Dmitry E. Oboukhov wrote:
> Package: dtc-common
> Severity: grave
>
> Hi, maintainer!
>
> This message about the error concerns a few packages at once. I've
> tested all the packages (for Lenny) on my Debian mirror. All scripts
> of packages (marked as executable) were tested.
>
> In some packages I've discovered scripts with errors which may be used
> by a user for damaging important system files or user's files.
>
> For example if a script uses in its work a temp file which is created
> in /tmp directory, then every user can create symlink with the same
> name in this directory in order to destroy or rewrite some system
> or user file. Symlink attack may also lead not only to the data
> desctruction but to denial of service as well.
>
> Even if you create files or directories with help of function 'RANDOM'
> or pid(), then your system is not protected. Attacker can create many
> symlinks in order to destroy your data or create 'denial of service'
> for your package scripts.
>
> Even if you make rm(dir) for files/directories, then your system is
> not protected. Attacker can permanently create symlinks.
>
> This list is created with the help of script. This list is sorted by
> hand. Howewer in some cases mistake is possible.
>
> Please, Be understanding to possible mistakes. :)
>
> I set Severity into grave for this bug. The table of discovered
> problems is below.
>
> Discussion of this bug you can see in debian-devel@:
> http://lists.debian.org/debian-devel/2008/08/msg00271.html
>
> Binary-package: dtc-common (0.29.6-1)
> file: /usr/share/dtc/admin/accesslog.php
> file: /usr/share/dtc/admin/sa-wrapper
Hi,
Clearly, you have been using a SCRIPT to detect for the use of /tmp, and
your script did wrong, in my case. I really don't think that using a
script to just detect the use of /tmp/ is enough, as it can even be a
comment and your script will not see it. Let me show you an example:
--- Quick example ---
#!/bin/sh
# create a temp file for later use in /tmp/
MY_TMP_FILE=`mktemp APP_TMP_FILE_XXXXXX`
--- /Quick example ---
Your script would detect the COMMENT, and mark the script as problematic.
--- accesslog.php ---
Either it detected this:
$fullpath =
$a["path"]."/".$a["name"]."/subdomains/".$a["subdomain_name"]."/tmp";
which is in fact later used to DELETE files (like php sessions):
$cmd = "find $fullpath -atime +6 -exec rm {} \;";
or it detected this:
echo \"\$AWSTATS_LOG_FILE \$AWSTATS_FULL_DOMAIN \$AWSTATS_DIR_DATA\" >>
/tmp/awstats.log
which is in fact commented out.
--- sa-wrapper ---
It seems to me that it detected the use of /tmp/spam_err.log which is in
fact used only if sa-wrapper is in debug mode, which is not the case by
default. I'm not 100% sure as this sa-wrapper is coming from
spamassassin, and there is more than one instance of the use of /tmp,
but I think I'm right saying that it should be safe.
I'm closing this bug. If you find that it still needs to be fixed, let
me know and reopen the bug.
Thomas Goirand
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
