CVE-2011-2467: likewise-open local privilege escalation

Bug #802748 reported by Scott Salley
Affects: likewise-open (Ubuntu)
Status: Fix Released
Importance: Medium
Assigned to: Steve Beattie

Bug Description

A SQL injection issue has been identified that could allow an attacker to craft a query that would result in local elevation of privileges. More details are in the attached file LWSA-2011-002.txt.

A public announcement is planned for July 12, 2011 but that could change.

This affects Likewise Open 5.4 (in Ubuntu 10.04, 10.10), and Likewise Open 6.0 (in Ubuntu 11.04 and the current branch).

Patches have been developed by engineers at Likewise for the versions Likewise released, but some additional work may be needed to make things compile clean on the respective Ubuntu releases as they often have some minor patches (which is what I generally take care of).

I've never handled a security issue before and I'm not even sure of which branch of code I should check out for Lucid which has already had a security issue.

Steve Beattie (sbeattie) wrote :

Hi Scott,

Thanks for the heads up. Assuming you can provide us with patches relatively soon, the CRD of July 12, 2011 should be okay with us.

To get lucid source, you can either do apt-get source likewise-open on a lucid system (or apt-get source version=5.4.0.42111-2ubuntu1.2 on a system with lucid-updates in its apt sources.list). Alternatively, you can get it through bzr via the lp:ubuntu/lucid-updates/likewise-open branch or directly from the webpage https://launchpad.net/ubuntu/+source/likewise-open/5.4.0.42111-2ubuntu1.2 .

Once you have patches/debdiffs you're comfortable with, please attach them to this bug report and the security team can build them in our infrastructure in preparation for update. We'll attempt to coordinate with the ubuntu server team for testing before release.

Changed in likewise-open (Ubuntu):
status: New → In Progress
importance: Undecided → Medium
Scott Salley (ssalley) wrote :

Patch for lp:ubuntu/lucid-updates/likewise-open

I had to update debian/rules to make sure autotool files were regenerated. I also updated debian/changelog, but may have violated etiquette or other rules in doing so.

Scott Salley (ssalley) wrote :

Patch for lp:ubuntu/maverick/likewise-open

I had to update debian/rules to make sure autotool files were regenerated. I also updated debian/changelog, but may have violated etiquette or other rules in doing so.

Scott Salley (ssalley) wrote :

Patch for lp:ubuntu/natty/likewise-open

I updated debian/changelog, but may have violated etiquette or other rules in doing so, but I have yet to see a problem I caused not corrected by the fine folks of Ubuntu.

Steve Beattie (sbeattie) wrote :

Scott, sorry for the delay in responding, travel and the US holiday interfered. Thanks for providing the debdiffs. Have you done any testing with the ubuntu packages you've created?

I've reviewed the debdiffs, made some minor touchups to the changelog entries, and removed a .orig file that leaked into the natty quilt patch. The maverick package build is unreliable for me in a local sbuild schroot environment, but the published release version of the package is consistently unbuildable there and on lucid as well, so I guess that's an improvement. We will also be doing some internal regression testing of the packages as well.

Assuming testing goes well, the coordinated release date of July 12th still looks good. Thanks again!

Changed in likewise-open (Ubuntu):
assignee: nobody → Steve Beattie (sbeattie)
Scott Salley (ssalley) wrote :

Likewise has done testing of the pre-Ubuntu-patched branches that we distribute and I have done local testing of these Ubuntu packages. No regressions have been found.

Scott Salley (ssalley) wrote :

Can we move the release to July 19th? Half of Likewise (technology and people (including me)) was acquired by BeyondTrust and that distracted us for a few days.

Steve Beattie (sbeattie) wrote :

Scott: yes, a release date of July 19th is also acceptable to us. Thanks.

(I hope congratulations are in order?)

Steve Beattie (sbeattie) wrote :

Hi Scott,

Is there a specific time you expect to announce your release? Also, is there someone we should credit with the discovery of the issue?

Thanks!

Scott Salley (ssalley) wrote :

You may release it immediately. I don't know for sure, but I don't believe the reporter would like to be identified.

Steve Beattie (sbeattie) wrote :

These have been released as http://www.ubuntu.com/usn/usn-1171-1 (my apologies, I should have added the bug reference to the changelog).

Thanks, Scott, for putting these together.

Changed in likewise-open (Ubuntu):
status: In Progress → Fix Released
visibility: private → public