Provides the busybox DHCP server implementation
Closes: 776186
Changes:
 busybox (1:1.22.0-15) unstable; urgency=medium
 .
   [ Michael Gilbert ]
   * Fix CVE-2014-9645: modprobe accepts paths as modules (closes: #776186).
Checksums-Sha1:
 476e15966fe4480bb8507f93a76408eaca540f4f 2269 busybox_1.22.0-15.dsc
 d880ef7426cc2532724afaef51f177cedec962c6 54840 busybox_1.22.0-15.debian.tar.xz
 809222ba11fa504e328555bb8ec97f83ad2b3426 392008 busybox_1.22.0-15_amd64.deb
 cd618d63bcbdaf4139e63f39a49a5e259026ea27 841108 busybox-static_1.22.0-15_amd64.deb
 afbb4a59f1d4420cb44cf5575753010259409f81 175156 busybox-udeb_1.22.0-15_amd64.udeb
 b5a7c9a542beb20aae6bd8c02eec7fbc370212f0 23886 busybox-syslogd_1.22.0-15_all.deb
 042926601d28c14bf86fa34ec818ff55b86c7be5 22034 udhcpc_1.22.0-15_amd64.deb
 cd34db7a870ed959f9acb5ade3875d5774347bab 24768 udhcpd_1.22.0-15_amd64.deb
Checksums-Sha256:
 78b9442cd75b2cd6e063a34c5fd460e3219b1e4453f802f4d3f97122312f7886 2269 busybox_1.22.0-15.dsc
 bb4bddb5560f336c18871b44c6a325282e30ebf11416b79aa692e16a0a7f6574 54840 busybox_1.22.0-15.debian.tar.xz
 dbf5678f363a1b622b4c24fa20cc64854c6f80b2c02ba6c584f822405ca280b1 392008 busybox_1.22.0-15_amd64.deb
 22fda404294a8988ca7c1ad7330e8a1246c19f7393d3c5072c7e8b78eb4c9321 841108 busybox-static_1.22.0-15_amd64.deb
 ce5eb35b3a08592c7b5097bafb66690aa8fb11986941e83b4391ff1597991abc 175156 busybox-udeb_1.22.0-15_amd64.udeb
 d86f531955c8a2faede6c1a0280f8e4faa532c00abbe63812a2e6a5fd3dde55f 23886 busybox-syslogd_1.22.0-15_all.deb
 3622bd8b03fe5019d371a67eb24bff232d526e1136cf83a5b57917f883ce1ad2 22034 udhcpc_1.22.0-15_amd64.deb
 1713105f6db33b019077b095e883477ae8207a6dcfbb01767444e0478643cfab 24768 udhcpd_1.22.0-15_amd64.deb
Files:
 f041e9d25455417ffc64b1f0f11da84f 2269 utils optional busybox_1.22.0-15.dsc
 2a47c430b62ddbbd37a9a76abe455cda 54840 utils optional busybox_1.22.0-15.debian.tar.xz
 874ee77d5f9ae29d974f8af73dbda193 392008 utils optional busybox_1.22.0-15_amd64.deb
 762946ce727d0a1e537298a70d29736c 841108 shells extra busybox-static_1.22.0-15_amd64.deb
 9a34ab474279aad48e7d7883491194c2 175156 debian-installer extra busybox-udeb_1.22.0-15_amd64.udeb
 43ac9a8513d71b0677ed4cdc026cec67 23886 utils optional busybox-syslogd_1.22.0-15_all.deb
 5754e07a50ab4dd67a1cfc226623ad5e 22034 net optional udhcpc_1.22.0-15_amd64.deb
 7f68d7f497d05dfcd73afab9f838953e 24768 net optional udhcpd_1.22.0-15_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJU90CbAAoJEP+RSvDCs1UgENUP/32KGkNTGD5fNy0PKppbZocw
Mql14o2dfmGMnwQYpggeon4GKVaCZcniu/w66u76/SadZzbbivD5/04hZ2Cv3IIE
O5sI4JbZbityMiUn3aT1h6Jd4Ts3XnEfFcjvPcsxd0Pu3o06FWu+9EaicuuBxxMC
qVYyY4fau25UEbjbnIgF9we1rV772jJ2C0rK1XrubMo3SO3Le8Nb9kdibmn69RSZ
ZLkw/Z3JUeF1Uj+v5QNY+XMG3CyOb+nwpG488pprrM4B3Kh/0IIy8cW5KEZY5TiK
v7OEHzNKrTNkCeK1cxaOEEIiq1znJ/t1ReuLXSlsgbOpLLiqdjyoaa61ZyY5XRkK
L9EpbumdzbYEabeuh4HNs3kzRt++p+TKTYuM/17+C0uPP1XMZusTVWzp6UDuYPW8
C7cqyvUNlq45alxj6+QedSDKLyC4s0mrpkLDNxtj3HkGR0WwpdR3HdcQnIOKb+Uc
OCW7Y0jJhzEcR6DLHnJK0/DKshKlbqzDoAPIMt35ZpyWhJA0Fzc4lEDN0Hb8u11/
qMJqDSMA814e6xpsBax9nVAnY16en4SQSFyHr0uWGu93gQjQS3lw85StnFtxCw/B
RtA5L0DkO2obmJ9KdyPjBEK7swsQVD2Y5JDpBjYxtN3oR3jhu8f2RM+woOIIkrJj
E1BdoYuo/lc+fD3y/pMb
=pt6u
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.