Your message dated Wed, 05 Apr 2006 06:02:12 -0700 with message-id <[EMAIL PROTECTED]> and subject line Bug#356555: fixed in libcgi-session-perl 4.11-1 has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.) Debian bug tracking system administrator (administrator, Debian Bugs database)
--- Begin Message ---
Package: libcgi-session-perl
Version: 4.03-1
Severity: grave
Tags: security

Hole 1: CGI::Session with its default Driver::File contains this insecure code:

    $self->{Directory} ||= File::Spec->tmpdir();
    my $directory = $self->{Directory};
    my $path = File::Spec->catfile($directory, $file);
    unless ( sysopen(FH, $path, O_RDONLY) ) {

File::Spec->tmpdir defaults to /tmp, and this is where CGI::Session defaults to storing its temporary files. Therefore, it writes files to /tmp without the O_EXCL flag set when opening them. This makes it vulnerable to symlink attacks when used with these default settings, provided that you can guess what session id will be generated ahead of time. Of course session ids are supposed to be hard to guess, that's the point of them, but a failure mode that includes overwriting arbitrary files is a bit worse than would be expected. I suggest adding | O_EXCL to close this hole.

Hole 2: Notice that the sysopen above does not include permissions. So with a standard umask, the session file defaults to world readable, and anyone on the machine can get access to all the session keys and whatever is secured via them, and whatever else is stored in the session files. I can see no reason not to pass a mode of 0400 to the sysopen above. Setting umask(077) before creating the session object will work around this problem. I know that perl's philosophy is to respect the umask by default, but I think that in this case a secure default is more important.

Hole 3: Driver::db_file has documentation that falsely claims to write to /tmp/cgisessions.db by default, when in fact it seems to default to writing to ./cgisess.db. If your cgi script is ~/public_html/my.cgi, then it will unexpectedly write to ~/public_html/cgisess.db, which will be publicly accessible, since it writes the file mode 644. Remote users can then download the file and take over others' sessions.

Hole 4: If you write the file somewhere else, then it's still mode 644, so local users can read all the session data from it. Setting umask(077) before creating the session object is a way to work around the permissions issue.

Hole 5: If you use Driver::db_file and specify a FileName for the file (like the example does in the man page), you can get it to write to /tmp, which is again subject to symlink attacks. There's an attack possible the first time the file is created, but a better attack is against the .lck file used for locking, which is written to the same directory, and which is opened without O_EXCL. Just start creating a symlink /tmp/cgisessions.db.lck -> /some/file in a loop, hit the CGI script that uses CGI::Session a few times until you win the race, and voila, /some/file has been zeroed. /var/log/apache2/access.log might be a good candidate for /some/file..

Hole 6: Driver::sqlite writes to /tmp/sessions.sqlt by default. I have not checked to see if DBI->connect opens the file with O_EXCL, but I doubt it, so again we have symlink attacks.

Hole 7: Also we again have the situation where an attacker can create the file in /tmp full of malicious data that exploits any holes in sqlite, and wait for someone to use Driver::db_file for the first time. I have not checked to see if it creates world readable files too, but I'm guessing it does.

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.15-1-686
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages libcgi-session-perl depends on:
ii  perl [libdigest-md5-perl]  5.8.8-2  Larry Wall's Practical Extraction

libcgi-session-perl recommends no packages.

-- no debconf information

-- 
see shy jo
signature.asc
Description: Digital signature
--- End Message ---
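The O_EXCL and file-mode points from the report above (Holes 1, 2 and 5), shown side by side as an added Perl example. This is not code from CGI::Session, from the bug report or from the Debian package; the session file name pattern cgisess_<id>, the guessable id value, the victim file and the private temp directory standing in for /tmp are all constructed for the demo, and O_NOFOLLOW is assumed to be exported by Fcntl, which it is on Linux.

```perl
#!/usr/bin/perl
# Added example, not CGI::Session code: the open pattern the report objects to,
# next to a hardened open, exercised against a planted symlink.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_TRUNC O_EXCL O_NOFOLLOW);
use File::Spec;
use File::Temp qw(tempdir);

# Insecure: O_CREAT without O_EXCL opens whatever already sits at $path, a
# planted symlink included; O_TRUNC then zeroes the target; with no mode
# argument the new file is 0666 & ~umask, i.e. world readable under umask 022.
sub open_session_insecure {
    my ($dir, $sid) = @_;
    my $path = File::Spec->catfile($dir, "cgisess_$sid");
    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_TRUNC) or return;
    return $fh;
}

# Hardened: O_EXCL makes the open fail if anything (regular file or symlink,
# dangling or not) already exists at $path; O_NOFOLLOW additionally refuses a
# symlink as the final path component; the explicit 0600 is applied at
# creation time, so there is never a world-readable window to chmod away.
sub open_session_secure {
    my ($dir, $sid) = @_;
    my $path = File::Spec->catfile($dir, "cgisess_$sid");
    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600)
        or return;
    return $fh;
}

sub file_size { return (stat shift)[7] // 0 }

sub write_victim {
    my ($path) = @_;
    open(my $out, '>', $path) or die "$path: $!";
    print $out "GET /index.html 200\n" x 3;    # constructed stand-in for a log
    close $out;
}

# --- demo in a private temp dir standing in for /tmp ------------------------
umask 022;                                    # the usual default that yields 0644 files
my $dir    = tempdir(CLEANUP => 1);
my $victim = File::Spec->catfile($dir, 'access.log');
write_victim($victim);

# Attacker who guessed the next session id plants a symlink under that name.
my $sid = 'a1b2c3d4';                         # hypothetical, assumed guessable
symlink($victim, File::Spec->catfile($dir, "cgisess_$sid")) or die "symlink: $!";

if (my $fh = open_session_insecure($dir, $sid)) {
    close $fh;
    printf "insecure open followed the symlink; victim is now %d bytes\n",
        file_size($victim);
}

write_victim($victim);                        # restore, then retry hardened
if (my $fh = open_session_secure($dir, $sid)) {
    close $fh;
    print "secure open unexpectedly succeeded\n";
} else {
    printf "secure open refused: %s; victim still %d bytes\n",
        $!, file_size($victim);
}

# A fresh id creates the session file owner-only in spite of umask 022.
my $fh = open_session_secure($dir, 'fresh0001') or die "create: $!";
close $fh;
printf "new session file mode: %04o\n",
    (stat File::Spec->catfile($dir, 'cgisess_fresh0001'))[2] & 07777;
```

Run it with `perl` on a Linux host; the first open truncates the victim through the symlink, the second fails with "File exists" and leaves it intact, and the freshly created file is mode 0600. Two caveats worth keeping in mind: O_EXCL only has an effect together with O_CREAT, so it protects the places where a session or lock file is first created, not a read-back of an existing session, where O_NOFOLLOW (or an lstat check) is the symlink defence; and O_NOFOLLOW only rejects a symlink as the last path component, so the more robust fix is to keep session files in a directory no other local user can write to (mode 0700) rather than in a shared /tmp.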
--- Begin Message ---
Source: libcgi-session-perl
Source-Version: 4.11-1

We believe that the bug you reported is fixed in the latest version of libcgi-session-perl, which is due to be installed in the Debian FTP archive:

libcgi-session-perl_4.11-1.diff.gz
  to pool/main/libc/libcgi-session-perl/libcgi-session-perl_4.11-1.diff.gz
libcgi-session-perl_4.11-1.dsc
  to pool/main/libc/libcgi-session-perl/libcgi-session-perl_4.11-1.dsc
libcgi-session-perl_4.11-1_all.deb
  to pool/main/libc/libcgi-session-perl/libcgi-session-perl_4.11-1_all.deb
libcgi-session-perl_4.11.orig.tar.gz
  to pool/main/libc/libcgi-session-perl/libcgi-session-perl_4.11.orig.tar.gz

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [EMAIL PROTECTED], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Julien Danjou <[EMAIL PROTECTED]> (supplier of updated libcgi-session-perl package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [EMAIL PROTECTED])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 5 Apr 2006 14:52:20 +0200
Source: libcgi-session-perl
Binary: libcgi-session-perl
Architecture: source all
Version: 4.11-1
Distribution: unstable
Urgency: high
Maintainer: Julien Danjou <[EMAIL PROTECTED]>
Changed-By: Julien Danjou <[EMAIL PROTECTED]>
Description:
 libcgi-session-perl - Persistent session data in CGI applications
Closes: 356555
Changes:
 libcgi-session-perl (4.11-1) unstable; urgency=high
 .
   * New upstream release
     Fix last security holes (Closes: #356555)
   * Set priority to high since this is a security update
   * Change Suggests to Recommends for libdbi-perl
Files:
 c991eb5f7fca795778236bd3438ed5a2 626 perl optional libcgi-session-perl_4.11-1.dsc
 4b97569d2f1f33fcef80c9ab2bffa291 55876 perl optional libcgi-session-perl_4.11.orig.tar.gz
 44e3e8416324c53ce0e40bc7931c1580 1841 perl optional libcgi-session-perl_4.11-1.diff.gz
 b5233f607ec2b2d1a7a9b89345350179 107700 perl optional libcgi-session-perl_4.11-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFEM75MpGK1HsL+5c0RAlBPAJkBSsCurW3dtqs1xUXS8puht27+CwCfX3d2
IWRBG2HR8ggkk4rwpa82RoM=
=GkUv
-----END PGP SIGNATURE-----
--- End Message ---

