
Re: Stop reporting non-bugs as bugs!



John Goerzen wrote:
> One thing that REALLY bothers me is that each bug he reported contains 
> this at the end:
> 
> "This message is hastily written . . . Its contents may be
> deliberately or accidentally untrue."
> 
> Deliberately untrue???  When reporting a bug?

Another thing that really bothers me is that he sent critical bugs
maintonly. That's really counterproductive, it means that a few hundred
pairs of eyes don't immediately get to see the bugs and devise fixes.
 
> Now let's take a look at most of the other bugs:

All of these should be closed. You've given fine explanations that can be
used in closing them.

> #24897 has changes to documentation.  Not a bug.  Send it upstream.

Well, I think this is a valid wishlist bug, though I haven't read it.

> Now then, that leaves two bugs that may indeed be serious (one of
> which doesn't have any useful information in it, the other seems to
> have a misunderstanding of the setuid mechanism) and one or two that I 
> skipped because I'm not familiar enough with cfingerd's extra features 
> to comment.

Since these bugs were sent maintonly, every debian developer who normally
subscribes to debian-bugs-dist was denied the opportunity to look at them.
So I will post the full text to them here.

Bug #24898:

Package: cfingerd
Version: 1.3.2-11
Severity: critical

This is an upstream security bug.

cfingerd version 1.3.2 contains at least 3 buffer overruns which
occur while running with root privileges.  Although an exploit
has not been developed this is likely to be a security hole.

The bug has been confirmed through source code review and
testing on a single machine.  Independent confirmation should
be obtained just in case I am mistaken anyway.

Details of the bug are being deliberately withheld to give
sysadmins time to replace the program before the bug is
exploited.

The details will be mailed directly to the maintainers upon
request, please send e-mail to jbj@image.dk and state why
you have a legitimate interest in this sensitive information.

2 of the bugs are enabled in the default Debian configuration.

I am now using Debian 2.0 kernel 2.0.33 (compiled by me) libc-2.0.7.
I have abstained from running cfingerd at this time, but am keeping
a copy in a non-executable form.

-- 
This message is hastily written, please ignore any unpleasant wordings,
do not consider it a binding commitment, even if its phrasing may
indicate so. Its contents may be deliberately or accidentally untrue.
Trademarks and other things belong to their owners, if any.

---------------------

Bug #24905:

Package: cfingerd
Version: 1.3.2-11
Severity: important

This is an upstream security bug.

cfingerd version 1.3.2 runs all external executables and
scripts with root privileges.  This includes fake user
scripts, user invoked scripts and all helper applications.

This is likely to open up all kinds of security holes
because these scripts were never written to be run
as suid root.

The bug has been confirmed through source code review and
testing on a single machine.  Independent confirmation should
be obtained just in case I am mistaken anyway.

For more information, please read privs.h in the cfingerd
source and understand, that as long as cfingerd can issue
a sequence of system calls to regain root privileges, so
can any script invoked from cfingerd, as well as any
code a hacker may fool cfingerd into executing (e.g. by
means of a buffer overrun).

Luckily most, but not all external scripts have been disabled
in the default Debian configuration.  One of the remaining
scripts is a pipe invoked when fingering userlist-only@hostname.

As a simple test, enable a fakeuser and modify the script to look
like this:

#!/bin/bash
echo ${UID} ${EUID}

Then finger the fakeuser and notice that the output looks like
this:

0 0

meaning root root!

I am now using Debian 2.0 kernel 2.0.33 (compiled by me) libc-2.0.7.
I am not currently running cfingerd, but am keeping a copy in
non-executable form.

-- 
This message is hastily written, please ignore any unpleasant wordings,
do not consider it a binding commitment, even if its phrasing may
indicate so. Its contents may be deliberately or accidentally untrue.
Trademarks and other things belong to their owners, if any.

-----------

I'd like to bring up a final point. Whether these bug submissions were done
in good faith or not (and I have my doubts..), this has shown that a third
party can use the BTS to stall a major debian release by just releasing
vague severity critical bugs. I find that frightening.

-- 
see shy jo
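The privs.h argument in #24905 (if cfingerd can issue a sequence of system calls to get root back, so can anything it execs) comes down to the real/effective/saved uid rules. The following is an added example, not cfingerd's code and not a reproduction of privs.h: a small model of the Linux uid rules that compares a temporary drop (seteuid only) with a permanent drop (setresuid, or setuid while still root) and runs the "can the script regain root?" check a maintainer would want after either. The uid 65534 ("nobody"), the function names and the treatment of "euid == 0" as the privileged (CAP_SETUID) case are assumptions of the demo.

```c
/*
 * Added example: a model of the Linux real/effective/saved uid rules, used
 * to show why a root daemon that only *temporarily* drops privilege with
 * seteuid() hands root to every script it runs, while a *permanent* drop
 * (setresuid(), or setuid() while still root) does not.  Not cfingerd's
 * privs.h.  Assumptions: uid 65534 ("nobody") as the unprivileged id, and
 * "euid == 0" standing in for CAP_SETUID.
 */
#include <stdbool.h>
#include <stdio.h>

typedef struct { unsigned ruid, euid, suid; } cred_t;

#define NOBODY 65534u   /* assumed unprivileged uid for the demo */

static bool privileged(const cred_t *c) { return c->euid == 0; }

static bool in_set(const cred_t *c, unsigned u)
{
    return u == c->ruid || u == c->euid || u == c->suid;
}

/* setuid(2): root sets all three ids; anyone else may change only the
 * effective id, and only to the current real or saved id. */
static int m_setuid(cred_t *c, unsigned u)
{
    if (privileged(c)) { c->ruid = c->euid = c->suid = u; return 0; }
    if (u == c->ruid || u == c->suid) { c->euid = u; return 0; }
    return -1;                              /* EPERM */
}

/* seteuid(2): the effective id may be set to any of the three current ids. */
static int m_seteuid(cred_t *c, unsigned u)
{
    if (privileged(c) || in_set(c, u)) { c->euid = u; return 0; }
    return -1;                              /* EPERM */
}

/* setresuid(2): unprivileged callers may only pick from the current ids. */
static int m_setresuid(cred_t *c, unsigned r, unsigned e, unsigned s)
{
    if (!privileged(c) && !(in_set(c, r) && in_set(c, e) && in_set(c, s)))
        return -1;                          /* EPERM */
    c->ruid = r; c->euid = e; c->suid = s;
    return 0;
}

/* execve(2) of a non-setuid program: ruid/euid carry over, suid := euid. */
static void m_execve(cred_t *c) { c->suid = c->euid; }

/* The check to run after any privilege drop: can this process (or anything
 * it execs) get euid 0 back by any of the three calls?  Works on a copy. */
static bool can_regain_root(cred_t c)
{
    cred_t t;
    t = c; if (m_setuid(&t, 0) == 0 && privileged(&t)) return true;
    t = c; if (m_seteuid(&t, 0) == 0 && privileged(&t)) return true;
    t = c; if (m_setresuid(&t, 0, 0, 0) == 0) return true;
    return false;
}

/* Temporary drop: seteuid(), fork, exec the script.  The child still has
 * ruid 0, so an unprivileged setuid(0) succeeds for it. */
static bool script_gets_root_after_temp_drop(void)
{
    cred_t srv = {0, 0, 0};
    m_seteuid(&srv, NOBODY);           /* (0, 65534, 0): only euid changed */
    cred_t script = srv;               /* fork() copies credentials */
    m_execve(&script);                 /* (0, 65534, 65534) */
    return can_regain_root(script);
}

/* Permanent drop: set all three ids before exec.  setuid(u) while still
 * root does the same; setresuid() makes the intent explicit. */
static bool script_gets_root_after_perm_drop(void)
{
    cred_t srv = {0, 0, 0};
    m_setresuid(&srv, NOBODY, NOBODY, NOBODY);   /* (65534, 65534, 65534) */
    cred_t script = srv;
    m_execve(&script);
    return can_regain_root(script);
}

int main(void)
{
    printf("temporary drop (seteuid):   script can regain root = %s\n",
           script_gets_root_after_temp_drop() ? "yes" : "no");
    printf("permanent drop (setresuid): script can regain root = %s\n",
           script_gets_root_after_perm_drop() ? "yes" : "no");
    return 0;
}
```

One consequence worth knowing when reading the `echo ${UID} ${EUID}` test in #24905: bash started with euid != ruid and without -p sets its effective id back to the real id, which in the temporary-drop case is a setuid(0) that the kernel permits because ruid is 0. So that script prints `0 0` whether the daemon never changed its euid or only changed it temporarily; only a drop that changes all three ids makes the script print an unprivileged id.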

