Your message dated Wed, 28 Sep 2005 11:04:51 +0200
with message-id <[EMAIL PROTECTED]>
and subject line bug closed
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 23 Jun 2005 17:52:20 +0000
Message-ID: <[EMAIL PROTECTED]>
Date: Thu, 23 Jun 2005 19:51:26 +0200
From: Sven Joachim <[EMAIL PROTECTED]>
User-Agent: Mozilla Thunderbird 1.0.2 (Windows/20050317)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: backup-manager: insecure handling of temporary files
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Package: backup-manager
Version: 0.5.7-1
Severity: critical
Justification: root security hole
Tags: patch


The optional CD-burning feature of backup-manager uses a hardcoded filename
(/tmp/bm-cdrecord.log) for logging the output of cdrecord. If a malicious (or
just unlucky) user makes /tmp/bm-cdrecord.log a symlink to a system file, that
file will be overwritten in the next run of backup-manager. A demonstration
follows:

    $ whoami
    sven
    $ ls -l /etc/junk; cat /etc/junk
    -rw-r--r--  1 root root 32 Jun 22 21:23 /etc/junk
    This will soon be overwritten!

    $ ln -s /etc/junk /tmp/bm-cdrecord.log
    $ su -c backup-manager
    Password:
    unable to mount 0,1,0 on /tmp/bm-mnt
    $ ls -l /etc/junk; head -n 3 /etc/junk
    -rw-r--r--  1 root root 1431 Jun 22 21:25 /etc/junk
    scsidev: '0,1,0'
    scsibus: 0 target: 1 lun: 0
    Linux sg driver version: 3.1.25

Replace /etc/junk with /etc/passwd, and the system becomes slightly less
usable. :-(

A solution is to use "mktemp" instead of a hardcoded file name. I
suggest the following patch:

----------------------------------------------------------
diff -u /usr/sbin/backup-manager /home/sven/backup-manager
--- /usr/sbin/backup-manager    2005-04-04 22:39:22.000000000 +0200
+++ /home/sven/backup-manager    2005-06-22 21:49:17.000000000 +0200
@@ -28,8 +28,8 @@
 lockfile="/var/run/backup-manager.pid"
 md5sum="/usr/bin/md5sum"
 bc="/usr/bin/bc"
-logfile="/tmp/bm-cdrecord.log"
-mount_point="/tmp/bm-mnt"
+logfile="$(mktemp /tmp/bm-cdrecord.log.XXXXXX)"
+mount_point="$(mktemp -d /tmp/bm-mnt.XXXXXX)"
 
 # Load the backup-manager's library
 . $libdir/gettext.sh
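Review bot: both mktemp calls sit among the global variable definitions at the top of the script (lines 28-35 of the hunk, before the library is even sourced), so a fresh log file and mount directory are created on every run, including runs where burning is disabled, and nothing in the patch removes them afterwards, so /tmp accumulates bm-cdrecord.log.XXXXXX and bm-mnt.XXXXXX leftovers. Neither assignment checks that mktemp succeeded either: on failure logfile is an empty string and later redirections go to an empty path. Suggest creating both only in the burning code path, checking the result, e.g. `logfile="$(mktemp /tmp/bm-cdrecord.log.XXXXXX)" || exit 1`, and registering a trap that removes them on exit; honouring $TMPDIR rather than a fixed /tmp would also be welcome.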
-----------------------------------------------------------

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.31
Locale: LANG=de_DE, LC_CTYPE=de_DE (charmap=ISO-8859-1)

Versions of packages backup-manager depends on:
ii  debconf                       1.4.30.13  Debian configuration management sy
ii  gzip                          1.3.5-10   The GNU compression utility

-- debconf information:
  backup-manager/upload-key:
* backup-manager/name-format: long
  backup-manager/upload-hosts:
  backup-manager/upload-user-ftp:
* backup-manager/cron_frequency: daily
* backup-manager/blacklist: /home/sven/tmp
* backup-manager/time-to-live: 5
* backup-manager/burning-maxsize: 650
  backup-manager/upload-user-scp-warning:
  backup-manager/transfert_mode: scp
* backup-manager/dump_symlinks: false
  backup-manager/upload-user-scp: bmngr
* backup-manager/burning-device: 0,1,0
  backup-manager/upload-dir: /var/archives/uploads
* backup-manager/directories: /etc /home/sven /root
* backup-manager/filetype: tar.gz
* backup-manager/backup-repository: /var/archives
* backup-manager/burning-method: CDR
* backup-manager/burning-enabled: true
  backup-manager/cron_remove_deprecated: false
* backup-manager/want_to_upload: false



---------------------------------------
Received: (at 315582-done) by bugs.debian.org; 28 Sep 2005 09:07:35 +0000
Date: Wed, 28 Sep 2005 11:04:51 +0200
From: Alexis Sukrieh <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: bug closed
Message-ID: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-15
Content-Disposition: inline
X-Editor: Vim http://www.vim.org/
X-Operating-System: Linux/2.6.8-powerpc (ppc)
X-Uptime: 11:03:33 up 15:29,  9 users,  load average: 0.08, 0.02, 0.00
X-PGP-ID: 1EE5DD34
User-Agent: Mutt/1.5.9i

Those bugs are closed in sarge now, and they are not open in etch and
sid.

