Package: backup-manager
Version: 0.5.7-1
Severity: critical
Justification: root security hole
Tags: patch
The optional CD-burning feature of backup-manager uses a hardcoded filename
(/tmp/bm-cdrecord.log) for logging the output of cdrecord. If a malicious (or
just unlucky) user makes /tmp/bm-cdrecord.log a symlink to a system file, that
file will be overwritten in the next run of backup-manager. A demonstration
follows:
$ whoami
sven
$ ls -l /etc/junk; cat /etc/junk
-rw-r--r-- 1 root root 32 Jun 22 21:23 /etc/junk
This will soon be overwritten!
$ ln -s /etc/junk /tmp/bm-cdrecord.log
$ su -c backup-manager
Password:
unable to mount 0,1,0 on /tmp/bm-mnt
$ ls -l /etc/junk; head -n 3 /etc/junk
-rw-r--r-- 1 root root 1431 Jun 22 21:25 /etc/junk
scsidev: '0,1,0'
scsibus: 0 target: 1 lun: 0
Linux sg driver version: 3.1.25
Replace /etc/junk with /etc/passwd, and the system becomes slightly less
usable. :-(
A solution is to use "mktemp" instead of a hardcoded file name. I
suggest the following patch:
----------------------------------------------------------
diff -u /usr/sbin/backup-manager /home/sven/backup-manager
--- /usr/sbin/backup-manager 2005-04-04 22:39:22.000000000 +0200
+++ /home/sven/backup-manager 2005-06-22 21:49:17.000000000 +0200
@@ -28,8 +28,8 @@
lockfile="/var/run/backup-manager.pid"
md5sum="/usr/bin/md5sum"
bc="/usr/bin/bc"
-logfile="/tmp/bm-cdrecord.log"
-mount_point="/tmp/bm-mnt"
+logfile="$(mktemp /tmp/bm-cdrecord.log.XXXXXX)"
+mount_point="$(mktemp -d /tmp/bm-mnt.XXXXXX)"
# Load the backup-manager's library
. $libdir/gettext.sh
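Review bot: the two added mktemp calls (logfile= and mount_point=) are plain assignments in the variable block next to lockfile= and md5sum=, so each run of the script creates a new /tmp/bm-cdrecord.log.XXXXXX file and /tmp/bm-mnt.XXXXXX directory whether or not the optional burning feature is used, and nothing in this hunk removes them. Consider creating them only in the burning code path, checking the exit status of mktemp (if it fails, $logfile or $mount_point is empty and would be used as is), and adding a trap that removes both on exit.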
-----------------------------------------------------------
-- System Information:
Debian Release: 3.1
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.31
Locale: LANG=de_DE, LC_CTYPE=de_DE (charmap=ISO-8859-1)
Versions of packages backup-manager depends on:
ii debconf 1.4.30.13 Debian configuration management sy
ii gzip 1.3.5-10 The GNU compression utility
-- debconf information:
backup-manager/upload-key:
* backup-manager/name-format: long
backup-manager/upload-hosts:
backup-manager/upload-user-ftp:
* backup-manager/cron_frequency: daily
* backup-manager/blacklist: /home/sven/tmp
* backup-manager/time-to-live: 5
* backup-manager/burning-maxsize: 650
backup-manager/upload-user-scp-warning:
backup-manager/transfert_mode: scp
* backup-manager/dump_symlinks: false
backup-manager/upload-user-scp: bmngr
* backup-manager/burning-device: 0,1,0
backup-manager/upload-dir: /var/archives/uploads
* backup-manager/directories: /etc /home/sven /root
* backup-manager/filetype: tar.gz
* backup-manager/backup-repository: /var/archives
* backup-manager/burning-method: CDR
* backup-manager/burning-enabled: true
backup-manager/cron_remove_deprecated: false
* backup-manager/want_to_upload: false
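
Added example, not part of the original report and not backup-manager code: a shell script that contrasts the fixed log name with the mktemp approach from the patch. The function names and the sandbox layout are assumptions; a private directory and file stand in for /tmp and /etc/junk.

```sh
#!/bin/sh
# Added example, not code from backup-manager. Function names are hypothetical.
# Everything runs in a constructed sandbox: "$sandbox/tmp" plays /tmp and
# "$sandbox/victim" plays the root-owned file from the report.

# Pattern from the report: a fixed log name opened with ">". The open follows
# whatever already sits at that name, including a symlink.
log_fixed_path() {            # $1 = temp directory, $2 = text to log
    printf '%s\n' "$2" > "$1/bm-cdrecord.log"
}

# Pattern from the patch: mktemp creates a new, exclusively opened file with a
# random suffix, so a link planted at the old name is never used.
log_mktemp() {                # prints the path it logged to
    log=$(mktemp "$1/bm-cdrecord.log.XXXXXX") || return 1
    printf '%s\n' "$2" > "$log"
    printf '%s\n' "$log"
}

run_demo() {
    sandbox=$(mktemp -d) || return 1
    mkdir "$sandbox/tmp"
    printf 'This will soon be overwritten!\n' > "$sandbox/victim"
    ln -s "$sandbox/victim" "$sandbox/tmp/bm-cdrecord.log"   # pre-planted link

    new_log=$(log_mktemp "$sandbox/tmp" "scsidev: '0,1,0'") || return 1
    after_mktemp=$(cat "$sandbox/victim")        # victim is untouched
    mktemp_wrote=$(cat "$new_log")               # output went to the new file

    log_fixed_path "$sandbox/tmp" "scsidev: '0,1,0'"
    after_fixed=$(cat "$sandbox/victim")         # victim now holds the log text

    rm -rf "$sandbox"
}

run_demo
printf 'victim after mktemp logging:     %s\n' "$after_mktemp"
printf 'victim after fixed-name logging: %s\n' "$after_fixed"
```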