Євгеній
2010-Feb-08 13:00 UTC
[Secure-testing-team] Bug#568865: CVE-2009-4273: stap-server in SystemTap before 1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in stap command-line arguments in a request
Package: systemtap Version: 1.0-2 Severity: serious Tags: security Version 1.0-2 should not be released with this bug. Version 1.1-1 in experimental should fix this, but stap-server there does not work on Debian (user RedHat-specific shell scripts). -- System Information: Debian Release: squeeze/sid APT prefers unstable APT policy: (500, ''unstable''), (1, ''experimental'') Architecture: amd64 (x86_64) Kernel: Linux 2.6.33-rc6 (SMP w/2 CPU cores; PREEMPT) Locale: LANG=uk_UA.UTF-8, LC_CTYPE=uk_UA.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages systemtap depends on: ii libc6 2.10.2-6 Embedded GNU C Library: Shared lib ii libdw1 0.143-1 library that provides access to th ii libelf1 0.143-1 library to read and write ELF file ii libgcc1 1:4.5-20100202-1 GCC support library ii libsqlite3-0 3.6.22-1 SQLite 3 shared library ii libstdc++6 4.5-20100202-1 The GNU Standard C++ Library v3 ii systemtap-runtime 1.1-1 instrumentation system for Linux 2 systemtap recommends no packages. Versions of packages systemtap suggests: pn linux-debug-2.6 <none> (no description available) ii linux-headers-2. 2.6.32-10.00.Custom Header files related to Linux kern ii linux-headers-2. 2.6.33-rc6-10.00.Custom Header files related to Linux kern ii linux-image-2.6. 2.6.32-10.00.Custom Linux kernel binary image for vers ii linux-image-2.6. 2.6.33-rc6-10.00.Custom Linux kernel binary image for vers ii systemtap-doc 1.1-1 documentation and examples for Sys ii vim-addon-manage 0.4.3 manager of addons for the Vim edit -- no debconf information