Bug#496361: The possibility of attack with the help of symlinks in some Debian packages

2008-08-25 Thread Rene Engelhard
Hi,

Thijs Kinkhorst wrote:
> Rene Engelhard wrote:
> > I so far thought mktemp was safe enough? (of course, we get
> > senddoc.mutt., but...
> 
> mktemp is safe enough. I think Dmitry refers to lines 3 and 4 of that script:
> 
> echo "$@" > /tmp/log.obr.$$
> echo "$#" >> /tmp/log.obr.$$
> 
> which I agree should not be there, probably leftover debug code?

Sigh. Yes, looks like it. (Checked with the 3.0 packages, which don't have
those lines anymore).

Regards,

Rene



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Processed: Re: Bug#496361: The possibility of attack with the help of symlinks in some Debian packages

2008-08-25 Thread Debian Bug Tracking System
Processing commands for [EMAIL PROTECTED]:

> found 496361 1:2.4.1-6
Bug#496361: The possibility of attack with the help of symlinks in some Debian packages
Bug marked as found in version 1:2.4.1-6.

> notfound 496361 1:3.0.0~beta2-1
Bug#496361: The possibility of attack with the help of symlinks in some Debian packages
Bug no longer marked as found in version 1:3.0.0~beta2-1.

> notfound 496361 2.0.4.dfsg.2-7etch5
Bug#496361: The possibility of attack with the help of symlinks in some Debian packages
Bug no longer marked as found in version 2.0.4.dfsg.2-7etch5.

> tag 496361 + pending
Bug#496361: The possibility of attack with the help of symlinks in some Debian packages
There were no tags set.
Tags added: pending

> thanks
Stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)





Bug#496361: The possibility of attack with the help of symlinks in some Debian packages

2008-08-25 Thread Rene Engelhard
found 496361 1:2.4.1-6
notfound 496361 1:3.0.0~beta2-1
notfound 496361 2.0.4.dfsg.2-7etch5
tag 496361 + pending
thanks

Dmitry E. Oboukhov wrote:
> #!/bin/sh
> URI_ENCODE="`dirname $0`/uri-encode"
> 
> echo "$@" > /tmp/log.obr.$$
> echo "$#" >> /tmp/log.obr.$$
[...]

Oops, I didn't see it because I checked in the 3.0 packages, which don't have it
anymore.

(Only 2.4.1 is affected)

Regards,

Rene






Bug#496361: The possibility of attack with the help of symlinks in some Debian packages

2008-08-25 Thread Dmitry E. Oboukhov
On 06:13 Mon 25 Aug , Rene Engelhard wrote:
RE> Hi,

RE> Dmitry E. Oboukhov wrote:
RE>> For example, if a script uses in its work a temp file which is created
RE>> in the /tmp directory, then every user can create a symlink with the same
RE>> name in this directory in order to destroy or rewrite some system
RE>> or user file. A symlink attack may also lead not only to data
RE>> destruction but to denial of service as well.
RE>> 
RE>> Even if you create files or directories with the help of the function 'RANDOM'
RE>> or pid(), then your system is not protected. An attacker can create many
RE>> symlinks in order to destroy your data or create 'denial of service'
RE>> for your package scripts.
RE> [...]
RE>> Binary-package: openoffice.org-common (1:2.4.1-6)
RE>> file: /usr/lib/openoffice/program/senddoc

RE> I guess you mean this snippet in the mutt handling part of senddoc?
$ grep -A5 -B5 /tmp/ /usr/lib/openoffice/program/senddoc
#!/bin/sh
URI_ENCODE="`dirname $0`/uri-encode"

echo "$@" > /tmp/log.obr.$$
echo "$#" >> /tmp/log.obr.$$

# tries to locate the executable specified 
# as first parameter in the user's path.
which() {
if [ ! -z "$1" ]; then

example of an attacker script:

#!...perl

$file_for_attack='/path/to/file';

while(1)
{
exit unless fork;
symlink $file_for_attack, "/tmp//tmp/log.obr.$_" for ($$ .. $$+1);
}

RE> [...]
RE> --body)
RE> TEMPLATE="`basename $0`.mutt."
RE> BODY=`mktemp -q -t ${TEMPLATE}`
RE> echo "$2" > $BODY
RE> shift
RE> [...]
RE> x-terminal-emulator -e ${MAILER} \
RE> ${FROM:+-e} ${FROM:+"set from=\"${FROM}\""} \
RE> ${CC:+-c} ${CC:+"${CC}"} \
RE> ${BCC:+-b} ${BCC:+"${BCC}"} \
RE> ${SUBJECT:+-s} ${SUBJECT:+"${SUBJECT}"} \
RE> ${BODY:+-i} ${BODY:+"${BODY}"} \
RE> ${ATTACH:+-a} ${ATTACH:+"${ATTACH}"} \
RE> ${TO:+"${TO}"} &
RE> rm -f $BODY
RE> [...]

RE> I so far thought mktemp was safe enough? (of course, we get
RE> senddoc.mutt., but...

RE> Regards,

RE> Rene
--

. ''`. Dmitry E. Oboukhov
: :'  : [EMAIL PROTECTED]
`. `~' GPGKey: 1024D / F8E26537 2006-11-21
  `- 1B23 D4F8 8EC0 D902 0555  E438 AB8C 00CF F8E2 6537




Bug#496361: The possibility of attack with the help of symlinks in some Debian packages

2008-08-25 Thread Thijs Kinkhorst
Hi Rene,

Rene Engelhard wrote:
> I so far thought mktemp was safe enough? (of course, we get
> senddoc.mutt., but...

mktemp is safe enough. I think Dmitry refers to lines 3 and 4 of that script:

echo "$@" > /tmp/log.obr.$$
echo "$#" >> /tmp/log.obr.$$

which I agree should not be there, probably leftover debug code?


cheers,
Thijs




Bug#496361: The possibility of attack with the help of symlinks in some Debian packages

2008-08-24 Thread Rene Engelhard
Hi again,

Rene Engelhard wrote:
> I so far thought mktemp was safe enough? (of course, we get
> senddoc.mutt., but...

Sorry, missed the final sentence: What do you propose instead?

Regards,
 
Rene






Bug#496361: The possibility of attack with the help of symlinks in some Debian packages

2008-08-24 Thread Rene Engelhard
Hi,

Dmitry E. Oboukhov wrote:
> For example, if a script uses in its work a temp file which is created
> in the /tmp directory, then every user can create a symlink with the same
> name in this directory in order to destroy or rewrite some system
> or user file. A symlink attack may also lead not only to data
> destruction but to denial of service as well.
> 
> Even if you create files or directories with the help of the function 'RANDOM'
> or pid(), then your system is not protected. An attacker can create many
> symlinks in order to destroy your data or create 'denial of service'
> for your package scripts.
[...]
> Binary-package: openoffice.org-common (1:2.4.1-6)
> file: /usr/lib/openoffice/program/senddoc

I guess you mean this snippet in the mutt handling part of senddoc?

[...]
--body)
TEMPLATE="`basename $0`.mutt."
BODY=`mktemp -q -t ${TEMPLATE}`
echo "$2" > $BODY
shift
[...]
x-terminal-emulator -e ${MAILER} \
${FROM:+-e} ${FROM:+"set from=\"${FROM}\""} \
${CC:+-c} ${CC:+"${CC}"} \
${BCC:+-b} ${BCC:+"${BCC}"} \
${SUBJECT:+-s} ${SUBJECT:+"${SUBJECT}"} \
${BODY:+-i} ${BODY:+"${BODY}"} \
${ATTACH:+-a} ${ATTACH:+"${ATTACH}"} \
${TO:+"${TO}"} &
rm -f $BODY
[...]

I so far thought mktemp was safe enough? (of course, we get
senddoc.mutt., but...

Regards,

Rene






Bug#496361: The possibility of attack with the help of symlinks in some Debian packages

2008-08-24 Thread Dmitry E. Oboukhov
Package: openoffice.org-common
Severity: grave

Hi, maintainer!

This message about the error concerns a few packages at once. I've
tested all the packages (for Lenny) on my Debian mirror. All scripts
of packages (marked as executable) were tested.

In some packages I've discovered scripts with errors which may be used
by a user for damaging important system files or user's files.

For example, if a script uses in its work a temp file which is created
in the /tmp directory, then every user can create a symlink with the same
name in this directory in order to destroy or rewrite some system
or user file. A symlink attack may also lead not only to data
destruction but to denial of service as well.

Even if you create files or directories with the help of the function 'RANDOM'
or pid(), then your system is not protected. An attacker can create many
symlinks in order to destroy your data or create 'denial of service'
for your package scripts.

Even if you make rm(dir) for files/directories, then your system is
not protected. An attacker can permanently create symlinks.

This list is created with the help of a script. This list is sorted by
hand. However, in some cases a mistake is possible.

Please be understanding of possible mistakes. :)

I set Severity to grave for this bug. The table of discovered
problems is below.

Discussion of this bug you can see in debian-devel@:
http://lists.debian.org/debian-devel/2008/08/msg00271.html

Binary-package: r-base-core-ra (1.1.1-1)
file: /usr/lib/Ra/lib/R/bin/javareconf
Binary-package: rccp (0.9-2)
file: /usr/lib/rccp/delqueueask
Binary-package: mafft (6.240-1)
file: /usr/bin/mafft-homologs
Binary-package: openoffice.org-common (1:2.4.1-6)
file: /usr/lib/openoffice/program/senddoc
Binary-package: crossfire-maps (1.11.0-1)
file: /usr/share/games/crossfire/maps/Info/combine.pl
Binary-package: sgml2x (1.0.0-11.1)
file: /usr/bin/rlatex
Binary-package: liguidsoap (0.3.6-4)
file: /var/lib/liguidsoap/liguidsoap.py
Binary-package: citadel-server (7.37-1)
file: /usr/lib/citadel-server/migrate_aliases.sh
Binary-package: ampache (3.4.1-1)
file: /usr/share/ampache/www/locale/base/gather-messages.sh
Binary-package: xen-utils-3.2-1 (3.2.1-2)
file: /usr/lib/xen-3.2-1/bin/qemu-dm.debug
Binary-package: dtc-common (0.29.6-1)
file: /usr/share/dtc/admin/accesslog.php
file: /usr/share/dtc/admin/sa-wrapper
Binary-package: honeyd-common (1.5c-3)
file: /usr/share/honeyd/scripts/test.sh
Binary-package: lustre-tests (1.6.5-1)
file: /usr/lib/lustre/tests/runiozone
Binary-package: linuxtrade (3.65-8+b4)
file: /usr/share/linuxtrade/bin/linuxtrade.bwkvol
file: /usr/share/linuxtrade/bin/linuxtrade.wn
file: /usr/share/linuxtrade/bin/moneyam.helper
Binary-package: freevo (1.8.1-0)
file: /usr/bin/freevo.real
Binary-package: fml (4.0.3.dfsg-2)
file: /usr/share/fml/libexec/mead.pl
Binary-package: rkhunter (1.3.2-3)
file: /usr/bin/rkhunter
Binary-package: openswan (1:2.4.12+dfsg-1.1)
file: /usr/lib/ipsec/livetest
Binary-package: linux-patch-openswan (1:2.4.12+dfsg-1.1)
file: /usr/src/kernel-patches/all/openswan/packaging/utils/maysnap
file: /usr/src/kernel-patches/all/openswan/packaging/utils/maytest
Binary-package: aptoncd (0.1-1.1)
file: /usr/share/aptoncd/xmlfile.py
Binary-package: cdcontrol (1.90-1.1)
file: /usr/lib/cdcontrol/writtercontrol
Binary-package: newsgate (1.6-23)
file: /usr/bin/mkmailpost
Binary-package: gpsdrive-scripts (2.10~pre4-3)
file: /usr/bin/geo-code
Binary-package: impose+ (0.2-11)
file: /usr/bin/impose
Binary-package: mgt (2.31-5)
file: /usr/games/mailgo
Binary-package: audiolink (0.05-1)
file: /usr/bin/audiolink
Binary-package: ibackup (2.27-4.1)
file: /usr/bin/ibackup
Binary-package: emacspeak (26.0-3)
file: /usr/share/emacs/site-lisp/emacspeak/etc/extract-table.pl
Binary-package: bk2site (1:1.1.9-3.1)
file: /usr/lib/cgi-bin/bk2site/redirect.pl
Binary-package: datafreedom-perl (0.1.7-1)
file: /usr/bin/dfxml-invoice
Binary-package: emacs-jabber (0.7.91-1)
file: /usr/lib/emacsen-common/packages/install/emacs-jabber
Binary-package: lmbench (3.0-a7-1)
file: /usr/lib/lmbench/scripts/rccs
file: /usr/lib/lmbench/scripts/STUFF
Binary-package: rancid-util (2.3.2~a8-1)
file: /var/lib/rancid/getipacctg
Binary-package: ogle (0.9.2-5.2)
file: /usr/lib/ogle/ogle_audio_debug
file: /usr/lib/ogle/ogle_cli_debug
file: /usr/lib/ogle/ogle_ctrl_debug
file: /usr/lib/ogle/ogle_gui_debug
file: /usr/lib/ogle/ogle_mpeg_ps_debug
file: /usr/lib/ogle/ogle_mpeg_vs_debug
file: /usr/lib/ogle/ogle_nav_debug
file: /usr/lib/ogle/ogle_vout_debug
Binary-package: firehol (1.256-4)
file: /sbin/firehol
Binary-package: aview (1.3.0rc1-8)
file: /usr/bin/asciiview
Binary-package: radiance (3R9+20080530-3)
file: /usr/bin/optics2rad
file: /usr/bin/pdelta
file: /usr/bin/dayfact
file: /usr/bin/raddepend
Binary
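As an added example, not code from the bug report or from the openoffice.org package: a small shell audit helper in the spirit of the script Dmitry says he used, which flags /tmp paths built from $$ or $RANDOM (the pattern behind the senddoc debug lines that Thijs points to), beside a mktemp-based way to write such a scratch file. The inspected script is a constructed sample; `audit_tmp_usage`, `count_tmp_risks` and `safe_debug_log` are names chosen here.

```shell
#!/bin/sh
# Added example (not from the bug report or the openoffice.org package):
# an audit helper in the spirit of the script Dmitry used, and the
# hardened way to write a scratch file in /tmp.

# Print "line:text" for every line that builds a /tmp path from $$ or
# $RANDOM: names another local user can predict and pre-create as a symlink.
audit_tmp_usage() {
    grep -nE '/tmp/[^[:space:]"]*\$(\$|\{?RANDOM)' "$1"
}

# Number of such lines in the script (0 when clean).
count_tmp_risks() {
    audit_tmp_usage "$1" | wc -l | tr -d ' '
}

# Hardened replacement for senddoc's debug lines: mktemp creates the file
# itself (exclusive create, mode 0600), so a symlink planted at a guessed
# name cannot redirect the write; the caller gets the real path back.
safe_debug_log() {
    log=$(mktemp "${TMPDIR:-/tmp}/${0##*/}.debug.XXXXXX") || return 1
    printf '%s\n' "$@" > "$log"
    printf '%s\n' "$log"
}

# Constructed sample modelled on the affected senddoc: two unsafe debug
# lines followed by one safe mktemp use.
sample=$(mktemp) || exit 1
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
#!/bin/sh
echo "$@" > /tmp/log.obr.$$
echo "$#" >> /tmp/log.obr.$$
BODY=`mktemp -q -t senddoc.mutt.XXXXXX`
echo "$2" > $BODY
EOF

audit_tmp_usage "$sample"
echo "risky lines: $(count_tmp_risks "$sample")"
```

Run over a package's maintainer and helper scripts, the audit lists exactly the lines a reviewer would want to replace with mktemp.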