Bug#344029: Patch to fix this security bug
* Don Armstrong:

> Attached is the patch for the NMU that I am preparing; I will upload
> it to a delay queue sometime tomorrow (assuming it checks out when
> I've had more sleep.)

What has happened to the NMU?  Shall I upload your patch?
Bug#344029: Patch to fix this security bug
On Mon, 23 Jan 2006, Florian Weimer wrote:
> * Don Armstrong:
>> Attached is the patch for the NMU that I am preparing; I will upload
>> it to a delay queue sometime tomorrow (assuming it checks out when
>> I've had more sleep.)
>
> What has happened to the NMU?  Shall I upload your patch?

What should really happen is the package should be removed from testing
and unstable; I'll make an upload with it sometime today, then request
removal once it has propagated to unstable/testing.

Don Armstrong

-- 
Physics is like sex. Sure, it may give some practical results, but
that's not why we do it.
 -- Richard Feynman

http://www.donarmstrong.com              http://rzlab.ucr.edu
Bug#344029: Patch to fix this security bug
Florian,

Don't bother with the NMU - I just filed bug #349551 requesting the
removal of this package, as libemail-filter-perl has already got in.

Greetings,

-- 
Gunnar Wolf - [EMAIL PROTECTED] - (+52-55)5623-0154 / 1451-2244
PGP key 1024D/8BB527AF 2001-10-23
Fingerprint: 0C79 D2D1 2C4E 9CE4 5973 F800 D80E F35A 8BB5 27AF
Bug#344029: Bug #344029: Patch to fix this security bug
On Wed, Jan 04, 2006 at 03:27:48AM -0800, Don Armstrong wrote:
> Attached is the patch for the NMU that I am preparing; I will upload
> it to a delay queue sometime tomorrow (assuming it checks out when
> I've had more sleep.)

Hi, and thanks for the patch.

FWIW, we discussed this package a bit on the Debian Perl list (see the
thread at http://lists.debian.org/debian-perl/2005/12/msg00033.html),
and the consensus was that it should be removed. It's officially
unsupported upstream, and the author recommends Email::Filter (currently
in NEW) as a replacement. I'm going to file a removal request once
libemail-filter-perl gets in.

As for the /tmp vulnerabilities, the one in Mail::Audit::MimeEntity
doesn't look quite as serious to me. I looked into it a bit, and although
it does fall back to /tmp and follows symlinks, MIME::Parser uses a not
quite trivially guessable directory underneath (current time + process
ID, IIRC). Naturally, this doesn't mean it shouldn't be fixed.

If you still want to do the NMU, that's fine of course. I guess the
sarge version should be patched anyway.

Cheers,
-- 
Niko Tyni   [EMAIL PROTECTED]
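The /tmp problem discussed in this thread, reproduced as an added example (this is not code from libmail-audit-perl or from Don's patch): a log file opened by a predictable name such as `/tmp/<user>-audit.log` follows a symlink that an attacker planted in advance, so the "log" write lands in whatever the link points at. The script stages that in a scratch directory standing in for /tmp (the directory, victim file and log line are constructed for the demo), then shows two hardened alternatives: a fixed path opened with `O_EXCL|O_NOFOLLOW`, and the `File::Temp` approach the patch takes, keeping the returned handle instead of reopening by name. Names like `safe_fixed_log` and `naive_log` are the example's own.

```perl
#!/usr/bin/perl
# Added example, not part of libmail-audit-perl: predictable /tmp path
# vs. two hardened alternatives. Runs entirely inside a scratch directory.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_APPEND O_CREAT O_EXCL O_NOFOLLOW);
use File::Temp qw(tempdir tempfile);
use File::Spec;

# Scratch directory standing in for a world-writable /tmp (constructed
# for the demo; File::Temp removes it at exit).
my $fake_tmp = tempdir(CLEANUP => 1);

# A file the "attacker" wants the victim process to write into.
my $victim = File::Spec->catfile($fake_tmp, 'victim');
open my $vfh, '>', $victim or die "open $victim: $!";
print $vfh "original contents\n";
close $vfh;

# The attacker pre-creates a symlink at the name the module is known
# to use (same construction as the pre-patch Audit.pm default).
my $user        = getpwuid($<) || 'user';
my $predictable = File::Spec->catfile($fake_tmp, "$user-audit.log");
symlink $victim, $predictable or die "symlink: $!";

# 1. Naive pattern: open the predictable path for append. open() follows
#    the symlink, so the log line is appended to $victim instead.
sub naive_log {
    my ($path, $msg) = @_;
    open my $fh, '>>', $path or die "open $path: $!";
    print $fh $msg;
    close $fh;
}
naive_log($predictable, "log line\n");
open $vfh, '<', $victim or die "open $victim: $!";
my @lines = <$vfh>;
close $vfh;
printf "naive:    victim now has %d lines (symlink was followed)\n",
    scalar @lines;

# 2. Hardened open for a fixed path: O_EXCL refuses an existing name
#    (a symlink counts as existing) and O_NOFOLLOW refuses to traverse
#    one. Here it fails with EEXIST or ELOOP instead of writing.
sub safe_fixed_log {
    my ($path, $msg) = @_;
    sysopen(my $fh, $path,
            O_WRONLY | O_APPEND | O_CREAT | O_EXCL | O_NOFOLLOW, 0600)
        or return "refused: $!";
    print $fh $msg;
    close $fh;
    return 'ok';
}
print "nofollow: ", safe_fixed_log($predictable, "log line\n"), "\n";

# 3. File::Temp fallback, as the patch does for the no-$HOME case: the
#    name is random and the file is created O_EXCL. Use the handle that
#    tempfile() returns; reopening by name would reintroduce a race.
my ($tfh, $tname) = tempfile('mail_audit.log-XXXXXXXX', DIR => $fake_tmp);
print $tfh "log line\n";
close $tfh;
print "tempfile: wrote $tname\n";
```

Run it as an unprivileged user; the first section reports that the victim file gained a line, the second reports a refused open, and the third reports a freshly created, randomly named file. The same `sysopen` flags are what you would use if the patch's `$HOME/.mail_audit.log` branch needs to stay a fixed path.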
Bug#344029: Bug #344029: Patch to fix this security bug
On Fri, 06 Jan 2006, Niko Tyni wrote:
> On Wed, Jan 04, 2006 at 03:27:48AM -0800, Don Armstrong wrote:
>> Attached is the patch for the NMU that I am preparing; I will upload
>> it to a delay queue sometime tomorrow (assuming it checks out when
>> I've had more sleep.)
>
> Hi, and thanks for the patch.
>
> FWIW, we discussed this package a bit on the Debian Perl list (see
> the thread at http://lists.debian.org/debian-perl/2005/12/msg00033.html),
> and the consensus was that it should be removed. It's officially
> unsupported upstream, and the author recommends Email::Filter
> (currently in NEW) as a replacement. I'm going to file a removal
> request once libemail-filter-perl gets in.

The important issue is that we've made a stable release with the
package, and so the (albeit not so serious) security bug needs to be
fixed, even if we end up removing it from unstable and testing. [Which
I would recommend, given the rather lackluster quality of the code in
that module.]

Don Armstrong

-- 
This message brought to you by weapons of mass destruction related
program activities, and the letter G.

http://www.donarmstrong.com              http://rzlab.ucr.edu
Bug#344029: Patch to fix this security bug
tag 344029 patch thanks Attached is the patch for the NMU that I am preparing; I will upload it to a delay queue sometime tomorrow (assuming it checks out when I've had more sleep.) Don Armstrong -- A one-question geek test. If you get the joke, you're a geek: Seen on a California license plate on a VW Beetle: 'FEATURE'... -- Joshua D. Wachs - Natural Intelligence, Inc. http://www.donarmstrong.com http://rzlab.ucr.edu diff -u libmail-audit-perl-2.1/Audit.pm libmail-audit-perl-2.1/Audit.pm --- libmail-audit-perl-2.1/Audit.pm +++ libmail-audit-perl-2.1/Audit.pm @@ -4,7 +4,13 @@ my $logging; my $loglevel=3; -my $logfile = /tmp/.getpwuid($).-audit.log; +my $logfile; +if (exists $ENV{HOME} and defined $ENV{HOME} and -d $ENV{HOME}) { + $logfile = $ENV{HOME}/.mail_audit.log +} +else { + (undef,$logfile) = tempfile(mail_audit.log-X,TMPDIR=1); +} # -- # no user-modifiable parts below this line. @@ -18,6 +24,7 @@ use vars qw($VERSION @ISA @EXPORT @EXPORT_OK $ASSUME_MSGPREFIX); # @ISA will depend on whether the message is MIME; if it is, we'll be MIME::Entity. if not, we'll be Mail::Internet. use Fcntl ':flock'; +use File::Temp qw(tempfile); $ASSUME_MSGPREFIX = 0; diff -u libmail-audit-perl-2.1/debian/changelog libmail-audit-perl-2.1/debian/changelog --- libmail-audit-perl-2.1/debian/changelog +++ libmail-audit-perl-2.1/debian/changelog @@ -1,3 +1,13 @@ +libmail-audit-perl (2.1-5.1) unstable; urgency=high + + * NMU + * [SECURITY] Fix insecure tempfile creation with trivially guessable +filename (Closes: #344029) + * [SECURITY] Fix analogous insecure tempdir creation with trivially +guessable directory name + + -- Don Armstrong [EMAIL PROTECTED] Wed, 4 Jan 2006 01:51:30 -0800 + libmail-audit-perl (2.1-5) unstable; urgency=low * Add missing dependency on libmail-listdetector-perl (Closes: #29364) only in patch2: unchanged: --- libmail-audit-perl-2.1.orig/Audit/MimeEntity.pm +++ libmail-audit-perl-2.1/Audit/MimeEntity.pm 
@@ -4,6 +4,7 @@ use strict; use File::Path; +use File::Temp qw(tempdir) use MIME::Parser; use MIME::Entity; use Mail::Audit::MailInternet; @@ -12,10 +13,12 @@ $VERSION = '2.0'; -$MIME_PARSER_TMPDIR = /tmp/.getpwuid($).-mailaudit; - my $parser = MIME::Parser-new(); +# Create a tempdir using File::Temp::tempdir, have it be destroyed at +# END{} time. +$MIME_PARSER_TMPDIR = tempdir(CLEANUP = 1); + my @to_rmdir; sub autotype_new { @@ -23,8 +26,6 @@ my $mailinternet = shift; $parser-ignore_errors(1); -mkdir ($MIME_PARSER_TMPDIR, 0777); -if (! -d $MIME_PARSER_TMPDIR) { $MIME_PARSER_TMPDIR = /tmp } $parser-output_under($MIME_PARSER_TMPDIR); # todo: add eval error trapping. if there's a problem, return Mail::Audit::MailInternet as a fallback.
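Review bot: In the first Audit.pm hunk, the `-d $ENV{HOME}` test only establishes that the directory exists, not that the delivering process may write to it; when a filter runs with a $HOME that is read-only or belongs to another user, the later open of `$ENV{HOME}/.mail_audit.log` fails without ever reaching the tempfile fallback. Consider `-d $ENV{HOME} and -w $ENV{HOME}`. In the else branch, `(undef,$logfile) = tempfile(...)` discards the securely opened handle and keeps only the name, so the module has to reopen the file by path and gets a new randomly named log on every run; keep the handle (or open the fixed path with O_EXCL|O_NOFOLLOW) so the guarantee File::Temp gives is not thrown away.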
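Review bot: In the second Audit.pm hunk, `use File::Temp qw(tempfile);` is added next to `use Fcntl ':flock';`, which is below the `tempfile(...)` call the first hunk introduces in the `my $logfile` block. This compiles and runs, because `use` is processed at compile time and the call is written with parentheses, but the import should sit above its first use so a reader of the `$logfile` block can see where `tempfile` comes from; move it to the top of the file.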
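Review bot: The debian/changelog entry describes the change only as fixing a guessable tempfile and tempdir name, but the first Audit.pm hunk also moves the default log from `/tmp/<user>-audit.log` to `$HOME/.mail_audit.log` and makes the /tmp fallback name random per run. That is a user-visible behaviour change for anyone who reads the old log location; say so in the changelog (or a NEWS entry) alongside the `[SECURITY]` bullets.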
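Review bot: In the first MimeEntity.pm hunk, the added `use File::Temp qw(tempdir)` has no trailing semicolon (compare `use File::Temp qw(tempfile);` in Audit.pm), so as shown the file fails to compile with a syntax error at the following `use MIME::Parser;`. Add the semicolon before uploading; a `perl -c Audit/MimeEntity.pm` run would have caught it.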
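Review bot: In the second MimeEntity.pm hunk, `$MIME_PARSER_TMPDIR = tempdir(CLEANUP => 1)` runs at module load, so every process that merely loads Mail::Audit::MimeEntity creates a directory (and removes it at END) whether or not it ever parses a MIME message; creating it lazily inside `autotype_new`, just before `$parser->output_under($MIME_PARSER_TMPDIR)`, avoids that. Dropping the `mkdir ... 0777` and the `if (! -d $MIME_PARSER_TMPDIR) { $MIME_PARSER_TMPDIR = "/tmp" }` fallback is right, since falling back to the shared world-writable directory was the bug, but note that tempdir croaks on failure where the old code silently degraded, which makes the existing "todo: add eval error trapping" comment more pressing. Also check whether `my @to_rmdir;` is still needed now that CLEANUP handles removal of the directory.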