Comment 32 for bug 22052

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Fri, 7 Oct 2005 10:25:00 +0200
From: Loïc Minier <email address hidden>
To: Paul Szabo <email address hidden>, <email address hidden>,
 Debian Security Team <email address hidden>
Subject: Re: gnome-pty-helper foo

        Hi,

On Fri, Oct 07, 2005, Martin Schulze wrote:
> Could somebody explain the security implication for me?

 You can record in the utmp/wtmp logs something which is wrong, for
 example that a user is currently connected to a display while he
 isn't. I'm not the one to argue with though.

> being able to write arbitrary strings into valid records without
> overwriting any other data in utmp/wtmp can hardly be classified
> as a security vulnerability.

 I have no idea, I'll let you judge such things. Since
 gnome-pty-helper seemed to have some special permission to write to
 utmp (because it is sgid), I took the problem seriously. Whether this
 issue is to be considered a security vulnerability or not, I couldn't
 tell for sure, and in doubt I selected security, but I agree that it's
 a minor issue anyway.

> (Apart from that, I'm only slightly annoyed as I had to learn about
> this via MITRE / GNOME Bugzilla instead of a mail from the maintainer
> to the security team?)

 In my defense (as I am the one who more or less followed this bug),
 I'd claim that a/ this was reported against a GNOME 1 package (and it
 was later discovered that the GNOME 2 package is affected too) which
 was in the process of being orphaned, b/ this seemed like a very minor
 issue, c/ I thought you were tracking "tags + security" bugs, and d/ I
 didn't want to start bothering the security team for an issue not
 discussed with upstream and without any patch. Of course, there's also
 e/ I don't have any security background or training, but that's
 obvious.

 My usual way of handling sec bugs is i/ tag the bug security,
 connect the relevant CVE ids, upstream bugs, available patches, ii/
 talk with upstream, check the affected versions, check the patch causes
 no regression, check the patch applies everywhere, check the patch
 fixes the issue, iii/ propose a diff to the security team.

 I now realize I should have contacted the security team quite
 immediately, and will do so in the future.

 I have more important things to track right now than this
 vulnerability, and I didn't have any response from upstream yet.

   Cheers,
-- 
Loïc Minier <email address hidden>