So cunning you could brush your teeth with it.

Wednesday, 8 October 2008

Let's take a look at a new tool available in Lenny & Sid:

apt-get source acon

int main(int argc,char **argv)
{
        int i,tty,useunicode=0;
        char *fontf=0,*translationf=0,*keymapf=0;

        get_ids();
        set_user_id();

        /*Read configure file if no input options*/
        if(argc<2)
        {
                char *env;
                FILE *fp;
                char font[300],translation[300],keymap[300];
                char tmp[300];

                font[0]=translation[0]=keymap[0]=0;
                if((env=getenv("HOME")))
                        sprintf(tmp,"%s/.acon.conf",env);
                else
                        strcpy(tmp,"/etc/acon.conf");

Hmmm. Nice use of the environment there: $HOME goes straight through an unbounded sprintf() into a 300-byte stack buffer. I wonder what permissions the binary has:

skx@gold:~$ ls -l /usr/bin/acon
-rwsr-xr-x 1 root root 48672 2008-06-09 10:50 /usr/bin/acon

setuid(0) - just say no.
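As an added example (not acon's code), here is a bounded replacement for the config-path construction quoted above: it refuses a $HOME that will not fit instead of writing past the buffer, and it only consults $HOME at all once the effective uid matches the real uid. The geteuid()/getuid() gate and the assumption that privileges have already been dropped (as acon's set_user_id() appears to do) are mine, not the page's.

```c
/* Added example, not code from acon: a bounded version of the
 * "%s/.acon.conf" path construction from acon's main(). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define PATH_BUF    300            /* same buffer size as the acon excerpt */
#define USER_CONF   "/.acon.conf"
#define SYSTEM_CONF "/etc/acon.conf"

/* Build the config path into out[outlen] from a caller-supplied HOME value
 * (NULL when unset). Returns 0 on success, -1 if the result would not fit;
 * never writes beyond outlen bytes. Requiring an absolute HOME is an extra
 * check added here, not something acon does. */
int build_conf_path(char *out, size_t outlen, const char *home)
{
    int n;

    if (home == NULL || home[0] != '/')
        n = snprintf(out, outlen, "%s", SYSTEM_CONF);
    else
        n = snprintf(out, outlen, "%s%s", home, USER_CONF);

    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';             /* truncated: refuse, don't use a partial path */
        return -1;
    }
    return 0;
}

/* In a setuid binary the environment is chosen by whoever ran it, so only
 * honour HOME when we are no longer running with borrowed privileges.
 * Assumption: the caller has already done the equivalent of set_user_id(). */
const char *home_if_unprivileged(void)
{
    if (geteuid() != getuid())
        return NULL;
    return getenv("HOME");
}

int main(void)
{
    char path[PATH_BUF];

    if (build_conf_path(path, sizeof path, home_if_unprivileged()) == 0)
        printf("config file: %s\n", path);
    else
        fprintf(stderr, "HOME too long for a %d-byte path buffer; refusing\n", PATH_BUF);
    return 0;
}
```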

ObTitle: Blackadder II


Comments On This Entry

[gravitar] Florian Weimer

Submitted at 22:53:51 on 6 October 2008

It's #475733 and supposedly fixed. I haven't looked at the package, though.
[gravitar] Des

Submitted at 22:56:03 on 6 October 2008

I don't get it, is this really the way to report this? I didn't find any bug#, and disclosing things like this... am I missing something?
[gravitar] Joe Buck

Submitted at 22:56:53 on 6 October 2008

Hope there's an RC bug for that one.
[author] Steve

Submitted at 23:20:53 on 6 October 2008

I saw the bug, but I'm scared of the code. e.g. the my_system call.

Still it does look like permissions are dropped prior to that being invoked.

[gravitar] brian m. carlson

Submitted at 04:12:43 on 7 October 2008

There was a call for an audit on debian-audit, and I audited the code. My recommendation to Moritz was that this code not be released due to the use of fixed-size buffers, magic constants, and unsafe functions (strcpy and sprintf). Apparently nobody listened. See #476603.
[gravitar] Helmut Grohne

Submitted at 06:59:30 on 7 October 2008

Have you seen http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=475733 or did it happen again?
Helmut
[gravitar] nion

Submitted at 12:58:56 on 7 October 2008

C'mon Steve, this blog post is really not fair, there is a) a bug for that and b) you didn't see debian/patches/05-CVE-2008-1994.diff did you? :)
[author] Steve Kemp

Submitted at 14:05:02 on 7 October 2008

Nion, you're probably right.

I was updating my list of Setuid/setgid binaries in the archive and this package contained one near the top of the list. (Full list on gluck in ~skx/).

I started being shocked at the code. Then I saw the CVE assignment and remembered we'd had a discussion.

I personally believe this package:

  • Shouldn't have ever been accepted into the archive.
  • Shouldn't be in Lenny.

I know that there were patches, but the application as a whole is not written in a secure fashion - and to require setuid(0) privileges just makes me scared.

[gravitar] rjc

Submitted at 12:34:50 on 8 October 2008

Seeing this and the last OpenSSL-related problems, one thing comes to my mind - OpenBSD-style code audit.
[gravitar] Jon

Submitted at 17:45:15 on 8 October 2008

rjc: well, in this case, the code *was* audited, sufficiently enough for the auditor to decide the code was not suitable for the OS. What is needed is perhaps for existing audits to be paid attention to?
[gravitar] Thomas

Submitted at 20:38:02 on 8 October 2008

The package has been removed by the request of the maintainer by now. Mind you: This package did provide a unique feature to Debian even if it is too bad to have in Debian. Luckily, a better-designed alternative seems to be available but it still needs some work.
[gravitar] James

Submitted at 05:34:57 on 9 October 2008

Why does this post keep going to the top of Planet Debian?
[author] Steve Kemp

Submitted at 06:34:46 on 9 October 2008

I failed to add a date to this entry, so each time I rebuilt the blog (to add the comments), it was marked as "new".

Thanks for pointing it out to me, I've fixed it now.
