Your message dated Mon, 22 Aug 2005 22:47:03 -0700
with message-id <[EMAIL PROTECTED]>
and subject line Bug#324598: fixed in firehol 1.231-4
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 22 Aug 2005 22:31:04 +0000
>From [EMAIL PROTECTED] Mon Aug 22 15:31:04 2005
Return-path: <[EMAIL PROTECTED]>
Received: from 148.red-213-96-98.pooles.rima-tde.net (javifsp.no-ip.org) 
[213.96.98.148] (Debian-exim)
        by spohr.debian.org with esmtp (Exim 3.36 1 (Debian))
        id 1E7Koq-0001O5-00; Mon, 22 Aug 2005 15:31:04 -0700
Received: from jfs by javifsp.no-ip.org with local (Exim 4.52)
        id 1E7Koo-0006qp-Hx
        for [EMAIL PROTECTED]; Tue, 23 Aug 2005 00:31:02 +0200
Date: Tue, 23 Aug 2005 00:31:02 +0200
From: Javier =?iso-8859-1?Q?Fern=E1ndez-Sanguino_Pe=F1a?= <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: firehol: firehol_wizard will use /tmp insecurely under some conditions 
and does not clean up the temporary directory it creates
Message-ID: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
        protocol="application/pgp-signature"; boundary="Ah40dssYA/cDqAW1"
Content-Disposition: inline
User-Agent: Mutt/1.5.9i
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-3.0 required=4.0 tests=BAYES_00 autolearn=no 
        version=2.60-bugs.debian.org_2005_01_02


--Ah40dssYA/cDqAW1
Content-Type: multipart/mixed; boundary="QnBU6tTI9sljzm9u"
Content-Disposition: inline


--QnBU6tTI9sljzm9u
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Package: firehol
Version: 1.231-3
Priority: minor
Tags: patch

While doing a review of usage of tempfiles in Debian I've found out that
the firehol-wizard script uses temporary files in an unsafe
way which could be used to conduct symlink attacks against any user
running it. Notice that this is _not_ the same issue as the one fixed
when #291680 was closed (CAN-2005-0225)

If you review the script you will see that the script will define
FIREHOL_DIR and will then try to call FIREHOL_LIB (which redefines it,
after the fix for CAN-2005-0225 was applied). However if FIREHOL_LIB
cannot be executed for any reason (bad package installation or
the script is run from sources) the code will not abort if it cannot
create sucessfully the temporary directory (which might happen if the=20
directory already exists):

      7 FIREHOL_DIR=3D"/tmp/firehol-tmp-$$"
      [ ...]=20
      14 test -x $FIREHOL_LIB && . $FIREHOL_LIB
      [ ...]=20
      298 #Prepare the directory:
      299 mkdir "${FIREHOL_DIR}"
      300 cd "${FIREHOL_DIR}"

Since the script is not being executed with -e, it will happily
proceeded if a) FIREHOL_LIB is not executable for some reason and
b) the directory is there, so a rogue user could create the
directory and then plant symlinks in files that will be written on
later on (like 'services' or 'unknown_ports').

This is a minor issue, since most package installations will have
$FIREHOL_LIB properly and calling that library the value of
FIREHOL_DIR will be overriden.

In any case, attached is a patch that:

a) fixes this issue by introducing the=20
use of mktemp if FIREHOL_LIB does not define FIREHOL_DIR properly.=20
It will fail back to the old construct if mktemp is not
present, however. But will take steps to try to create a proper temporary
directory.

b) Clean up FIREHOL_DIR after the script is run (through a trap). Notice
that the firehol-wizard script will _not_ clean up the temporary directory

Again, this is a minor issue, probably cosmetic. But I would appreciate
if it would be fixed so these script does not jump out when
doing source code reviews for /tmp vulnerabilities.=20

Regards

Javier

--QnBU6tTI9sljzm9u
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="firehol-wizard.diff"
Content-Transfer-Encoding: quoted-printable

--- firehol-wizard.sh.orig      2005-08-06 17:50:48.000000000 +0200
+++ firehol-wizard.sh   2005-08-23 00:20:40.000000000 +0200
@@ -4,7 +4,6 @@
 # - Sharing rule() (and some other helper functions) between the files
 # - ip_in_net: Do a real check (converting to binary ip)
=20
-FIREHOL_DIR=3D"/tmp/firehol-tmp-$$"
 FIREHOL_LIB=3D"/lib/firehol/firehol"
=20
 PATH=3D"${PATH}:/bin:/usr/bin:/sbin:/usr/sbin"
@@ -13,6 +12,17 @@
=20
 test -x $FIREHOL_LIB && . $FIREHOL_LIB
=20
+if [ -z "$FIREHOL_DIR" ] ; then
+       if test -n "`type -p mktemp`" ; then
+               FIREHOL_DIR=3D`mktemp -d -t firehol.XXXXXX`  || { echo 
"$program:=
 Cannot create temporary dir!" >&2 ; exit 1; }
+       else
+               FIREHOL_DIR=3D${TMPDIR-/tmp}/firehol.$$
+                       [ -e $FIREHOL_DIR ] && rm -rf $FIREHOL_DIR
+               mkdir -m 0700 $FIREHOLD_DIR || { echo "$0: Cannot create 
temporar=
y dir!" >&2 ; exit 1 ; }
+       fi
+fi
+trap " [ -d \"$FIREHOL_DIR\" ] && /bin/rm -rf -- \"$FIREHOL_DIR\"" 0 1 2 3=
 13 15
+
 ##### Helper functions
=20
 # require commands for wizard mode
@@ -296,7 +306,6 @@
=20
=20
 #Prepare the directory:
-mkdir "${FIREHOL_DIR}"
 cd "${FIREHOL_DIR}"
 "${MKDIR_CMD}" ports
 "${MKDIR_CMD}" keys
@@ -683,5 +692,5 @@
        echo "# is not configured for forwarding traffic."
        echo
 fi
-=09
+
 exit 0

--QnBU6tTI9sljzm9u--

--Ah40dssYA/cDqAW1
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDClImsandgtyBSwkRArbOAJ4tKyKBI4YhZNz6i80kaP2ocUqfzgCeIEmi
YL7uUm6mru5VWUCGmBLXxNs=
=QthT
-----END PGP SIGNATURE-----

--Ah40dssYA/cDqAW1--

---------------------------------------
Received: (at 324598-close) by bugs.debian.org; 23 Aug 2005 05:49:05 +0000
>From [EMAIL PROTECTED] Mon Aug 22 22:49:05 2005
Return-path: <[EMAIL PROTECTED]>
Received: from katie by spohr.debian.org with local (Exim 3.36 1 (Debian))
        id 1E7Rcl-000522-00; Mon, 22 Aug 2005 22:47:03 -0700
From: Alexander Wirt <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.56 $
Subject: Bug#324598: fixed in firehol 1.231-4
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Mon, 22 Aug 2005 22:47:03 -0700
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
        autolearn=no version=2.60-bugs.debian.org_2005_01_02

Source: firehol
Source-Version: 1.231-4

We believe that the bug you reported is fixed in the latest version of
firehol, which is due to be installed in the Debian FTP archive:

firehol_1.231-4.diff.gz
  to pool/main/f/firehol/firehol_1.231-4.diff.gz
firehol_1.231-4.dsc
  to pool/main/f/firehol/firehol_1.231-4.dsc
firehol_1.231-4_all.deb
  to pool/main/f/firehol/firehol_1.231-4_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alexander Wirt <[EMAIL PROTECTED]> (supplier of updated firehol package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 23 Aug 2005 07:23:29 +0200
Source: firehol
Binary: firehol
Architecture: source all
Version: 1.231-4
Distribution: unstable
Urgency: low
Maintainer: Alexander Wirt <[EMAIL PROTECTED]>
Changed-By: Alexander Wirt <[EMAIL PROTECTED]>
Description: 
 firehol    - An easy to use but powerful iptables stateful firewall
Closes: 324598
Changes: 
 firehol (1.231-4) unstable; urgency=low
 .
   * Cleaned up tempdir creation and removal in firehol-wizard
     (Closes: #324598). Thanks to Javier Fernández-Sanguino Peña for the patch
Files: 
 cc931982d6919aa5510a4d627487b5d1 578 net optional firehol_1.231-4.dsc
 636fbd99fccb6dc0db4c25f327ce842f 8835 net optional firehol_1.231-4.diff.gz
 a486662638910b03695c05b478a0e98b 160780 net optional firehol_1.231-4_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDCrUn01u8mbx9AgoRAsskAJ9xE5J0qgfVdsK7T40WpMnRjGNbxwCgyQAA
9OQtA2avabNzuOm1KfTwjt0=
=08mv
-----END PGP SIGNATURE-----


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Reply via email to