Your message dated Fri, 12 Jun 2015 22:22:24 +0800 with message-id <CAMr=8w7o6a0sopbkwhyhubhkcqwrmxurmivr1sjtcppuor6...@mail.gmail.com> and subject line has caused the Debian Bug report #749846, regarding trafficserver: Insecure command execution and use of temporary filenames. to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

-- 
749846: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=749846
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: trafficserver
Version: 3.0.5-1
Severity: important
Tags: security

Dear Maintainer,

The binary `/usr/bin/traffic_shell` contains the following strings, which should be sufficient to explain the issue:

    /bin/mv -f /tmp/shadow /etc/shadow
    /bin/sort /tmp/zonetab.tmp > /tmp/zonetab
    /bin/cp -f %s/net_config.xml /tmp/net_config.xml
    /tmp/dhcp_status
    /tmp/route_status
    /tmp/shadow
    ..

I didn't look at the code in depth, but there are at least two errors here:

  * Predictable filenames, allowing file truncation/removal.
  * Race-conditions accessing files.

The code in question comes from:

    trafficserver-3.0.5/mgmt/tools/SysAPI.cc + ConfigAPI.cc

The code that uses /tmp should be updated to use popen, or similar, to avoid the temporary files. Failing that, a secure temporary filename should be generated.

Please do request/assign CVE identifiers.

-- System Information:
Debian Release: 7.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.14-0.bpo.1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF8, LC_CTYPE=en_US.UTF8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF8)
Shell: /bin/sh linked to /bin/dash

Versions of packages trafficserver depends on:
ii  adduser     3.113+nmu3
ii  libc6       2.13-38+deb7u1
ii  libcap2     1:2.22-1.2
ii  libexpat1   2.1.0-1+deb7u1
ii  libgcc1     1:4.7.2-5
ii  libpcre3    1:8.30-5
ii  libssl1.0.0 1.0.1e-2+deb7u9
ii  libstdc++6  4.7.2-5
ii  lsb-base    4.1+Debian8+deb7u1
ii  tcl8.5      8.5.11-2
ii  zlib1g      1:1.2.7.dfsg-13

trafficserver recommends no packages.

trafficserver suggests no packages.

-- no debconf information

Steve
-- 
http://steve.org.uk/
--- End Message ---
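The two defects the report names (a fixed, guessable name under /tmp, and the window between creating that file and consuming it) and the "secure temporary filename" alternative it suggests, shown as an added C example. This is not trafficserver code and not from the report: the victim file, the data, and the directory are constructed by the demo itself, the name zonetab.tmp is borrowed from the quoted strings purely as a label, and the hardened half uses mkstemp(3) plus rename(2) in the target's own directory rather than the popen route the reporter also mentions. It assumes a writable /tmp and a POSIX system.

```c
/* Added example (not trafficserver code): a predictable /tmp name beside
 * two safe replacements. Build: cc -Wall -o tmpdemo tmpdemo.c */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Vulnerable pattern: a fixed path opened with fopen("w"). If someone planted
 * a symlink there first, the write follows it and truncates the link target. */
int write_predictable(const char *fixed_path, const char *data)
{
    FILE *f = fopen(fixed_path, "w");
    if (!f) return -1;
    fputs(data, f);
    return fclose(f);
}

/* Hardened (a): refuse anything already present at the path. With O_EXCL,
 * open() fails with EEXIST even when the existing entry is a symlink. */
int write_exclusive(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    size_t len = strlen(data);
    int ok = write(fd, data, len) == (ssize_t)len;
    return (close(fd) == 0 && ok) ? 0 : -1;
}

/* Hardened (b): mkstemp() chooses an unguessable name in the destination's
 * own directory (never a shared /tmp), then rename() swaps it in atomically.
 * This is the shape "write /tmp/X, then mv -f /tmp/X /etc/X" should take. */
int replace_file_atomically(const char *dest, const char *data, mode_t mode)
{
    char tmpl[PATH_MAX];
    const char *slash = strrchr(dest, '/');
    size_t dirlen = slash ? (size_t)(slash - dest + 1) : 0;
    if (dirlen + sizeof(".XXXXXX") > sizeof(tmpl)) { errno = ENAMETOOLONG; return -1; }
    memcpy(tmpl, dest, dirlen);
    memcpy(tmpl + dirlen, ".XXXXXX", sizeof(".XXXXXX"));

    int fd = mkstemp(tmpl);                 /* O_CREAT|O_EXCL, mode 0600 */
    if (fd < 0) return -1;
    size_t len = strlen(data);
    int ok = write(fd, data, len) == (ssize_t)len && fchmod(fd, mode) == 0
             && fsync(fd) == 0;
    if (close(fd) != 0) ok = 0;
    if (ok && rename(tmpl, dest) == 0) return 0;
    int saved = errno; unlink(tmpl); errno = saved;  /* leave no stray temp */
    return -1;
}

static int read_small(const char *path, char *buf, size_t n)
{
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    size_t got = fread(buf, 1, n - 1, f);
    buf[got] = '\0';
    fclose(f);
    return (int)got;
}

/* Reproduces the report's scenario in a private directory: an "attacker"
 * plants a symlink at the predictable name pointing at a victim file.
 * Returns 1 when the predictable writer clobbered the victim AND the
 * exclusive writer refused with EEXIST; 0 otherwise; -1 on setup failure. */
int demo_symlink_attack(void)
{
    char dir[] = "/tmp/tmpdemo.XXXXXX";            /* constructed sandbox */
    if (!mkdtemp(dir)) return -1;
    char victim[PATH_MAX], planted[PATH_MAX], buf[64];
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(planted, sizeof planted, "%s/zonetab.tmp", dir);   /* fixed name */
    int setup = write_exclusive(victim, "original") == 0 && symlink(victim, planted) == 0;

    int clobbered = setup && write_predictable(planted, "pwned") == 0
                    && read_small(victim, buf, sizeof buf) > 0 && strcmp(buf, "pwned") == 0;
    int refused = setup && write_exclusive(planted, "x") == -1 && errno == EEXIST;

    unlink(planted); unlink(victim); rmdir(dir);
    return setup ? (clobbered && refused) : -1;
}

/* Returns 1 when the target holds the new content with the requested mode
 * and no temporary file was left behind (rmdir would fail otherwise). */
int demo_atomic_replace(void)
{
    char dir[] = "/tmp/tmpdemo.XXXXXX";
    if (!mkdtemp(dir)) return -1;
    char target[PATH_MAX], buf[64];
    struct stat st;
    snprintf(target, sizeof target, "%s/zonetab", dir);
    int ok = write_exclusive(target, "old") == 0
             && replace_file_atomically(target, "new", 0644) == 0
             && read_small(target, buf, sizeof buf) > 0 && strcmp(buf, "new") == 0
             && stat(target, &st) == 0 && (st.st_mode & 07777) == 0644;
    unlink(target);
    return ok && rmdir(dir) == 0;
}

int main(void)
{
    printf("symlink attack demo: %d\natomic replace demo: %d\n",
           demo_symlink_attack(), demo_atomic_replace());
    return 0;
}
```

The point of variant (b) over a "better" name in /tmp is that the temporary lives in the same directory as the file it will replace, so the rename is atomic on the same filesystem and a world-writable directory never enters the picture; a pipeline such as the quoted `sort` step can pass its output through a pipe or write it the same way.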
--- Begin Message ---
This has been fixed long ago according to upstream bug tracker.

Thanks,
Aron
--- End Message ---

