Package: backup-manager
Version: 0.5.7-1
Severity: critical
Justification: root security hole
Tags: patch


The optional CD-burning feature of backup-manager uses a hardcoded filename
(/tmp/bm-cdrecord.log) for logging the output of cdrecord. If a malicious
(or just unlucky) user makes /tmp/bm-cdrecord.log a symlink to a system
file, that file will be overwritten in the next run of backup-manager. A
demonstration follows:

   $ whoami
   sven
   $ ls -l /etc/junk; cat /etc/junk
   -rw-r--r--  1 root root 32 Jun 22 21:23 /etc/junk
   This will soon be overwritten!

   $ ln -s /etc/junk /tmp/bm-cdrecord.log
   $ su -c backup-manager
   Password:
   unable to mount 0,1,0 on /tmp/bm-mnt
   $ ls -l /etc/junk; head -n 3 /etc/junk
   -rw-r--r--  1 root root 1431 Jun 22 21:25 /etc/junk
   scsidev: '0,1,0'
   scsibus: 0 target: 1 lun: 0
   Linux sg driver version: 3.1.25

Replace /etc/junk with /etc/passwd, and the system becomes slightly less
usable. :-(

A solution is to use "mktemp" instead of a hardcoded file name. I
suggest the following patch:

----------------------------------------------------------
diff -u /usr/sbin/backup-manager /home/sven/backup-manager
--- /usr/sbin/backup-manager    2005-04-04 22:39:22.000000000 +0200
+++ /home/sven/backup-manager    2005-06-22 21:49:17.000000000 +0200
@@ -28,8 +28,8 @@
lockfile="/var/run/backup-manager.pid"
md5sum="/usr/bin/md5sum"
bc="/usr/bin/bc"
-logfile="/tmp/bm-cdrecord.log"
-mount_point="/tmp/bm-mnt"
+logfile="$(mktemp /tmp/bm-cdrecord.log.XXXXXX)"
+mount_point="$(mktemp -d /tmp/bm-mnt.XXXXXX)"

# Load the backup-manager's library
. $libdir/gettext.sh
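Review bot: neither mktemp call on the new logfile= and mount_point= lines is checked for failure, so if mktemp fails the variable is left empty and every later use of $logfile or $mount_point works on an empty path; append `|| exit 1` to both assignments. Both calls also sit in the top-level variable block next to lockfile=, md5sum= and bc=, so a new file and a new directory are created in /tmp on every run, whether or not the optional burning feature is used, and nothing in the visible lines removes them. Consider creating them only in the burning code path and adding a trap that deletes both on exit.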
-----------------------------------------------------------

-- System Information:
Debian Release: 3.1
 APT prefers testing
 APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.31
Locale: LANG=de_DE, LC_CTYPE=de_DE (charmap=ISO-8859-1)

Versions of packages backup-manager depends on:
ii  debconf                       1.4.30.13  Debian configuration management sy
ii  gzip                          1.3.5-10   The GNU compression utility

-- debconf information:
 backup-manager/upload-key:
* backup-manager/name-format: long
 backup-manager/upload-hosts:
 backup-manager/upload-user-ftp:
* backup-manager/cron_frequency: daily
* backup-manager/blacklist: /home/sven/tmp
* backup-manager/time-to-live: 5
* backup-manager/burning-maxsize: 650
 backup-manager/upload-user-scp-warning:
 backup-manager/transfert_mode: scp
* backup-manager/dump_symlinks: false
 backup-manager/upload-user-scp: bmngr
* backup-manager/burning-device: 0,1,0
 backup-manager/upload-dir: /var/archives/uploads
* backup-manager/directories: /etc /home/sven /root
* backup-manager/filetype: tar.gz
* backup-manager/backup-repository: /var/archives
* backup-manager/burning-method: CDR
* backup-manager/burning-enabled: true
 backup-manager/cron_remove_deprecated: false
* backup-manager/want_to_upload: false
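
The difference between the fixed log name and the mktemp name from the report above, as an added example that is not part of the original report or of backup-manager. The function names and the scratch directory are assumptions made for illustration; everything runs inside a private directory created by mktemp -d, not in the real /tmp.

```shell
#!/bin/sh
# Added example (constructed): fixed log name versus mktemp-created log name.

# Pattern from the report: ">" on a fixed name follows a symlink that is
# already sitting at that name and truncates whatever it points to.
write_log_fixed() {
    dir=$1
    echo "cdrecord output" > "$dir/bm-cdrecord.log"
}

# Pattern from the proposed patch, with a failure check added: mktemp
# creates a new file under an unpredictable name and fails rather than
# reusing an existing path.
write_log_mktemp() {
    dir=$1
    log=$(mktemp "$dir/bm-cdrecord.log.XXXXXX") || return 1
    echo "cdrecord output" > "$log"
    printf '%s\n' "$log"
}

# Plant a symlink at the predictable name, run the given writer, and
# report whether the file behind the symlink kept its content.
check_writer() {
    writer=$1
    scratch=$(mktemp -d) || return 2
    printf 'important\n' > "$scratch/target"        # stands in for a system file
    ln -s "$scratch/target" "$scratch/bm-cdrecord.log"
    "$writer" "$scratch" > /dev/null
    if [ "$(cat "$scratch/target")" = "important" ]; then
        result=intact
    else
        result=overwritten
    fi
    rm -rf "$scratch"
    printf '%s\n' "$result"
}

echo "fixed name:  $(check_writer write_log_fixed)"
echo "mktemp name: $(check_writer write_log_mktemp)"
```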



