[Secure-testing-team] Bug#773751: race condition between fur and fex_cleanup

Kilian Krause kilian at debian.org
Mon Dec 22 21:33:50 UTC 2014


Package: fex
Version: 20140917-1
Severity: serious
Tags: security patch upstream pending confirmed jessie 


As upstream has released a new version of the fex package which closes a
security issue and there is no CVE assigned, we'll use this bug to track
the issue.

Problem is:
a race condition between fur and fex_cleanup may create internal instead of
external user. With the default configuration no auto registration is
possible and no exploit is possible. You must have allowed user self
registration via fex.ph.

Background is a timing race condition that fex_cleanup will throw away the
"external user" flag if the link a user is sent is not clicked/visited before
fex_cleanup is run (i.e. usually next day). The user account will then be
created with full internal user privileges instead of the reduced external
priv. set.

The new release is currently being prepared for uploading into Debian.
Some minor updates that have nothing to do with the issue at hand are
currently being discussed between me and upstream. I'd guess we can have
a new fixed version in unstable before end of this year - maybe even
before Xmas. As we don't have a version in stable, I'll prepare uploads
of wheezy-backports and squeeze-backports once we're in jessie with the
new version. Since the other security fixes haven't been backported to
oldstable (yet), it seems not very logical to start with this (rather
minor) one.

Best,
Kilian
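
An added illustration, not part of the original message and not fex code: a minimal Python model of the failure mode the report describes, where a periodic job discards the "external" marker while the confirmation link stays usable, shown next to a confirmation handler that fails closed. All names (Store, register, cleanup, confirm_fail_open, confirm_fail_closed) and the token and address values are hypothetical.

```python
# Constructed model of the reported race; this is not how fex stores its data.
from dataclasses import dataclass, field


@dataclass
class Store:
    pending: dict = field(default_factory=dict)       # token -> e-mail address
    external_flag: set = field(default_factory=set)   # tokens marked "external"
    accounts: dict = field(default_factory=dict)      # e-mail address -> role


def register(store, token, email):
    """Self-registration: record the request and mark it as external."""
    store.pending[token] = email
    store.external_flag.add(token)


def cleanup(store):
    """Periodic job (assumed behaviour): drops the marker, keeps the token."""
    store.external_flag.clear()


def confirm_fail_open(store, token):
    """Flawed pattern: a missing marker is read as 'internal user'."""
    email = store.pending.pop(token)
    role = "external" if token in store.external_flag else "internal"
    store.accounts[email] = role
    return role


def confirm_fail_closed(store, token):
    """Hardened pattern: without the marker the request is refused."""
    email = store.pending.pop(token, None)
    if email is None or token not in store.external_flag:
        return None  # no account is created; the user must register again
    store.external_flag.discard(token)
    store.accounts[email] = "external"
    return "external"


def scenario(confirm, cleanup_first):
    """Register, optionally let the cleanup job run, then visit the link."""
    store = Store()
    register(store, "tok-constructed", "guest@example.org")
    if cleanup_first:
        cleanup(store)
    return confirm(store, "tok-constructed")
```

Keeping the role inside the pending record itself, so that both expire together, removes the window in the same way.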