Yves-Alexis Perez
2011-Oct-07 11:35 UTC
[Secure-testing-team] Bug#644614: multiple security issues in radvd 1.6
Package: radvd Version: 1.6-1 Severity: grave Tags: security Justification: user security hole Hey, Solar Designer reported on http://seclists.org/oss-sec/2011/q4/30 that multiple issues were found in radvd 1.8.1. Not all of them apply to 1.6-1 in squeeze or 1.8-1 in sid though. As far as I can tell: * CVE-2011-3601 (privilege escalation) is present in 1.8-1 but not in 1.6-1 (no support for ND_OPT_DNSSL_INFORMATION in 1.6) Patch: https://github.com/reubenhwk/radvd/commit/9dfaaaf740ce784541e76e68de4ae04dce2c0921 * CVE-2011-3602 (arbitrary file overwrite) is present in both versions Patch: https://github.com/reubenhwk/radvd/commit/92e22ca23e52066da2258df8c76a2dca8a428bcc * CVE-2011-3603 (failure to check privsep() errors) is present in both versions Patches: https://github.com/reubenhwk/radvd/commit/2c50375043186e133f15135f4c93ca964238ee60 https://github.com/reubenhwk/radvd/commit/074816cd0b37aac7b3209987e6e998f0a847b275 https://github.com/reubenhwk/radvd/commit/7dc53cc3b792775369bf0b2f053a3f4ed5d87e3d * CVE-2011-3604 (buffer overreads) is present in both versions Patch: https://github.com/reubenhwk/radvd/commit/7de1b9abf87b747ee2611c0d2a94dfeee79878b4 * CVE-2011-3605 (denial of service in unicast mode) is present in both versions Patch: https://github.com/reubenhwk/radvd/commit/2591d0189257caeaae2057dfed0a260310497a61 I''m reporting only one bug for all the issues, which can be fixed by uploading 1.8.2-1 to unstable. For squeeze, backporting the patches should be fairly straightforward. Please add CVE numbers in the changelog. Regards, -- Yves-Alexis -- System Information: Debian Release: wheezy/sid APT prefers unstable APT policy: (500, ''unstable'') Architecture: amd64 (x86_64) Kernel: Linux 3.0.0-1-amd64 (SMP w/4 CPU cores) Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash
Yves-Alexis Perez
2011-Oct-07 12:23 UTC
[Secure-testing-team] Bug#644614: multiple security issues in radvd 1.6
On ven., 2011-10-07 at 13:35 +0200, Yves-Alexis Perez wrote:> I''m reporting only one bug for all the issues, which can be fixed by > uploading 1.8.2-1 to unstable. For squeeze, backporting the patches > should be fairly straightforward.Unless I hear some news from the maintainer I guess I''m gonna prepare a stable upload. I can''t really find the procedure for preparing an upload, make it and release a DSA (never really did that so...). I looked at the doc/ folder in secure-testing folder but didn''t really found the correct procedure. I seem to recall something about claiming an issue to rt.debian.org but besides that... :) Regards, -- Yves-Alexis -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 836 bytes Desc: This is a digitally signed message part URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20111007/193169e9/attachment.pgp>
Yves-Alexis Perez
2011-Oct-07 14:38 UTC
[Secure-testing-team] [rt.debian.org #3440] Re: Bug#644614: multiple security issues in radvd 1.6
On ven., 2011-10-07 at 13:35 +0200, Yves-Alexis Perez wrote:> I''m reporting only one bug for all the issues, which can be fixed by > uploading 1.8.2-1 to unstable. For squeeze, backporting the patches > should be fairly straightforward.Attached is an attempted debdiff for stable-security. Regards, -- Yves-Alexis -------------- next part -------------- A non-text attachment was scrubbed... Name: radvd-1.6-1..1.6-1.1.diff Type: text/x-patch Size: 8398 bytes Desc: not available URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20111007/98abda77/attachment-0001.bin> -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 836 bytes Desc: This is a digitally signed message part URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20111007/98abda77/attachment-0001.pgp>
Yves-Alexis Perez
2011-Oct-12 13:00 UTC
[Secure-testing-team] [rt.debian.org #3440] Re: Bug#644614: multiple security issues in radvd 1.6
On ven., 2011-10-07 at 16:38 +0200, Yves-Alexis Perez wrote:> On ven., 2011-10-07 at 13:35 +0200, Yves-Alexis Perez wrote: > > I''m reporting only one bug for all the issues, which can be fixed by > > uploading 1.8.2-1 to unstable. For squeeze, backporting the patches > > should be fairly straightforward. > > Attached is an attempted debdiff for stable-security. >An updated fix for CVE-2011-3603 is available at https://github.com/reubenhwk/radvd/commit/7a1471b62da88373e8f4209d503307c5d841b81f so I''ll make an updated package for stable-security. 1.8.3 should be released soon for the same reason. Regards, -- Yves-Alexis -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 836 bytes Desc: This is a digitally signed message part URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20111012/ae409491/attachment.pgp>
Yves-Alexis Perez
2011-Oct-12 13:56 UTC
[Secure-testing-team] [rt.debian.org #3440] Re: Bug#644614: multiple security issues in radvd 1.6
On mer., 2011-10-12 at 15:00 +0200, Yves-Alexis Perez wrote:> On ven., 2011-10-07 at 16:38 +0200, Yves-Alexis Perez wrote: > > On ven., 2011-10-07 at 13:35 +0200, Yves-Alexis Perez wrote: > > > I''m reporting only one bug for all the issues, which can be fixed by > > > uploading 1.8.2-1 to unstable. For squeeze, backporting the patches > > > should be fairly straightforward. > > > > Attached is an attempted debdiff for stable-security. > > > An updated fix for CVE-2011-3603 is available at > https://github.com/reubenhwk/radvd/commit/7a1471b62da88373e8f4209d503307c5d841b81f > > so I''ll make an updated package for stable-security. 1.8.3 should be > released soon for the same reason.Here''s the updated debdiff. -- Yves-Alexis -------------- next part -------------- A non-text attachment was scrubbed... Name: radvd_1.6-1_1.6-1.1.diff Type: text/x-patch Size: 9528 bytes Desc: not available URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20111012/7217fa44/attachment.bin> -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 836 bytes Desc: This is a digitally signed message part URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20111012/7217fa44/attachment.pgp>
Yves-Alexis Perez
2011-Oct-14 07:10 UTC
[Secure-testing-team] [rt.debian.org #3440] Re: Bug#644614: multiple security issues in radvd 1.6
On mer., 2011-10-12 at 15:56 +0200, Yves-Alexis Perez wrote:> On mer., 2011-10-12 at 15:00 +0200, Yves-Alexis Perez wrote: > > On ven., 2011-10-07 at 16:38 +0200, Yves-Alexis Perez wrote: > > > On ven., 2011-10-07 at 13:35 +0200, Yves-Alexis Perez wrote: > > > > I''m reporting only one bug for all the issues, which can be fixed by > > > > uploading 1.8.2-1 to unstable. For squeeze, backporting the patches > > > > should be fairly straightforward. > > > > > > Attached is an attempted debdiff for stable-security. > > > > > An updated fix for CVE-2011-3603 is available at > > https://github.com/reubenhwk/radvd/commit/7a1471b62da88373e8f4209d503307c5d841b81f > > > > so I''ll make an updated package for stable-security. 1.8.3 should be > > released soon for the same reason. > > Here''s the updated debdiff.Here''s the debdiff for Lenny. Since I got no news from the maintainer, I guess I''ll prepare a 1.8.2 NMU with the 7a1471 patch backported for unstable. Regards, -- Yves-Alexis -------------- next part -------------- A non-text attachment was scrubbed... Name: radvd_1.1-3_1.1-3.1.diff Type: text/x-patch Size: 9590 bytes Desc: not available URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20111014/94f99421/attachment.bin> -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 836 bytes Desc: This is a digitally signed message part URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20111014/94f99421/attachment.pgp>
Yves-Alexis Perez
2011-Oct-14 21:26 UTC
[Secure-testing-team] [rt.debian.org #3440] Re: Bug#644614: multiple security issues in radvd 1.6
On ven., 2011-10-14 at 09:10 +0200, Yves-Alexis Perez wrote:> Here''s the debdiff for Lenny. Since I got no news from the maintainer, I > guess I''ll prepare a 1.8.2 NMU with the 7a1471 patch backported for > unstable.1.8.3 is out but that makes a diff a bit too huge for an NMU maybe. Backporting only the relevant patch makes it a bit smaller, so here''s the debdiff I''m gonna upload to DELAYED/2. Regards, -- Yves-Alexis -------------- next part -------------- A non-text attachment was scrubbed... Name: radvd_1.8-1_1.8-1.1.diff Type: text/x-patch Size: 9574 bytes Desc: not available URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20111014/40866aae/attachment.bin> -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 836 bytes Desc: This is a digitally signed message part URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20111014/40866aae/attachment.pgp>
Luciano Bello
2011-Oct-15 23:36 UTC
[Secure-testing-team] [rt.debian.org #3440] Re: Bug#644614: multiple security issues in radvd 1.6
On Friday 14 October 2011, Yves-Alexis Perez wrote:> On ven., 2011-10-14 at 09:10 +0200, Yves-Alexis Perez wrote: > > Here''s the debdiff for Lenny. Since I got no news from the maintainer, I > > guess I''ll prepare a 1.8.2 NMU with the 7a1471 patch backported for > > unstable.I can take care of the upload to (old/)stable and DSA. /luciano
Yves-Alexis Perez
2011-Oct-16 07:56 UTC
[Secure-testing-team] [rt.debian.org #3440] Re: Bug#644614: multiple security issues in radvd 1.6
On dim., 2011-10-16 at 01:36 +0200, Luciano Bello wrote:> On Friday 14 October 2011, Yves-Alexis Perez wrote: > > On ven., 2011-10-14 at 09:10 +0200, Yves-Alexis Perez wrote: > > > Here''s the debdiff for Lenny. Since I got no news from the maintainer, I > > > guess I''ll prepare a 1.8.2 NMU with the 7a1471 patch backported for > > > unstable. > > I can take care of the upload to (old/)stable and DSA. >That''d be nice, I''m not sure if I can do the upload or not but I''m quite sure I can''t do the DSA. Regards, -- Yves-Alexis -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 836 bytes Desc: This is a digitally signed message part URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20111016/0e49fd1d/attachment.pgp>
Yves-Alexis Perez
2011-Oct-17 16:42 UTC
[Secure-testing-team] [rt.debian.org #3440] Re: Bug#644614: multiple security issues in radvd 1.6
On ven., 2011-10-14 at 23:26 +0200, Yves-Alexis Perez wrote:> On ven., 2011-10-14 at 09:10 +0200, Yves-Alexis Perez wrote: > > Here''s the debdiff for Lenny. Since I got no news from the maintainer, I > > guess I''ll prepare a 1.8.2 NMU with the 7a1471 patch backported for > > unstable. > > 1.8.3 is out but that makes a diff a bit too huge for an NMU maybe. > Backporting only the relevant patch makes it a bit smaller, so here''s > the debdiff I''m gonna upload to DELAYED/2. >Fix for CVE-2011-3601 was missing so here''s the debdiff to the -1.2 NMU, just uploaded to unstable. Regards, -- Yves-Alexis -------------- next part -------------- A non-text attachment was scrubbed... Name: radvd_1.8-1.1_1.8-1.2.diff Type: text/x-patch Size: 2570 bytes Desc: not available URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20111017/9da24a8e/attachment.bin> -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 836 bytes Desc: This is a digitally signed message part URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20111017/9da24a8e/attachment.pgp>