Bug#344029: Patch to fix this security bug

2006-01-23 Thread Florian Weimer
* Don Armstrong:

 Attached is the patch for the NMU that I am preparing; I will upload
 it to a delay queue sometime tomorrow (assuming it checks out when
 I've had more sleep.)

What has happened to the NMU?  Shall I upload your patch?


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Bug#344029: Patch to fix this security bug

2006-01-23 Thread Don Armstrong
On Mon, 23 Jan 2006, Florian Weimer wrote:
 * Don Armstrong:
  Attached is the patch for the NMU that I am preparing; I will upload
  it to a delay queue sometime tomorrow (assuming it checks out when
  I've had more sleep.)
 
 What has happened to the NMU?  Shall I upload your patch?

What should really happen is the package should be removed from
testing and unstable; I'll make an upload with it sometime today, then
request removal once it has propagated to unstable/testing.


Don Armstrong.

-- 
Physics is like sex. Sure, it may give some practical results, but
that's not why we do it.
 -- Richard Feynman

http://www.donarmstrong.com  http://rzlab.ucr.edu




Bug#344029: Patch to fix this security bug

2006-01-23 Thread Gunnar Wolf
Florian,

Don't bother with the NMU - I just filed bug #349551 requesting the
removal of this package, as libemail-filter-perl has already got in.

Greetings,

-- 
Gunnar Wolf - [EMAIL PROTECTED] - (+52-55)5623-0154 / 1451-2244
PGP key 1024D/8BB527AF 2001-10-23
Fingerprint: 0C79 D2D1 2C4E 9CE4 5973  F800 D80E F35A 8BB5 27AF




Bug#344029: Bug #344029: Patch to fix this security bug

2006-01-06 Thread Niko Tyni
On Wed, Jan 04, 2006 at 03:27:48AM -0800, Don Armstrong wrote:
 
 Attached is the patch for the NMU that I am preparing; I will upload
 it to a delay queue sometime tomorrow (assuming it checks out when
 I've had more sleep.)

Hi,

and thanks for the patch.

FWIW, we discussed this package a bit on the Debian Perl list (see the
thread at http://lists.debian.org/debian-perl/2005/12/msg00033.html),
and the consensus was that it should be removed. It's officially
unsupported upstream, and the author recommends Email::Filter
(currently in NEW) as a replacement. I'm going to file a removal
request once libemail-filter-perl gets in.

As for the /tmp vulnerabilities, the one in Mail::Audit::MimeEntity
doesn't look quite as serious to me. I looked into it a bit, and
although it does fall back to /tmp and follows symlinks, MIME::Parser
uses a not quite trivially guessable directory underneath (current time
+ process ID, IIRC). Naturally, this doesn't mean it shouldn't be
fixed.

If you still want to do the NMU, that's fine of course. I guess the
sarge version should be patched anyway.

Cheers,
-- 
Niko Tyni   [EMAIL PROTECTED]




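To make the /tmp issue Niko describes concrete, here is an added Perl demonstration (not code from Mail::Audit, from the Debian patch, or from anyone in this thread). It reproduces the pre-patch pattern, a log file at a predictable name in a shared directory opened for append, against a symlink planted in advance, then shows what File::Temp's O_EXCL creation and a 0700 temp directory change, plus an O_NOFOLLOW append for the case where a fixed name has to be reopened. All file and directory names are made up for the demo and everything happens inside a private scratch directory, so the real /tmp is never touched; it assumes a Linux/POSIX system where Fcntl exports O_NOFOLLOW.

```perl
#!/usr/bin/perl
# Added demonstration, not code from Mail::Audit or from the Debian patch.
# Reproduces the pre-patch pattern (predictable log name in a shared
# directory, opened for append) against a pre-planted symlink, then shows
# what File::Temp changes.  Names below are constructed for the demo.
use strict;
use warnings;
use Fcntl qw(:DEFAULT :flock);     # O_NOFOLLOW assumed available (Linux)
use File::Spec;
use File::Temp qw(tempfile tempdir);

# Scratch directory standing in for the shared /tmp; removed at exit.
my $shared = tempdir('demo-shared-XXXXXXXX', TMPDIR => 1, CLEANUP => 1);

# Predictable name in the style of the old code: "/tmp/<user>-audit.log".
my $user        = getpwuid($<) // $<;
my $predictable = File::Spec->catfile($shared, "$user-audit.log");

# A file the victim owns and would not want a mail filter appending to.
# Anyone who can write to the shared directory plants a symlink at the
# predictable name pointing at it, before the filter ever runs.
my $victim = File::Spec->catfile($shared, 'victim.txt');
open my $vfh, '>', $victim or die "create $victim: $!";
print {$vfh} "original contents\n";
close $vfh;
symlink $victim, $predictable or die "symlink: $!";

# Pre-patch pattern: open(LOG, ">>$logfile") happily follows the symlink.
sub append_by_name {
    my ($path, $msg) = @_;
    open my $fh, '>>', $path or return 0;
    flock $fh, LOCK_EX;
    print {$fh} $msg;
    close $fh;
    return 1;
}

append_by_name($predictable, "audit: delivered message\n");
open my $cfh, '<', $victim or die "$victim: $!";
my @lines = <$cfh>;
close $cfh;
print "after the vulnerable append, victim.txt has ", scalar @lines, " lines:\n";
print "  $_" for @lines;   # the audit line landed in the victim's file

# Hardened pattern 1: File::Temp picks an unpredictable name and creates it
# with O_CREAT|O_EXCL, so a pre-planted symlink is never reused and the file
# is ours (mode 0600) from the first byte.
my ($lfh, $logpath) = tempfile('mail_audit.log-XXXXXXXX', DIR => $shared);
print {$lfh} "audit: delivered message\n";
close $lfh;
printf "hardened log at %s, mode %04o, symlink: %s\n",
    $logpath, (stat $logpath)[2] & 07777, (-l $logpath ? 'yes' : 'no');

# Hardened pattern 2: when a fixed name must be reopened later, refuse to
# go through a symlink at all; O_NOFOLLOW makes the open fail with ELOOP.
sub append_nofollow {
    my ($path, $msg) = @_;
    sysopen(my $fh, $path, O_WRONLY | O_APPEND | O_NOFOLLOW) or return 0;
    flock $fh, LOCK_EX;
    print {$fh} $msg;
    close $fh;
    return 1;
}
print "O_NOFOLLOW append via the planted symlink: ",
    (append_nofollow($predictable, "x\n") ? "went through (!)" : "refused: $!"), "\n";
print "O_NOFOLLOW append to the File::Temp log:   ",
    (append_nofollow($logpath, "audit: second message\n") ? "ok" : "refused: $!"), "\n";

# The MIME::Parser side of the bug is the same problem with a directory.
# tempdir() creates it 0700 under an unpredictable name, so nobody else can
# pre-create it or plant symlinks inside it; compare mkdir($dir, 0777) with
# a fallback to /tmp itself when that fails.
my $partsdir = tempdir('mailaudit-XXXXXXXX', DIR => $shared, CLEANUP => 1);
printf "MIME parts directory %s, mode %04o\n",
    $partsdir, (stat $partsdir)[2] & 07777;
```

Run it as an ordinary user; the first section shows the audit line appended to victim.txt through the symlink, the File::Temp log comes back as a regular 0600 file under a fresh name, and the O_NOFOLLOW open of the predictable name is refused while the same open on the File::Temp file succeeds. The point of the last section is that a directory created 0700 by tempdir needs no guessing-resistance argument at all, unlike the time-plus-PID names Niko mentions.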

Bug#344029: Bug #344029: Patch to fix this security bug

2006-01-06 Thread Don Armstrong
On Fri, 06 Jan 2006, Niko Tyni wrote:
 On Wed, Jan 04, 2006 at 03:27:48AM -0800, Don Armstrong wrote:
  Attached is the patch for the NMU that I am preparing; I will upload
  it to a delay queue sometime tomorrow (assuming it checks out when
  I've had more sleep.)
 
 Hi,
 
 and thanks for the patch.
 
 FWIW, we discussed this package a bit on the Debian Perl list (see the
 thread at http://lists.debian.org/debian-perl/2005/12/msg00033.html),
 and the consensus was that it should be removed. It's officially
 unsupported upstream, and the author recommends Email::Filter
 (currently in NEW) as a replacement. I'm going to file a removal
 request once libemail-filter-perl gets in.

The important issue is that we've made a stable release with the
package, and so the (albeit not so serious) security bug needs to be
fixed, even if we end up removing it from unstable and testing. [Which
I would recommend, given the rather lackluster quality of the code in
that module.]


Don Armstrong

-- 
This message brought to you by weapons of mass destruction related
program activities, and the letter G.

http://www.donarmstrong.com  http://rzlab.ucr.edu





Bug#344029: Patch to fix this security bug

2006-01-04 Thread Don Armstrong

tag 344029 patch
thanks

Attached is the patch for the NMU that I am preparing; I will upload
it to a delay queue sometime tomorrow (assuming it checks out when
I've had more sleep.)



Don Armstrong

-- 
A one-question geek test. If you get the joke, you're a geek: Seen on
a California license plate on a VW Beetle: 'FEATURE'...
 -- Joshua D. Wachs - Natural Intelligence, Inc.

http://www.donarmstrong.com  http://rzlab.ucr.edu
diff -u libmail-audit-perl-2.1/Audit.pm libmail-audit-perl-2.1/Audit.pm
--- libmail-audit-perl-2.1/Audit.pm
+++ libmail-audit-perl-2.1/Audit.pm
@@ -4,7 +4,13 @@
 
 my $logging;
 my $loglevel=3;
-my $logfile = /tmp/.getpwuid($).-audit.log;
+my $logfile;
+if (exists $ENV{HOME} and defined $ENV{HOME} and -d $ENV{HOME}) {
+ $logfile = $ENV{HOME}/.mail_audit.log
+}
+else {
+ (undef,$logfile) = tempfile(mail_audit.log-X,TMPDIR=1);
+}
 
 # --
 # no user-modifiable parts below this line.
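Review bot: the template passed to tempfile, `mail_audit.log-X` as it appears here, is rejected by File::Temp, which croaks unless the template ends in at least four `X` characters; it should be something like `mail_audit.log-XXXXXXXX` (ignore this if the archive dropped characters). Second, this call sits at file scope, so every process that merely loads Audit.pm without a usable $HOME creates a new file in the temp directory even when $logging is off and nothing is ever written; either create the file lazily on the first log write or pass UNLINK => 1 so they do not accumulate. The filehandle tempfile returns is also discarded (`(undef,$logfile)`) and later opens go by name, which is acceptable for a file created O_EXCL with mode 0600 but deserves a comment, and the `-d $ENV{HOME}` test does not check that HOME is writable, so logging to a read-only home fails silently.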
@@ -18,6 +24,7 @@
 use vars qw($VERSION @ISA @EXPORT @EXPORT_OK $ASSUME_MSGPREFIX);
 # @ISA will depend on whether the message is MIME; if it is, we'll be 
MIME::Entity.  if not, we'll be Mail::Internet.
 use Fcntl ':flock';
+use File::Temp qw(tempfile);
 
 $ASSUME_MSGPREFIX = 0;
 
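Review bot: `use File::Temp qw(tempfile);` is imported here, some twenty lines below the file-scope `tempfile(...)` call added in the previous hunk. This works because `use` is processed at compile time before any file-scope code runs, but a reader of the first hunk sees an apparently undeclared function; move this line up next to the `$logfile` block, or at least leave a comment there pointing at it.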
diff -u libmail-audit-perl-2.1/debian/changelog 
libmail-audit-perl-2.1/debian/changelog
--- libmail-audit-perl-2.1/debian/changelog
+++ libmail-audit-perl-2.1/debian/changelog
@@ -1,3 +1,13 @@
+libmail-audit-perl (2.1-5.1) unstable; urgency=high
+
+  * NMU
+  * [SECURITY] Fix insecure tempfile creation with trivially guessable
+filename (Closes: #344029)
+  * [SECURITY] Fix analogous insecure tempdir creation with trivially
+guessable directory name
+
+ -- Don Armstrong [EMAIL PROTECTED]  Wed,  4 Jan 2006 01:51:30 -0800
+
 libmail-audit-perl (2.1-5) unstable; urgency=low
 
   * Add missing dependency on libmail-listdetector-perl (Closes: #29364)
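Review bot: this entry targets `unstable` only, while the thread says the version that really needs the fix is the one shipped in the stable release (sarge); that requires a separate upload to the stable security queue with its own version number and changelog entry, since nothing uploaded to unstable reaches stable. Two smaller points: the first line should be the conventional "Non-maintainer upload." rather than the bare "NMU", and the second [SECURITY] item (the MimeEntity tempdir) carries no bug reference, so either cite the bug it fixes or say explicitly that it is the directory half of #344029.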
only in patch2:
unchanged:
--- libmail-audit-perl-2.1.orig/Audit/MimeEntity.pm
+++ libmail-audit-perl-2.1/Audit/MimeEntity.pm
@@ -4,6 +4,7 @@
 
 use strict;
 use File::Path;
+use File::Temp qw(tempdir)
 use MIME::Parser;
 use MIME::Entity;
 use Mail::Audit::MailInternet;
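Review bot: the added `use File::Temp qw(tempdir)` has no trailing semicolon, so as shown it is parsed together with the following `use MIME::Parser;` and the module fails to compile; it needs to be `use File::Temp qw(tempdir);`. The corresponding line in Audit.pm in this same patch does have the semicolon, so this looks like a typo rather than an archive artifact.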
@@ -12,10 +13,12 @@
 
 $VERSION = '2.0';
 
-$MIME_PARSER_TMPDIR = /tmp/.getpwuid($).-mailaudit;
-
 my $parser = MIME::Parser-new();
 
+# Create a tempdir using File::Temp::tempdir, have it be destroyed at
+# END{} time.
+$MIME_PARSER_TMPDIR = tempdir(CLEANUP = 1);
+
 my @to_rmdir;
 
 sub autotype_new { 
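Review bot: `tempdir(CLEANUP => 1)` now runs at file scope, so a directory is created in the temp directory every time the module is loaded, including in processes that never parse a MIME message; creating it on demand in autotype_new (or wherever it is first needed) avoids that. CLEANUP => 1 also means File::Temp removes the directory itself at exit, which overlaps with the existing `@to_rmdir` bookkeeping; check that the old removal path does not now trip over an already-deleted directory. Note the behaviour change as well: tempdir() croaks when it cannot create the directory, so a module that used to limp along on /tmp now dies at load time. That is the right choice, and the 0700 mode File::Temp uses is exactly what closes the shared-/tmp symlink problem Niko describes, but it deserves a line in the changelog.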
@@ -23,8 +26,6 @@
 my $mailinternet = shift;
 
 $parser-ignore_errors(1);
-mkdir ($MIME_PARSER_TMPDIR, 0777);
-if (! -d $MIME_PARSER_TMPDIR) { $MIME_PARSER_TMPDIR = /tmp }
 $parser-output_under($MIME_PARSER_TMPDIR);
 
 # todo: add eval error trapping.  if there's a problem, return 
Mail::Audit::MailInternet as a fallback.
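Review bot: with the `mkdir` and the `-d` check removed, `$MIME_PARSER_TMPDIR` is handed to `output_under` unverified. That is fine for the directory File::Temp just created, but `$MIME_PARSER_TMPDIR` is a package variable, so a caller can still assign it before autotype_new runs; if that override is meant to stay supported, keep a `-d` test here (without the `mkdir ..., 0777` and never with a fallback to a shared directory), and if it is not, make it a lexical so the override path is gone entirely. Dropping the `/tmp` fallback itself is the important part of this hunk and should be named in the changelog.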