tags 494648 patch
thanks

Hi, Sven

Please see my patch.

--

. ''`. Dmitry E. Oboukhov
: :’  : [EMAIL PROTECTED]
`. `~’ GPGKey: 1024D / F8E26537 2006-11-21
  `- 1B23 D4F8 8EC0 D902 0555  E438 AB8C 00CF F8E2 6537
diff -u twiki-4.1.2/debian/changelog twiki-4.1.2/debian/changelog
--- twiki-4.1.2/debian/changelog
+++ twiki-4.1.2/debian/changelog
@@ -1,3 +1,12 @@
+twiki (1:4.1.2-3.3) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * Fix security hole, closes: #494648.
+  * Build instructions moved from section -arch to -indep (closes lintian
+    warning).
+
+ -- Dmitry E. Oboukhov <[EMAIL PROTECTED]>  Thu, 14 Aug 2008 10:23:41 +0400
+
 twiki (1:4.1.2-3.2) unstable; urgency=high
 
   * Non-maintainer upload.
diff -u twiki-4.1.2/debian/LocalSite.cfg twiki-4.1.2/debian/LocalSite.cfg
--- twiki-4.1.2/debian/LocalSite.cfg
+++ twiki-4.1.2/debian/LocalSite.cfg
@@ -11,8 +11,8 @@
 $TWiki::cfg{Site}{CharSet} = 'iso-8859-15';
 $TWiki::cfg{LoginManager} = 'TWiki::Client::ApacheLogin';
 $TWiki::cfg{Plugins}{WysiwygPlugin}{Enabled} = 1;
-$TWiki::cfg{RCS}{WorkAreaDir} = '/tmp/twiki';
-$TWiki::cfg{TempfileDir} = '/tmp/twiki';
+$TWiki::cfg{RCS}{WorkAreaDir} = '-UNDEFINED_TEMP_DIR-';
+$TWiki::cfg{TempfileDir} = '-UNDEFINED_TEMP_DIR-';
 $TWiki::cfg{WorkingDir} = '/var/lib/twiki/working';
 
 1;
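Review bot: The placeholder `-UNDEFINED_TEMP_DIR-` on the two added lines is itself a usable relative path, so a LocalSite.cfg that postinst never rewrites would presumably leave TWiki putting temporary and RCS work files in whatever directory it runs from. Whether TWiki rejects a non-absolute value is not visible here. I would add a comment above the two settings, `# Placeholder: replaced by debian/postinst with a directory it has created; do not run TWiki with this value.`, so an admin who copies the file by hand knows the value must be replaced.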
diff -u twiki-4.1.2/debian/postinst twiki-4.1.2/debian/postinst
--- twiki-4.1.2/debian/postinst
+++ twiki-4.1.2/debian/postinst
@@ -10,6 +10,29 @@
 # Source debconf library.
 . /usr/share/debconf/confmodule
 
+MAIN_CONFIG=/etc/twiki/LocalSite.cfg
+CONFIG_TEMP_DIR=`cat $MAIN_CONFIG \
+    |sed 's/#.*//'| grep TempfileDir | tail -n1\
+    |sed "s/.*\?=[[:space:]]*'\(.*\?\)'.*/\1/"`
+UNDEFINED_TEMP_DIR_PATTERN='-UNDEFINED_TEMP_DIR-'
+TWIKI_SESSION_DIR=/tmp/twiki    # first attempt to /tmp/twiki
+
+TWIKI_SESSION_PERMISSIONS=1770
+
+create_session_dir()
+{
+    # We make TWIKI_SESSION_DIR
+    if ! mkdir $TWIKI_SESSION_DIR &>/dev/null; then
+        TWIKI_SESSION_DIR=`mktemp -d /tmp/twiki.XXXXXXXXXX`
+    fi
+    chmod $TWIKI_SESSION_PERMISSIONS $TWIKI_SESSION_DIR
+    chown $TWIKI_OWNER:www-data $TWIKI_SESSION_DIR
+
+    perl -pi \
+        -e "s[(TempfileDir|WorkAreaDir).*][\$1} = '$TWIKI_SESSION_DIR';]" \
+        $MAIN_CONFIG
+}
+
 
 # summary of how this script can be called:
 #        * <postinst> `configure' <most-recently-configured-version>
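Review bot: create_session_dir still creates the session directory under /tmp and writes that path into LocalSite.cfg, so on a host that clears /tmp at boot the configured directory disappears and the name can be claimed by any local user before TWiki or the next postinst run recreates it. With mode 1770 the directory is no longer world-writable, so the old reason for keeping it out of /var (the comment removed in the later hunk) no longer applies; a directory beneath `/var/lib/twiki/working`, which LocalSite.cfg already uses, avoids the problem. Separately, `&>/dev/null` on the mkdir line is a bash extension; if the script runs under a POSIX /bin/sh (the shebang is outside the hunk) it is parsed as a background job followed by an empty redirection, so write `if ! mkdir "$TWIKI_SESSION_DIR" >/dev/null 2>&1; then`. The `$TWIKI_SESSION_DIR` and `$MAIN_CONFIG` expansions should also be quoted, and the mktemp result checked for failure before chmod and chown run on it.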
@@ -58,7 +81,7 @@
 
 db_get twiki/defaultUrlHost
 # be more robust later:
-perl -pi~ -e '$U=q{'"$RET"'}; s{http://your.domain.com}{$U}g;' 
/etc/twiki/LocalSite.cfg
+perl -pi~ -e '$U=q{'"$RET"'}; s{http://your.domain.com}{$U}g;' $MAIN_CONFIG
 perl -pi~ -e '$U=q{'"$RET"'}; s{http://your.domain.com}{$U}g;' 
/etc/twiki/apache.conf
 #remove the double //cgi-bin caused by putting a / at the end of the hostUrl
 perl -pi~ -e 's{/(/cgi-bin)}{$1}g;' /etc/twiki/apache.conf
@@ -155,15 +178,26 @@
        fi
        chown $TWIKI_OWNER.www-data /var/lib/twiki/working/work_areas
 
-       #mmmm, mailnotify etc may be running _not_ as www-data
-       #and for some reason create a session
-       #use 1777 to prevent third parties replacing the file with a doctored 
one
-       #put into /tmp/twiki so that the open dir can't be used by others to 
fill up /var, thus crashing all logging
-       if [ ! -e /tmp/twiki ]; then
-               mkdir /tmp/twiki
-       fi
-       chmod 1777 /tmp/twiki
-       chown $TWIKI_OWNER.www-data /tmp/twiki
+
+    # create session dir (if needed)
+    if echo $CONFIG_TEMP_DIR|grep -q -- $UNDEFINED_TEMP_DIR_PATTERN; then
+       # NEW install
+       create_session_dir
+    else
+       if test -d $TWIKI_SESSION_DIR; then
+            found_owner=`ls -ld $TWIKI_SESSION_DIR|awk '{ print $3 }'`
+            found_group=`ls -ld $TWIKI_SESSION_DIR|awk '{ print $4 }'`
+            if ! test "$found_owner" = "$TWIKI_OWNER" -a \
+               "$found_group" = "www-data"; then
+               # error permissions, recreate
+                create_session_dir
+            fi
+        else
+            # $TWIKI_SESSION_DIR is not a directory
+               create_session_dir
+        fi
+    fi
+       chmod $TWIKI_SESSION_PERMISSIONS $TWIKI_SESSION_DIR
 
        #add softlinks to make adding plugins easier ()
        if [ ! -e /var/lib/twiki/lib ]; then
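Review bot: The upgrade branch inspects the hard-coded `$TWIKI_SESSION_DIR` (/tmp/twiki) rather than the directory read from the configuration into `$CONFIG_TEMP_DIR`, so an admin who pointed TempfileDir elsewhere gets /tmp/twiki checked and, if it is missing or mis-owned, LocalSite.cfg rewritten to a new /tmp path. The check should run against `"$CONFIG_TEMP_DIR"`. It also accepts a symlink, since `test -d` follows links while `ls -ld` reports the link's own owner, and it never looks at the mode; `[ -d "$d" ] && [ ! -L "$d" ]` together with `stat -c '%U:%G %a' "$d"` would be tighter than parsing ls output. The unconditional `chmod $TWIKI_SESSION_PERMISSIONS $TWIKI_SESSION_DIR` on the last added line then acts on whatever the path resolves to, so it belongs inside the branch that has verified the directory (create_session_dir already sets the mode itself).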
@@ -181,7 +215,7 @@
        
        chown -R $TWIKI_OWNER.www-data /var/log/twiki
        chmod -R 755 /var/log/twiki
-       chown $TWIKI_OWNER.www-data /etc/twiki/LocalSite.cfg
+       chown $TWIKI_OWNER.www-data $MAIN_CONFIG
 
        # erase configuser password
         db_reset "twiki/adminpassword"
diff -u twiki-4.1.2/debian/rules twiki-4.1.2/debian/rules
--- twiki-4.1.2/debian/rules
+++ twiki-4.1.2/debian/rules
@@ -124,10 +124,6 @@
 
 # Build architecture-independent files here.
 binary-indep: build install
-# We have nothing to do by default.
-
-# Build architecture-dependent files here.
-binary-arch: build install
        dh_testdir
        dh_testroot
        dh_installdebconf       
@@ -156,6 +152,10 @@
        dh_md5sums
        dh_builddeb
 
+# Build architecture-dependent files here.
+binary-arch: build install
+# We have nothing to do by default.
+
 # maintainer targets
 #checkpo:
 #      for i in po/*.po; do \

Attachment: signature.asc
Description: Digital signature
