Bug#496410: The possibility of attack with the help of symlinks in some Debian packages

2008-11-18 Thread Stefan Fritsch
The new upstream version that fixes this bug introduces a lot of other 
changes and doesn't seem acceptable for lenny.


Is anyone working on backporting the fix for a t-p-u upload? I can 
probably do it later this week but I don't want to duplicate work.


Cheers,
Stefan



--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Bug#496410: The possibility of attack with the help of symlinks in some Debian packages

2008-10-17 Thread Nico Golde
Hi,
the following two additional CVE ids have been assigned to 
symlink issues in cman & redhat-cluster:
CVE-2008-4579[0]:
| The (1) fence_apc and (2) fence_apc_snmp programs, as used in (a)
| fence 2.02.00-r1 and possibly (b) cman, when running in verbose mode,
| allows local users to append to arbitrary files via a symlink attack
| on the apclog temporary file.

CVE-2008-4580[1]:
| fence_manual in fence allows local users to modify arbitrary files via
| a symlink attack on the fence_manual.fifo temporary file.

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4579
http://security-tracker.debian.net/tracker/CVE-2008-4579
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4580
http://security-tracker.debian.net/tracker/CVE-2008-4580

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.




Bug#496410: The possibility of attack with the help of symlinks in some Debian packages

2008-10-11 Thread Tobias Klauser
Hi,

It looks like there are some more tempfile creation problems in the
redhat-cluster source package.

1) In rgmanager/src/daemons/main.c (line 707):

void
dump_internal_state(char *loc)
{
    FILE *fp;
    fp = fopen(loc, "w+");
    dump_config_version(fp);
    dump_threads(fp);
    dump_vf_states(fp);
#ifdef WRAP_THREADS
    dump_thread_states(fp);
#endif
    dump_cluster_ctx(fp);
    //malloc_dump_table(fp, 1, 16384); /* Only works if alloc.c is used */
    fclose(fp);
}
...
dump_internal_state("/tmp/rgmanager-dump");

This file is part of the binary clurgmgrd (package rgmanager) which is run as
root.

2) In gfs2/edit/savemeta.c (line 27):

#define DFT_SAVE_FILE "/tmp/gfsmeta"
...
if (!out_fn)
    out_fn = DFT_SAVE_FILE;
out_fd = open(out_fn, O_RDWR | O_CREAT, 0644);
if (out_fd < 0)
    die("Can't open %s: %s\n", out_fn, strerror(errno));

if (ftruncate(out_fd, 0))
    die("Can't truncate %s: %s\n", out_fn, strerror(errno));

This file is part of the binary gfs2_edit (package gfs2-tools) which is run as
root.

3) In ccs/ccs_tool/upgrade.c (line 223):

sprintf(tmp_file, "/tmp/tmp_%d", getpid());

tmp_fd = open(tmp_file, O_RDWR | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR);
...
unlink(tmp_file);

The filename only depends on the PID of the process. However, the binary
ccs_tool does not seem to be part of any package built from the redhat-cluster
source package.

Cheers, Tobias






Bug#496410: The possibility of attack with the help of symlinks in some Debian packages

2008-08-27 Thread Dmitry E. Oboukhov
severity 496410 grave
thanks

SL So I don't think I've made a mistake here.

You are mistaken, see
http://www.debian.org/Bugs/Developer.en.html#severities

quote:

grave
makes the package in question unusable or mostly so, or causes data
loss, or introduces a security hole allowing access to the accounts
of users who use the package.


_or_ _causes_ _data_ _loss_

create a symlink /etc/shadow <- /tmp/eglog and you lose the
data of /etc/shadow :)

--
... mpd is off

. ''`.   Dmitry E. Oboukhov
: :’  : mailto://[EMAIL PROTECTED] jabber://[EMAIL PROTECTED]
`. `~’  GPGKey: 1024D / F8E26537 2006-11-21
  `- 1B23 D4F8 8EC0 D902 0555  E438 AB8C 00CF F8E2 6537




Bug#496410: The possibility of attack with the help of symlinks in some Debian packages

2008-08-27 Thread Bastian Blank
severity 496410 important
thanks

On Wed, Aug 27, 2008 at 07:12:29PM +0400, Dmitry E. Oboukhov wrote:
> _or_ _causes_ _data_ _loss_

It does not cause data loss, the admin needs to execute it. And now stop
bitching around.

Bastian

-- 
Superior ability breeds superior ambition.
-- Spock, Space Seed, stardate 3141.9






Bug#496410: The possibility of attack with the help of symlinks in some Debian packages

2008-08-25 Thread Dmitry E. Oboukhov
tags 496410 security
thanks

On 13:15 Sun 24 Aug , Steve Langasek wrote:
SL severity 496410 important
SL thanks

You are mistaken :)

Your script is placed in /usr/sbin, i.e. it runs with root privs.
If I create a symlink /etc/shadow <- /tmp/eglog and you start this script,
then your system will be damaged.

Please, check it again :) (and please, revert severity level)

SL On Sun, Aug 24, 2008 at 10:05:29PM +0400, Dmitry E. Oboukhov wrote:
SL Package: cman
SL Severity: grave

SL Binary-package: cman (2.20080629-1)
SL file: /usr/sbin/fence_egenera

SL The broken usage is:

SL local *egen_log;
SL open(egen_log,">>/tmp/eglog");
SL [...]
SL print egen_log "shutdown: $trys$status\n";
SL [...]
SL print egen_log "shutdown: crash dump being performed. Waiting\n";
SL [...]
SL print egen_log "shutdown: $cmd  being called, before open3\n";
SL [...]
SL print egen_log "shutdown: after calling open3\n";
SL [...]
SL print egen_log "shutdown: Open3 result: ", @outlines, "\n";
SL [...]
SL print egen_log "shutdown: Returning from pserver_shutdown with return code $rtrn\n";

SL This is, of course, wrong, and subject to symlink attack.  However, I don't
SL see any way that this can be exploitable for privilege escalation, which is
SL the standard for 'grave' severity security bugs: it doesn't allow arbitrary
SL output to the file, only a finite set of strings which are not valid shell,
SL cron entries, password/shadow entries, or any other config file that I know
SL of.

SL So at best this appears to be a DoS symlink attack; therefore downgrading.
--

. ''`. Dmitry E. Oboukhov
: :’  : [EMAIL PROTECTED]
`. `~’ GPGKey: 1024D / F8E26537 2006-11-21
  `- 1B23 D4F8 8EC0 D902 0555  E438 AB8C 00CF F8E2 6537




Bug#496410: The possibility of attack with the help of symlinks in some Debian packages

2008-08-25 Thread Steve Langasek
On Mon, Aug 25, 2008 at 10:40:31AM +0400, Dmitry E. Oboukhov wrote:
> On 13:15 Sun 24 Aug , Steve Langasek wrote:
> SL severity 496410 important
> SL thanks
>
> You are mistaken :)
>
> Your script is placed in /usr/sbin, i.e. it runs with root privs.
> If I create a symlink /etc/shadow <- /tmp/eglog and you start this script,
> then your system will be damaged.

The standard for grave-severity security bugs in Debian is "can be used by
an attacker to gain control of an account of a user who uses this package",
not "can be used by an attacker to create a Denial of Service by breaking
the system".  Writing this garbage to /etc/shadow will not result in
privilege escalation, it will only result in a broken system; therefore, it
is my understanding that this is not a grave bug.

So I don't think I've made a mistake here.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                 to set it on, and I can move the world.
Ubuntu Developer                 http://www.debian.org/
[EMAIL PROTECTED]                [EMAIL PROTECTED]






Bug#496410: The possibility of attack with the help of symlinks in some Debian packages

2008-08-24 Thread Steve Langasek
severity 496410 important
thanks

On Sun, Aug 24, 2008 at 10:05:29PM +0400, Dmitry E. Oboukhov wrote:
> Package: cman
> Severity: grave
>
> Binary-package: cman (2.20080629-1)
> file: /usr/sbin/fence_egenera

The broken usage is:

local *egen_log;
open(egen_log,">>/tmp/eglog");
[...]
print egen_log "shutdown: $trys$status\n";
[...]
print egen_log "shutdown: crash dump being performed. Waiting\n";
[...]
print egen_log "shutdown: $cmd  being called, before open3\n";
[...]
print egen_log "shutdown: after calling open3\n";
[...]
print egen_log "shutdown: Open3 result: ", @outlines, "\n";
[...]
print egen_log "shutdown: Returning from pserver_shutdown with return code $rtrn\n";

This is, of course, wrong, and subject to symlink attack.  However, I don't
see any way that this can be exploitable for privilege escalation, which is
the standard for 'grave' severity security bugs: it doesn't allow arbitrary
output to the file, only a finite set of strings which are not valid shell,
cron entries, password/shadow entries, or any other config file that I know
of.

So at best this appears to be a DoS symlink attack; therefore downgrading.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                 to set it on, and I can move the world.
Ubuntu Developer                 http://www.debian.org/
[EMAIL PROTECTED]                [EMAIL PROTECTED]
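An added example, written for this archive page and not code from the bug report, from cman, or from redhat-cluster: it shows how the three temp-file patterns quoted in this thread (the fixed /tmp names in Tobias's rgmanager and gfs2_edit excerpts, the PID-based /tmp/tmp_%d name in ccs_tool, and the /tmp/eglog log file in fence_egenera) can be created by a root-run program without following a symlink somebody else planted at the path. The function names, the sandbox directory name and the victim file contents are my own constructions; the check creates a private directory, plants a symlink inside it, and verifies that the hardened open refuses the link while the file it points at is left intact.

```c
/* Added example, not part of the bug report or of redhat-cluster.
 * Function names (open_private_fixed, open_private_temp,
 * fd_is_private_regular, demo_symlink_is_refused) are assumed names. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Fixed, predictable name (the /tmp/rgmanager-dump, /tmp/gfsmeta and
 * /tmp/eglog cases).  O_EXCL makes open() fail if anything already exists
 * at the path, a symlink included, and O_NOFOLLOW refuses to traverse a
 * final symlink.  Mode 0600: a root-owned dump has no reason to be
 * world-readable.  Returns an fd, or -1 with errno set (EEXIST or ELOOP
 * when something was planted at the path). */
int open_private_fixed(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Unpredictable name (replaces the /tmp/tmp_%d-with-getpid() pattern):
 * mkstemp() creates a brand-new file atomically with O_EXCL and mode
 * 0600, so a pre-planted symlink is never reused and the name cannot be
 * guessed from the PID.  'tmpl' must end in XXXXXX and is overwritten
 * with the name actually chosen. */
int open_private_temp(char *tmpl)
{
    return mkstemp(tmpl);
}

/* Defensive check on an fd obtained elsewhere before writing to it:
 * the open object must be a regular file, owned by us, with one link. */
int fd_is_private_regular(int fd)
{
    struct stat st;
    if (fd < 0 || fstat(fd, &st) != 0)
        return 0;
    return S_ISREG(st.st_mode) && st.st_uid == geteuid() && st.st_nlink == 1;
}

/* Self-contained demonstration inside a private sandbox directory:
 * plant a symlink "dump" -> "victim" (both inside the sandbox), then
 * confirm that open_private_fixed() refuses it, that "victim" keeps its
 * constructed contents, and that open_private_temp() yields a private
 * regular file.  Returns 1 when all three hold, 0 otherwise. */
int demo_symlink_is_refused(void)
{
    char dir[] = "/tmp/symlink-demo-XXXXXX";       /* constructed sandbox */
    char victim[PATH_MAX], lnk[PATH_MAX], tmpl[PATH_MAX];
    const char *payload = "important data\n";     /* constructed contents */
    int ok = 0;

    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/dump", dir);
    snprintf(tmpl, sizeof tmpl, "%s/scratch-XXXXXX", dir);

    FILE *v = fopen(victim, "w");
    if (v == NULL)
        goto out;
    fputs(payload, v);
    fclose(v);

    if (symlink(victim, lnk) != 0)
        goto out;

    /* 1. the hardened open must refuse the planted symlink */
    int fd = open_private_fixed(lnk);
    int refused = (fd == -1 && (errno == EEXIST || errno == ELOOP));
    if (fd != -1)
        close(fd);

    /* 2. the file the link points at must be untouched */
    struct stat st;
    int intact = (stat(victim, &st) == 0 && st.st_size == (off_t)strlen(payload));

    /* 3. the mkstemp() path must give us a private regular file */
    int tfd = open_private_temp(tmpl);
    int private_ok = fd_is_private_regular(tfd);
    if (tfd != -1) {
        close(tfd);
        unlink(tmpl);
    }

    ok = refused && intact && private_ok;
    unlink(lnk);
out:
    unlink(victim);
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("hardened opens behaved as expected: %s\n",
           demo_symlink_is_refused() ? "yes" : "no");
    return 0;
}
```

The O_EXCL|O_NOFOLLOW form is the drop-in for code that must keep a fixed file name; where the name is only a scratch location, as in ccs_tool, mkstemp() (or mkdtemp() for a whole scratch directory) removes the race entirely, and neither approach needs the unlink-before-open dance that the original report explains does not help.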






Bug#496410: The possibility of attack with the help of symlinks in some Debian packages

2008-08-24 Thread Dmitry E. Oboukhov
Package: cman
Severity: grave

Hi, maintainer!

This message about the error concerns a few packages at once. I've
tested all the packages (for Lenny) on my Debian mirror. All scripts
of packages (marked as executable) were tested.

In some packages I've discovered scripts with errors which may be used
by a user for damaging important system files or user's files.

For example, if a script uses in its work a temp file which is created
in the /tmp directory, then every user can create a symlink with the same
name in this directory in order to destroy or rewrite some system
or user file. A symlink attack may also lead not only to data
destruction but to denial of service as well.

Even if you create files or directories with the help of the function 'RANDOM'
or pid(), your system is not protected. An attacker can create many
symlinks in order to destroy your data or create a 'denial of service'
for your package scripts.

Even if you rm(dir) files/directories, your system is
not protected. An attacker can permanently create symlinks.

This list was created with the help of a script and sorted by
hand. However, in some cases a mistake is possible.

Please be understanding of possible mistakes. :)

I set the severity to grave for this bug. The table of discovered
problems is below.

Discussion of this bug you can see in debian-devel@:
http://lists.debian.org/debian-devel/2008/08/msg00271.html

Binary-package: r-base-core-ra (1.1.1-1)
file: /usr/lib/Ra/lib/R/bin/javareconf
Binary-package: rccp (0.9-2)
file: /usr/lib/rccp/delqueueask
Binary-package: mafft (6.240-1)
file: /usr/bin/mafft-homologs
Binary-package: openoffice.org-common (1:2.4.1-6)
file: /usr/lib/openoffice/program/senddoc
Binary-package: crossfire-maps (1.11.0-1)
file: /usr/share/games/crossfire/maps/Info/combine.pl
Binary-package: sgml2x (1.0.0-11.1)
file: /usr/bin/rlatex
Binary-package: liguidsoap (0.3.6-4)
file: /var/lib/liguidsoap/liguidsoap.py
Binary-package: citadel-server (7.37-1)
file: /usr/lib/citadel-server/migrate_aliases.sh
Binary-package: ampache (3.4.1-1)
file: /usr/share/ampache/www/locale/base/gather-messages.sh
Binary-package: xen-utils-3.2-1 (3.2.1-2)
file: /usr/lib/xen-3.2-1/bin/qemu-dm.debug
Binary-package: dtc-common (0.29.6-1)
file: /usr/share/dtc/admin/accesslog.php
file: /usr/share/dtc/admin/sa-wrapper
Binary-package: honeyd-common (1.5c-3)
file: /usr/share/honeyd/scripts/test.sh
Binary-package: lustre-tests (1.6.5-1)
file: /usr/lib/lustre/tests/runiozone
Binary-package: linuxtrade (3.65-8+b4)
file: /usr/share/linuxtrade/bin/linuxtrade.bwkvol
file: /usr/share/linuxtrade/bin/linuxtrade.wn
file: /usr/share/linuxtrade/bin/moneyam.helper
Binary-package: freevo (1.8.1-0)
file: /usr/bin/freevo.real
Binary-package: fml (4.0.3.dfsg-2)
file: /usr/share/fml/libexec/mead.pl
Binary-package: rkhunter (1.3.2-3)
file: /usr/bin/rkhunter
Binary-package: openswan (1:2.4.12+dfsg-1.1)
file: /usr/lib/ipsec/livetest
Binary-package: linux-patch-openswan (1:2.4.12+dfsg-1.1)
file: /usr/src/kernel-patches/all/openswan/packaging/utils/maysnap
file: /usr/src/kernel-patches/all/openswan/packaging/utils/maytest
Binary-package: aptoncd (0.1-1.1)
file: /usr/share/aptoncd/xmlfile.py
Binary-package: cdcontrol (1.90-1.1)
file: /usr/lib/cdcontrol/writtercontrol
Binary-package: newsgate (1.6-23)
file: /usr/bin/mkmailpost
Binary-package: gpsdrive-scripts (2.10~pre4-3)
file: /usr/bin/geo-code
Binary-package: impose+ (0.2-11)
file: /usr/bin/impose
Binary-package: mgt (2.31-5)
file: /usr/games/mailgo
Binary-package: audiolink (0.05-1)
file: /usr/bin/audiolink
Binary-package: ibackup (2.27-4.1)
file: /usr/bin/ibackup
Binary-package: emacspeak (26.0-3)
file: /usr/share/emacs/site-lisp/emacspeak/etc/extract-table.pl
Binary-package: bk2site (1:1.1.9-3.1)
file: /usr/lib/cgi-bin/bk2site/redirect.pl
Binary-package: datafreedom-perl (0.1.7-1)
file: /usr/bin/dfxml-invoice
Binary-package: emacs-jabber (0.7.91-1)
file: /usr/lib/emacsen-common/packages/install/emacs-jabber
Binary-package: lmbench (3.0-a7-1)
file: /usr/lib/lmbench/scripts/rccs
file: /usr/lib/lmbench/scripts/STUFF
Binary-package: rancid-util (2.3.2~a8-1)
file: /var/lib/rancid/getipacctg
Binary-package: ogle (0.9.2-5.2)
file: /usr/lib/ogle/ogle_audio_debug
file: /usr/lib/ogle/ogle_cli_debug
file: /usr/lib/ogle/ogle_ctrl_debug
file: /usr/lib/ogle/ogle_gui_debug
file: /usr/lib/ogle/ogle_mpeg_ps_debug
file: /usr/lib/ogle/ogle_mpeg_vs_debug
file: /usr/lib/ogle/ogle_nav_debug
file: /usr/lib/ogle/ogle_vout_debug
Binary-package: firehol (1.256-4)
file: /sbin/firehol
Binary-package: aview (1.3.0rc1-8)
file: /usr/bin/asciiview
Binary-package: radiance (3R9+20080530-3)
file: /usr/bin/optics2rad
file: /usr/bin/pdelta
file: /usr/bin/dayfact
file: /usr/bin/raddepend
Binary-package: