In internal testing, I discovered a long-standing logic bug in remctl (a
client/server system for remote Kerberos-authenticated command execution)
that would cause the server to treat a non-existent ACL file as
authorization success, allowing any authenticated user to execute the
command supposedly protected by that missing ACL file.

In normal operation, all the ACL files referred to in the remctld
configuration obviously exist, but given how easy of a mistake this is to
make, I think this warrants a security update to the version in etch.  The
version in stable is not affected.

I've just now uploaded 2.2-3 packages with the minimal fix (the current
upstream version is 2.6) with urgency high.  Attached is a diff.  Assuming
that it builds properly on all arches, could you unblock?

Thanks!

diff -u remctl-2.2/debian/changelog remctl-2.2/debian/changelog
--- remctl-2.2/debian/changelog
+++ remctl-2.2/debian/changelog
@@ -1,3 +1,17 @@
+remctl (2.2-3) unstable; urgency=high
+
+  * Remove extraneous changes to Automake files.
+
+ -- Russ Allbery <[EMAIL PROTECTED]>  Sat,  3 Feb 2007 23:42:05 -0800
+
+remctl (2.2-2) unstable; urgency=high
+
+  * SECURITY: Apply upstream patch to prevent a non-existent ACL file from
+    being considered authorization success instead of failure.
+  * Build-depend on and run quilt to apply the patch.
+
+ -- Russ Allbery <[EMAIL PROTECTED]>  Sat,  3 Feb 2007 23:21:02 -0800
+
 remctl (2.2-1) unstable; urgency=low
 
   * New upstream release.
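Review bot: The 2.2-2 entry is the security-relevant one but cites no bug number or tracker id and says only "upstream patch"; naming the upstream revision the patch was taken from (the missing-acl patch headers show revision 2963) would make its provenance traceable from the changelog alone. The 2.2-3 entry above it only says what was removed ("extraneous changes to Automake files") without saying from what; a few words tying it to the debian/patches/missing-acl patch would help anyone reading the changelog without the diff.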
diff -u remctl-2.2/debian/control remctl-2.2/debian/control
--- remctl-2.2/debian/control
+++ remctl-2.2/debian/control
@@ -2,7 +2,7 @@
 Section: net
 Priority: optional
 Maintainer: Russ Allbery <[EMAIL PROTECTED]>
-Build-Depends: debhelper (>= 4.0.0), libkrb5-dev
+Build-Depends: debhelper (>= 4.0.0), libkrb5-dev, quilt (>= 0.40)
 Standards-Version: 3.7.2
 
 Package: libremctl1
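Review bot: The new `quilt (>= 0.40)` build-dependency should be checked against the version that first ships /usr/share/quilt/quilt.make, since debian/rules now includes that file unconditionally; with an older quilt the build would fail at the include line rather than at patch time, which is a confusing failure on a buildd.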
diff -u remctl-2.2/debian/rules remctl-2.2/debian/rules
--- remctl-2.2/debian/rules
+++ remctl-2.2/debian/rules
@@ -3,6 +3,9 @@
 # GNU copyright 1997 to 1999 by Joey Hess.
 # Further updates by Russ Allbery <[EMAIL PROTECTED]>
 
+# Use quilt to manage patches.
+include /usr/share/quilt/quilt.make
+
 # Uncomment this to turn on verbose mode.
 #export DH_VERBOSE=1
 
@@ -32,13 +35,13 @@
            --enable-reduced-depends $(SYSTEM)
 
 build: build-stamp
-build-stamp: config.status
+build-stamp: patch config.status
        dh_testdir
        $(MAKE)
        $(MAKE) check
        touch build-stamp
 
-clean:
+clean: unpatch
        dh_testdir
        dh_testroot
        rm -f build-stamp
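Review bot: `build-stamp: patch config.status` lists `patch` next to `config.status` but nothing orders the two, so with parallel make (or a different prerequisite order) configure can run on unpatched sources. Today that is harmless because missing-acl only touches server/config.c and the tests, but the 2.2-3 changelog says the patch previously carried Automake changes, which is exactly the case where the order matters; making the patch step a prerequisite of the config.status rule (`config.status: patch`) pins it. `clean: unpatch` has the mirror-image question: unpatch runs before the `rm -f` lines, which is fine only as long as no patch ever touches generated files.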
only in patch2:
unchanged:
--- remctl-2.2.orig/debian/patches/missing-acl
+++ remctl-2.2/debian/patches/missing-acl
@@ -0,0 +1,63 @@
+Index: server/config.c
+===================================================================
+--- server/config.c    (revision 2963)
++++ server/config.c    (working copy)
+@@ -367,7 +367,7 @@
+         return 1;
+     for (i = 0; acls[i] != NULL; i++) {
+         status = acl_check_file((void *) user, acls[i]);
+-        if (status != -1)
++        if (status == 0)
+             return 1;
+     }
+     return 0;
+Index: tests/data/simple.conf
+===================================================================
+--- tests/data/simple.conf     (revision 2963)
++++ tests/data/simple.conf     (working copy)
+@@ -2,5 +2,6 @@
+ test status data/cmd-status ANYUSER
+ test nonexistant data/cmd-nonexistant ANYUSER
+ test noauth data/cmd-hello data/acl-nonexistant
++test noacl data/cmd-hello data/acl-no-such-file
+ test streaming data/cmd-streaming ANYUSER
+ test env data/cmd-env ANYUSER
+Index: tests/client/remctl-t
+===================================================================
+--- tests/client/remctl-t      (revision 2963)
++++ tests/client/remctl-t      (working copy)
+@@ -54,7 +54,7 @@
+ }
+ 
+ # Print the number of tests.
+-echo 7
++echo 8
+ 
+ # Find the client program.
+ if [ -f ../data/test.keytab ] ; then
+@@ -65,7 +65,7 @@
+     fi
+ fi
+ if [ ! -f data/test.keytab ] ; then
+-    for n in 1 2 3 4 5 6 7 ; do
++    for n in 1 2 3 4 5 6 7 8 ; do
+         echo ok $n \# skip -- no Kerberos configuration
+     done
+     exit 0
+@@ -100,7 +100,7 @@
+         kill -HUP `cat data/pid`
+     fi
+     rm -f data/pid
+-    for n in 1 2 3 4 5 6 7 ; do
++    for n in 1 2 3 4 5 6 7 8 ; do
+         echo ok $n \# skip -- no Kerberos configuration
+     done
+     exit 0
+@@ -117,6 +117,7 @@
+ runfailure 1 "" test status 1
+ runfailure 2 "" test status 2
+ runfailure 255 "Access denied" test noauth
++runfailure 255 "Access denied" test noacl
+ runfailure 1 "" test nonexistant
+ runfailure 255 "Unknown command" test bad-command
+ 
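Review bot: The one-line change from `-        if (status != -1)` to `+        if (status == 0)` is the right fix, but the loop still carries no comment recording acl_check_file's contract (0 means listed, -1 means denied, anything else means the file could not be checked), which is precisely the distinction the old test collapsed; a comment there, and ideally a log line when the ACL file cannot be read, would make the misconfiguration visible to the operator instead of indistinguishable from an ordinary denial (the new test expects the same "Access denied" for noauth and noacl). In simple.conf, the existing `acl-nonexistant` (presumably a file that exists but lists no matching user, since `test noauth` expected "Access denied" even before this fix) and the new `acl-no-such-file` (a file that really does not exist) are easy to confuse; a comment or a rename would help. In remctl-t the test count is hardcoded in three places (`echo 8` and the two `for n in 1 2 3 4 5 6 7 8` loops), and the whole script skips when data/test.keytab is absent, so `$(MAKE) check` in debian/rules will not exercise this regression test on a buildd without a Kerberos configuration; the fix is only verified where someone runs the suite with a keytab.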
only in patch2:
unchanged:
--- remctl-2.2.orig/debian/patches/series
+++ remctl-2.2/debian/patches/series
@@ -0,0 +1 @@
+missing-acl -p0

-- 
Russ Allbery ([EMAIL PROTECTED])               <http://www.eyrie.org/~eagle/>
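As an added illustration of the bug class described in the message above (this is not remctl's code; the enum names, return values, function names and file paths are assumptions made for the example), here is a small C ACL checker with a three-valued result, the buggy caller shape that treated anything but an explicit denial as success, and the fail-closed form that grants access only on an explicit match and reports an unreadable file:

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Three-valued result so a caller can tell "listed" from "not listed" from
 * "could not read the ACL file".  Names and values are assumptions for this
 * example, not remctl's. */
enum acl_result { ACL_ALLOW = 0, ACL_DENY = -1, ACL_ERROR = -2 };

/* Return ACL_ALLOW if `user` appears as a line in the ACL file at `path`,
 * ACL_DENY if the file was read and does not list the user, and ACL_ERROR
 * if the file cannot be opened (missing, unreadable, wrong path). */
enum acl_result acl_check_file(const char *user, const char *path)
{
    char line[256];
    FILE *fp = fopen(path, "r");

    if (fp == NULL)
        return ACL_ERROR;
    while (fgets(line, sizeof line, fp) != NULL) {
        line[strcspn(line, "\r\n")] = '\0';        /* strip the newline */
        if (line[0] == '\0' || line[0] == '#')     /* blank or comment */
            continue;
        if (strcmp(line, user) == 0) {
            fclose(fp);
            return ACL_ALLOW;
        }
    }
    fclose(fp);
    return ACL_DENY;
}

/* The buggy caller shape: anything that is not an explicit deny counts as
 * success, so a missing file (ACL_ERROR) grants access. */
int acl_permit_buggy(const char *user, const char *const *acls)
{
    for (size_t i = 0; acls[i] != NULL; i++)
        if (acl_check_file(user, acls[i]) != ACL_DENY)
            return 1;
    return 0;
}

/* Fail-closed caller: only an explicit ACL_ALLOW grants access.  A file that
 * cannot be read is reported so the misconfiguration is visible, and the
 * remaining ACL files are still consulted. */
int acl_permit_fixed(const char *user, const char *const *acls)
{
    for (size_t i = 0; acls[i] != NULL; i++) {
        enum acl_result r = acl_check_file(user, acls[i]);
        if (r == ACL_ALLOW)
            return 1;
        if (r == ACL_ERROR)
            fprintf(stderr, "cannot read ACL file %s: %s\n",
                    acls[i], strerror(errno));
    }
    return 0;
}

/* Write a constructed ACL listing a single principal; returns 0 on success. */
int write_sample_acl(const char *path)
{
    FILE *fp = fopen(path, "w");
    if (fp == NULL)
        return -1;
    fputs("# constructed sample ACL for this example\nalice@EXAMPLE.COM\n", fp);
    return fclose(fp);
}

int main(void)
{
    const char *present[] = { "/tmp/remctl_acl_example_constructed", NULL };
    const char *missing[] = { "/tmp/remctl_acl_no_such_file_constructed", NULL };

    if (write_sample_acl(present[0]) != 0)
        return 1;
    printf("bob, missing ACL, buggy caller: %d (grants access)\n",
           acl_permit_buggy("bob@EXAMPLE.COM", missing));
    printf("bob, missing ACL, fixed caller: %d\n",
           acl_permit_fixed("bob@EXAMPLE.COM", missing));
    printf("alice, real ACL, fixed caller:  %d\n",
           acl_permit_fixed("alice@EXAMPLE.COM", present));
    return 0;
}
```

The point of the three-valued result is that the caller cannot accidentally collapse "I could not check" into "allowed": the fixed loop tests for the one value that means a positive match, and every other value, known or unknown, denies.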

