Hello Dmitri, José Luis,

Dmitri, thank you for your investigation work: your script revealed some weak points inside scripts of the package wims. I made a new package to fix these weaknesses, and will send a message about them to the upstream developer.
José Luis, please can you sponsor the new package? The description file is at ftp://debian.ofset.org/debian/pool/main/w/wims_3.62-15.dsc

Thanking you in advance, best regards, Georges.

Dmitry E. Oboukhov wrote:
> Package: wims
> Severity: grave
>
> Hi, maintainer!
>
> This message about the error concerns a few packages at once. I've
> tested all the packages (for Lenny) on my Debian mirror. All scripts
> of packages (marked as executable) were tested.
>
> In some packages I've discovered scripts with errors which may be used
> by a user for damaging important system files or user's files.
>
> For example if a script uses in its work a temp file which is created
> in /tmp directory, then every user can create symlink with the same
> name in this directory in order to destroy or rewrite some system
> or user file. Symlink attack may also lead not only to the data
> destruction but to denial of service as well.
>
> Even if you create files or directories with help of function 'RANDOM'
> or pid(), then your system is not protected. Attacker can create many
> symlinks in order to destroy your data or create 'denial of service'
> for your package scripts.
>
> Even if you make rm(dir) for files/directories, then your system is
> not protected. Attacker can permanently create symlinks.
>
> This list is created with the help of script. This list is sorted by
> hand. However in some cases mistake is possible.
>
> Please, Be understanding to possible mistakes. :)
>
> I set Severity into grave for this bug. The table of discovered
> problems is below.
>
> Discussion of this bug you can see in debian-devel@:
> http://lists.debian.org/debian-devel/2008/08/msg00271.html
>
> Binary-package: r-base-core-ra (1.1.1-1)
> file: /usr/lib/Ra/lib/R/bin/javareconf
> Binary-package: rccp (0.9-2)
> file: /usr/lib/rccp/delqueueask
> Binary-package: mafft (6.240-1)
> file: /usr/bin/mafft-homologs
> Binary-package: openoffice.org-common (1:2.4.1-6)
> file: /usr/lib/openoffice/program/senddoc
> Binary-package: crossfire-maps (1.11.0-1)
> file: /usr/share/games/crossfire/maps/Info/combine.pl
> Binary-package: sgml2x (1.0.0-11.1)
> file: /usr/bin/rlatex
> Binary-package: liguidsoap (0.3.6-4)
> file: /var/lib/liguidsoap/liguidsoap.py
> Binary-package: citadel-server (7.37-1)
> file: /usr/lib/citadel-server/migrate_aliases.sh
> Binary-package: ampache (3.4.1-1)
> file: /usr/share/ampache/www/locale/base/gather-messages.sh
> Binary-package: xen-utils-3.2-1 (3.2.1-2)
> file: /usr/lib/xen-3.2-1/bin/qemu-dm.debug
> Binary-package: dtc-common (0.29.6-1)
> file: /usr/share/dtc/admin/accesslog.php
> file: /usr/share/dtc/admin/sa-wrapper
> Binary-package: honeyd-common (1.5c-3)
> file: /usr/share/honeyd/scripts/test.sh
> Binary-package: lustre-tests (1.6.5-1)
> file: /usr/lib/lustre/tests/runiozone
> Binary-package: linuxtrade (3.65-8+b4)
> file: /usr/share/linuxtrade/bin/linuxtrade.bwkvol
> file: /usr/share/linuxtrade/bin/linuxtrade.wn
> file: /usr/share/linuxtrade/bin/moneyam.helper
> Binary-package: freevo (1.8.1-0)
> file: /usr/bin/freevo.real
> Binary-package: fml (4.0.3.dfsg-2)
> file: /usr/share/fml/libexec/mead.pl
> Binary-package: rkhunter (1.3.2-3)
> file: /usr/bin/rkhunter
> Binary-package: openswan (1:2.4.12+dfsg-1.1)
> file: /usr/lib/ipsec/livetest
> Binary-package: linux-patch-openswan (1:2.4.12+dfsg-1.1)
> file: /usr/src/kernel-patches/all/openswan/packaging/utils/maysnap
> file: /usr/src/kernel-patches/all/openswan/packaging/utils/maytest
> Binary-package: aptoncd (0.1-1.1)
> file: /usr/share/aptoncd/xmlfile.py
> Binary-package: cdcontrol (1.90-1.1)
> file: /usr/lib/cdcontrol/writtercontrol
> Binary-package: newsgate (1.6-23)
> file: /usr/bin/mkmailpost
> Binary-package: gpsdrive-scripts (2.10~pre4-3)
> file: /usr/bin/geo-code
> Binary-package: impose+ (0.2-11)
> file: /usr/bin/impose
> Binary-package: mgt (2.31-5)
> file: /usr/games/mailgo
> Binary-package: audiolink (0.05-1)
> file: /usr/bin/audiolink
> Binary-package: ibackup (2.27-4.1)
> file: /usr/bin/ibackup
> Binary-package: emacspeak (26.0-3)
> file: /usr/share/emacs/site-lisp/emacspeak/etc/extract-table.pl
> Binary-package: bk2site (1:1.1.9-3.1)
> file: /usr/lib/cgi-bin/bk2site/redirect.pl
> Binary-package: datafreedom-perl (0.1.7-1)
> file: /usr/bin/dfxml-invoice
> Binary-package: emacs-jabber (0.7.91-1)
> file: /usr/lib/emacsen-common/packages/install/emacs-jabber
> Binary-package: lmbench (3.0-a7-1)
> file: /usr/lib/lmbench/scripts/rccs
> file: /usr/lib/lmbench/scripts/STUFF
> Binary-package: rancid-util (2.3.2~a8-1)
> file: /var/lib/rancid/getipacctg
> Binary-package: ogle (0.9.2-5.2)
> file: /usr/lib/ogle/ogle_audio_debug
> file: /usr/lib/ogle/ogle_cli_debug
> file: /usr/lib/ogle/ogle_ctrl_debug
> file: /usr/lib/ogle/ogle_gui_debug
> file: /usr/lib/ogle/ogle_mpeg_ps_debug
> file: /usr/lib/ogle/ogle_mpeg_vs_debug
> file: /usr/lib/ogle/ogle_nav_debug
> file: /usr/lib/ogle/ogle_vout_debug
> Binary-package: firehol (1.256-4)
> file: /sbin/firehol
> Binary-package: aview (1.3.0rc1-8)
> file: /usr/bin/asciiview
> Binary-package: radiance (3R9+20080530-3)
> file: /usr/bin/optics2rad
> file: /usr/bin/pdelta
> file: /usr/bin/dayfact
> file: /usr/bin/raddepend
> Binary-package: vdr-dbg (1.6.0-5)
> file: /usr/bin/vdrleaktest
> Binary-package: ogle-mmx (0.9.2-5.2)
> file: /usr/lib/ogle/ogle_audio_debug
> file: /usr/lib/ogle/ogle_cli_debug
> file: /usr/lib/ogle/ogle_ctrl_debug
> file: /usr/lib/ogle/ogle_gui_debug
> file: /usr/lib/ogle/ogle_mpeg_ps_debug
> file: /usr/lib/ogle/ogle_mpeg_vs_debug
> file: /usr/lib/ogle/ogle_nav_debug
> file: /usr/lib/ogle/ogle_vout_debug
> Binary-package: convirt (0.8.2-3)
> file: /usr/share/convirt/image_store/_template_/provision.sh
> file: /usr/share/convirt/image_store/Linux_CD_Install/provision.sh
> file: /usr/share/convirt/image_store/Fedora_PV_Install/provision.sh
> file: /usr/share/convirt/image_store/CentOS_PV_Install/provision.sh
> file: /usr/share/convirt/image_store/common/provision.sh
> file: /usr/share/convirt/image_store/example/provision.sh
> file: /usr/share/convirt/image_store/Windows_CD_Install/provision.sh
> Binary-package: printfilters-ppd (2.13-9)
> file: /usr/lib/printfilters/master-filter
> Binary-package: r-base-core (2.7.1-1)
> file: /usr/lib/R/bin/javareconf
> file: /usr/lib/R/bin/javareconf.orig
> Binary-package: xmcd (2.6-19.3)
> file: /usr/share/xmcd/scripts/ncsarmt
> file: /usr/share/xmcd/scripts/ncsawrap
> Binary-package: tiger (1:3.2.2-3.1)
> file: /usr/lib/tiger/util/genmsgidx
> Binary-package: scilab-bin (4.1.2-5)
> file: /usr/lib/scilab-4.1.2/bin/scilink
> file: /usr/lib/scilab-4.1.2/util/scidoc
> file: /usr/lib/scilab-4.1.2/util/scidem
> Binary-package: dpkg-cross (2.3.0)
> file: /usr/share/dpkg-cross/bin/gccross
> Binary-package: ltp-network-test (20060918-2.1)
> file: /usr/lib/debian-test/tests/linux/testcases/bin/ftp_setup_vsftp_conf
> file: /usr/lib/debian-test/tests/linux/testcases/bin/nfs_fsstress.sh
> Binary-package: cman (2.20080629-1)
> file: /usr/sbin/fence_egenera
> Binary-package: scratchbox2 (1.99.0.24-1)
> file: /usr/share/scratchbox2/scripts/dpkg-checkbuilddeps
> file: /usr/share/scratchbox2/scripts/sb2-check-pkg-mappings
> Binary-package: sendmail-base (8.14.3-5)
> file: /usr/sbin/checksendmail
> file: /usr/bin/expn
> Binary-package: fwbuilder (2.1.19-3)
> file: /usr/bin/fwb_install
> Binary-package: sng (1.0.2-5)
> file: /usr/bin/sng_regress
> Binary-package: dist (1:3.5-17-1)
> file: /usr/bin/patcil
> file: /usr/bin/patdiff
> Binary-package: sympa (5.3.4-5)
> file: /usr/lib/cgi-bin/sympa/wwsympa.fcgi
> file: /usr/lib/sympa/bin/sympa.pl
> Binary-package: postfix (2.5.2-2)
> file: /usr/lib/postfix_groups.pl
> Binary-package: caudium (3:1.4.12-11)
> file: /usr/share/caudium/configvar
> Binary-package: mgetty-fax (1.1.36-1.2)
> file: /usr/bin/faxspool
> Binary-package: aegis (4.24-3)
> file: /usr/share/doc/aegis/examples/remind/bng_dvlpd.sh
> file: /usr/share/doc/aegis/examples/remind/bng_rvwd.sh
> file: /usr/share/doc/aegis/examples/remind/awt_dvlp.sh
> file: /usr/share/doc/aegis/examples/remind/awt_intgrtn.sh
> Binary-package: aegis-web (4.24-3)
> file: /usr/lib/cgi-bin/aegis.cgi
> Binary-package: digitaldj (0.7.5-6+b1)
> file: /usr/share/digitaldj/fest.pl
> Binary-package: mon (0.99.2-12)
> file: /usr/lib/mon/alert.d/test.alert
> Binary-package: feta (1.4.16)
> file: /usr/share/feta/plugins/to-upgrade
> Binary-package: arb-common (0.0.20071207.1-4)
> file: /usr/lib/arb/SH/arb_fastdnaml
> file: /usr/lib/arb/SH/dszmconnect.pl
> Binary-package: qemu (0.9.1-5)
> file: /usr/sbin/qemu-make-debian-root
> Binary-package: apertium (3.0.7+1-1+b1)
> file: /usr/bin/apertium-gen-deformat
> file: /usr/bin/apertium-gen-reformat
> file: /usr/bin/apertium
> Binary-package: xcal (4.1-18.3)
> file: /usr/bin/pscal
> Binary-package: myspell-tools (1:3.1-20)
> file: /usr/bin/i2myspell
> Binary-package: gccxml (0.9.0+cvs20080525-1)
> file: /usr/share/gccxml-0.9/MIPSpro/find_flags
> Binary-package: freeradius-dialupadmin (2.0.4+dfsg-4)
> file: /usr/share/freeradius-dialupadmin/bin/backup_radacct
> file: /usr/share/freeradius-dialupadmin/bin/clean_radacct
> file: /usr/share/freeradius-dialupadmin/bin/monthly_tot_stats
> file: /usr/share/freeradius-dialupadmin/bin/tot_stats
> file: /usr/share/freeradius-dialupadmin/bin/truncate_radacct
> Binary-package: dhis-server (5.3-1)
> file: /usr/lib/dhis-server/dhis-dummy-log-engine
> Binary-package: wims (3.62-13)
> file: /var/lib/wims/public_html/bin/coqweb
> file: /var/lib/wims/bin/account.sh
> Binary-package: initramfs-tools (0.92f)
> file: /usr/share/initramfs-tools/init
> Binary-package: realtimebattle-common (1.0.8-7)
> file: /usr/lib/realtimebattle/Robots/perl.robot
> Binary-package: netmrg (0.20-1)
> file: /usr/bin/rrdedit
> Binary-package: bulmages-servers (0.11.1-2)
> file: /usr/share/bulmages/examples/scripts/actualizabulmacont
> file: /usr/share/bulmages/examples/scripts/installbulmages-db
> file: /usr/share/bulmages/examples/scripts/creabulmafact
> file: /usr/share/bulmages/examples/scripts/creabulmacont
> file: /usr/share/bulmages/examples/scripts/actualizabulmafact
> Binary-package: xastir (1.9.2-1)
> file: /usr/lib/xastir/get-maptools.sh
> file: /usr/lib/xastir/get_shapelib.sh
> Binary-package: plait (1.5.2-1)
> file: /usr/bin/plaiter
> file: /usr/bin/plait
> Binary-package: cdrw-taper (0.4-2)
> file: /usr/sbin/amlabel-cdrw
> Binary-package: konwert-filters (1.8-11.1)
> file: /usr/share/konwert/filters/any-UTF8
> Binary-package: gdrae (0.1-1)
> file: /usr/bin/gdrae
> Binary-package: lazarus-src (0.9.24-0-9)
> file: /usr/lib/lazarus/tools/install/create_lazarus_export_tgz.sh

--
Georges KHAZNADAR and Jocelyne FOURNIER
22 rue des mouettes, 59240 Dunkerque France.
Telephone +33 (0)3 28 29 17 70
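As an added example (not part of this thread, the bug report or the wims package), here is the shell pattern the report describes, a predictable temp-file name under /tmp even with the pid appended, beside the mktemp-based replacement and a pre-write check a maintainer can drop into a script; the function names and the `report.XXXXXX` template are this example's own.

```shell
#!/bin/sh
# Added example, not code from the wims package or the bug report.
# Shows why "/tmp/name.$$" is unsafe on a shared system and how the
# mktemp(1) pattern plus a pre-write check closes the hole.

# Weak pattern: the name is predictable (pid or $RANDOM do not help, as the
# report notes), so a file or symlink can already exist at that path when
# the script later does "echo ... > $f" and follows it.
weak_tmpfile() {
    printf '%s\n' "${TMPDIR:-/tmp}/report.$$"
}

# Hardened pattern: mktemp creates the file itself, atomically, with mode
# 0600 and without following anything that already exists at the path.
safe_tmpfile() {
    tmp=$(mktemp "${TMPDIR:-/tmp}/report.XXXXXX") || return 1
    printf '%s\n' "$tmp"
}

# Pre-write check: only a regular, non-symlink file owned by the caller is
# acceptable. Returns 0 when safe to write, 1 otherwise.
check_tmpfile() {
    f=$1
    [ ! -L "$f" ] && [ -f "$f" ] && [ -O "$f" ]
}

# Demonstration in a private directory: a symlink planted at the predictable
# name fails the check, a mktemp-created file passes it. Returns 0 on success.
demo() {
    dir=$(mktemp -d) || return 1
    planted=$(TMPDIR=$dir weak_tmpfile)
    ln -s /dev/null "$planted"          # constructed stand-in for a planted symlink
    if check_tmpfile "$planted"; then   # must be rejected
        rm -rf "$dir"; return 1
    fi
    good=$(TMPDIR=$dir safe_tmpfile) || { rm -rf "$dir"; return 1; }
    if ! check_tmpfile "$good"; then    # must be accepted
        rm -rf "$dir"; return 1
    fi
    rm -rf "$dir"
    return 0
}
```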