Your message dated Mon, 27 Jun 2005 14:02:22 -0400
with message-id <[EMAIL PROTECTED]>
and subject line Bug#315582: fixed in backup-manager 0.5.8-2
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Date: Thu, 23 Jun 2005 19:51:26 +0200
From: Sven Joachim <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: backup-manager: insecure handling of temporary files
Package: backup-manager
Version: 0.5.7-1
Severity: critical
Justification: root security hole
Tags: patch
The optional CD-burning feature of backup-manager uses a hardcoded filename
(/tmp/bm-cdrecord.log) for logging the output of cdrecord. If a malicious (or
just unlucky) user makes /tmp/bm-cdrecord.log a symlink to a system file, that
file will be overwritten in the next run of backup-manager. A demonstration
follows:
$ whoami
sven
$ ls -l /etc/junk; cat /etc/junk
-rw-r--r-- 1 root root 32 Jun 22 21:23 /etc/junk
This will soon be overwritten!
$ ln -s /etc/junk /tmp/bm-cdrecord.log
$ su -c backup-manager
Password:
unable to mount 0,1,0 on /tmp/bm-mnt
$ ls -l /etc/junk; head -n 3 /etc/junk
-rw-r--r-- 1 root root 1431 Jun 22 21:25 /etc/junk
scsidev: '0,1,0'
scsibus: 0 target: 1 lun: 0
Linux sg driver version: 3.1.25
Replace /etc/junk with /etc/passwd, and the system becomes slightly less
usable. :-(
A solution is to use "mktemp" instead of a hardcoded file name; I suggest
the following patch:
----------------------------------------------------------
diff -u /usr/sbin/backup-manager /home/sven/backup-manager
--- /usr/sbin/backup-manager 2005-04-04 22:39:22.000000000 +0200
+++ /home/sven/backup-manager 2005-06-22 21:49:17.000000000 +0200
@@ -28,8 +28,8 @@
lockfile="/var/run/backup-manager.pid"
md5sum="/usr/bin/md5sum"
bc="/usr/bin/bc"
-logfile="/tmp/bm-cdrecord.log"
-mount_point="/tmp/bm-mnt"
+logfile="$(mktemp /tmp/bm-cdrecord.log.XXXXXX)"
+mount_point="$(mktemp -d /tmp/bm-mnt.XXXXXX)"
# Load the backup-manager's library
. $libdir/gettext.sh
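Review bot: neither mktemp call on the two added lines is checked for failure. If mktemp cannot create the file or directory, logfile or mount_point becomes an empty string and the script continues as root with it; appending `|| exit 1` to each assignment (the assignment returns mktemp's exit status) makes it fail closed. Both assignments also sit in the top-level variable block, so a file and a directory are created in /tmp whenever this block is evaluated, and nothing in this hunk removes them: a `trap` on EXIT that deletes $logfile and removes $mount_point after unmounting would avoid leaving them behind. Minor: the templates hardcode /tmp, where `${TMPDIR:-/tmp}` would respect a configured temporary directory.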
-----------------------------------------------------------
-- System Information:
Debian Release: 3.1
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.31
Locale: LANG=de_DE, LC_CTYPE=de_DE (charmap=ISO-8859-1)
Versions of packages backup-manager depends on:
ii debconf 1.4.30.13 Debian configuration management sy
ii gzip 1.3.5-10 The GNU compression utility
-- debconf information:
backup-manager/upload-key:
* backup-manager/name-format: long
backup-manager/upload-hosts:
backup-manager/upload-user-ftp:
* backup-manager/cron_frequency: daily
* backup-manager/blacklist: /home/sven/tmp
* backup-manager/time-to-live: 5
* backup-manager/burning-maxsize: 650
backup-manager/upload-user-scp-warning:
backup-manager/transfert_mode: scp
* backup-manager/dump_symlinks: false
backup-manager/upload-user-scp: bmngr
* backup-manager/burning-device: 0,1,0
backup-manager/upload-dir: /var/archives/uploads
* backup-manager/directories: /etc /home/sven /root
* backup-manager/filetype: tar.gz
* backup-manager/backup-repository: /var/archives
* backup-manager/burning-method: CDR
* backup-manager/burning-enabled: true
backup-manager/cron_remove_deprecated: false
* backup-manager/want_to_upload: false
---------------------------------------
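Added example (not part of the original report and not backup-manager code): the shell sketch below reproduces the reported behaviour inside a private sandbox directory and compares it with two hardened ways of writing the log. The function names and the "victim" file are hypothetical; the file stands in for the system file from the report.

```sh
#!/bin/sh
# Added example, not backup-manager code. Everything happens inside a
# private sandbox directory; "victim" stands in for a root-owned file.

# Pattern from the report: a plain redirection to a predictable path
# follows whatever symlink is already sitting there.
write_fixed() {            # $1 = predictable log path
    echo "cdrecord output" > "$1"
}

# Direction taken by the patch: mktemp creates a new file (O_EXCL,
# mode 0600) under an unpredictable name. Fail closed if it cannot.
write_mktemp() {           # $1 = temp directory; prints the path used
    f=$(mktemp "$1/bm-cdrecord.log.XXXXXX") || return 1
    echo "cdrecord output" > "$f" || return 1
    printf '%s\n' "$f"
}

# When a fixed name cannot be avoided: noclobber (set -C) makes the
# redirection refuse to overwrite an existing regular file, also when
# that file is reached through a symlink.
write_noclobber() {        # $1 = predictable log path
    ( set -C; echo "cdrecord output" > "$1" ) 2>/dev/null
}

# Plants a symlink at the predictable name, runs one strategy, and
# reports whether the victim file survived: "intact" or "clobbered".
check() {                  # $1 = strategy function name
    box=$(mktemp -d) || return 1
    echo "important" > "$box/victim"
    ln -s "$box/victim" "$box/bm-cdrecord.log"   # constructed test symlink
    case $1 in
        write_mktemp) "$1" "$box" >/dev/null || true ;;
        *)            "$1" "$box/bm-cdrecord.log" || true ;;
    esac
    if [ "$(cat "$box/victim")" = "important" ]; then r=intact; else r=clobbered; fi
    rm -rf "$box"
    echo "$r"
}

for s in write_fixed write_mktemp write_noclobber; do
    echo "$s: $(check "$s")"
done
```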
From: Alexis Sukrieh <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Bug#315582: fixed in backup-manager 0.5.8-2
Date: Mon, 27 Jun 2005 14:02:22 -0400
Source: backup-manager
Source-Version: 0.5.8-2
We believe that the bug you reported is fixed in the latest version of
backup-manager, which is due to be installed in the Debian FTP archive:
backup-manager_0.5.8-2.diff.gz
to pool/main/b/backup-manager/backup-manager_0.5.8-2.diff.gz
backup-manager_0.5.8-2.dsc
to pool/main/b/backup-manager/backup-manager_0.5.8-2.dsc
backup-manager_0.5.8-2_all.deb
to pool/main/b/backup-manager/backup-manager_0.5.8-2_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Alexis Sukrieh <[EMAIL PROTECTED]> (supplier of updated backup-manager package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sat, 25 Jun 2005 16:50:28 +0200
Source: backup-manager
Binary: backup-manager
Architecture: source all
Version: 0.5.8-2
Distribution: unstable
Urgency: low
Maintainer: Alexis Sukrieh <[EMAIL PROTECTED]>
Changed-By: Alexis Sukrieh <[EMAIL PROTECTED]>
Description:
backup-manager - command-line backup tool
Closes: 315582 315714
Changes:
backup-manager (0.5.8-2) unstable; urgency=low
.
* New patch for closing the security issue about temp paths (using mktemp
now).
+ debian/patches/02_security_315582.dpatch
(closes: #315582)
* Now handles cron with the cron.{daily|weekly|monthly} subdirectories
instead of the cron.d subdirectory, which is not handled by anacron.
+ added debian/cron.daily
+ removed debian.cron.d
+ added a debconf prompt for removing /etc/cron.d/backup-manager
(closes: #315714)
Files:
b5a98606a7cfcbe3fe61ccb8d7dea267 619 admin optional backup-manager_0.5.8-2.dsc
47a119410951074da813c71dcb7b04de 34881 admin optional backup-manager_0.5.8-2.diff.gz
db3be16a8144831486cb0a3bec06ec8e 49060 admin optional backup-manager_0.5.8-2_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iD8DBQFCwDf9hYgK5b1UDsERAntAAJ0UmxzMD4SLA8rWN8Qba/HyqupirQCeLlY1
ilnJPC7/SMzFT6Gk1B4uPTw=
=lGt7
-----END PGP SIGNATURE-----