Bug#496410: The possibility of attack with the help of symlinks in some Debian packages
The new upstream version that fixes this bug introduces a lot of other changes and doesn't seem acceptable for lenny. Is anyone working on backporting the fix for a t-p-u upload? I can probably do it later this week but I don't want to duplicate work.

Cheers,
Stefan

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#496410: The possibility of attack with the help of symlinks in some Debian packages
Hi,
the following two additional CVE ids have been assigned to symlink issues in cman/redhat-cluster:

CVE-2008-4579[0]:
| The (1) fence_apc and (2) fence_apc_snmp programs, as used in (a)
| fence 2.02.00-r1 and possibly (b) cman, when running in verbose mode,
| allows local users to append to arbitrary files via a symlink attack
| on the apclog temporary file.

CVE-2008-4580[1]:
| fence_manual in fence allows local users to modify arbitrary files via
| a symlink attack on the fence_manual.fifo temporary file.

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4579
    http://security-tracker.debian.net/tracker/CVE-2008-4579
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4580
    http://security-tracker.debian.net/tracker/CVE-2008-4580

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Bug#496410: The possibility of attack with the help of symlinks in some Debian packages
Hi,

It looks like there are some more tempfile creation problems in the redhat-cluster source package.

1) In rgmanager/src/daemons/main.c (line 707):

	void dump_internal_state(char *loc)
	{
		FILE *fp;

		fp=fopen(loc, "w+");
		dump_config_version(fp);
		dump_threads(fp);
		dump_vf_states(fp);
	#ifdef WRAP_THREADS
		dump_thread_states(fp);
	#endif
		dump_cluster_ctx(fp);
		//malloc_dump_table(fp, 1, 16384); /* Only works if alloc.c is used */
		fclose(fp);
	}
	...
	dump_internal_state("/tmp/rgmanager-dump");

This file is part of the binary clurgmgrd (package rgmanager) which is run as root.

2) In gfs2/edit/savemeta.c (line 27):

	#define DFT_SAVE_FILE "/tmp/gfsmeta"
	...
	if (!out_fn)
		out_fn = DFT_SAVE_FILE;
	out_fd = open(out_fn, O_RDWR | O_CREAT, 0644);
	if (out_fd < 0)
		die("Can't open %s: %s\n", out_fn, strerror(errno));
	if (ftruncate(out_fd, 0))
		die("Can't truncate %s: %s\n", out_fn, strerror(errno));

This file is part of the binary gfs2_edit (package gfs2-tools) which is run as root.

3) In ccs/ccs_tool/upgrade.c (line 223):

	sprintf(tmp_file, "/tmp/tmp_%d", getpid());
	tmp_fd = open(tmp_file, O_RDWR | O_CREAT | O_TRUNC, S_IRUSR|S_IWUSR);
	...
	unlink(tmp_file);

The filename depends only on the PID of the process. However, the binary ccs_tool does not seem to be part of any package built from the redhat-cluster source package.

Cheers,
Tobias
Bug#496410: The possibility of attack with the help of symlinks in some Debian packages
severity 496410 grave
thanks

SL So I don't think I've made a mistake here.

You are mistaken, see http://www.debian.org/Bugs/Developer.en.html#severities

quote:
  grave
    makes the package in question unusable or mostly so, or causes data loss, or introduces a security hole allowing access to the accounts of users who use the package.

_or_ _causes_ _data_ _loss_

create symlink /etc/shadow <- /tmp/eglog and you lose the data of /etc/shadow :)

-- 
... mpd is off

. ''`.                               Dmitry E. Oboukhov
: :’ :   mailto://[EMAIL PROTECTED]   jabber://[EMAIL PROTECTED]
`. `~’   GPGKey: 1024D / F8E26537 2006-11-21
  `-     1B23 D4F8 8EC0 D902 0555 E438 AB8C 00CF F8E2 6537
Bug#496410: The possibility of attack with the help of symlinks in some Debian packages
severity 496410 important
thanks

On Wed, Aug 27, 2008 at 07:12:29PM +0400, Dmitry E. Oboukhov wrote:
> _or_ _causes_ _data_ _loss_

It does not cause data loss, the admin needs to execute it.

And now stop bitching around.

Bastian

-- 
Superior ability breeds superior ambition.
		-- Spock, "Space Seed", stardate 3141.9
Bug#496410: The possibility of attack with the help of symlinks in some Debian packages
tags 496410 security
thanks

On 13:15 Sun 24 Aug , Steve Langasek wrote:
SL severity 496410 important
SL thanks

You are mistaken :)
Your script is placed in /usr/sbin, i.e. it runs with root privs.
If I create symlink /etc/shadow <- /tmp/eglog and You start this script, then your system will be damaged.
Please, check it again :)
(and please, revert severity level)

SL On Sun, Aug 24, 2008 at 10:05:29PM +0400, Dmitry E. Oboukhov wrote:
SL > Package: cman
SL > Severity: grave
SL > Binary-package: cman (2.20080629-1)
SL > file: /usr/sbin/fence_egenera
SL > The broken usage is:
SL >
SL >   local *egen_log;
SL >   open(egen_log,">>/tmp/eglog");
SL >   [...]
SL >   print egen_log "shutdown: $trys$status\n";
SL >   [...]
SL >   print egen_log "shutdown: crash dump being performed. Waiting\n";
SL >   [...]
SL >   print egen_log "shutdown: $cmd being called, before open3\n";
SL >   [...]
SL >   print egen_log "shutdown: after calling open3\n";
SL >   [...]
SL >   print egen_log "shutdown: Open3 result: ", @outlines, "\n";
SL >   [...]
SL >   print egen_log "shutdown: Returning from pserver_shutdown with return code $rtrn\n";

SL This is, of course, wrong, and subject to symlink attack. However, I don't
SL see any way that this can be exploitable for privilege escalation, which is
SL the standard for 'grave' severity security bugs: it doesn't allow arbitrary
SL output to the file, only a finite set of strings which are not valid shell,
SL cron entries, password/shadow entries, or any other config file that I know
SL of.

SL So at best this appears to be a DoS symlink attack; therefore downgrading.

-- 
. ''`.                               Dmitry E. Oboukhov
: :’ :   [EMAIL PROTECTED]
`. `~’   GPGKey: 1024D / F8E26537 2006-11-21
  `-     1B23 D4F8 8EC0 D902 0555 E438 AB8C 00CF F8E2 6537
Bug#496410: The possibility of attack with the help of symlinks in some Debian packages
On Mon, Aug 25, 2008 at 10:40:31AM +0400, Dmitry E. Oboukhov wrote:
> On 13:15 Sun 24 Aug , Steve Langasek wrote:
> SL severity 496410 important
> SL thanks

> You are mistaken :)
> Your script is placed in /usr/sbin, i.e. it runs with root privs.
> If I create symlink /etc/shadow <- /tmp/eglog and You start this script, then your system will be damaged.

The standard for grave-severity security bugs in Debian is "can be used by an attacker to gain control of an account of a user who uses this package", not "can be used by an attacker to create a Denial of Service by breaking the system". Writing this garbage to /etc/shadow will not result in privilege escalation, it will only result in a broken system; therefore, it is my understanding that this is not a grave bug.

So I don't think I've made a mistake here.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
[EMAIL PROTECTED]                                   [EMAIL PROTECTED]
Bug#496410: The possibility of attack with the help of symlinks in some Debian packages
severity 496410 important
thanks

On Sun, Aug 24, 2008 at 10:05:29PM +0400, Dmitry E. Oboukhov wrote:
> Package: cman
> Severity: grave
> Binary-package: cman (2.20080629-1)
> file: /usr/sbin/fence_egenera
> The broken usage is:
>
>   local *egen_log;
>   open(egen_log,">>/tmp/eglog");
>   [...]
>   print egen_log "shutdown: $trys$status\n";
>   [...]
>   print egen_log "shutdown: crash dump being performed. Waiting\n";
>   [...]
>   print egen_log "shutdown: $cmd being called, before open3\n";
>   [...]
>   print egen_log "shutdown: after calling open3\n";
>   [...]
>   print egen_log "shutdown: Open3 result: ", @outlines, "\n";
>   [...]
>   print egen_log "shutdown: Returning from pserver_shutdown with return code $rtrn\n";

This is, of course, wrong, and subject to symlink attack. However, I don't see any way that this can be exploitable for privilege escalation, which is the standard for 'grave' severity security bugs: it doesn't allow arbitrary output to the file, only a finite set of strings which are not valid shell, cron entries, password/shadow entries, or any other config file that I know of.

So at best this appears to be a DoS symlink attack; therefore downgrading.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
[EMAIL PROTECTED]                                   [EMAIL PROTECTED]
Bug#496410: The possibility of attack with the help of symlinks in some Debian packages
Package: cman
Severity: grave

Hi, maintainer!

This message about the error concerns a few packages at once.

I've tested all the packages (for Lenny) on my Debian mirror. All scripts of packages (marked as executable) were tested. In some packages I've discovered scripts with errors which may be used by a user for damaging important system files or user's files.

For example if a script uses in its work a temp file which is created in /tmp directory, then every user can create symlink with the same name in this directory in order to destroy or rewrite some system or user file.

Symlink attack may also lead not only to the data destruction but to denial of service as well.

Even if you create files or directories with help of function 'RANDOM' or pid(), then your system is not protected. Attacker can create many symlinks in order to destroy your data or create 'denial of service' for your package scripts.

Even if you make rm(dir) for files/directories, then your system is not protected. Attacker can permanently create symlinks.

This list is created with the help of script. This list is sorted by hand. However in some cases mistake is possible. Please be understanding of possible mistakes. :)

I set Severity into grave for this bug.

The table of discovered problems is below.
Discussion of this bug you can see in debian-devel@:
http://lists.debian.org/debian-devel/2008/08/msg00271.html

Binary-package: r-base-core-ra (1.1.1-1)
	file: /usr/lib/Ra/lib/R/bin/javareconf
Binary-package: rccp (0.9-2)
	file: /usr/lib/rccp/delqueueask
Binary-package: mafft (6.240-1)
	file: /usr/bin/mafft-homologs
Binary-package: openoffice.org-common (1:2.4.1-6)
	file: /usr/lib/openoffice/program/senddoc
Binary-package: crossfire-maps (1.11.0-1)
	file: /usr/share/games/crossfire/maps/Info/combine.pl
Binary-package: sgml2x (1.0.0-11.1)
	file: /usr/bin/rlatex
Binary-package: liguidsoap (0.3.6-4)
	file: /var/lib/liguidsoap/liguidsoap.py
Binary-package: citadel-server (7.37-1)
	file: /usr/lib/citadel-server/migrate_aliases.sh
Binary-package: ampache (3.4.1-1)
	file: /usr/share/ampache/www/locale/base/gather-messages.sh
Binary-package: xen-utils-3.2-1 (3.2.1-2)
	file: /usr/lib/xen-3.2-1/bin/qemu-dm.debug
Binary-package: dtc-common (0.29.6-1)
	file: /usr/share/dtc/admin/accesslog.php
	file: /usr/share/dtc/admin/sa-wrapper
Binary-package: honeyd-common (1.5c-3)
	file: /usr/share/honeyd/scripts/test.sh
Binary-package: lustre-tests (1.6.5-1)
	file: /usr/lib/lustre/tests/runiozone
Binary-package: linuxtrade (3.65-8+b4)
	file: /usr/share/linuxtrade/bin/linuxtrade.bwkvol
	file: /usr/share/linuxtrade/bin/linuxtrade.wn
	file: /usr/share/linuxtrade/bin/moneyam.helper
Binary-package: freevo (1.8.1-0)
	file: /usr/bin/freevo.real
Binary-package: fml (4.0.3.dfsg-2)
	file: /usr/share/fml/libexec/mead.pl
Binary-package: rkhunter (1.3.2-3)
	file: /usr/bin/rkhunter
Binary-package: openswan (1:2.4.12+dfsg-1.1)
	file: /usr/lib/ipsec/livetest
Binary-package: linux-patch-openswan (1:2.4.12+dfsg-1.1)
	file: /usr/src/kernel-patches/all/openswan/packaging/utils/maysnap
	file: /usr/src/kernel-patches/all/openswan/packaging/utils/maytest
Binary-package: aptoncd (0.1-1.1)
	file: /usr/share/aptoncd/xmlfile.py
Binary-package: cdcontrol (1.90-1.1)
	file: /usr/lib/cdcontrol/writtercontrol
Binary-package: newsgate (1.6-23)
	file: /usr/bin/mkmailpost
Binary-package: gpsdrive-scripts (2.10~pre4-3)
	file: /usr/bin/geo-code
Binary-package: impose+ (0.2-11)
	file: /usr/bin/impose
Binary-package: mgt (2.31-5)
	file: /usr/games/mailgo
Binary-package: audiolink (0.05-1)
	file: /usr/bin/audiolink
Binary-package: ibackup (2.27-4.1)
	file: /usr/bin/ibackup
Binary-package: emacspeak (26.0-3)
	file: /usr/share/emacs/site-lisp/emacspeak/etc/extract-table.pl
Binary-package: bk2site (1:1.1.9-3.1)
	file: /usr/lib/cgi-bin/bk2site/redirect.pl
Binary-package: datafreedom-perl (0.1.7-1)
	file: /usr/bin/dfxml-invoice
Binary-package: emacs-jabber (0.7.91-1)
	file: /usr/lib/emacsen-common/packages/install/emacs-jabber
Binary-package: lmbench (3.0-a7-1)
	file: /usr/lib/lmbench/scripts/rccs
	file: /usr/lib/lmbench/scripts/STUFF
Binary-package: rancid-util (2.3.2~a8-1)
	file: /var/lib/rancid/getipacctg
Binary-package: ogle (0.9.2-5.2)
	file: /usr/lib/ogle/ogle_audio_debug
	file: /usr/lib/ogle/ogle_cli_debug
	file: /usr/lib/ogle/ogle_ctrl_debug
	file: /usr/lib/ogle/ogle_gui_debug
	file: /usr/lib/ogle/ogle_mpeg_ps_debug
	file: /usr/lib/ogle/ogle_mpeg_vs_debug
	file: /usr/lib/ogle/ogle_nav_debug
	file: /usr/lib/ogle/ogle_vout_debug
Binary-package: firehol (1.256-4)
	file: /sbin/firehol
Binary-package: aview (1.3.0rc1-8)
	file: /usr/bin/asciiview
Binary-package: radiance (3R9+20080530-3)
	file: /usr/bin/optics2rad
	file: /usr/bin/pdelta
	file: /usr/bin/dayfact
	file: /usr/bin/raddepend
Binary-package:
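The report above argues that a fixed or PID-derived temp name in /tmp gives a local user a symlink through which a root-run script writes into a file of the attacker's choosing, and the later findings in this thread (the /tmp/gfsmeta and /tmp/tmp_<pid> opens in redhat-cluster) are exactly that pattern in C. The following program is an added example written for this thread; it is not code from the bug report or from redhat-cluster. It plants a symlink at a PID-derived name inside a private mkdtemp() directory, shows an O_CREAT open without O_EXCL following it and overwriting the target, then shows the same open refused by O_EXCL|O_NOFOLLOW and the idiomatic mkstemp() replacement. The directory layout, the "shadow" victim file, its one line of content and all function names are constructed for the demo.

```c
/* Added example, not code from redhat-cluster or the bug report. It reproduces
 * the report's claim that a fixed or PID-derived name in a shared directory
 * (the /tmp/gfsmeta and /tmp/tmp_<pid> cases above) can be redirected through a
 * planted symlink, and shows the two fixes: O_EXCL|O_NOFOLLOW and mkstemp().
 * Everything runs inside a private mkdtemp() directory; the "shadow" victim
 * file and its one line are constructed stand-ins, not real system files. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

static const char VICTIM_LINE[] = "root:$6$constructed$hash:17000:0:99999:7:::\n";

/* Attacker's move, shared by the demos: create the victim and put a symlink
 * at the predictable name the privileged program will open. */
static int plant_symlink(const char *dir, char *victim, char *tmp, size_t len) {
    snprintf(victim, len, "%s/shadow", dir);
    snprintf(tmp, len, "%s/tmp_%d", dir, getpid()); /* PID is guessable */
    FILE *fp = fopen(victim, "w");
    if (!fp || fputs(VICTIM_LINE, fp) == EOF || fclose(fp) != 0) return -1;
    unlink(tmp);
    return symlink(victim, tmp);
}

/* The ccs_tool/gfs2_edit pattern: O_CREAT without O_EXCL follows the symlink,
 * so the "temp file" write truncates and overwrites the victim.
 * Returns 1 when the victim now holds the program's output. */
int unsafe_open_clobbers_victim(const char *dir) {
    char victim[PATH_MAX], tmp[PATH_MAX], buf[128] = "";
    if (plant_symlink(dir, victim, tmp, PATH_MAX) != 0) return -1;
    int fd = open(tmp, O_RDWR | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR);
    if (fd < 0) return -1;
    ssize_t n = write(fd, "shutdown: garbage\n", 18);
    close(fd);
    unlink(tmp);
    if (n != 18) return -1;
    FILE *fp = fopen(victim, "r");
    if (!fp) return -1;
    if (!fgets(buf, sizeof buf, fp)) buf[0] = '\0';
    fclose(fp);
    return strcmp(buf, "shutdown: garbage\n") == 0;
}

/* Hardened open: O_EXCL fails if anything (a symlink included) already sits at
 * the path, and O_NOFOLLOW refuses symlinks outright. Returns the errno of the
 * refused open (EEXIST or ELOOP), or 0 if it wrongly succeeded. */
int hardened_open_refuses_symlink(const char *dir) {
    char victim[PATH_MAX], tmp[PATH_MAX];
    if (plant_symlink(dir, victim, tmp, PATH_MAX) != 0) return -1;
    int fd = open(tmp, O_RDWR | O_CREAT | O_EXCL | O_NOFOLLOW, S_IRUSR | S_IWUSR);
    int err = fd < 0 ? errno : 0;
    if (fd >= 0) close(fd);
    unlink(tmp);
    return err;
}

/* The fix that needs no name games at all: mkstemp() picks the name and creates
 * it with O_CREAT|O_EXCL in one step. Check the result with fstat() on the
 * descriptor, never stat() on the path, so a later swap cannot fool the check.
 * Returns 1 if the result is a fresh mode-0600 regular file. */
int mkstemp_gives_private_file(const char *dir) {
    char tmpl[PATH_MAX];
    struct stat st;
    snprintf(tmpl, sizeof tmpl, "%s/dump.XXXXXX", dir);
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    int ok = fstat(fd, &st) == 0 && S_ISREG(st.st_mode)
             && st.st_nlink == 1 && (st.st_mode & 0777) == 0600;
    close(fd);
    unlink(tmpl);
    return ok;
}

/* Run all three in a private directory; returns a bitmask, 7 = all as expected. */
int run_demo(void) {
    char dir[PATH_MAX], victim[PATH_MAX];
    const char *base = getenv("TMPDIR");
    snprintf(dir, sizeof dir, "%s/symlink-demo.XXXXXX", base ? base : "/tmp");
    if (!mkdtemp(dir)) return -1;
    int mask = 0;
    if (unsafe_open_clobbers_victim(dir) == 1) mask |= 1;
    int err = hardened_open_refuses_symlink(dir);
    if (err == EEXIST || err == ELOOP) mask |= 2;
    if (mkstemp_gives_private_file(dir) == 1) mask |= 4;
    snprintf(victim, sizeof victim, "%s/shadow", dir);
    unlink(victim);
    rmdir(dir);
    return mask;
}

int main(void) {
    int mask = run_demo();
    printf("unsafe open clobbered victim:        %s\n", (mask & 1) ? "yes" : "no");
    printf("O_EXCL|O_NOFOLLOW refused symlink:   %s\n", (mask & 2) ? "yes" : "no");
    printf("mkstemp created a private file:      %s\n", (mask & 4) ? "yes" : "no");
    return mask == 7 ? 0 : 1;
}
```

Two caveats for anyone reproducing this against a real /tmp rather than the private directory used here: on Linux kernels with fs.protected_symlinks=1 (the default on most current distributions) a symlink in a world-writable sticky directory is only followed when the follower's uid matches the link's or the directory's owner, so the cross-user case in this thread is blocked by the kernel even if the program is not fixed; and a retry loop that merely unlinks and recreates a predictable name does not help, which is the report's point about rm, because the attacker can re-plant the link between the unlink and the open.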