
Bug#280872: marked as done (xlibs: I have no idea what I'm talking about)



Your message dated Tue, 7 Dec 2004 13:53:38 -0500
with message-id <20041207185338.GK29501@redwald.deadbeast.net>
and subject line closing bug with extreme prejudice
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 12 Nov 2004 09:32:32 +0000
From djoume@taket.org Fri Nov 12 01:32:32 2004
Return-path: <djoume@taket.org>
Received: from krepost.taket.org (localhost) [82.227.166.100] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1CSXnD-0002fX-00; Fri, 12 Nov 2004 01:32:32 -0800
Received: from djoume by localhost with local (Exim 4.34)
	id 1CSXn2-0001yb-CW; Fri, 12 Nov 2004 10:32:20 +0100
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Djoume SALVETTI <djoume@taket.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: xfree86: is Woody XFree86 still vulnerable to libX11.so Local Privilege
 Escalation?
X-Mailer: reportbug 3.2
Date: Fri, 12 Nov 2004 10:32:20 +0100
X-Debbugs-Cc: djoume@taket.org
Message-Id: <E1CSXn2-0001yb-CW@localhost>
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-11.0 required=4.0 tests=BAYES_00,HAS_PACKAGE,
	X_DEBBUGS_CC autolearn=no version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level: 

Package: xfree86
Severity: critical
Tags: security
Justification: root security hole


Good day,

I'm reviewing the list of 2002 CVEs to check if there are still
some known vulnerable packages in testing.

In CVE-2002-1472 it is written:

| libX11.so in xfree86, when used in setuid or setgid programs, allows
| local users to gain root privileges via a modified LD_PRELOAD
| environment variable that points to a malicious module.

According to http://www.securityfocus.com/bid/5735/info/ 
this was fixed in xfree86 4.2.1 so testing and unstable are not
vulnerable.

As I can't see any reference to this issue in the stable changelog, I
think the woody version is still vulnerable.

Regards.

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: powerpc (ppc)
Kernel: Linux 2.6.9-rfb-swsusp
Locale: LANG=fr_FR@euro, LC_CTYPE=fr_FR@euro (charmap=ISO-8859-15)

---------------------------------------
Received: (at 280872-done) by bugs.debian.org; 7 Dec 2004 18:53:41 +0000
From branden@redwald.deadbeast.net Tue Dec 07 10:53:41 2004
Return-path: <branden@redwald.deadbeast.net>
Received: from dhcp065-026-182-085.indy.rr.com (sisyphus.deadbeast.net) [65.26.182.85] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1CbkSy-00009P-00; Tue, 07 Dec 2004 10:53:40 -0800
Received: by sisyphus.deadbeast.net (Postfix, from userid 1000)
	id BD5D768C070; Tue,  7 Dec 2004 13:53:38 -0500 (EST)
Date: Tue, 7 Dec 2004 13:53:38 -0500
From: Branden Robinson <branden@debian.org>
To: 280872-done@bugs.debian.org, control@bugs.debian.org
Subject: closing bug with extreme prejudice
Message-ID: <20041207185338.GK29501@redwald.deadbeast.net>
References: <E1CSXn2-0001yb-CW@localhost>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="fz0LNKsoEivY4NpG"
Content-Disposition: inline
In-Reply-To: <E1CSXn2-0001yb-CW@localhost>
Mail-Copies-To: nobody
X-No-CC: I subscribe to this list; do not CC me on replies.
User-Agent: Mutt/1.5.6+20040907i
Delivered-To: 280872-done@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-5.0 required=4.0 tests=BAYES_00,VALID_BTS_CONTROL 
	autolearn=no version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level: 
X-CrossAssassin-Score: 2


--fz0LNKsoEivY4NpG
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

severity 280872 normal
retitle 280872 xlibs: I have no idea what I'm talking about
reassign 280872 xlibs
tag 280872 + unreproducible
thanks

On Fri, Nov 12, 2004 at 10:32:20AM +0100, Djoume SALVETTI wrote:
> Package: xfree86
> Severity: critical
> Tags: security
> Justification: root security hole
>
> Good day,
>
> I'm reviewing the list of 2002 CVEs to check if there are still
> some known vulnerable packages in testing.
>
> In CVE-2002-1472 it is written:
>
> | libX11.so in xfree86, when used in setuid or setgid programs, allows
> | local users to gain root privileges via a modified LD_PRELOAD
> | environment variable that points to a malicious module.
>
> According to http://www.securityfocus.com/bid/5735/info/
> this was fixed in xfree86 4.2.1 so testing and unstable are not
> vulnerable.
>
> As I can't see any reference to this issue in the stable changelog, I
> think the woody version is still vulnerable.

I'm not even going to try to put this politely:

This was a moronic bug report.

Why?

Because you filed a bug that you're not even sure exists, and gave it
CRITICAL severity.

Here's a tip: if you don't know that a bug exists, it can't be
release-critical.  If you don't know that a bug exists, you shouldn't even
be filing a bug at all.  You should be asking questions on a mailing list
instead.

Furthermore, you do not appear to comprehend the original vulnerability.

The flaw was in unsafe module loading by the X11 library.  The X11 library
in XFree86 4.1.0 had no modules.  They weren't added until nearly 4.2.0:

XFree86 4.1.99.2 (12 December 2001)
[...]
 479. Move much of the I18N code in Xlib into separately loadable
      modules (#4965, 5043, Ernie Coskrey, from X11R6.6).

In the future, you should do more research into how to communicate with
Free Software projects, before cluttering their issue-tracking systems with
topics marked as high-severity that actually turn out to be non-issues.

It is also worth noting that not all security flaws found in software were
present from the very first revision of the code.  Experienced programmers
know that bugs are frequently introduced along with new functionality, as
was the case here.  It is therefore completely erroneous to assume that
because a changelog has "no mention" of a vulnerability being fixed,
the vulnerability is present.

We do not need bots grepping our package changelogs and filing critical
bugs for every CVE ID that isn't mentioned.  What we need are intelligent,
informed people who are willing to help fix problems instead of mindlessly
crying wolf.  If you can contribute productively, we welcome your
contributions.

Closing this utterly mistaken bug report.

-- 
G. Branden Robinson                |      Intellectual property is neither
Debian GNU/Linux                   |      intellectual nor property.
branden@debian.org                 |      Discuss.
http://people.debian.org/~branden/ |      -- Linda Richman

--fz0LNKsoEivY4NpG
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iEYEARECAAYFAkG1/DIACgkQ6kxmHytGonxrzwCffyuzGTD5fbxr7UoUpvagFaUt
D3IAnRSOwluV3lLc2DnWKi2XuesdmF65
=Kyfu
-----END PGP SIGNATURE-----

--fz0LNKsoEivY4NpG--
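
The triage point made in the closing message, as an added example that is not part of the original thread: a version is affected only if it falls between the release that introduced the flawed code and the release that fixed it, whatever the changelog does or does not mention. The bounds 4.1.99.2 and 4.2.1 come from the thread; the function names, the sample changelog and the use of 4.1.0 as the version under test are assumptions made for illustration.

```python
import re

def version_key(v, width=6):
    """Turn a dotted upstream version such as '4.1.99.2' into a comparable tuple."""
    # Handles plain dotted upstream versions only, not Debian epochs/revisions.
    if not re.fullmatch(r"\d+(\.\d+)*", v):
        raise ValueError(f"unsupported version string: {v!r}")
    parts = tuple(int(p) for p in v.split("."))
    return parts + (0,) * (width - len(parts))  # pad so 4.2 == 4.2.0

def changelog_heuristic(changelog_text, cve_id):
    """Heuristic criticised in the reply: no mention of the CVE means 'vulnerable'."""
    return cve_id not in changelog_text

def in_affected_range(version, introduced, fixed):
    """Affected only if the flawed code already exists and is not yet fixed."""
    return version_key(introduced) <= version_key(version) < version_key(fixed)

def triage(version, changelog_text, cve_id, introduced, fixed):
    """Report the changelog flag next to the verdict from the version range."""
    flagged = changelog_heuristic(changelog_text, cve_id)
    if in_affected_range(version, introduced, fixed):
        verdict = "affected"
    elif version_key(version) < version_key(introduced):
        verdict = "not affected: predates the vulnerable code"
    else:
        verdict = "not affected: fix included"
    return {"version": version, "changelog_flag": flagged, "verdict": verdict}

# Values from the thread: module loading arrived in 4.1.99.2, fix cited as 4.2.1.
CVE_ID = "CVE-2002-1472"
INTRODUCED, FIXED = "4.1.99.2", "4.2.1"
# Constructed changelog excerpt that never names the CVE.
SAMPLE_CHANGELOG = "xfree86 (constructed sample) stable; urgency=low\n  * Fix typo in manpage.\n"

if __name__ == "__main__":
    for ver in ("4.1.0", "4.2.0", "4.2.1"):
        print(triage(ver, SAMPLE_CHANGELOG, CVE_ID, INTRODUCED, FIXED))
```

The changelog flag is raised for all three versions, while the range check marks only 4.2.0 as affected.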


