Your message dated Sun, 23 Feb 2014 00:43:27 +0100 with message-id <[email protected]> and subject line Re: Bug#629003: fabric is prone to file-overwrite security issue(s). has caused the Debian Bug report #629003, regarding fabric is prone to file-overwrite security issue(s). to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.) -- 629003: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=629003 Debian Bug Tracking System Contact [email protected] with problems
--- Begin Message ---Package: fabric Version: 0.9.1-1 Justification: causes serious data loss Severity: important Tags: security *** Please type your report below this line *** Fabric includes two modules which are marked as "contrib", and are included in the main package. These two modules both suffer from the same issue: * They write files with (semi-)predictable names, in world-readable and world-writeable locations. This allows a malicious local-user to pre-create the filenames which will be used, and allow the overwriting of arbitrary files the user invoking fabric controls. The relevant code is included is: fabric/contrib/projects.py: tar_file = "/tmp/fab.%s.tar" % datetime.utcnow().strftime( '%Y_%m_%d_%H-%M-%S') cwd_name = getcwd().split(sep)[-1] tgz_name = cwd_name + ".tar.gz" local("tar -czf %s ." % tar_file) fabric/contrib/files.py: basename = os.path.basename(filename) temp_destination = '/tmp/' + basename ... ... put(tempfile_name, temp_destination) [The latter case the upload happens on the *remote* system.] -- System Information: Debian Release: 6.0.1 APT prefers stable APT policy: (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 2.6.32-5-amd64 (SMP w/3 CPU cores) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages fabric depends on: ii python 2.6.6-3+squeeze6 interactive high-level object-orie ii python-paramiko 1.7.6-5 Make ssh v2 connections with Pytho ii python-pkg-resources 0.6.14-4 Package Discovery and Resource Acc ii python-support 1.0.10 automated rebuilding support for P fabric recommends no packages. fabric suggests no packages. -- no debconf information
--- End Message ---
--- Begin Message ---Version: 1.7.0-2 Hi Steve, On Thu, Jun 02, 2011 at 11:25:01PM +0100, Steve Kemp wrote: > > Package: fabric > Version: 0.9.1-1 > Justification: causes serious data loss > Severity: important > Tags: security > > *** Please type your report below this line *** > > Fabric includes two modules which are marked as "contrib", and are > included in the main package. > > These two modules both suffer from the same issue: > > * They write files with (semi-)predictable names, in world-readable > and world-writeable locations. > > This allows a malicious local-user to pre-create the filenames which > will be used, and allow the overwriting of arbitrary files the user > invoking fabric controls. > > The relevant code is included is: > > fabric/contrib/projects.py: > > tar_file = "/tmp/fab.%s.tar" % datetime.utcnow().strftime( > '%Y_%m_%d_%H-%M-%S') > cwd_name = getcwd().split(sep)[-1] > tgz_name = cwd_name + ".tar.gz" > local("tar -czf %s ." % tar_file) > This uses now mkdtemp. > > fabric/contrib/files.py: > basename = os.path.basename(filename) > temp_destination = '/tmp/' + basename > ... > ... > put(tempfile_name, temp_destination) > > [The latter case the upload happens on the *remote* system.] This code seems to have dissapeared. Ana > > > -- System Information: > Debian Release: 6.0.1 > APT prefers stable > APT policy: (500, 'stable') > Architecture: amd64 (x86_64) > > Kernel: Linux 2.6.32-5-amd64 (SMP w/3 CPU cores) > Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) > Shell: /bin/sh linked to /bin/dash > > Versions of packages fabric depends on: > ii python 2.6.6-3+squeeze6 interactive high-level > object-orie > ii python-paramiko 1.7.6-5 Make ssh v2 connections with > Pytho > ii python-pkg-resources 0.6.14-4 Package Discovery and Resource > Acc > ii python-support 1.0.10 automated rebuilding support for > P > > fabric recommends no packages. > > fabric suggests no packages. > > -- no debconf information > > >
--- End Message ---
