Bug#793086: me too

2016-10-18 Thread Thomas Arendsen Hein
Hi!

I just wanted to add that I just noticed the same problem on a
machine with arpalert monitoring four network interfaces.

arpalert 2.0.11-7.1 (Debian jessie, amd64)

Regards,
Thomas Arendsen Hein

-- 
tho...@intevation.de - http://intevation.de/~thomas/ - OpenPGP key: 0x5816791A
Intevation GmbH, Neuer Graben 17, 49074 Osnabrueck - AG Osnabrueck, HR B 18998
Geschaeftsfuehrer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner



Bug#841162: quagga: CVE-2016-1245: zebra: stack overrun in IPv6 RA receive code

2016-10-18 Thread Salvatore Bonaccorso
Source: quagga
Version: 0.99.23.1-1
Severity: grave
Tags: security upstream patch

Hi,

the following vulnerability was published for quagga.

CVE-2016-1245[0]:
zebra: stack overrun in IPv6 RA receive code

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-1245

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Bug#841192: mozplugger: mplayer2 has gone away

2016-10-18 Thread James Cowgill
Package: mozplugger
Version: 1.14.5-2
Severity: minor

Hi,

mplayer2 no longer exists in stretch, please can you remove it from the
suggested packages.

Thanks,
James






Bug#819567: marked as done (extlinux: please sort kernels by version)

2016-10-18 Thread Debian Bug Tracking System
Your message dated Tue, 18 Oct 2016 13:43:37 +
with message-id <20161018134337.ga23...@kos.to>
and subject line update-extlinux is no longer
has caused the Debian Bug report #819567,
regarding extlinux: please sort kernels by version
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
819567: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=819567
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: extlinux
Version: 2:4.05+dfsg-6+deb7u1
Severity: normal

When extlinux-update is writing out the linux.cfg file, it uses the
following shell code:

  # Find linux versions
  _VERSIONS="$(cd /boot && ls vmlinuz-* | grep -v .dpkg-tmp | sed -e 's|vmlinuz-||g' | sort -nr)"

Unfortunately, this results in (for instance) vmlinuz-3.2 being sorted
before vmlinuz-3.16, with the unexpected result that an unattended
reboot will still boot to the old kernel.

It should really use "sort -Vr" instead.  (I made a local diversion of
this file with this fix and it works perfectly.)

-- System Information:
Debian Release: 7.9
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-0.bpo.4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages extlinux depends on:
ii  debconf [debconf-2.0]  1.5.49
ii  libc6  2.13-38+deb7u10

Versions of packages extlinux recommends:
pn  os-prober   
ii  syslinux-common 2:4.05+dfsg-6+deb7u1
pn  syslinux-themes-debian  

extlinux suggests no packages.
--- End Message ---
--- Begin Message ---
> It should really use "sort -Vr" instead.  (I made a local diversion of
> this file with this fix and it works perfectly.)

extlinux-update has been dropped from debian as the maintainer left. 
The whole syslinux package needs a new maintainer.

https://packages.qa.debian.org/s/syslinux.html

Riku
--- End Message ---


Bug#841207: apt-rdepends: When multiple versions of a package exists, apt-rdepends uses the oldest

2016-10-18 Thread spike . sp

Package: apt-rdepends
Version: 1.3.0-3
Severity: important
Tags: patch

Dear Maintainer,

I was using apt-rdepends to build a package dependencies when I noticed 
that the dependencies were incorrect.



For instance, here is an extract of "apt-cache show ansible" (ansible 
has 2 versions available):

Package: ansible
Version: 2.1.1.0-1~bpo8+1
...
	Depends: python, python-crypto (>= 2.6), python-jinja2, python-paramiko, python-pkg-resources, python-yaml, python:any (<< 2.8), python:any (>= 2.7.5-5~), python-httplib2, python-netaddr

...

Package: ansible
Version: 1.7.2+dfsg-2
...
	Depends: python (>= 2.7), python (<< 2.8), python-paramiko, python-jinja2, python-yaml, python-pkg-resources, python-crypto (>= 2.6), python-httplib2

...


Now if I run "apt-rdepends ansible":
Reading package lists... Done
Building dependency tree
Reading state information... Done
ansible
  Depends: python (<< 2.8)
  Depends: python-crypto (>= 2.6)
  Depends: python-httplib2
  Depends: python-jinja2
  Depends: python-paramiko
  Depends: python-pkg-resources
  Depends: python-yaml
...


Clearly the output is for the 1.7.2+dfsg-2 version which is the oldest.
Now if you dig into apt-rdepends code a comment says (lines 247 & 248): 
"Notice how we get the last version for our forward dependencies."

Obviously this is not working (or was working in the past ?).
A few lines after (line 253) the version used is extracted from the list 
of versions using the pop() command. Replacing with a shift() command 
solves the issue.


Here is a patch:

--- /usr/bin/apt-rdepends   2012-09-16 11:47:10.0 +0200
+++ apt-rdepends2016-10-18 14:51:10.579036849 +0200
@@ -256,7 +256,7 @@
   }
   else {
 if (my $i = $p->{VersionList}) {
-  if (my $j = pop(@$i)) {
+  if (my $j = shift(@$i)) {
return $j->{DependsList};
   }
 }
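
Review bot: the changed line still removes an element from the array behind `$p->{VersionList}`, since `shift(@$i)` modifies the list just as `pop(@$i)` did; if the same array is handed back on a later lookup of this package, that lookup sees a shorter list and returns another version's `DependsList`. Reading the element without modifying the list (`$i->[0]`) avoids this. The fix also relies on the newest version being first in `VersionList`, which nothing in this hunk checks, so either compare the entries' versions explicitly or state the ordering assumption in the comment above this block.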

Once applied, the output of "apt-rdepends ansible" is:
Reading package lists... Done
Building dependency tree
Reading state information... Done
ansible
  Depends: python
  Depends: python-crypto (>= 2.6)
  Depends: python-httplib2
  Depends: python-jinja2
  Depends: python-netaddr
  Depends: python-paramiko
  Depends: python-pkg-resources
  Depends: python-yaml
  Depends: python:any (>= 2.7.5-5~)
...

Which corresponds to the last version.


-- System Information:
Debian Release: 8.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 3.16.0-4-686-pae (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apt-rdepends depends on:
ii  libapt-pkg-perl  0.1.29+b2
ii  perl 5.20.2-3+deb8u6

apt-rdepends recommends no packages.

Versions of packages apt-rdepends suggests:
pn  springgraph | graphviz  
pn  vcg 

-- no debconf information



Processing of quagga_1.0.20160315-3_amd64.changes

2016-10-18 Thread Debian FTP Masters
quagga_1.0.20160315-3_amd64.changes uploaded successfully to 
ftp-master.debian.org
along with the files:
  quagga_1.0.20160315-3.dsc
  quagga_1.0.20160315-3.debian.tar.xz
  quagga-dbg_1.0.20160315-3_amd64.deb
  quagga-doc_1.0.20160315-3_all.deb
  quagga_1.0.20160315-3_amd64.deb

Greetings,

Your Debian queue daemon (running on host coccia.debian.org)



Processing of quagga_1.0.20160315-3_amd64.changes

2016-10-18 Thread Debian FTP Masters
quagga_1.0.20160315-3_amd64.changes uploaded successfully to localhost
along with the files:
  quagga_1.0.20160315-3.dsc
  quagga_1.0.20160315-3.debian.tar.xz
  quagga-dbg_1.0.20160315-3_amd64.deb
  quagga-doc_1.0.20160315-3_all.deb
  quagga_1.0.20160315-3_amd64.deb

Greetings,

Your Debian queue daemon (running on host franck.debian.org)



Bug#841162: marked as done (quagga: CVE-2016-1245: zebra: stack overrun in IPv6 RA receive code)

2016-10-18 Thread Debian Bug Tracking System
Your message dated Tue, 18 Oct 2016 22:48:59 +
with message-id 
and subject line Bug#841162: fixed in quagga 1.0.20160315-3
has caused the Debian Bug report #841162,
regarding quagga: CVE-2016-1245: zebra: stack overrun in IPv6 RA receive code
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
841162: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=841162
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: quagga
Version: 0.99.23.1-1
Severity: grave
Tags: security upstream patch

Hi,

the following vulnerability was published for quagga.

CVE-2016-1245[0]:
zebra: stack overrun in IPv6 RA receive code

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-1245

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: quagga
Source-Version: 1.0.20160315-3

We believe that the bug you reported is fixed in the latest version of
quagga, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 841...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Florian Weimer  (supplier of updated quagga package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Format: 1.8
Date: Tue, 18 Oct 2016 22:06:18 +0200
Source: quagga
Binary: quagga quagga-dbg quagga-doc
Architecture: source amd64 all
Version: 1.0.20160315-3
Distribution: unstable
Urgency: high
Maintainer: Debian QA Group 
Changed-By: Florian Weimer 
Description:
 quagga - BGP/OSPF/RIP routing daemon
 quagga-dbg - BGP/OSPF/RIP routing daemon (debug symbols)
 quagga-doc - documentation files for quagga
Closes: 841162
Changes:
 quagga (1.0.20160315-3) unstable; urgency=high
 .
   * Apply patch to fix CVE-2016-1245.  Closes: #841162.
--- End Message ---


quagga_1.0.20160315-3_amd64.changes ACCEPTED into unstable

2016-10-18 Thread Debian FTP Masters


Accepted:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Format: 1.8
Date: Tue, 18 Oct 2016 22:06:18 +0200
Source: quagga
Binary: quagga quagga-dbg quagga-doc
Architecture: source amd64 all
Version: 1.0.20160315-3
Distribution: unstable
Urgency: high
Maintainer: Debian QA Group 
Changed-By: Florian Weimer 
Description:
 quagga - BGP/OSPF/RIP routing daemon
 quagga-dbg - BGP/OSPF/RIP routing daemon (debug symbols)
 quagga-doc - documentation files for quagga
Closes: 841162
Changes:
 quagga (1.0.20160315-3) unstable; urgency=high
 .
   * Apply patch to fix CVE-2016-1245.  Closes: #841162.


Thank you for your contribution to Debian.



Bug#841257: sendmail: Privilege escalation from group smmsp to (user) root

2016-10-18 Thread Paul Szabo
Package: sendmail
Version: 8.14.4-8+deb8u1
Severity: grave
Tags: patch security
Justification: user security hole


Supposing that due to some bug in sendmail, we were able to execute
commands as group smmsp, then that might be leveraged to cause root
to create any (empty) file.

The directory /var/run/sendmail/stampdir is group-smmsp-writable, so
we (as group smmsp) could create symlinks there pointing to any name.
Then when /etc/init.d/sendmail was run as root (to restart the daemon
maybe?), one or another of the symlinks

  /var/run/sendmail/stampdir/reload
  /var/run/sendmail/stampdir/cron_msp
  /var/run/sendmail/stampdir/cron_mta
  /var/run/sendmail/stampdir/cron_msp

might be followed to create an empty file.

Lines in /etc/init.d/sendmail:

   ...
   110  SENDMAIL_ROOT='/var/run/sendmail';
   ...
   144  STAMP_DIR="${SENDMAIL_ROOT}/stampdir";
   ...
   246  touch $STAMP_DIR/reload;
   ...
   367  touch $STAMP_DIR/reload;
   ...
   900  touch $STAMP_DIR/cron_msp;
   ...
   912  touch $STAMP_DIR/cron_mta;
   ...
   938  touch $STAMP_DIR/cron_msp;
   ...
  1130  if [ ! -d "${STAMP_DIR}" ]; then
  1131  mkdir -p "${STAMP_DIR}";
  1132  chown root:smmsp "${STAMP_DIR}";
  1133  chmod 02775 "${STAMP_DIR}";
  1134  fi;
   ...


Things missing to make a "convincing" exploit:
 - a way to "get" group smmsp: there have not been such issues for some
   years now;
 - how to trick the sysadmin into restarting sendmail;
 - under what conditions would any of those "touch" lines be run;
 - a way to "get root" by creating some empty file: damage can be done
   with /etc/nologin, maybe some exploitation with /etc/hosts.deny.
Seems this issue has low priority.


My suggested fix:

$ diff /etc/init.d/sendmail.bak <---> /etc/init.d/sendmail
246c246
<   touch $STAMP_DIR/reload;
---
>   su smmsp -s /bin/bash -c "touch $STAMP_DIR/reload";
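
Review bot: in the replacement line at 246, `$STAMP_DIR` is expanded by the calling shell inside the double-quoted `-c` string and the result is parsed a second time by the `/bin/bash` that `su` starts, so the path reaches `touch` unquoted. Suggest quoting it inside the command string (`touch '$STAMP_DIR/reload'` within the double quotes) so whitespace or shell metacharacters in the path cannot change the command. `-s /bin/bash` also makes the init script depend on bash for a single `touch`; `/bin/sh` is enough.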
367c367
<   touch $STAMP_DIR/reload;
---
>   su smmsp -s /bin/bash -c "touch $STAMP_DIR/reload";
900c900
<   touch $STAMP_DIR/cron_msp;
---
>   su smmsp -s /bin/bash -c "touch 
> $STAMP_DIR/cron_msp";
912c912
<   touch $STAMP_DIR/cron_mta;
---
>   su smmsp -s /bin/bash -c "touch $STAMP_DIR/cron_mta";
938c938
<   touch $STAMP_DIR/cron_msp;
---
>   su smmsp -s /bin/bash -c "touch 
> $STAMP_DIR/cron_msp";
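
Review bot: the same `su smmsp -s /bin/bash -c "touch ..."` line is now repeated at 246, 367, 900, 912 and 938, and none of the five sites checks the exit status of `su`. A small helper function that takes the stamp name would keep the call sites in step, and it should test the result: a stamp file left behind by the earlier root-run `touch` is owned by root, so the `touch` run as smmsp can fail on it without the script noticing.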


Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of SydneyAustralia
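
The symlink-following behaviour described in this report, reproduced in a private temporary directory next to a stamp routine that does not follow links. This is an added example, not code from the sendmail package or from the report's author: `unsafe_stamp`, `safe_stamp` and `demo` are hypothetical names, and GNU coreutils (`mktemp`, `mv -T`) is assumed.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from /etc/init.d/sendmail.
# Assumes GNU coreutils (mktemp, mv -T).

# What the init script does: touch opens the path with O_CREAT, so a symlink
# planted in the group-writable stamp directory is followed and its target
# is created with the caller's privileges.
unsafe_stamp() {
    touch "$1"
}

# Hardened variant: create the stamp under a fresh name (mktemp uses O_EXCL,
# which never follows a link), then rename(2) it over the destination.
# rename replaces a symlink at the destination instead of following it, and
# there is no window between a check and the write. -T stops mv from moving
# the file *into* a directory that the destination might point at.
safe_stamp() {
    dir=$(dirname -- "$1") || return 1
    tmp=$(mktemp -- "$dir/.stamp.XXXXXX") || return 1
    if ! mv -f -T -- "$tmp" "$1"; then
        rm -f -- "$tmp"
        return 1
    fi
}

# Constructed scenario: a stamp directory whose "reload" entry is a symlink
# to a file that does not exist yet. Runs the given stamp routine and prints
# two words: whether the link target was created, and what "reload" is now.
demo() {
    stamper=$1
    root=$(mktemp -d) || return 1
    mkdir "$root/stampdir"
    ln -s "$root/target" "$root/stampdir/reload"

    "$stamper" "$root/stampdir/reload"

    if [ -e "$root/target" ]; then created=created; else created=absent; fi
    if [ -L "$root/stampdir/reload" ]; then kind=symlink; else kind=file; fi
    rm -rf "$root"
    echo "$created $kind"
}

demo unsafe_stamp   # created symlink
demo safe_stamp     # absent file
```

The stamp written by `safe_stamp` is owned by the caller with mode 0600, so anything that later refreshes it as smmsp would need the ownership adjusted.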



Bug#841257: sendmail: Privilege escalation from group smmsp to (user) root

2016-10-18 Thread paul . szabo
Hmm... you may also need to (once) do:
  chown smmsp /var/run/sendmail/stampdir/reload
when adopting my patch.

Cheers, Paul



Bug#841257: sendmail: Privilege escalation from group smmsp to (user) root

2016-10-18 Thread paul . szabo
Hmm (again) ... Maybe file /usr/share/sendmail/sendmail needs updating
also? It is almost identical to /etc/init.d/sendmail, and in file
/etc/cron.daily/sendmail I notice the lines:

...
#--
# Every so often, give sendmail a chance to run the MSP queues.
*/20 * * * *   smmsp   test -x /etc/init.d/sendmail && /usr/share/sendmail/sendmail cron-msp
#
#--
# Every so often, give sendmail a chance to run the MTA queues.
# Will also run MSP queues if enabled
#*/10 * * * *  root    test -x /etc/init.d/sendmail && /usr/share/sendmail/sendmail cron-mta
...

Maybe no problem as long as that second line is commented out.

I wonder about the first line (whether it is needed), seeing how my
machines always have a process like:

USER   PID %CPU %MEM    VSZ   RSS TTY  STAT START   TIME COMMAND
smmsp 2880  0.0  0.0  11956  3236 ?    Ss   Oct11   0:00 sendmail: Queue runner@00:10:00 for /var/spool/mqueue-client

running.

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of SydneyAustralia