Version in base suite: 2.12p-4sarge1 Version in overlay suite: 2.12p-4sarge2 Base version: loop-aes-utils_2.12p-4sarge1 Target version: loop-aes-utils_2.12p-4sarge2 Base file: /org/ftp.debian.org/ftp/pool/main/l/loop-aes-utils/loop-aes-utils_2.12p-4sarge1.dsc Target file: /org/ftp.debian.org/ftp/pool/main/l/loop-aes-utils/loop-aes-utils_2.12p-4sarge2.dsc diff -u loop-aes-utils-2.12p/debian/patches/00list loop-aes-utils-2.12p/debian/patches/00list --- loop-aes-utils-2.12p/debian/patches/00list +++ loop-aes-utils-2.12p/debian/patches/00list @@ -5,0 +6 @@ +CVE-2007-5191 diff -u loop-aes-utils-2.12p/debian/changelog loop-aes-utils-2.12p/debian/changelog --- loop-aes-utils-2.12p/debian/changelog +++ loop-aes-utils-2.12p/debian/changelog @@ -1,3 +1,12 @@ +loop-aes-utils (2.12p-4sarge2) oldstable-security; urgency=high + + * Non-maintainer upload by the security team + * Fix privilege escalation by calling setuid() and setgid() in the + wrong order and not checking the return values in mount and umount + Fixes: CVE-2007-5191 + + -- Steffen Joeris Sat, 22 Dec 2007 14:04:14 +0000 + loop-aes-utils (2.12p-4sarge1) stable-security; urgency=high * [SECURITY] CAN-2005-2876. Applied patch from 2.12r-pre1 to diff -u loop-aes-utils-2.12p/config.guess loop-aes-utils-2.12p/config.guess --- loop-aes-utils-2.12p/config.guess +++ loop-aes-utils-2.12p/config.guess @@ -1,9 +1,9 @@ #! /bin/sh # Attempt to guess a canonical system name. # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, -# 2000, 2001, 2002, 2003, 2004 Free Software Foundation, Inc. +# 2000, 2001, 2002, 2003, 2004, 2005 Free Software Foundation, Inc. -timestamp='2004-11-12' +timestamp='2005-04-22' # This file is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by @@ -53,7 +53,7 @@ GNU config.guess ($timestamp) Originally written by Per Bothner. -Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004 +Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO @@ -804,6 +804,9 @@ i*:UWIN*:*) echo ${UNAME_MACHINE}-pc-uwin exit 0 ;; + amd64:CYGWIN*:*:*) + echo x86_64-unknown-cygwin + exit 0 ;; p*:CYGWIN*:*) echo powerpcle-unknown-cygwin exit 0 ;; @@ -1137,6 +1140,10 @@ # From seanf@swdc.stratus.com. echo i860-stratus-sysv4 exit 0 ;; + i*86:VOS:*:*) + # From Paul.Green@stratus.com. + echo ${UNAME_MACHINE}-stratus-vos + exit 0 ;; *:VOS:*:*) # From Paul.Green@stratus.com. echo hppa1.1-stratus-vos @@ -1197,6 +1204,9 @@ *:QNX:*:4*) echo i386-pc-qnx exit 0 ;; + NSE-?:NONSTOP_KERNEL:*:*) + echo nse-tandem-nsk${UNAME_RELEASE} + exit 0 ;; NSR-?:NONSTOP_KERNEL:*:*) echo nsr-tandem-nsk${UNAME_RELEASE} exit 0 ;; @@ -1413,7 +1423,9 @@ the operating system you are using. It is advised that you download the most up to date version of the config scripts from - ftp://ftp.gnu.org/pub/gnu/config/ + http://savannah.gnu.org/cgi-bin/viewcvs/*checkout*/config/config/config.guess +and + http://savannah.gnu.org/cgi-bin/viewcvs/*checkout*/config/config/config.sub If the version you run ($0) is already up to date, please send the following data and any information you think might be diff -u loop-aes-utils-2.12p/config.sub loop-aes-utils-2.12p/config.sub --- loop-aes-utils-2.12p/config.sub +++ loop-aes-utils-2.12p/config.sub @@ -1,9 +1,9 @@ #! /bin/sh # Configuration validation subroutine script. # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, -# 2000, 2001, 2002, 2003, 2004 Free Software Foundation, Inc. +# 2000, 2001, 2002, 2003, 2004, 2005 Free Software Foundation, Inc. -timestamp='2004-11-30' +timestamp='2005-04-22' # This file is (in principle) common to ALL GNU software. # The presence of a machine in this file suggests that SOME GNU software @@ -70,7 +70,7 @@ version="\ GNU config.sub ($timestamp) -Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004 +Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO @@ -231,13 +231,14 @@ | alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] | alpha64pca5[67] \ | am33_2.0 \ | arc | arm | arm[bl]e | arme[lb] | armv[2345] | armv[345][lb] | avr \ + | bfin \ | c4x | clipper \ | d10v | d30v | dlx | dsp16xx \ | fr30 | frv \ | h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \ | i370 | i860 | i960 | ia64 \ | ip2k | iq2000 \ - | m32r | m32rle | m68000 | m68k | m88k | mcore \ + | m32r | m32rle | m68000 | m68k | m88k | maxq | mcore \ | mips | mipsbe | mipseb | mipsel | mipsle \ | mips16 \ | mips64 | mips64el \ @@ -262,7 +263,8 @@ | pyramid \ | sh | sh[1234] | sh[23]e | sh[34]eb | shbe | shle | sh[1234]le | sh3ele \ | sh64 | sh64le \ - | sparc | sparc64 | sparc86x | sparclet | sparclite | sparcv8 | sparcv9 | sparcv9b \ + | sparc | sparc64 | sparc64b | sparc86x | sparclet | sparclite \ + | sparcv8 | sparcv9 | sparcv9b \ | strongarm \ | tahoe | thumb | tic4x | tic80 | tron \ | v850 | v850e \ @@ -298,7 +300,7 @@ | alphapca5[67]-* | alpha64pca5[67]-* | arc-* \ | arm-* | armbe-* | armle-* | armeb-* | armv*-* \ | avr-* \ - | bs2000-* \ + | bfin-* | bs2000-* \ | c[123]* | c30-* | [cjt]90-* | c4x-* | c54x-* | c55x-* | c6x-* \ | clipper-* | craynv-* | cydra-* \ | d10v-* | d30v-* | dlx-* \ @@ -310,7 +312,7 @@ | ip2k-* | iq2000-* \ | m32r-* | m32rle-* \ | m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \ - | m88110-* | m88k-* | mcore-* \ + | m88110-* | m88k-* | maxq-* | mcore-* \ | mips-* | mipsbe-* | mipseb-* | mipsel-* | mipsle-* \ | mips16-* \ | mips64-* | mips64el-* \ @@ -336,7 +338,8 @@ | romp-* | rs6000-* \ | sh-* | sh[1234]-* | sh[23]e-* | sh[34]eb-* | shbe-* \ | shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \ - | sparc-* | sparc64-* | sparc86x-* | sparclet-* | sparclite-* \ + | sparc-* | sparc64-* | sparc64b-* | sparc86x-* | sparclet-* \ + | sparclite-* \ | sparcv8-* | sparcv9-* | sparcv9b-* | strongarm-* | sv1-* | sx?-* \ | tahoe-* | thumb-* \ | tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* \ only in patch2: unchanged: --- loop-aes-utils-2.12p.orig/debian/patches/CVE-2007-5191.dpatch +++ loop-aes-utils-2.12p/debian/patches/CVE-2007-5191.dpatch @@ -0,0 +1,37 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run + +@DPATCH@ +--- ../old/loop-aes-utils-2.12p/mount/mount.c 2007-12-22 13:59:48.000000000 +0000 ++++ loop-aes-utils-2.12p/mount/mount.c 2007-12-22 14:01:48.000000000 +0000 +@@ -730,8 +730,12 @@ + const char *oo, *mountargs[10]; + int i = 0; + +- setuid(getuid()); +- setgid(getgid()); ++ if(setgid(getgid()) < 0) ++ die(EX_FAIL, _("mount: cannot set group id: %s"), strerror(errno)); ++ ++ if(setuid(getuid()) < 0) ++ die(EX_FAIL, _("mount: cannot set user id: %s"), strerror(errno)); ++ + oo = fix_opts_string (flags, extra_opts, NULL); + mountargs[i++] = mountprog; + mountargs[i++] = spec; +--- ../old/loop-aes-utils-2.12p/mount/umount.c 2007-12-22 13:59:48.000000000 +0000 ++++ loop-aes-utils-2.12p/mount/umount.c 2007-12-22 14:02:13.000000000 +0000 +@@ -113,8 +113,12 @@ + char *umountargs[8]; + int i = 0; + +- setuid(getuid()); +- setgid(getgid()); ++ if(setgid(getgid()) < 0) ++ die(EX_FAIL, _("umount: cannot set group id: %s"), strerror(errno)); ++ ++ if(setuid(getuid()) < 0) ++ die(EX_FAIL, _("umount: cannot set user id: %s"), strerror(errno)); ++ + umountargs[i++] = umountprog; + umountargs[i++] = xstrdup(node); + if (nomtab)