Your message dated Thu, 24 Mar 2011 07:26:56 +0000
with message-id <[email protected]>
and subject line Bug#615103: fixed in lilo 1:23.1-2
has caused the Debian Bug report #615103,
regarding Converting /etc/lilo.conf to UUID scheme generates world-readable file
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
615103: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=615103
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: lilo
Version: 1:23.1-1
Severity: grave
Tags: security
Justification: user security hole
Hello,
Today's update of LiLo to version 1:23.1-1 also brought the conversion of the old /dev/sdX paths in /etc/lilo.conf to libata compatible paths. While the installation itself went well, I stumbled upon a warning message from lilo after parsing the newly generated conffile:
|Warning: /etc/lilo.conf should be readable only for root if using PASSWORD
When checking file permissions afterwards, I found the file being world-readable:
|blechtrottel:/etc# ls -l lilo.conf
|-rw-r--r-- 1 root root 4617 25. Feb 19:18 lilo.conf
This makes the protection via PASSWORD completely useless - if any logged in user can read /etc/lilo.conf, he could also change boot parameters of the system, e.g. booting his own OS.
Best regards,
Edgar
-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (x86_64)
Kernel: Linux 2.6.32-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages lilo depends on:
ii debconf [debconf-2.0] 1.5.38 Debian configuration management sy
ii dpkg 1.15.8.10 Debian package management system
ii libc6 2.11.2-11 Embedded GNU C Library: Shared lib
ii libdevmapper1.02.1 2:1.02.48-5 The Linux Kernel Device Mapper use
ii mbr 1.1.10-2 Master Boot Record for IBM-PC comp
lilo recommends no packages.
Versions of packages lilo suggests:
ii lilo-doc 1:23.1-1 LInux LOader - Documentation for t
-- debconf information:
liloconfig/fstab_broken:
liloconfig/banner:
liloconfig/use_lba32: true
liloconfig/configuring_base:
* lilo/diskid_uuid: true
* lilo/runme: = false
liloconfig/wipe_old_liloconf: false
liloconfig/activate_error:
lilo/new-config:
lilo/link2:
liloconfig/maintitle:
liloconfig/mbr_error:
liloconfig/lilo_warning:
liloconfig/no_changes:
* lilo/add_large_memory: false
liloconfig/liloconf_incompatible:
lilo/bad_bitmap:
lilo/upgrade:
liloconfig/liloconf_exists:
* lilo/link1:
liloconfig/use_current_lilo: true
liloconfig/instruction:
liloconfig/select_bitmap: /boot/debian.bmp
liloconfig/lilo_error:
liloconfig/odd_fstab:
liloconfig/install_from_root_device: true
liloconfig/make_active_partition: true
liloconfig/install_mbr: false
--- End Message ---
--- Begin Message ---
Source: lilo
Source-Version: 1:23.1-2
We believe that the bug you reported is fixed in the latest version of
lilo, which is due to be installed in the Debian FTP archive:
lilo-doc_23.1-2_all.deb
to main/l/lilo/lilo-doc_23.1-2_all.deb
lilo_23.1-2.debian.tar.gz
to main/l/lilo/lilo_23.1-2.debian.tar.gz
lilo_23.1-2.dsc
to main/l/lilo/lilo_23.1-2.dsc
lilo_23.1-2_i386.deb
to main/l/lilo/lilo_23.1-2_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Joachim Wiedorn <[email protected]> (supplier of updated lilo package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 20 Mar 2011 14:37:18 +0100
Source: lilo
Binary: lilo lilo-doc
Architecture: source i386 all
Version: 1:23.1-2
Distribution: unstable
Urgency: medium
Maintainer: Joachim Wiedorn <[email protected]>
Changed-By: Joachim Wiedorn <[email protected]>
Description:
lilo - LInux LOader - the classic OS boot loader
lilo-doc - LInux LOader - Documentation for the classic OS boot loader
Closes: 258472 312451 445264 504733 613753 615103 615936 616691 617282 618004
618253 618620 618711 618738 618801 618813 618886
Changes:
lilo (1:23.1-2) unstable; urgency=medium
.
[ Joachim Wiedorn ]
* debian/control:
- Remove dependency to lilo in package lilo-doc. (Closes: #613753)
* Fix: save errno for second command (device.c).
* Fix: save file permissions for converted lilo.conf (Closes: #615103)
and fix some typos in script lilo-uuid-diskid.
* Fix: misleading error message in geometry.c. (Closes: #445264)
* Reformatting of mkrescue manpage (thanks to M.E. Schauer).
(Closes: #617282)
* debconf scripts:
- Fix typos in some debconf translation files. (Closes: #504733)
- Use better style in debconf translations. (Closes: #312451, #504733)
- Remove debconf code for managing old boot/boot.b and similar files.
- Remove no more needed debian/lilo.lintian-overrides file.
- Remove script liloconfig and all appropriate debconf code.
- Update of German translation (de.po).
- Update of French translation (fr.po). (Closes: #615936)
- Update of Russian translation (ru.po). (Closes: #616691)
- Update of Galician translation (gl.po).
- Update of Danish translation (da.po). (Closes: #618004)
- Update of Basque translation (eu.po). (Closes: #618253)
- Update of Czech translation (cs.po). (Closes: #618711)
- Update of Spanish translation (es.po). (Closes: #618813)
- Update of Finnish translation (fi.po). (Closes: #618886)
- Update of Italian translation (it.po). (Closes: #618801)
- Update of Brazilian Portuguese translation. (Closes: #618738)
- Update of Swedish translation (sv.po). (Closes: #618620)
* Add new script liloconfig, using template with comments,
works with UUID, LABEL and disk-id for root and boot options.
* Add new manpage for liloconfig, update of other manpages.
* Fix typos and phrases in manpage of lilo.conf. (Closes: #258472)
.
[ Niels Thykier ]
* Added Depends on perl-modules, since liloconfig needs it.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
-----END PGP SIGNATURE-----
--- End Message ---
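
The failure mode in this report and the fix named in the changelog ("save file permissions for converted lilo.conf"), shown side by side as an added example that is not the lilo package's own script. The function names, the sed substitution and the UUID value are constructed stand-ins for the real conversion, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example with constructed content; not code from the lilo package.

# Naive rewrite: the replacement file is created under the current umask,
# so a 0600 original comes back as 0644 when the umask is 022.
convert_naive() {
    conf=$1
    sed 's|/dev/sda1|UUID=CONSTRUCTED-UUID|' "$conf" > "$conf.new" &&
        mv -f "$conf.new" "$conf"
}

# Hardened rewrite: mktemp creates the temporary file with mode 0600, the
# original's mode is copied onto it, and only then is it renamed into place.
convert_preserving_mode() {
    conf=$1
    mode=$(stat -c '%a' "$conf") || return 1
    tmp=$(mktemp "$conf.XXXXXX") || return 1
    if sed 's|/dev/sda1|UUID=CONSTRUCTED-UUID|' "$conf" > "$tmp" &&
       chmod "$mode" "$tmp" &&
       mv -f "$tmp" "$conf"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Audit check matching the condition lilo warns about: a password line in
# a file that group or others can access. Returns 0 when exposed.
conf_exposes_password() {
    conf=$1
    grep -Eiq '^[[:space:]]*password[[:space:]]*=' "$conf" || return 1
    mode=$(stat -c '%a' "$conf") || return 1
    case $mode in
        0|*00) return 1 ;;   # no group/other permission bits set
        *)     return 0 ;;
    esac
}
```
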