CAN-2003-0848: heap overflow in slocate
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
slocate (Debian) | Fix Released | Unknown | |
slocate (Ubuntu) | Invalid | High | Unassigned |
Bug Description
Automatically imported from Debian bug report #226103 http://
In Debian Bug tracker #226103, Petter Reinholdtsen (pere-hungry) wrote : | #1 |
In Debian Bug tracker #226103, Kevin Lindsay (klindsay) wrote : Bug#226103: CAN-2003-0848: heap overflow in slocate | #2 |
This bug was the same as CAN-2003-0056 which was fixed in 2.6-1.3.1 in woody
and 2.7-1 in unstable/testing.
http://
There never was a bug report assigned to the package since it was found and
fixed quickly.
If there is a way to cause a heap overflow in these versions please let me
know, until then I know it to be safe.
-------
Kevin Lindsay
Fingerprint: 81E 58A3 B49A 580E EE3D 8CF0 519A 55F0 746C 51F4
Key Id: 746C51F4
In Debian Bug tracker #226103, Matt Zimmerman (mdz) wrote : Re: Bug#226103 acknowledged by developer (Bug#226103: CAN-2003-0848: heap overflow in slocate) | #3 |
reopen 226103
thanks
On Sun, Jan 04, 2004 at 09:49:00PM -0600, Debian Bug Tracking System wrote:
> This bug was the same as CAN-2003-0056 which was fixed in 2.6-1.3.1 in woody
> and 2.7-1 in unstable/testing.
>
> http://
>
> There never was a bug report assigned to the package since it was found and
> fixed quickly.
No, this is not the same bug. CAN-2003-0056 is about a buffer overflow
caused by a long command line argument. CAN-2003-0848 is about an overflow
caused by the contents of a user-supplied database.
--
- mdz
In Debian Bug tracker #226103, Matt Zimmerman (mdz) wrote : Re: Bug#226103: CAN-2003-0848: heap overflow in slocate | #4 |
On Mon, Jan 05, 2004 at 01:34:00AM +0100, Petter Reinholdtsen wrote:
> This bug seem to be similar to CVE-2001-0066, reported 2000-12-17 in
> DSA-005-1. <URL: http://
>
> Perhaps there are more problems with the database handling in slocate?
Probably. I think that it is not a good idea for slocate to read and
interpret a user-supplied database while running with setgid privileges.
Since slocate indexes all files on the system, I don't see why this should
be needed either.
--
- mdz
In Debian Bug tracker #226103, Kevin Lindsay (klindsay) wrote : | #5 |
On Wed, Jan 07, 2004 at 11:04:22AM -0800, Matt Zimmerman wrote:
> On Mon, Jan 05, 2004 at 01:34:00AM +0100, Petter Reinholdtsen wrote:
>
> > This bug seem to be similar to CVE-2001-0066, reported 2000-12-17 in
> > DSA-005-1. <URL: http://
> >
> > Perhaps there are more problems with the database handling in slocate?
>
> Probably. I think that it is not a good idea for slocate to read and
> interpret a user-supplied database while running with setgid privileges.
> Since slocate indexes all files on the system, I don't see why this should
> be needed either.
I agree. I took a more careful look at the advisory and I will be doing an
audit on the necessary code. User defined databases were requested to handle
lookups on remote file systems which had their own databases. I think a
good plan would be to drop privileges when searching databases which do not
have the 'slocate' group assigned. Let me know if I'm missing anything.
Kevin-
-------
Kevin Lindsay
Fingerprint: 81E 58A3 B49A 580E EE3D 8CF0 519A 55F0 746C 51F4
Key Id: 746C51F4
In Debian Bug tracker #226103, Matt Zimmerman (mdz) wrote : | #6 |
On Wed, Jan 07, 2004 at 12:56:53PM -0800, Kevin Lindsay wrote:
> On Wed, Jan 07, 2004 at 11:04:22AM -0800, Matt Zimmerman wrote:
>
> > On Mon, Jan 05, 2004 at 01:34:00AM +0100, Petter Reinholdtsen wrote:
> >
> > > This bug seem to be similar to CVE-2001-0066, reported 2000-12-17 in
> > > DSA-005-1. <URL: http://
> > >
> > > Perhaps there are more problems with the database handling in slocate?
> >
> > Probably. I think that it is not a good idea for slocate to read and
> > interpret a user-supplied database while running with setgid privileges.
> > Since slocate indexes all files on the system, I don't see why this should
> > be needed either.
>
> I agree. I took a more careful look at the advisory and I will be doing an
> audit on the necessary code. User defined databases were requested to handle
> lookups on remote file systems which had their own databases. I think a
> good plan would be to drop privileges when searching databases which do not
> have the 'slocate' group assigned. Let me know if I'm missing anything.
Ah, that makes sense. In that case, yes, it would be ideal if slocate
could:
1. Read the system slocate database
2. Drop privileges irrevocably
3. Read the user-supplied database and continue
--
- mdz
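The three-step order listed in comment #6, as an added C example (not slocate's code and not the patch attached later in this report): trusted databases are read first, the setgid group is then given up with setresgid() so the saved set-group-ID goes as well, and only afterwards are other databases parsed. It assumes Linux (setresgid/getresgid); the function names, the stage[] convention and the temp-file check are constructed for illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Set real, effective and saved GID to the real GID, then confirm it. Plain
 * setgid() in a non-root setgid program leaves the saved GID in place. */
int drop_sgid_irrevocably(void)
{
    gid_t rgid = getgid(), r, e, s;
    if (setresgid(rgid, rgid, rgid) == -1 || getresgid(&r, &e, &s) == -1)
        return -1;
    return (r == rgid && e == rgid && s == rgid) ? 0 : -1;
}

/* Open a database and report whether its group is the trusted one.
 * fstat() runs on the descriptor, so the file checked is the file read. */
int open_db_checked(const char *path, gid_t trusted_gid, int *trusted)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NONBLOCK | O_CLOEXEC);
    if (fd != -1 && (fstat(fd, &st) == -1 || !S_ISREG(st.st_mode))) {
        close(fd);
        fd = -1;
    }
    if (fd != -1)
        *trusted = (st.st_gid == trusted_gid);
    return fd;
}

/* Read a database to EOF (stand-in for the search); 1 = read, 0 = not read. */
static int read_db(const char *path, gid_t trusted_gid, int trusted_only)
{
    char buf[4096];
    ssize_t n = -1;
    int trusted = 0, fd = open_db_checked(path, trusted_gid, &trusted);
    if (fd != -1 && (trusted || !trusted_only))
        while ((n = read(fd, buf, sizeof buf)) > 0) { }
    if (fd != -1)
        close(fd);
    return n == 0;
}

/* Steps 1-3 from the thread. stage[i]: 1 = read with the setgid group,
 * 2 = read after the drop, 0 = not read. Returns -1 if the drop failed. */
int search_databases(const char **paths, int n, gid_t trusted_gid, int *stage)
{
    int i;
    for (i = 0; i < n; i++)                    /* 1. trusted databases */
        stage[i] = read_db(paths[i], trusted_gid, 1);
    if (drop_sgid_irrevocably() == -1)         /* 2. drop, or stop here */
        return -1;
    for (i = 0; i < n; i++)                    /* 3. everything else */
        if (stage[i] == 0 && read_db(paths[i], trusted_gid, 0))
            stage[i] = 2;
    return 0;
}

/* Constructed check: "/" is rejected (not a regular file); the temp file's
 * group counts as trusted when offset is 0 and as foreign when it is 1. */
int demo_stage(gid_t offset)
{
    char tmp[] = "/tmp/sloc-demo-XXXXXX";
    const char *paths[2] = { "/", tmp };
    struct stat st;
    int stage[2] = { -1, -1 }, rc, fd = mkstemp(tmp);
    if (fd == -1 || fstat(fd, &st) == -1)
        return -1;
    close(fd);
    rc = search_databases(paths, 2, st.st_gid + offset, stage);
    unlink(tmp);
    return (rc == 0 && stage[0] == 0) ? stage[1] : -1;
}

int main(void)
{
    return (demo_stage(0) == 1 && demo_stage(1) == 2) ? 0 : 1;
}
```

If the drop fails, search_databases() returns before step 3, so a database outside the trusted group is never parsed while the setgid group is still held.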
In Debian Bug tracker #226103, Matt Zimmerman (mdz) wrote : Status? | #7 |
Have you had a chance to look into this bug further? If it is not feasible
to implement relinquishing privileges, we need to at least fix the overflow.
--
- mdz
In Debian Bug tracker #226103, Kevin Lindsay (klindsay) wrote : Fixed in NMU of slocate 2.6-1.3.2 | #8 |
tag 226103 + fixed
quit
This message was generated automatically in response to a
non-maintainer upload. The .changes file follows.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Mon, 19 Jan 2004 06:16:54 +0000
Source: slocate
Binary: slocate
Architecture: source i386
Version: 2.6-1.3.2
Distribution: stable-security
Urgency: high
Maintainer: R Garth Wood <email address hidden>
Changed-By: Kevin Lindsay <email address hidden>
Description:
slocate - a secure locate replacement
Closes: 226103
Changes:
slocate (2.6-1.3.2) stable-security; urgency=high
.
* 'slocate' sgid privileges are now dropped when searching databases that
are not apart of the 'slocate' group. This will prevent malicious user
supplied databases from elevating user access to the 'slocate' group.
See CAN-2003-0848, (closes: #226103)
Files:
c7f271bba7c5a7
4e7a025fe5ec82
f933cdc3212314
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFADDGKArx
DDv+nkZUdDptl1/
=hO9d
-----END PGP SIGNATURE-----
In Debian Bug tracker #226103, Joey Hess (joeyh) wrote : not fixed in unstable | #10 |
tag 226103 - fixed
thanks
This bug was tagged fixed with an upload to "stable-security", whatever
that is. Since I can see no evidence of 2.6-1.3.2 in the archive, I
assume it was rejected or fell into a black hole. However, I see no
indication that CAN-2003-0848 is fixed in unstable. As noted at the top
of the bug, 2.7 is probably vulnerable. The sgid dropping should
certainly be forward ported from 2.6-1.3.2.
--
see shy jo
Debian Bug Importer (debzilla) wrote : | #11 |
Automatically imported from Debian bug report #226103 http://
Debian Bug Importer (debzilla) wrote : | #12 |
Message-ID: <email address hidden>
Date: Sun, 4 Jan 2004 01:24:25 -0800
From: Matt Zimmerman <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: CAN-2003-0848: heap overflow in slocate
Package: slocate
Version: 2.7-2
Severity: grave
Tags: security
http://
http://
http://
The strange thing is, this advisory claims that slocate 2.7 is not
vulnerable. However, I see no changelog entries, nor actual code changes,
to indicate that this bug has been fixed. Neither the advisory's suggested
change, nor any other that I can see which would affect this bug, has been
made. So, I currently have little confidence that this bug is actually
fixed in 2.7. Furthermore, we ship slocate 2.6 in woody, which would seem
to be certainly affected by this bug.
Any additional information or assistance that you can provide would be
appreciated. See:
http://
for some guidelines.
-- System Information:
Debian Release: unstable
Architecture: i386
Kernel: Linux mizar 2.4.22-
Locale: LANG=en_US, LC_CTYPE=en_US
Versions of packages slocate depends on:
ii adduser 3.51 Add and remove users and groups
ii dpkg 1.10.18 Package maintenance system for Deb
ii libc6 2.3.2.ds1-10 GNU C Library: Shared libraries an
-- no debconf information
--
- mdz
Debian Bug Importer (debzilla) wrote : | #13 |
Message-Id: <email address hidden>
Date: Mon, 05 Jan 2004 01:34:00 +0100
From: Petter Reinholdtsen <email address hidden>
To: <email address hidden>
Subject: Re: CAN-2003-0848: heap overflow in slocate
This bug seem to be similar to CVE-2001-0066, reported 2000-12-17 in
DSA-005-1. <URL: http://
Perhaps there are more problems with the database handling in slocate?
Debian Bug Importer (debzilla) wrote : | #14 |
Message-ID: <email address hidden>
Date: Sun, 4 Jan 2004 18:07:33 -0800
From: Kevin Lindsay <email address hidden>
To: <email address hidden>
Subject: Bug#226103: CAN-2003-0848: heap overflow in slocate
Debian Bug Importer (debzilla) wrote : | #15 |
Message-ID: <email address hidden>
Date: Sun, 4 Jan 2004 23:38:01 -0800
From: Matt Zimmerman <email address hidden>
To: <email address hidden>
Subject: Re: Bug#226103 acknowledged by developer (Bug#226103: CAN-2003-0848: heap overflow in
slocate)
Debian Bug Importer (debzilla) wrote : | #16 |
Message-ID: <email address hidden>
Date: Wed, 7 Jan 2004 11:04:22 -0800
From: Matt Zimmerman <email address hidden>
To: Petter Reinholdtsen <email address hidden>, <email address hidden>
Subject: Re: Bug#226103: CAN-2003-0848: heap overflow in slocate
Debian Bug Importer (debzilla) wrote : | #17 |
Message-ID: <email address hidden>
Date: Wed, 7 Jan 2004 12:56:53 -0800
From: Kevin Lindsay <email address hidden>
To: Matt Zimmerman <email address hidden>, <email address hidden>
Cc: Petter Reinholdtsen <email address hidden>
Subject: Re: Bug#226103: CAN-2003-0848: heap overflow in slocate
Debian Bug Importer (debzilla) wrote : | #18 |
Message-ID: <email address hidden>
Date: Wed, 7 Jan 2004 13:20:18 -0800
From: Matt Zimmerman <email address hidden>
To: Kevin Lindsay <email address hidden>
Cc: <email address hidden>, Petter Reinholdtsen <email address hidden>
Subject: Re: Bug#226103: CAN-2003-0848: heap overflow in slocate
Debian Bug Importer (debzilla) wrote : | #19 |
Message-ID: <email address hidden>
Date: Sun, 18 Jan 2004 13:28:06 -0800
From: Matt Zimmerman <email address hidden>
To: <email address hidden>
Subject: Status?
Debian Bug Importer (debzilla) wrote : | #20 |
Message-Id: <email address hidden>
Date: Tue, 20 Jan 2004 13:48:39 -0500
From: Kevin Lindsay <email address hidden>
To: <email address hidden>
Cc: Kevin Lindsay <email address hidden>, R Garth Wood <email address hidden>
Subject: Fixed in NMU of slocate 2.6-1.3.2
Debian Bug Importer (debzilla) wrote : | #21 |
Message-Id: <email address hidden>
Date: Wed, 07 Apr 2004 13:32:22 -0400
From: Kevin Lindsay <email address hidden>
To: <email address hidden>
Cc: Kevin Lindsay <email address hidden>, R Garth Wood <email address hidden>
Subject: Fixed in NMU of slocate 2.6-1.3.2
Debian Bug Importer (debzilla) wrote : | #22 |
Message-ID: <email address hidden>
Date: Mon, 9 Aug 2004 22:11:14 -0300
From: Joey Hess <email address hidden>
To: <email address hidden>, <email address hidden>
Subject: not fixed in unstable
In Debian Bug tracker #226103, Florian Ernst (florian-uni-hd) wrote : | #23 |
package slocate
tags 226103 patch
thanks
On Mon, 9 Aug 2004 22:11:14 -0300, Joey Hess wrote:
> However, I see no
> indication that CAN-2003-0848 is fixed in unstable. As noted at the top
> of the bug, 2.7 is probably vulnerable. The sgid dropping should
> certainly be forward ported from 2.6-1.3.2.
Forward porting the patch is easy, it applies cleanly (just some
offset), except for the debian/changelog part. I don't know whether
this patch will be sufficient for v2.7, though, but I'd assume so as
the attached patch and the diff between v2.6 and v2.7 don't seem to
intersect...
Find attached the patch from DSA-428-1 (diff between v2.6-1.3.1 and
v2.6-1.3.2)
Cheers,
Flo
PS: Please lart me if I went too far in tagging this bug "patch".
Debian Bug Importer (debzilla) wrote : | #24 |
Message-ID: <20040820204212
Date: Fri, 20 Aug 2004 22:42:12 +0200
From: Florian Ernst <email address hidden>
To: <email address hidden>
Subject: Re: not fixed in unstable
diff -u slocate-2.6/main.c slocate-2.6/main.c
--- slocate-2.6/main.c
+++ slocate-2.6/main.c
@@ -339,6 +339,9 @@
char *part;
int i;
int res_errno;
+ char *tmp_ptr =3D NULL;
+ int last_sgid =3D 0;
+ struct stat db_stat;
=20
/* Make sure path is not empty */
if (!path || strlen(path) =3D=3D 0) return;
@@ -382,6 +385,28 @@
=20
/* Null terminate array */
SLOCATE_PATH[i] =3D NULL;
+=09
+ /* Sort sgid slocate db's to the top */
+ for (i =3D 0; SLOCATE_PATH[i]; i++) {
+ if (stat(SLOCATE_
+ report_error(FATAL, QUIET, "%s: Could not stat DB: %s: %s\n", progna=
me, SLOCATE_PATH[i], strerror(errno));
+
+ if (db_stat.st_gid !=3D SLOC_GID)
+ continue;
+ =09
+ if (i !=3D last_sgid) {
+ tmp_ptr =3D SLOCATE_
+ SLOCATE_
+ SLOCATE_PATH[i] =3D tmp_ptr;
+ }
+ =09
+ last_sgid +=3D 1;
+ =09
+ }
+=09
+ /* for (i =3D 0; SLOCATE_PATH[i]; i++)
+ printf("%s\n", SLOCATE_PATH[i]); */
+
}
=20
/* Parse Dash */
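Review bot: the stat() failure path inside the new sort loop is reported as FATAL, so one missing or unreadable entry in SLOCATE_PATH stops the run before any database is searched; consider skipping that entry with a warning, or leaving the error to the open in the search routine, so the remaining databases are still used. The group read here can also differ from the one seen when the database is opened later, so the ordering should be treated as a hint and the drop decision kept at the point of use. The commented-out printf loop after the sort is debug residue and should be removed.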
@@ -1152,6 +1177,22 @@
char *cp=3DNULL;
#endif
char *bucket_
+ gid_t cur_gid;
+ struct stat db_stat;
+
+ cur_gid =3D getegid();
+
+ if (stat(database, &db_stat) =3D=3D -1)
+ report_error(FATAL, QUIET, "%s: Could not stat '%d': %s\n", progname,=
strerror(errno));
+=09
+ /* If the database's file group is not apart of the 'slocate' group,
+ * drop privileges. When multiple databases are specified, the ones
+ * apart of the 'slocate' group will be searched first before the
+ * privileges are dropped. */ =20
+ if (cur_gid =3D=3D SLOC_GID && db_stat.st_gid !=3D SLOC_GID) {
+ if (setgid(GID) =3D=3D -1)
+ report_error(FATAL, QUIET, "%s: Could not drop privileges.", prognam=
e);
+ }
=20
if ((fd =3D open(database,
report_
,strerror(errno));
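Review bot: setgid(GID) in the privilege-drop branch changes only the effective GID when the caller is not root, so the saved set-group-ID stays at SLOC_GID and code running in the process can switch back; setregid(GID, GID) or setresgid(GID, GID, GID), followed by a check that getegid() is no longer SLOC_GID, would make the drop permanent (this assumes GID holds the real group ID, which is not visible in the hunk). Separately, the "Could not stat '%d': %s\n" call has three conversions but passes only progname and strerror(errno); '%d' should be '%s' with database as its argument. The stat() on the path followed by open() on the same path also leaves a window between the check and the use; fstat() on the opened descriptor would close it.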
@@ -1409,6 +145...
Matt Zimmerman (mdz) wrote : | #25 |
Fixed in 2.7-2ubuntu1
In Debian Bug tracker #226103, Kevin Lindsay (klindsay) wrote : Bug#226103: fixed in slocate 2.7-3 | #26 |
Source: slocate
Source-Version: 2.7-3
We believe that the bug you reported is fixed in the latest version of
slocate, which is due to be installed in the Debian FTP archive:
slocate_2.7-3.dsc
to pool/main/
slocate_
to pool/main/
slocate_
to pool/main/
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Kevin Lindsay <email address hidden> (supplier of updated slocate package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Tue, 7 Sep 2004 03:20:42 +0000
Source: slocate
Binary: slocate
Architecture: source i386
Version: 2.7-3
Distribution: unstable
Urgency: high
Maintainer: Kevin Lindsay <email address hidden>
Changed-By: Kevin Lindsay <email address hidden>
Description:
slocate - A secure replacment of findutil's locate
Closes: 226103 234563
Changes:
slocate (2.7-3) unstable; urgency=high
.
* 'slocate' sgid privileges are now dropped when searching databases that
are not apart of the 'slocate' group. This will prevent malicious user
supplied databases from elevating user access to the 'slocate' group.
See CAN-2003-0848, (closes: #226103)
* Changed diversion /etc/cron.
/etc/
* I also made the database creation feature drop privileges so that the
SGID binary can't chown the group of the database to 'slocate' unless
the user has explicit access.
* Added a patch which caused LOCATE_PATH to be ignored when '-d' was used,
and vice versa. This also fixed an off by 1 overflow bug.
Files:
2223bfb26ade19
b5b1997b35abbd
c95e2195a2da86
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
iD8DBQFBPUSUUZp
RoAH22JMDBQeYXJ
=prVz
-----END PGP SIGNATURE-----
Debian Bug Importer (debzilla) wrote : | #27 |
Message-Id: <email address hidden>
Date: Tue, 07 Sep 2004 02:32:03 -0400
From: Kevin Lindsay <email address hidden>
To: <email address hidden>
Subject: Bug#226103: fixed in slocate 2.7-3
Changed in slocate:
status: Unknown → Fix Released
This bug seem to be similar to CVE-2001-0066, reported 2000-12-17 in
DSA-005-1. <URL: http://www.debian.org/security/2000/20001217a >.
Perhaps there are more problems with the database handling in slocate?