Bug#496418: The possibility of attack with the help of symlinks in some Debian packages

2008-08-25 Thread Thijs Kinkhorst
 Yes, something like that would be better - the current approach leaves a
 small but exploitable race condition.  I have no opinion on whether the
 race condition matters in practice, of course, but my gut says that the
 extra effort to use safe coding practices is so small that it's probably 
 worth it.

Yes, please fix this for lenny. Thanks!


Thijs




Bug#496418: The possibility of attack with the help of symlinks in some Debian packages

2008-08-24 Thread Dmitry E. Oboukhov
Package: r-base-core
Severity: grave

Hi, maintainer!

This message about the error concerns a few packages at once. I've
tested all the packages (for Lenny) on my Debian mirror. All scripts
in the packages (marked as executable) were tested.

In some packages I've discovered scripts with errors which may be used
by a user to damage important system files or users' files.

For example, if a script uses in its work a temp file which is created
in the /tmp directory, then every user can create a symlink with the same
name in this directory in order to destroy or rewrite some system
or user file. A symlink attack may lead not only to data
destruction but to denial of service as well.

Even if you create files or directories with the help of the function 'RANDOM'
or pid(), your system is not protected. An attacker can create many
symlinks in order to destroy your data or create a 'denial of service'
for your package scripts.

Even if you rm the files/directories, your system is
not protected. An attacker can permanently create symlinks.

This list was created with the help of a script. This list was sorted by
hand. However, in some cases a mistake is possible.

Please be understanding of possible mistakes. :)

I set the Severity to grave for this bug. The table of discovered
problems is below.

The discussion of this bug can be seen in debian-devel@:
http://lists.debian.org/debian-devel/2008/08/msg00271.html

Binary-package: r-base-core-ra (1.1.1-1)
file: /usr/lib/Ra/lib/R/bin/javareconf
Binary-package: rccp (0.9-2)
file: /usr/lib/rccp/delqueueask
Binary-package: mafft (6.240-1)
file: /usr/bin/mafft-homologs
Binary-package: openoffice.org-common (1:2.4.1-6)
file: /usr/lib/openoffice/program/senddoc
Binary-package: crossfire-maps (1.11.0-1)
file: /usr/share/games/crossfire/maps/Info/combine.pl
Binary-package: sgml2x (1.0.0-11.1)
file: /usr/bin/rlatex
Binary-package: liguidsoap (0.3.6-4)
file: /var/lib/liguidsoap/liguidsoap.py
Binary-package: citadel-server (7.37-1)
file: /usr/lib/citadel-server/migrate_aliases.sh
Binary-package: ampache (3.4.1-1)
file: /usr/share/ampache/www/locale/base/gather-messages.sh
Binary-package: xen-utils-3.2-1 (3.2.1-2)
file: /usr/lib/xen-3.2-1/bin/qemu-dm.debug
Binary-package: dtc-common (0.29.6-1)
file: /usr/share/dtc/admin/accesslog.php
file: /usr/share/dtc/admin/sa-wrapper
Binary-package: honeyd-common (1.5c-3)
file: /usr/share/honeyd/scripts/test.sh
Binary-package: lustre-tests (1.6.5-1)
file: /usr/lib/lustre/tests/runiozone
Binary-package: linuxtrade (3.65-8+b4)
file: /usr/share/linuxtrade/bin/linuxtrade.bwkvol
file: /usr/share/linuxtrade/bin/linuxtrade.wn
file: /usr/share/linuxtrade/bin/moneyam.helper
Binary-package: freevo (1.8.1-0)
file: /usr/bin/freevo.real
Binary-package: fml (4.0.3.dfsg-2)
file: /usr/share/fml/libexec/mead.pl
Binary-package: rkhunter (1.3.2-3)
file: /usr/bin/rkhunter
Binary-package: openswan (1:2.4.12+dfsg-1.1)
file: /usr/lib/ipsec/livetest
Binary-package: linux-patch-openswan (1:2.4.12+dfsg-1.1)
file: /usr/src/kernel-patches/all/openswan/packaging/utils/maysnap
file: /usr/src/kernel-patches/all/openswan/packaging/utils/maytest
Binary-package: aptoncd (0.1-1.1)
file: /usr/share/aptoncd/xmlfile.py
Binary-package: cdcontrol (1.90-1.1)
file: /usr/lib/cdcontrol/writtercontrol
Binary-package: newsgate (1.6-23)
file: /usr/bin/mkmailpost
Binary-package: gpsdrive-scripts (2.10~pre4-3)
file: /usr/bin/geo-code
Binary-package: impose+ (0.2-11)
file: /usr/bin/impose
Binary-package: mgt (2.31-5)
file: /usr/games/mailgo
Binary-package: audiolink (0.05-1)
file: /usr/bin/audiolink
Binary-package: ibackup (2.27-4.1)
file: /usr/bin/ibackup
Binary-package: emacspeak (26.0-3)
file: /usr/share/emacs/site-lisp/emacspeak/etc/extract-table.pl
Binary-package: bk2site (1:1.1.9-3.1)
file: /usr/lib/cgi-bin/bk2site/redirect.pl
Binary-package: datafreedom-perl (0.1.7-1)
file: /usr/bin/dfxml-invoice
Binary-package: emacs-jabber (0.7.91-1)
file: /usr/lib/emacsen-common/packages/install/emacs-jabber
Binary-package: lmbench (3.0-a7-1)
file: /usr/lib/lmbench/scripts/rccs
file: /usr/lib/lmbench/scripts/STUFF
Binary-package: rancid-util (2.3.2~a8-1)
file: /var/lib/rancid/getipacctg
Binary-package: ogle (0.9.2-5.2)
file: /usr/lib/ogle/ogle_audio_debug
file: /usr/lib/ogle/ogle_cli_debug
file: /usr/lib/ogle/ogle_ctrl_debug
file: /usr/lib/ogle/ogle_gui_debug
file: /usr/lib/ogle/ogle_mpeg_ps_debug
file: /usr/lib/ogle/ogle_mpeg_vs_debug
file: /usr/lib/ogle/ogle_nav_debug
file: /usr/lib/ogle/ogle_vout_debug
Binary-package: firehol (1.256-4)
file: /sbin/firehol
Binary-package: aview (1.3.0rc1-8)
file: /usr/bin/asciiview
Binary-package: radiance (3R9+20080530-3)
file: /usr/bin/optics2rad
file: /usr/bin/pdelta
file: /usr/bin/dayfact
file: /usr/bin/raddepend
Binary-package: 

Bug#496418: The possibility of attack with the help of symlinks in some Debian packages

2008-08-24 Thread Dirk Eddelbuettel

This is the same as the one I just answered for r-base-core-ra as
r-base-core-ra is an extension/specialisation of r-base-core.

So again:

# test functionality of the compiler
javac_works='not present'
if test -n "$JAVAC"; then
    javac_works='not functional'
    # fixed, world-writable paths: the names are predictable to every user
    rm -rf /tmp/A.java /tmp/A.class
    echo "public class A { }" > /tmp/A.java
    if test -e /tmp/A.java; then
        if ${JAVAC} /tmp/A.java > /dev/null; then
            if test -e /tmp/A.class; then
                javac_works=yes
            fi
        fi
    fi
    rm -rf /tmp/A.java /tmp/A.class
fi


rm just before file creation should prevent any symlink attack vectors, no?

Dirk

-- 
Three out of two people have difficulties with fractions.






Bug#496418: The possibility of attack with the help of symlinks in some Debian packages

2008-08-24 Thread Stephen Gran
This one time, at band camp, Dirk Eddelbuettel said:
 
 This is the same as the one I just answered for r-base-core-ra as
 r-base-core-ra is an extension/specialisation of r-base-core.
 
 So again:
 
 # test functionality of the compiler
 javac_works='not present'
 if test -n $JAVAC; then
 javac_works='not functional'
 rm -rf /tmp/A.java /tmp/A.class
 echo public class A { } > /tmp/A.java
 if test -e /tmp/A.java; then
 if ${JAVAC} /tmp/A.java > /dev/null; then
 if test -e /tmp/A.class; then
 javac_works=yes
 fi
 fi
 fi
 rm -rf /tmp/A.java /tmp/A.class
 fi
 
 
 rm just before file creation should prevent any symlink attack vectors, no?

No.
-- 
 -
|   ,''`.Stephen Gran |
|  : :' :[EMAIL PROTECTED] |
|  `. `'Debian user, admin, and developer |
|`- http://www.debian.org |
 -




Bug#496418: The possibility of attack with the help of symlinks in some Debian packages

2008-08-24 Thread Dirk Eddelbuettel

On 25 August 2008 at 01:43, Stephen Gran wrote:
| This one time, at band camp, Dirk Eddelbuettel said:
|  
|  This is the same as the one I just answered for r-base-core-ra as
|  r-base-core-ra is an extension/specialisation of r-base-core.
|  
|  So again:
|  
|  # test functionality of the compiler
|  javac_works='not present'
|  if test -n $JAVAC; then
|  javac_works='not functional'
|  rm -rf /tmp/A.java /tmp/A.class
|  echo public class A { } > /tmp/A.java
|  if test -e /tmp/A.java; then
|  if ${JAVAC} /tmp/A.java > /dev/null; then
|  if test -e /tmp/A.class; then
|  javac_works=yes
|  fi
|  fi
|  fi
|  rm -rf /tmp/A.java /tmp/A.class
|  fi
|  
|  
|  rm just before file creation should prevent any symlink attack vectors, no?
| 
| No.

All right, so what is a better way?  Use of tempfile(1) or mktemp(1)?

Dirk


| -- 
|  -
| |   ,''`.Stephen Gran |
| |  : :' :[EMAIL PROTECTED] |
| |  `. `'Debian user, admin, and developer |
| |`- http://www.debian.org |
|  -

-- 
Three out of two people have difficulties with fractions.






Bug#496418: The possibility of attack with the help of symlinks in some Debian packages

2008-08-24 Thread Stephen Gran
This one time, at band camp, Dirk Eddelbuettel said:
 
 On 25 August 2008 at 01:43, Stephen Gran wrote:
 | This one time, at band camp, Dirk Eddelbuettel said:
 |  
 |  This is the same as the one I just answered for r-base-core-ra as
 |  r-base-core-ra is an extension/specialisation of r-base-core.
 |  
 |  So again:
 |  
 |  # test functionality of the compiler
 |  javac_works='not present'
 |  if test -n $JAVAC; then
 |  javac_works='not functional'
 |  rm -rf /tmp/A.java /tmp/A.class
 |  echo public class A { } > /tmp/A.java
 |  if test -e /tmp/A.java; then
 |  if ${JAVAC} /tmp/A.java > /dev/null; then
 |  if test -e /tmp/A.class; then
 |  javac_works=yes
 |  fi
 |  fi
 |  fi
 |  rm -rf /tmp/A.java /tmp/A.class
 |  fi
 |  
 |  
 |  rm just before file creation should prevent any symlink attack vectors, 
 no?
 | 
 | No.
 
 All right, so what is a better way?  Use of tempfile(1) or mktemp(1)?

Yes, something like that would be better - the current approach leaves a
small but exploitable race condition.  I have no opinion on whether the
race condition matters in practice, of course, but my gut says that the
extra effort to use safe coding practices is so small that it's probably 
worth it.
-- 
 -
|   ,''`.Stephen Gran |
|  : :' :[EMAIL PROTECTED] |
|  `. `'Debian user, admin, and developer |
|`- http://www.debian.org |
 -


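Added example, not code from the r-base-core script or from anyone in this thread: the javac probe above rewritten around mktemp(1), the approach Stephen endorses, so that the scratch files never have a name another user can predict or pre-place a symlink at (the attack the bug report describes). The function name javac_works, the template name and the use of a private directory rather than two separate files are assumptions.

```shell
#!/bin/sh
# Probe whether a javac binary works, keeping all scratch files in a
# private directory created by mktemp -d (mode 0700, unpredictable name).
# mktemp creates the directory itself and fails if the name already
# exists, so a symlink planted in /tmp beforehand cannot be followed.

# Usage: javac_works /path/to/javac
# Prints one of: "not present", "not functional", "yes".
javac_works() {
    javac="$1"
    [ -n "$javac" ] || { echo 'not present'; return 0; }

    # Private scratch directory; the template name is an assumption.
    tmpdir=$(mktemp -d "${TMPDIR:-/tmp}/javareconf.XXXXXX") || {
        echo 'not functional'; return 0; }
    # Clean up even if the script is interrupted mid-probe.
    trap 'rm -rf "$tmpdir"' EXIT INT TERM

    result='not functional'
    # Every path below is inside a directory only this user can write to,
    # so no rm-before-create dance is needed and no race window exists.
    printf 'public class A { }\n' > "$tmpdir/A.java" &&
        "$javac" "$tmpdir/A.java" >/dev/null 2>&1 &&
        [ -e "$tmpdir/A.class" ] && result=yes

    rm -rf "$tmpdir"
    trap - EXIT INT TERM
    echo "$result"
}
```

The same pattern applies to any of the scripts listed in the report: create the scratch location with mktemp, then derive every temp path from it instead of from a fixed name under /tmp.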