
Bug#852990: marked as done (unblock: s-nail/14.8.16-1)



Your message dated Sat, 28 Jan 2017 18:25:58 +0000
with message-id <20170128182558.ewk3oul7mnjsyxnb@powdarrmonkey.net>
and subject line Re: Bug#852990: unblock: s-nail/14.8.16-1
has caused the Debian Bug report #852990,
regarding unblock: s-nail/14.8.16-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
852990: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=852990
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi

Please unblock package s-nail

The upload to unstable with a new upstream version (but only
containing the changes to fix this issue), address #852934, a local
root privilege escalation.

Details were posted at
http://www.openwall.com/lists/oss-security/2017/01/27/7

>s-nail (14.8.16-1) unstable; urgency=medium
>
>  * New upstream version 14.8.16
>    - Fixes local root privilege escalation (Closes: #852934)
>
> -- Hilko Bengen <bengen@debian.org>  Sat, 28 Jan 2017 12:32:17 +0100

I'm attaching the debdiff from the current version in unstable. The
previous version should have migrated to testing in time before the
release. But I can as well attach the debdiff to that version if
needed.

unblock s-nail/14.8.16-1

Regards,
Salvatore
diff -Nru s-nail-14.8.15/debian/changelog s-nail-14.8.16/debian/changelog
--- s-nail-14.8.15/debian/changelog	2017-01-19 16:40:01.000000000 +0100
+++ s-nail-14.8.16/debian/changelog	2017-01-28 12:32:17.000000000 +0100
@@ -1,3 +1,10 @@
+s-nail (14.8.16-1) unstable; urgency=medium
+
+  * New upstream version 14.8.16
+    - Fixes local root privilege escalation (Closes: #852934)
+
+ -- Hilko Bengen <bengen@debian.org>  Sat, 28 Jan 2017 12:32:17 +0100
+
 s-nail (14.8.15-1) unstable; urgency=medium
 
   * New upstream version 14.8.15
diff -Nru s-nail-14.8.15/nail.1 s-nail-14.8.16/nail.1
--- s-nail-14.8.15/nail.1	2017-01-17 15:38:05.000000000 +0100
+++ s-nail-14.8.16/nail.1	2017-01-27 21:33:45.000000000 +0100
@@ -34,9 +34,9 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.\"@ S-nail(1): v14.8.15 / 2017-01-17
-.Dd Jan 17, 2017
-.ds VV \\%v14.8.15
+.\"@ S-nail(1): v14.8.16 / 2017-01-27
+.Dd Jan 27, 2017
+.ds VV \\%v14.8.16
 .\"--MKMAN-START--
 .ds UU \\%S-NAIL
 .ds UA \\%S-nail
diff -Nru s-nail-14.8.15/nail.rc s-nail-14.8.16/nail.rc
--- s-nail-14.8.15/nail.rc	2017-01-17 15:38:05.000000000 +0100
+++ s-nail-14.8.16/nail.rc	2017-01-27 21:33:45.000000000 +0100
@@ -1,7 +1,7 @@
 #--MKRC-START--
 # /etc/s-nail.rc - configuration file for S-nail(1)
 #--MKRC-END--
-#@ S-nail(1): v14.8.15 / 2017-01-17
+#@ S-nail(1): v14.8.16 / 2017-01-27
 
 ## The standard POSIX 2008/Cor 1-2013 mandates the following initial settings:
 # (Keep in sync: ./main.c:_startup(), ./nail.rc, ./nail.1:"Initial settings"!)
diff -Nru s-nail-14.8.15/NEWS s-nail-14.8.16/NEWS
--- s-nail-14.8.15/NEWS	2017-01-17 15:38:05.000000000 +0100
+++ s-nail-14.8.16/NEWS	2017-01-27 21:33:45.000000000 +0100
@@ -1,6 +1,28 @@
 S - n a i l  N e w s
 ====================
 
+v14.8.16 ("Copris lunaris"), 2017-01-27
+---------------------------------------
+
+Fixes an at least theoretical security vulnerability of the
+privilege-separated child, which does not strip path separators
+from arguments.
+
+It thus can be forced (by a local attacker) to create an exclusive
+file for a very short time -- if that happens to be in a PolicyKit
+directory, and if the supervising program is capable to inject
+some PolicyKit directives, and if PolicyKit reads those directives
+before the file is unlink(2)ed again (after an fchown(2) followed
+by link(2)), then the written directives could force PolicyKit to
+do bad things.
+
+Anyway inotifyd hooks could be triggered when they shouldn't.
+Sorry.
+
+Thanks to wapiflapi for reporting this issue!
+
+We welcome wapiflapi in THANKS!
+
 v14.8.15 ("Scarabaeus sacer"), 2017-01-17
 -----------------------------------------
 
diff -Nru s-nail-14.8.15/privsep.c s-nail-14.8.16/privsep.c
--- s-nail-14.8.15/privsep.c	2017-01-17 15:38:05.000000000 +0100
+++ s-nail-14.8.16/privsep.c	2017-01-27 21:33:45.000000000 +0100
@@ -44,6 +44,7 @@
 int
 main(int argc, char **argv)
 {
+   char hostbuf[64];
    struct dotlock_info di;
    struct stat stb;
    sigset_t nset, oset;
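Review bot: `char hostbuf[64];` introduces a bare size literal that the sanitization loop further down depends on via `sizeof(hostbuf)`; a named constant or a one-line comment stating why 64 is the chosen upper bound for the hostname argument would make the limit reviewable and keep it from silently drifting from whatever the parent process assumes.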
@@ -58,6 +59,7 @@
          strcmp(argv[ 4], "name") ||
          strcmp(argv[ 6], "hostname") ||
          strcmp(argv[ 8], "randstr") ||
+         strchr(argv[ 9], '/') != NULL /* Seal path injection vector */ ||
          strcmp(argv[10], "pollmsecs") ||
          fstat(STDIN_FILENO, &stb) == -1 || !S_ISFIFO(stb.st_mode) ||
          fstat(STDOUT_FILENO, &stb) == -1 || !S_ISFIFO(stb.st_mode)) {
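Review bot: the new `strchr(argv[ 9], '/') != NULL` test rejects a randstr containing a path separator with the same generic usage error as every other argument-shape failure, while the hostname in argv[7] is handled in the following hunk by substituting `_` for `/` instead of rejecting. The two strategies should be consistent, or the reason randstr is rejected but hostname is rewritten should be documented next to the "Seal path injection vector" comment; it would also help diagnosis if the error path could name which argument failed the check, since this condition is a single `||` chain.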
@@ -70,6 +72,21 @@
          "  fewest lines of code in order to reduce attack surface.\n"
          "  It cannot be run by itself.\n");
       exit(EXIT_USE);
+   }else{
+      /* Prevent one more path injection attack vector, but be friendly */
+      char const *ccp;
+      size_t i;
+      char *cp, c;
+
+      for(ccp = argv[7], cp = hostbuf, i = 0; (c = *ccp) != '\0'; ++cp, ++ccp){
+         *cp = (c == '/' ? '_' : c);
+         if(++i == sizeof(hostbuf) -1)
+            break;
+      }
+      *cp = '\0';
+      if(cp == hostbuf)
+         goto jeuse;
+      argv[7] = hostbuf;
    }
 
    di.di_file_name = argv[3];
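Review bot: off-by-one in the copy loop: when `if(++i == sizeof(hostbuf) -1) break;` fires, the for-loop's `++cp` is skipped, so the following `*cp = '\0';` overwrites the character just stored and the hostname is cut to 62 characters instead of the 63 the buffer can hold. Incrementing `cp` before the `break`, or testing the bound at the top of the loop, fixes it. The truncation is also silent; since an empty hostname is already rejected with `goto jeuse`, consider rejecting over-long values the same way rather than quietly shortening them. Finally, the `jeuse` label is outside this hunk's context, so confirm it exists on the `exit(EXIT_USE)` path above.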
diff -Nru s-nail-14.8.15/THANKS s-nail-14.8.16/THANKS
--- s-nail-14.8.15/THANKS	2017-01-17 15:38:05.000000000 +0100
+++ s-nail-14.8.16/THANKS	2017-01-27 21:33:45.000000000 +0100
@@ -55,6 +55,7 @@
 Tim                       trondd at kagu-tsuchi dot com
 Gavin Troy                gavtroy at fastmail dot fm
 Paul Vojta                vojta at math dot berkeley dot edu
+wapiflapi                 wapiflapi at yahoo dot fr
 William Yodlowsky         william at OpenBSD dot org
 Ypnose                    ypnx at mailoo dot org
 
diff -Nru s-nail-14.8.15/version.h s-nail-14.8.16/version.h
--- s-nail-14.8.15/version.h	2017-01-17 15:38:05.000000000 +0100
+++ s-nail-14.8.16/version.h	2017-01-27 21:33:45.000000000 +0100
@@ -1,4 +1,4 @@
-#define VERSION "v14.8.15"
+#define VERSION "v14.8.16"
 #define VERSION_MAJOR "14"
 #define VERSION_MINOR "8"
-#define VERSION_UPDATE "15"
+#define VERSION_UPDATE "16"

--- End Message ---
--- Begin Message ---
Hi,

On Sat, Jan 28, 2017 at 07:03:15PM +0100, Salvatore Bonaccorso wrote:
> Please unblock package s-nail
> 
> The upload to unstable with a new upstream version (but only
> containing the changes to fix this issue), address #852934, a local
> root privilege escalation.

Aged to two days instead, given the context.

Thanks,

-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

--- End Message ---