Debian Bug report logs -
#440411
checkrestart: arbitrary root-privileged command execution
Reported by: Thomas de Grenier de Latour <degrenier@easyconnect.fr>
Date: Sat, 1 Sep 2007 10:45:02 UTC
Severity: grave
Tags: security
Found in versions debian-goodies/0.33, debian-goodies/0.27, 0.23
Fixed in versions debian-goodies/0.34, debian-goodies/0.23+sarge1, debian-goodies/0.27+etch4
Done: Thijs Kinkhorst <thijs@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded to debian-bugs-dist@lists.debian.org, Javier Fernandez-Sanguino Pen~a <jfs@debian.org>:
Bug#440411; Package debian-goodies.
(full text, mbox, link).
Acknowledgement sent to Thomas de Grenier de Latour <degrenier@easyconnect.fr>:
New Bug report received and forwarded. Copy sent to Javier Fernandez-Sanguino Pen~a <jfs@debian.org>.
(full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: debian-goodies
Version: 0.33
Severity: grave
Tags: security
Hi,
The checkrestart program from debian-goodies (both latest 0.33 and
stable 0.27) allows arbitrary command execution with root privileges.
Example:
$ cp /bin/sleep "; OWNED"
$ ./"; OWNED" 1000 &
$ rm "; OWNED"
$ sudo checkrestart
...
sh: OWNED: command not found
...
Since this program is likely launched as a daily root cron job on some
systems, I think this is a grave security hole.
The cause of the problem is the way "dpkg --search" is spawned
from the main() function:
...
dpkgQuery = 'dpkg --search ' + ' '.join(programs.keys())
for line in os.popen(dpkgQuery).readlines():
...
In my above example, one of the programs.keys() is "; OWNED", and thus
the executed command is "dpkg --search ... ; OWNED ...".
Fixing this should be as easy as:
...
import subprocess
...
dpkgQuery = ["dpkg", "--search"] + programs.keys()
dpkgProc = subprocess.Popen(dpkgQuery, stdout=subprocess.PIPE)
for line in dpkgProc.stdout.readlines():
...
This way, the command arguments are all well separated, without any
shell interpretation.
PS: sorry for any mistake i may have done in the way i've reported this
bug. I'm not a Debian user, so i'm not used to your system. Actually,
i just happened to come accross this "checkrestart" script reading a
gentoo-dev@ post:
http://article.gmane.org/gmane.linux.gentoo.devel/51366/
--
TGL.
Bug marked as found in version 0.27.
Request was from Thomas de Grenier de Latour <degrenier@easyconnect.fr>
to control@bugs.debian.org.
(Sat, 01 Sep 2007 11:45:01 GMT) (full text, mbox, link).
Bug marked as found in version 0.23.
Request was from Thomas de Grenier de Latour <degrenier@easyconnect.fr>
to control@bugs.debian.org.
(Sat, 01 Sep 2007 11:57:02 GMT) (full text, mbox, link).
Information forwarded to debian-bugs-dist@lists.debian.org, Javier Fernandez-Sanguino Pen~a <jfs@debian.org>:
Bug#440411; Package debian-goodies.
(full text, mbox, link).
Acknowledgement sent to Javier Fernández-Sanguino Peña <jfs@computer.org>:
Extra info received and forwarded to list. Copy sent to Javier Fernandez-Sanguino Pen~a <jfs@debian.org>.
(full text, mbox, link).
Message #14 received at 440411@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
On Sat, Sep 01, 2007 at 12:42:19PM +0200, Thomas de Grenier de Latour wrote:
> The checkrestart program from debian-goodies (both latest 0.33 and
> stable 0.27) allows arbitrary command execution with root privileges.
Thanks. I was not aware of this bug.
> Since this program is likely launched as a daily root cron job on some
> systems, I think this is a grave security hole.
Actually, it should not be executed as a daily cron job, but should be run
manually by an admin.
> This way, the command arguments are all well separated, without any
> shell interpretation.
Thanks, I will test out the patch and fix this as soon as possible.
> PS: sorry for any mistake i may have done in the way i've reported this
> bug. I'm not a Debian user, so i'm not used to your system. Actually,
(...)
The bug has been reported just fine.
Regards
Javier
[signature.asc (application/pgp-signature, inline)]
Reply sent to Javier Fernandez-Sanguino Pen~a <jfs@debian.org>:
You have taken responsibility.
(full text, mbox, link).
Notification sent to Thomas de Grenier de Latour <degrenier@easyconnect.fr>:
Bug acknowledged by developer.
(full text, mbox, link).
Message #19 received at 440411-close@bugs.debian.org (full text, mbox, reply):
Source: debian-goodies
Source-Version: 0.34
We believe that the bug you reported is fixed in the latest version of
debian-goodies, which is due to be installed in the Debian FTP archive:
debian-goodies_0.34.dsc
to pool/main/d/debian-goodies/debian-goodies_0.34.dsc
debian-goodies_0.34.tar.gz
to pool/main/d/debian-goodies/debian-goodies_0.34.tar.gz
debian-goodies_0.34_all.deb
to pool/main/d/debian-goodies/debian-goodies_0.34_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 440411@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Javier Fernandez-Sanguino Pen~a <jfs@debian.org> (supplier of updated debian-goodies package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sun, 02 Sep 2007 23:07:30 +0200
Source: debian-goodies
Binary: debian-goodies
Architecture: source all
Version: 0.34
Distribution: unstable
Urgency: high
Maintainer: Javier Fernandez-Sanguino Pen~a <jfs@debian.org>
Changed-By: Javier Fernandez-Sanguino Pen~a <jfs@debian.org>
Description:
debian-goodies - Small toolbox-style utilities for Debian systems
Closes: 440411
Changes:
debian-goodies (0.34) unstable; urgency=high
.
* Fix security bug that enables users to generate files in the
filesystem with shell metacharacters and have the checkrestart
script run external code (as root, since the script will only
run as admin) (Closes: 440411)
Files:
ba71a7cecbfb0c053fb3bdd5c5d1444b 530 utils optional debian-goodies_0.34.dsc
5377a64b6065c5b96e7409554754eadf 37345 utils optional debian-goodies_0.34.tar.gz
80ded012d3d83b6552171206df57f7bd 44854 utils optional debian-goodies_0.34_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFG2yajsandgtyBSwkRAkPaAJkBRYtUTlKPSbnFA4t0bspZloB61QCcDWBt
N9hG19lBaOIfiR+cqtSr8sQ=
=pOLa
-----END PGP SIGNATURE-----
Information forwarded to debian-bugs-dist@lists.debian.org, Javier Fernandez-Sanguino Pen~a <jfs@debian.org>:
Bug#440411; Package debian-goodies.
(full text, mbox, link).
Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Javier Fernandez-Sanguino Pen~a <jfs@debian.org>.
(full text, mbox, link).
Message #24 received at 440411@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi,
This is CVE-2007-3912.
Please add it (retroactively) to the changelog.
Thijs
[Message part 2 (application/pgp-signature, inline)]
Information forwarded to debian-bugs-dist@lists.debian.org, Javier Fernandez-Sanguino Pen~a <jfs@debian.org>:
Bug#440411; Package debian-goodies.
(full text, mbox, link).
Acknowledgement sent to Javier Fernández-Sanguino Peña <jfs@computer.org>:
Extra info received and forwarded to list. Copy sent to Javier Fernandez-Sanguino Pen~a <jfs@debian.org>.
(full text, mbox, link).
Message #29 received at 440411@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
On Tue, Sep 04, 2007 at 10:20:47AM +0200, Thijs Kinkhorst wrote:
> Hi,
>
> This is CVE-2007-3912.
> Please add it (retroactively) to the changelog.
Done, will commit it in 0.35
Javier
[signature.asc (application/pgp-signature, inline)]
Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility.
(full text, mbox, link).
Notification sent to Thomas de Grenier de Latour <degrenier@easyconnect.fr>:
Bug acknowledged by developer.
(full text, mbox, link).
Message #34 received at 440411-close@bugs.debian.org (full text, mbox, reply):
Source: debian-goodies
Source-Version: 0.23+sarge1
We believe that the bug you reported is fixed in the latest version of
debian-goodies, which is due to be installed in the Debian FTP archive:
debian-goodies_0.23+sarge1.dsc
to pool/main/d/debian-goodies/debian-goodies_0.23+sarge1.dsc
debian-goodies_0.23+sarge1.tar.gz
to pool/main/d/debian-goodies/debian-goodies_0.23+sarge1.tar.gz
debian-goodies_0.23+sarge1_all.deb
to pool/main/d/debian-goodies/debian-goodies_0.23+sarge1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 440411@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated debian-goodies package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Mon, 24 Mar 2008 15:13:00 +0100
Source: debian-goodies
Binary: debian-goodies
Architecture: source all
Version: 0.23+sarge1
Distribution: oldstable-security
Urgency: high
Maintainer: Matt Zimmerman <mdz@debian.org>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description:
debian-goodies - Small toolbox-style utilities for Debian systems
Closes: 440411
Changes:
debian-goodies (0.23+sarge1) oldstable-security; urgency=high
.
* Non-maintainer upload by the security team.
* Fix security bug that enables users to generate files in the
filesystem with shell metacharacters and have the checkrestart
script run external code (as root, since the script will only
run as admin). (CVE-2007-3912, closes: 440411)
Files:
37eb124fef7c9897ea41ec861ec740ff 819 utils optional debian-goodies_0.23+sarge1.dsc
e0834e7e962fabc65362a60c73362585 11779 utils optional debian-goodies_0.23+sarge1.tar.gz
c8bc8eab12c7e3f29e53f4172ee837a4 22488 utils optional debian-goodies_0.23+sarge1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iQEVAwUBR+e5Y2z0hbPcukPfAQLBLAgAjN7dJp97Yis19s5xaPKcxKDfFUWD5Fcf
w4RFo1Y9v/A0ra0oP4zQMijI8og2kyMhcYQPDQyaQU5nr4oihjVqb/b5hpYDhe2Y
T0ErjGTHkBdgYJf6+NX3DNmCbvAnhSKkk7hsCP1r0q/PJQW7cVupah8JpesmysE2
+9ULUqWK1iP6sfeGh6OfC7qonj8va2Gq1uYaxbLd8wHgs53qkaiZZjdcTGRTwKUy
DSNwJVGz6KNFeiqFIsYDQz6HPtCMNhP/5UKquF2hvol6UHZXyNy89Feci544fIY9
p7MIE/hzPy30HxzR560rgDaZPHaOvqNpsqx7TdoIhkadNWO9paj2MA==
=pm4Q
-----END PGP SIGNATURE-----
Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility.
(full text, mbox, link).
Notification sent to Thomas de Grenier de Latour <degrenier@easyconnect.fr>:
Bug acknowledged by developer.
(full text, mbox, link).
Message #39 received at 440411-close@bugs.debian.org (full text, mbox, reply):
Source: debian-goodies
Source-Version: 0.27+etch4
We believe that the bug you reported is fixed in the latest version of
debian-goodies, which is due to be installed in the Debian FTP archive:
debian-goodies_0.27+etch4.dsc
to pool/main/d/debian-goodies/debian-goodies_0.27+etch4.dsc
debian-goodies_0.27+etch4.tar.gz
to pool/main/d/debian-goodies/debian-goodies_0.27+etch4.tar.gz
debian-goodies_0.27+etch4_all.deb
to pool/main/d/debian-goodies/debian-goodies_0.27+etch4_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 440411@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated debian-goodies package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Mon, 24 Mar 2008 15:25:59 +0100
Source: debian-goodies
Binary: debian-goodies
Architecture: source all
Version: 0.27+etch4
Distribution: stable-security
Urgency: high
Maintainer: Javier Fernandez-Sanguino Pen~a <jfs@computer.org>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description:
debian-goodies - Small toolbox-style utilities for Debian systems
Closes: 440411
Changes:
debian-goodies (0.27+etch4) stable-security; urgency=high
.
* Fix security bug that enables users to generate files in the
filesystem with shell metacharacters and have the checkrestart
script run external code (as root, since the script will only
run as admin). Thanks to Thomas de Grenier de Latour for spotting
this and providing a patch. (CVE-2007-3912, Closes: 440411)
Files:
8653d033f9e6b9f0949fab2cc1813970 836 utils optional debian-goodies_0.27+etch4.dsc
089ff8f154eb3fe4bc47dd85f1581a65 28708 utils optional debian-goodies_0.27+etch4.tar.gz
2739973911e8b0d9ec12559507f6a708 36868 utils optional debian-goodies_0.27+etch4_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iQEVAwUBR+e62mz0hbPcukPfAQJYoAf/Vpo+8A6hntrKOR7jDp4pGT9v7HWhhJDS
wltzzk4odJkE4OFrIi69roUACp6O46xRAvCi1KJjj/JizXjmcNGPsYoXq7sSUPNS
uK7GZ0/Cnf70ArAM8hvu7m1+nggs7DEB/LdhJWvItYKufD4oBAP7XihDQPVe5kIr
TCufoECwlt/Xd38bKR3dDWoP/Iu39JJ6vhVL84lKxt5d1viQ3cetajGzkWqnESdj
srmuwclluK+gq68/va2blvgcKaZRweD8FI2YM5mF1P3OHdzPn2fGN7vK7YfsGZBh
x8MYgNVkI5LGZE9QnDKLtF9ag5xPvWaPTo1PRcgITwdlyABaHI8CTQ==
=3f0S
-----END PGP SIGNATURE-----
Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility.
(full text, mbox, link).
Notification sent to Thomas de Grenier de Latour <degrenier@easyconnect.fr>:
Bug acknowledged by developer.
(full text, mbox, link).
Message #44 received at 440411-close@bugs.debian.org (full text, mbox, reply):
Source: debian-goodies
Source-Version: 0.23+sarge1
We believe that the bug you reported is fixed in the latest version of
debian-goodies, which is due to be installed in the Debian FTP archive:
debian-goodies_0.23+sarge1.dsc
to pool/main/d/debian-goodies/debian-goodies_0.23+sarge1.dsc
debian-goodies_0.23+sarge1.tar.gz
to pool/main/d/debian-goodies/debian-goodies_0.23+sarge1.tar.gz
debian-goodies_0.23+sarge1_all.deb
to pool/main/d/debian-goodies/debian-goodies_0.23+sarge1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 440411@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated debian-goodies package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Mon, 24 Mar 2008 15:13:00 +0100
Source: debian-goodies
Binary: debian-goodies
Architecture: source all
Version: 0.23+sarge1
Distribution: oldstable-security
Urgency: high
Maintainer: Matt Zimmerman <mdz@debian.org>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description:
debian-goodies - Small toolbox-style utilities for Debian systems
Closes: 440411
Changes:
debian-goodies (0.23+sarge1) oldstable-security; urgency=high
.
* Non-maintainer upload by the security team.
* Fix security bug that enables users to generate files in the
filesystem with shell metacharacters and have the checkrestart
script run external code (as root, since the script will only
run as admin). (CVE-2007-3912, closes: 440411)
Files:
37eb124fef7c9897ea41ec861ec740ff 819 utils optional debian-goodies_0.23+sarge1.dsc
e0834e7e962fabc65362a60c73362585 11779 utils optional debian-goodies_0.23+sarge1.tar.gz
c8bc8eab12c7e3f29e53f4172ee837a4 22488 utils optional debian-goodies_0.23+sarge1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iQEVAwUBR+e5Y2z0hbPcukPfAQLBLAgAjN7dJp97Yis19s5xaPKcxKDfFUWD5Fcf
w4RFo1Y9v/A0ra0oP4zQMijI8og2kyMhcYQPDQyaQU5nr4oihjVqb/b5hpYDhe2Y
T0ErjGTHkBdgYJf6+NX3DNmCbvAnhSKkk7hsCP1r0q/PJQW7cVupah8JpesmysE2
+9ULUqWK1iP6sfeGh6OfC7qonj8va2Gq1uYaxbLd8wHgs53qkaiZZjdcTGRTwKUy
DSNwJVGz6KNFeiqFIsYDQz6HPtCMNhP/5UKquF2hvol6UHZXyNy89Feci544fIY9
p7MIE/hzPy30HxzR560rgDaZPHaOvqNpsqx7TdoIhkadNWO9paj2MA==
=pm4Q
-----END PGP SIGNATURE-----
Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility.
(full text, mbox, link).
Notification sent to Thomas de Grenier de Latour <degrenier@easyconnect.fr>:
Bug acknowledged by developer.
(full text, mbox, link).
Message #49 received at 440411-close@bugs.debian.org (full text, mbox, reply):
Source: debian-goodies
Source-Version: 0.27+etch4
We believe that the bug you reported is fixed in the latest version of
debian-goodies, which is due to be installed in the Debian FTP archive:
debian-goodies_0.27+etch4.dsc
to pool/main/d/debian-goodies/debian-goodies_0.27+etch4.dsc
debian-goodies_0.27+etch4.tar.gz
to pool/main/d/debian-goodies/debian-goodies_0.27+etch4.tar.gz
debian-goodies_0.27+etch4_all.deb
to pool/main/d/debian-goodies/debian-goodies_0.27+etch4_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 440411@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated debian-goodies package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Mon, 24 Mar 2008 15:25:59 +0100
Source: debian-goodies
Binary: debian-goodies
Architecture: source all
Version: 0.27+etch4
Distribution: stable-security
Urgency: high
Maintainer: Javier Fernandez-Sanguino Pen~a <jfs@computer.org>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description:
debian-goodies - Small toolbox-style utilities for Debian systems
Closes: 440411
Changes:
debian-goodies (0.27+etch4) stable-security; urgency=high
.
* Fix security bug that enables users to generate files in the
filesystem with shell metacharacters and have the checkrestart
script run external code (as root, since the script will only
run as admin). Thanks to Thomas de Grenier de Latour for spotting
this and providing a patch. (CVE-2007-3912, Closes: 440411)
Files:
8653d033f9e6b9f0949fab2cc1813970 836 utils optional debian-goodies_0.27+etch4.dsc
089ff8f154eb3fe4bc47dd85f1581a65 28708 utils optional debian-goodies_0.27+etch4.tar.gz
2739973911e8b0d9ec12559507f6a708 36868 utils optional debian-goodies_0.27+etch4_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iQEVAwUBR+e62mz0hbPcukPfAQJYoAf/Vpo+8A6hntrKOR7jDp4pGT9v7HWhhJDS
wltzzk4odJkE4OFrIi69roUACp6O46xRAvCi1KJjj/JizXjmcNGPsYoXq7sSUPNS
uK7GZ0/Cnf70ArAM8hvu7m1+nggs7DEB/LdhJWvItYKufD4oBAP7XihDQPVe5kIr
TCufoECwlt/Xd38bKR3dDWoP/Iu39JJ6vhVL84lKxt5d1viQ3cetajGzkWqnESdj
srmuwclluK+gq68/va2blvgcKaZRweD8FI2YM5mF1P3OHdzPn2fGN7vK7YfsGZBh
x8MYgNVkI5LGZE9QnDKLtF9ag5xPvWaPTo1PRcgITwdlyABaHI8CTQ==
=3f0S
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 24 Aug 2008 07:26:53 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 15:46:16 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon