Bug#496361: The possibility of attack with the help of symlinks in some Debian packages
Hi,

Thijs Kinkhorst wrote:
> Rene Engelhard wrote:
> > I so far thought mktemp was safe enough? (of course, we get
> > senddoc.mutt., but...
>
> mktemp is safe enough. I think Dmitry refers to lines 3 and 4 of that script:
>
> echo "$@" > /tmp/log.obr.$$
> echo "$#" >> /tmp/log.obr.$$
>
> which I agree should not be there, probably leftover debug code?

Sigh. Yes, looks like it. (Checked with the 3.0 packages, which don't
have those lines anymore).

Regards,

Rene
Processed: Re: Bug#496361: The possibility of attack with the help of symlinks in some Debian packages
Processing commands for [EMAIL PROTECTED]:

> found 496361 1:2.4.1-6
Bug#496361: The possibility of attack with the help of symlinks in some Debian packages
Bug marked as found in version 1:2.4.1-6.

> notfound 496361 1:3.0.0~beta2-1
Bug#496361: The possibility of attack with the help of symlinks in some Debian packages
Bug no longer marked as found in version 1:3.0.0~beta2-1.

> notfound 496361 2.0.4.dfsg.2-7etch5
Bug#496361: The possibility of attack with the help of symlinks in some Debian packages
Bug no longer marked as found in version 2.0.4.dfsg.2-7etch5.

> tag 496361 + pending
Bug#496361: The possibility of attack with the help of symlinks in some Debian packages
There were no tags set.
Tags added: pending

> thanks
Stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)
Bug#496361: The possibility of attack with the help of symlinks in some Debian packages
found 496361 1:2.4.1-6
notfound 496361 1:3.0.0~beta2-1
notfound 496361 2.0.4.dfsg.2-7etch5
tag 496361 + pending
thanks

Dmitry E. Oboukhov wrote:
> #!/bin/sh
> URI_ENCODE="`dirname $0`/uri-encode"
>
> echo "$@" > /tmp/log.obr.$$
> echo "$#" >> /tmp/log.obr.$$
[...]

Oops, I didn't see it because I checked in the 3.0 packages which don't
have it anymore.. (Only 2.4.1 is affected)

Regards,

Rene
Bug#496361: The possibility of attack with the help of symlinks in some Debian packages
On 06:13 Mon 25 Aug , Rene Engelhard wrote:

RE> Hi,

RE> Dmitry E. Oboukhov wrote:
RE>> For example if a script uses in its work a temp file which is created
RE>> in /tmp directory, then every user can create symlink with the same
RE>> name in this directory in order to destroy or rewrite some system
RE>> or user file. Symlink attack may also lead not only to the data
RE>> destruction but to denial of service as well.
RE>>
RE>> Even if you create files or directories with help of function 'RANDOM'
RE>> or pid(), then your system is not protected. Attacker can create many
RE>> symlinks in order to destroy your data or create 'denial of service'
RE>> for your package scripts.
RE> [...]
RE>> Binary-package: openoffice.org-common (1:2.4.1-6)
RE>>     file: /usr/lib/openoffice/program/senddoc

RE> I guess you mean this snippet in the mutt handling part of senddoc?

$ grep -A5 -B5 /tmp/ /usr/lib/openoffice/program/senddoc
#!/bin/sh
URI_ENCODE="`dirname $0`/uri-encode"

echo "$@" > /tmp/log.obr.$$
echo "$#" >> /tmp/log.obr.$$

# tries to locate the executable specified
# as first parameter in the user's path.
which() {
    if [ ! -z "$1" ]; then

example for attacker script:

#!...perl

$file_for_attack='/path/to/file';
while(1) {
    exit unless fork;
    symlink $file_for_attack, "/tmp//tmp/log.obr.$_" for ($$ .. $$+1);
}

RE> [...]
RE>         --body)
RE>             TEMPLATE="`basename $0`.mutt."
RE>             BODY=`mktemp -q -t ${TEMPLATE}`
RE>             echo "$2" > $BODY
RE>             shift
RE> [...]
RE>         x-terminal-emulator -e ${MAILER} \
RE>             ${FROM:+-e} ${FROM:+"set from=\"${FROM}\""} \
RE>             ${CC:+-c} ${CC:+"${CC}"} \
RE>             ${BCC:+-b} ${BCC:+"${BCC}"} \
RE>             ${SUBJECT:+-s} ${SUBJECT:+"${SUBJECT}"} \
RE>             ${BODY:+-i} ${BODY:+"${BODY}"} \
RE>             ${ATTACH:+-a} ${ATTACH:+"${ATTACH}"} \
RE>             ${TO:+"${TO}"} &
RE>         rm -f $BODY
RE> [...]

RE> I so far thought mktemp was safe enough? (of course, we get
RE> senddoc.mutt., but...

RE> Regards,

RE> Rene

--
Dmitry E. Oboukhov
Bug#496361: The possibility of attack with the help of symlinks in some Debian packages
Hi Rene,

Rene Engelhard wrote:
> I so far thought mktemp was safe enough? (of course, we get
> senddoc.mutt., but...

mktemp is safe enough. I think Dmitry refers to lines 3 and 4 of that script:

echo "$@" > /tmp/log.obr.$$
echo "$#" >> /tmp/log.obr.$$

which I agree should not be there, probably leftover debug code?

cheers,
Thijs
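An added example, not part of the original thread or of the OpenOffice.org packaging: it contrasts the predictable-name redirect quoted above with two safer forms, noclobber and mktemp, when the log name already exists as a symlink. The sandbox layout, the PID 12345 and the function names are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example. Everything happens inside a throwaway sandbox directory;
# the file names and the PID 12345 are constructed for the demonstration.

setup_sandbox() {
    SANDBOX=$(mktemp -d) || return 1
    VICTIM="$SANDBOX/victim.txt"      # a file the script's user can write to
    LOG="$SANDBOX/log.obr.12345"      # stands in for /tmp/log.obr.$$
    echo "important data" > "$VICTIM"
    ln -s "$VICTIM" "$LOG"            # the name is already taken by a symlink
}

# Pattern from senddoc 2.4.1: '>' follows the symlink and truncates its target.
write_predictable() {                 # $1 = path, $2 = text
    echo "$2" > "$1"
}

# Mitigation 1: noclobber (set -C) makes '>' fail rather than overwrite.
write_noclobber() {                   # $1 = path, $2 = text
    ( set -C; echo "$2" > "$1" ) 2>/dev/null
}

# Mitigation 2: mktemp chooses an unpredictable name and creates the file
# itself, failing if the name exists; the function prints the path created.
write_mktemp() {                      # $1 = directory, $2 = text
    f=$(mktemp "$1/log.obr.XXXXXXXXXX") || return 1
    echo "$2" > "$f"
    printf '%s\n' "$f"
}

setup_sandbox || exit 1
if write_noclobber "$LOG" "debug"; then r=written; else r=refused; fi
echo "noclobber:   $r, victim holds: $(cat "$VICTIM")"
p=$(write_mktemp "$SANDBOX" "debug")
echo "mktemp:      wrote ${p##*/}, victim holds: $(cat "$VICTIM")"
write_predictable "$LOG" "debug"
echo "predictable: victim holds: $(cat "$VICTIM")"
rm -rf "$SANDBOX"
```

Only the last call changes the victim file; the first two leave it holding its original contents.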
Bug#496361: The possibility of attack with the help of symlinks in some Debian packages
Hi again,

Rene Engelhard wrote:
> I so far thought mktemp was safe enough? (of course, we get
> senddoc.mutt., but...

Sorry, missed the final sentence: What do you propose instead?

Regards,

Rene
Bug#496361: The possibility of attack with the help of symlinks in some Debian packages
Hi,

Dmitry E. Oboukhov wrote:
> For example if a script uses in its work a temp file which is created
> in /tmp directory, then every user can create symlink with the same
> name in this directory in order to destroy or rewrite some system
> or user file. Symlink attack may also lead not only to the data
> destruction but to denial of service as well.
>
> Even if you create files or directories with help of function 'RANDOM'
> or pid(), then your system is not protected. Attacker can create many
> symlinks in order to destroy your data or create 'denial of service'
> for your package scripts.
[...]
> Binary-package: openoffice.org-common (1:2.4.1-6)
>     file: /usr/lib/openoffice/program/senddoc

I guess you mean this snippet in the mutt handling part of senddoc?

[...]
        --body)
            TEMPLATE="`basename $0`.mutt."
            BODY=`mktemp -q -t ${TEMPLATE}`
            echo "$2" > $BODY
            shift
[...]
        x-terminal-emulator -e ${MAILER} \
            ${FROM:+-e} ${FROM:+"set from=\"${FROM}\""} \
            ${CC:+-c} ${CC:+"${CC}"} \
            ${BCC:+-b} ${BCC:+"${BCC}"} \
            ${SUBJECT:+-s} ${SUBJECT:+"${SUBJECT}"} \
            ${BODY:+-i} ${BODY:+"${BODY}"} \
            ${ATTACH:+-a} ${ATTACH:+"${ATTACH}"} \
            ${TO:+"${TO}"} &
        rm -f $BODY
[...]

I so far thought mktemp was safe enough? (of course, we get
senddoc.mutt., but...

Regards,

Rene
Bug#496361: The possibility of attack with the help of symlinks in some Debian packages
Package: openoffice.org-common
Severity: grave

Hi, maintainer!

This message about the error concerns a few packages at once. I've
tested all the packages (for Lenny) on my Debian mirror. All scripts
of packages (marked as executable) were tested.

In some packages I've discovered scripts with errors which may be used
by a user for damaging important system files or user's files.

For example if a script uses in its work a temp file which is created
in /tmp directory, then every user can create symlink with the same
name in this directory in order to destroy or rewrite some system
or user file. Symlink attack may also lead not only to the data
destruction but to denial of service as well.

Even if you create files or directories with help of function 'RANDOM'
or pid(), then your system is not protected. Attacker can create many
symlinks in order to destroy your data or create 'denial of service'
for your package scripts.

Even if you make rm(dir) for files/directories, then your system is not
protected. Attacker can permanently create symlinks.

This list is created with the help of script. This list is sorted by
hand. However in some cases mistake is possible. Please, be
understanding to possible mistakes. :)

I set Severity into grave for this bug. The table of discovered
problems is below.

Discussion of this bug you can see in debian-devel@:
http://lists.debian.org/debian-devel/2008/08/msg00271.html

Binary-package: r-base-core-ra (1.1.1-1)
    file: /usr/lib/Ra/lib/R/bin/javareconf
Binary-package: rccp (0.9-2)
    file: /usr/lib/rccp/delqueueask
Binary-package: mafft (6.240-1)
    file: /usr/bin/mafft-homologs
Binary-package: openoffice.org-common (1:2.4.1-6)
    file: /usr/lib/openoffice/program/senddoc
Binary-package: crossfire-maps (1.11.0-1)
    file: /usr/share/games/crossfire/maps/Info/combine.pl
Binary-package: sgml2x (1.0.0-11.1)
    file: /usr/bin/rlatex
Binary-package: liguidsoap (0.3.6-4)
    file: /var/lib/liguidsoap/liguidsoap.py
Binary-package: citadel-server (7.37-1)
    file: /usr/lib/citadel-server/migrate_aliases.sh
Binary-package: ampache (3.4.1-1)
    file: /usr/share/ampache/www/locale/base/gather-messages.sh
Binary-package: xen-utils-3.2-1 (3.2.1-2)
    file: /usr/lib/xen-3.2-1/bin/qemu-dm.debug
Binary-package: dtc-common (0.29.6-1)
    file: /usr/share/dtc/admin/accesslog.php
    file: /usr/share/dtc/admin/sa-wrapper
Binary-package: honeyd-common (1.5c-3)
    file: /usr/share/honeyd/scripts/test.sh
Binary-package: lustre-tests (1.6.5-1)
    file: /usr/lib/lustre/tests/runiozone
Binary-package: linuxtrade (3.65-8+b4)
    file: /usr/share/linuxtrade/bin/linuxtrade.bwkvol
    file: /usr/share/linuxtrade/bin/linuxtrade.wn
    file: /usr/share/linuxtrade/bin/moneyam.helper
Binary-package: freevo (1.8.1-0)
    file: /usr/bin/freevo.real
Binary-package: fml (4.0.3.dfsg-2)
    file: /usr/share/fml/libexec/mead.pl
Binary-package: rkhunter (1.3.2-3)
    file: /usr/bin/rkhunter
Binary-package: openswan (1:2.4.12+dfsg-1.1)
    file: /usr/lib/ipsec/livetest
Binary-package: linux-patch-openswan (1:2.4.12+dfsg-1.1)
    file: /usr/src/kernel-patches/all/openswan/packaging/utils/maysnap
    file: /usr/src/kernel-patches/all/openswan/packaging/utils/maytest
Binary-package: aptoncd (0.1-1.1)
    file: /usr/share/aptoncd/xmlfile.py
Binary-package: cdcontrol (1.90-1.1)
    file: /usr/lib/cdcontrol/writtercontrol
Binary-package: newsgate (1.6-23)
    file: /usr/bin/mkmailpost
Binary-package: gpsdrive-scripts (2.10~pre4-3)
    file: /usr/bin/geo-code
Binary-package: impose+ (0.2-11)
    file: /usr/bin/impose
Binary-package: mgt (2.31-5)
    file: /usr/games/mailgo
Binary-package: audiolink (0.05-1)
    file: /usr/bin/audiolink
Binary-package: ibackup (2.27-4.1)
    file: /usr/bin/ibackup
Binary-package: emacspeak (26.0-3)
    file: /usr/share/emacs/site-lisp/emacspeak/etc/extract-table.pl
Binary-package: bk2site (1:1.1.9-3.1)
    file: /usr/lib/cgi-bin/bk2site/redirect.pl
Binary-package: datafreedom-perl (0.1.7-1)
    file: /usr/bin/dfxml-invoice
Binary-package: emacs-jabber (0.7.91-1)
    file: /usr/lib/emacsen-common/packages/install/emacs-jabber
Binary-package: lmbench (3.0-a7-1)
    file: /usr/lib/lmbench/scripts/rccs
    file: /usr/lib/lmbench/scripts/STUFF
Binary-package: rancid-util (2.3.2~a8-1)
    file: /var/lib/rancid/getipacctg
Binary-package: ogle (0.9.2-5.2)
    file: /usr/lib/ogle/ogle_audio_debug
    file: /usr/lib/ogle/ogle_cli_debug
    file: /usr/lib/ogle/ogle_ctrl_debug
    file: /usr/lib/ogle/ogle_gui_debug
    file: /usr/lib/ogle/ogle_mpeg_ps_debug
    file: /usr/lib/ogle/ogle_mpeg_vs_debug
    file: /usr/lib/ogle/ogle_nav_debug
    file: /usr/lib/ogle/ogle_vout_debug
Binary-package: firehol (1.256-4)
    file: /sbin/firehol
Binary-package: aview (1.3.0rc1-8)
    file: /usr/bin/asciiview
Binary-package: radiance (3R9+20080530-3)
    file: /usr/bin/optics2rad
    file: /usr/bin/pdelta
    file: /usr/bin/dayfact
    file: /usr/bin/raddepend
Binary