
So cunning you could brush your teeth with it.

8 October 2008 21:50

Let's take a look at a new tool available in Lenny & Sid:

apt-get source acon

/* excerpt from main() in the acon source; truncated after the config-file lookup */
int main(int argc,char **argv)
{
        int i,tty,useunicode=0;
        char *fontf=0,*translationf=0,*keymapf=0;

        get_ids();
        set_user_id();

        /*Read configure file if no input options*/
        if(argc<2)
        {
                char *env;
                FILE *fp;
                char font[300],translation[300],keymap[300];
                char tmp[300];          /* fixed-size stack buffer */

                font[0]=translation[0]=keymap[0]=0;
                if((env=getenv("HOME")))
                        sprintf(tmp,"%s/.acon.conf",env);   /* unbounded copy of $HOME into tmp[300] */
                else
                        strcpy(tmp,"/etc/acon.conf");
                /* ... */

Hmmm. Nice use of the environment there: whatever the caller puts in $HOME goes through an unbounded sprintf into a 300-byte stack buffer. I wonder what permissions the binary has:

skx@gold:~$ ls -l /usr/bin/acon
-rwsr-xr-x 1 root root 48672 2008-06-09 10:50 /usr/bin/acon

setuid(0) - just say no.
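For contrast, here is the same lookup written the way a set-uid program should do it. This is an added example, not acon's code and not Debian's patch: the function names, the conf_src enum, make_long_home and the sample paths are mine. It bounds the format with snprintf and refuses (rather than truncates) when the result would not fit, and it makes explicit the prior question of whether $HOME deserves any trust when the real and effective uids differ.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Added example, not acon's code.  The original does
 *     sprintf(tmp, "%s/.acon.conf", getenv("HOME"));
 * into char tmp[300].  Anything the caller puts in HOME longer than 288
 * bytes runs off the end of a stack buffer in a set-uid-root process.
 * Below: the same lookup with a bound, and the real/effective uid check
 * that decides whether $HOME deserves any trust in the first place. */

#define ACON_CONF_MAX 300           /* same buffer size as the original */

/* Why the lookup ended up where it did (the fallback is never silent). */
enum conf_src {
    CONF_FROM_HOME = 0,             /* "$HOME/.acon.conf" fitted */
    CONF_SYSTEM    = 1,             /* HOME unset or empty -> /etc/acon.conf */
    CONF_BAD_HOME  = 2,             /* HOME not absolute   -> /etc/acon.conf */
    CONF_TOO_LONG  = 3              /* would not fit       -> /etc/acon.conf */
};

/* For a set-uid program the environment belongs to the invoking user, not to
 * the privileged identity.  When real and effective uid differ, use the
 * password-database home of the *real* uid (pw_dir, i.e. what
 * getpwuid(getuid())->pw_dir would return) instead of $HOME.  Passing the
 * ids and pw_dir in as parameters keeps the policy testable. */
const char *home_for_lookup(uid_t ruid, uid_t euid,
                            const char *env_home, const char *pw_dir)
{
    return (ruid != euid) ? pw_dir : env_home;
}

/* Build the config path into out[outsz].  Never truncates: if the per-user
 * path would not fit, the system path is used and CONF_TOO_LONG returned.
 * outsz must be at least sizeof "/etc/acon.conf". */
enum conf_src acon_conf_path(const char *home, char *out, size_t outsz)
{
    static const char sysconf[] = "/etc/acon.conf";
    enum conf_src src;

    if (outsz < sizeof sysconf)
        return CONF_TOO_LONG;       /* caller's buffer unusable; out untouched */

    if (home == NULL || home[0] == '\0') {
        src = CONF_SYSTEM;
    } else if (home[0] != '/') {
        src = CONF_BAD_HOME;        /* a relative HOME would resolve against a
                                       cwd the caller chose */
    } else {
        int n = snprintf(out, outsz, "%s/.acon.conf", home);
        if (n > 0 && (size_t)n < outsz)
            return CONF_FROM_HOME;  /* fitted, NUL included */
        src = CONF_TOO_LONG;        /* snprintf stopped at the bound */
    }
    memcpy(out, sysconf, sizeof sysconf);
    return src;
}

/* --- helpers so the behaviour can be inspected without managing buffers --- */

static char g_path[ACON_CONF_MAX];

enum conf_src acon_conf_classify(const char *home)
{
    return acon_conf_path(home, g_path, sizeof g_path);
}

const char *acon_conf_last_path(void) { return g_path; }

/* Constructed HOME value of exactly len bytes: "/" followed by 'a's.
 * Shares one static buffer, so use each result before the next call. */
const char *make_long_home(size_t len)
{
    static char buf[4096];
    if (len == 0 || len >= sizeof buf) len = sizeof buf - 1;
    buf[0] = '/';
    memset(buf + 1, 'a', len - 1);
    buf[len] = '\0';
    return buf;
}

int main(void)
{
    const char *fixed[] = { "/home/skx", "home/skx", NULL };
    size_t lens[] = { 288, 289, 4000 };
    size_t i;

    for (i = 0; i < 3; i++)
        printf("HOME=%-10s -> %d %s\n", fixed[i] ? fixed[i] : "(unset)",
               (int)acon_conf_classify(fixed[i]), acon_conf_last_path());
    for (i = 0; i < 3; i++)
        printf("HOME of %4zu bytes -> %d %s\n", lens[i],
               (int)acon_conf_classify(make_long_home(lens[i])),
               acon_conf_last_path());
    printf("ruid 1000, euid 0: use %s\n",
           home_for_lookup(1000, 0, "/tmp/caller-set", "/home/skx"));
    return 0;
}
```

The boundary is 288 bytes: a 288-byte HOME plus "/.acon.conf" and the NUL is exactly 300 and fits; 289 does not, and the original's sprintf would already have written one byte past tmp. The hardened version reports CONF_TOO_LONG and falls back to the system file instead. The home_for_lookup check is the more important half: once privileges are involved, the user's environment is input, not configuration.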

ObTitle: Blackadder II


Comments on this entry

Thomas at 20:38 on 8 October 2008
The package has been removed by the request of the maintainer by now. Mind you: This package did provide a unique feature to Debian even if it is too bad to have in Debian. Luckily, a better-designed alternative seems to be available but it still needs some work.
Florian Weimer at 22:53 on 6 October 2008
It's #475733 and supposedly fixed. I haven't looked at the package, though.
Des at 22:56 on 6 October 2008
I don't get it, is this really the way to report this? I didn't find any bug#, and disclosing things like this... am I missing something?
Joe Buck at 22:56 on 6 October 2008
Hope there's an RC bug for that one.
Steve at 23:20 on 6 October 2008

I saw the bug, but I'm scared of the code. e.g. the my_system call.

Still it does look like permissions are dropped prior to that being invoked.

brian m. carlson at 04:12 on 7 October 2008
There was a call for an audit on debian-audit, and I audited the code. My recommendation to Moritz was that this code not be released due to the use of fixed-size buffers, magic constants, and unsafe functions (strcpy and sprintf). Apparently nobody listened. See #476603.
Helmut Grohne at 06:59 on 7 October 2008
Have you seen http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=475733 or did it happen again?
Helmut
nion at 12:58 on 7 October 2008
C'mon Steve, this blog post is really not fair, there is a) a bug for that and b) you didn't see debian/patches/05-CVE-2008-1994.diff did you? :)
Steve Kemp at 14:05 on 7 October 2008

Nion, you're probably right.

I was updating my list of Setuid/setgid binaries in the archive and this package contained one near the top of the list. (Full list on gluck in ~skx/).

I started being shocked at the code. Then I saw the CVE assignment and remembered we'd had a discussion.

I personally believe this package:

  • Shouldn't have ever been accepted into the archive.
  • Shouldn't be in Lenny.

I know that there were patches, but the application as a whole is not written in a secure fashion - and to require setuid(0) privileges just makes me scared.

rjc at 12:34 on 8 October 2008
Seeing this and the last OpenSSL-related problems, one thing comes to my mind - OpenBSD-style code audit.
Jon at 17:45 on 8 October 2008
rjc: well, in this case, the code *was* audited, sufficiently enough for the auditor to decide the code was not suitable for the OS. What is needed is perhaps for existing audits to be paid attention to?
James at 05:34 on 9 October 2008
Why does this post keep going to the top of Planet Debian?
Steve Kemp at 06:34 on 9 October 2008

I failed to add a date to this entry, so each time I rebuilt the blog (to add the comments), it was marked as "new".

Thanks for pointing it out to me, I've fixed it now.