Your message dated Sat, 23 Feb 2013 17:48:59 +0000
with message-id <[email protected]>
and subject line Bug#701211: fixed in pktstat 1.8.5-3
has caused the Debian Bug report #701211,
regarding pktstat: CVE-2013-0350: writes content from TCP streams to public readable file /tmp/smtp.log
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
701211: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=701211
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: pktstat
Version: 1.8.5-2
Severity: normal
Tags: security

Hi!

I noticed pktstat creates a file with a fixed name in /tmp and writes debugging
info gathered from the sniffed TCP streams into it:

redacted:/tmp# ls -al smtp.log
-rw-r--r-- 1 root root 236726 Feb 22 21:30 smtp.log

Content is something like this:

-----------8<---------------------
smpt_line [EHLO mail.example.com]
normalized to [EHLO mail.example.com]
set desc to: [EHLO mail.example.com]
smpt_line [STARTTLS]
normalized to [STARTTLS]
set desc to: [STARTTLS]
smpt_line [EHLO mail.example.com]
normalized to [EHLO mail.example.com]
set desc to: [EHLO mail.example.com]
smpt_line [STARTTLS]
normalized to [STARTTLS]
set desc to: [STARTTLS]
smpt_line [EHLO mail.example.com]
normalized to [EHLO mail.example.com]
set desc to: [EHLO mail.example.com]
-----------8<---------------------

This is troublesome on several levels in my opinion:

a) the filename is always the same. Since pktstat is normally run as root, this
   can be used for a symlink attack, at least to overwrite important files with
   garbage

b) the file is normally world readable, depending on root's umask and may
   contain sensitive information.

c) if pktstat is left running for some time on a busier network interface, this
   logfile can get quite big and possibly fill /tmp or /.

The code responsible is in tcp_smtp.c:

oweh@hostname:~/apt/pktstat-1.8.5$ grep log *
tcp_smtp.c:FILE*log;
tcp_smtp.c:if ((log = fopen("/tmp/smtp.log", "a")))
tcp_smtp.c:   fprintf(log, "smpt_line [%s]\n", line);
tcp_smtp.c:if (log)fprintf(log, "normalized to [%s]\n", line);
tcp_smtp.c:if (log)fprintf(log, "from_addr = [%s]\n", state->from_addr);
tcp_smtp.c:if (log)fprintf(log, "to_addr = [%s]\n", state->to_addr);
tcp_smtp.c:if (log)fprintf(log, "set desc to: [%s]\n", f->desc);
tcp_smtp.c:if (log)fclose(log);

From the indentation and formatting of said code I gather it is leftover debug
code, never intended to be released.

Just removing all of the above lines is sufficient to close this bug.

Grüße,
Sven.


-- System Information:
Debian Release: 7.0
  APT prefers unstable
  APT policy: (600, 'unstable'), (500, 'experimental'), (400, 'testing')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.7-trunk-amd64 (SMP w/12 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages pktstat depends on:
ii  libc6        2.13-38
ii  libncurses5  5.9-10
ii  libpcap0.8   1.3.0-1
ii  libtinfo5    5.9-10

pktstat recommends no packages.

pktstat suggests no packages.

-- no debconf information

--- End Message ---
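
The report's fix is to delete the debug logging outright. As an added example (not part of the report or of pktstat's code), this sketch goes one step further and shows what a debug log would need in order to avoid points (a) to (c) if it had to stay. The names `open_private_log`, `log_line_capped`, the `pktstat-smtp.` prefix and the 1 MiB cap are assumptions made for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L      /* mkstemp, fdopen, fileno, fchmod */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
#define LOG_MAX_BYTES (1024 * 1024)  /* assumed size cap, point (c) */

/* Stands in for fopen("/tmp/smtp.log", "a"). mkstemp() picks an unpredictable
 * name and opens it with O_CREAT|O_EXCL, so a planted symlink is never
 * followed (a); mode 0600 keeps other local users out (b). */
FILE *open_private_log(const char *dir, char *path_out, size_t path_len)
{
    int n = snprintf(path_out, path_len, "%s/pktstat-smtp.XXXXXX", dir);
    if (n < 0 || (size_t)n >= path_len)
        return NULL;                 /* template did not fit the buffer */
    int fd = mkstemp(path_out);
    if (fd < 0)
        return NULL;
    FILE *fp = (fchmod(fd, S_IRUSR | S_IWUSR) == 0) ? fdopen(fd, "a") : NULL;
    if (!fp) {                       /* do not leave a stray file behind */
        close(fd);
        unlink(path_out);
    }
    return fp;
}

/* Append one line unless that would push the file past LOG_MAX_BYTES.
 * Returns 1 if written, 0 if dropped by the cap, -1 on I/O error. */
int log_line_capped(FILE *fp, const char *line)
{
    struct stat st;
    if (fflush(fp) != 0 || fstat(fileno(fp), &st) != 0)
        return -1;
    if (st.st_size + (off_t)strlen(line) + 1 > LOG_MAX_BYTES)
        return 0;
    return fprintf(fp, "%s\n", line) < 0 ? -1 : 1;
}

int main(void)
{
    char path[256];
    FILE *fp = open_private_log("/tmp", path, sizeof path);
    if (!fp || log_line_capped(fp, "smpt_line [EHLO mail.example.com]") != 1)
        return 1;                    /* sample line is constructed */
    fclose(fp);
    return unlink(path);
}
```
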
--- Begin Message ---
Source: pktstat
Source-Version: 1.8.5-3

We believe that the bug you reported is fixed in the latest version of
pktstat, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jari Aalto <[email protected]> (supplier of updated pktstat package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 23 Feb 2013 09:27:29 +0200
Source: pktstat
Binary: pktstat
Architecture: source amd64
Version: 1.8.5-3
Distribution: unstable
Urgency: low
Maintainer: Jari Aalto <[email protected]>
Changed-By: Jari Aalto <[email protected]>
Description: 
 pktstat    - top-like utility for network connections usage
Closes: 701211
Changes: 
 pktstat (1.8.5-3) unstable; urgency=low
 .
   * debian/control
     - (Standards-Version): Update to 3.9.4
   * debian/copyright
     - Update year.
   * debian/patches
     - (10): New. Do now write log to /tmp (CVE-2013-0350; Closes: #701211).


--- End Message ---