Your message dated Thu, 28 Aug 2008 14:02:04 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#496359: fixed in citadel 7.37-3
has caused the Debian Bug report #496359,
regarding The possibility of attack with the help of symlinks in some Debian packages
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)

--
496359: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496359
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: citadel-server
Severity: grave

Hi, maintainer!

This message about the error concerns a few packages at once. I've tested all the packages (for Lenny) on my Debian mirror. All scripts of the packages (marked as executable) were tested.

In some packages I've discovered scripts with errors which may be used by a user for damaging important system files or a user's files. For example, if a script uses in its work a temp file which is created in the /tmp directory, then every user can create a symlink with the same name in this directory in order to destroy or rewrite some system or user file. A symlink attack may lead not only to data destruction but to denial of service as well.

Even if you create files or directories with the help of the function 'RANDOM' or pid(), your system is not protected. An attacker can create many symlinks in order to destroy your data or create a 'denial of service' for your package scripts. Even if you rm(dir) files/directories, your system is not protected. An attacker can keep creating symlinks.

This list is created with the help of a script. This list is sorted by hand. However, in some cases a mistake is possible. Please be understanding about possible mistakes. :)

I set Severity to grave for this bug. The table of discovered problems is below.
Discussion of this bug can be seen in debian-devel@:
http://lists.debian.org/debian-devel/2008/08/msg00271.html

Binary-package: r-base-core-ra (1.1.1-1)
  file: /usr/lib/Ra/lib/R/bin/javareconf
Binary-package: rccp (0.9-2)
  file: /usr/lib/rccp/delqueueask
Binary-package: mafft (6.240-1)
  file: /usr/bin/mafft-homologs
Binary-package: openoffice.org-common (1:2.4.1-6)
  file: /usr/lib/openoffice/program/senddoc
Binary-package: crossfire-maps (1.11.0-1)
  file: /usr/share/games/crossfire/maps/Info/combine.pl
Binary-package: sgml2x (1.0.0-11.1)
  file: /usr/bin/rlatex
Binary-package: liguidsoap (0.3.6-4)
  file: /var/lib/liguidsoap/liguidsoap.py
Binary-package: citadel-server (7.37-1)
  file: /usr/lib/citadel-server/migrate_aliases.sh
Binary-package: ampache (3.4.1-1)
  file: /usr/share/ampache/www/locale/base/gather-messages.sh
Binary-package: xen-utils-3.2-1 (3.2.1-2)
  file: /usr/lib/xen-3.2-1/bin/qemu-dm.debug
Binary-package: dtc-common (0.29.6-1)
  file: /usr/share/dtc/admin/accesslog.php
  file: /usr/share/dtc/admin/sa-wrapper
Binary-package: honeyd-common (1.5c-3)
  file: /usr/share/honeyd/scripts/test.sh
Binary-package: lustre-tests (1.6.5-1)
  file: /usr/lib/lustre/tests/runiozone
Binary-package: linuxtrade (3.65-8+b4)
  file: /usr/share/linuxtrade/bin/linuxtrade.bwkvol
  file: /usr/share/linuxtrade/bin/linuxtrade.wn
  file: /usr/share/linuxtrade/bin/moneyam.helper
Binary-package: freevo (1.8.1-0)
  file: /usr/bin/freevo.real
Binary-package: fml (4.0.3.dfsg-2)
  file: /usr/share/fml/libexec/mead.pl
Binary-package: rkhunter (1.3.2-3)
  file: /usr/bin/rkhunter
Binary-package: openswan (1:2.4.12+dfsg-1.1)
  file: /usr/lib/ipsec/livetest
Binary-package: linux-patch-openswan (1:2.4.12+dfsg-1.1)
  file: /usr/src/kernel-patches/all/openswan/packaging/utils/maysnap
  file: /usr/src/kernel-patches/all/openswan/packaging/utils/maytest
Binary-package: aptoncd (0.1-1.1)
  file: /usr/share/aptoncd/xmlfile.py
Binary-package: cdcontrol (1.90-1.1)
  file: /usr/lib/cdcontrol/writtercontrol
Binary-package: newsgate (1.6-23)
  file: /usr/bin/mkmailpost
Binary-package: gpsdrive-scripts (2.10~pre4-3)
  file: /usr/bin/geo-code
Binary-package: impose+ (0.2-11)
  file: /usr/bin/impose
Binary-package: mgt (2.31-5)
  file: /usr/games/mailgo
Binary-package: audiolink (0.05-1)
  file: /usr/bin/audiolink
Binary-package: ibackup (2.27-4.1)
  file: /usr/bin/ibackup
Binary-package: emacspeak (26.0-3)
  file: /usr/share/emacs/site-lisp/emacspeak/etc/extract-table.pl
Binary-package: bk2site (1:1.1.9-3.1)
  file: /usr/lib/cgi-bin/bk2site/redirect.pl
Binary-package: datafreedom-perl (0.1.7-1)
  file: /usr/bin/dfxml-invoice
Binary-package: emacs-jabber (0.7.91-1)
  file: /usr/lib/emacsen-common/packages/install/emacs-jabber
Binary-package: lmbench (3.0-a7-1)
  file: /usr/lib/lmbench/scripts/rccs
  file: /usr/lib/lmbench/scripts/STUFF
Binary-package: rancid-util (2.3.2~a8-1)
  file: /var/lib/rancid/getipacctg
Binary-package: ogle (0.9.2-5.2)
  file: /usr/lib/ogle/ogle_audio_debug
  file: /usr/lib/ogle/ogle_cli_debug
  file: /usr/lib/ogle/ogle_ctrl_debug
  file: /usr/lib/ogle/ogle_gui_debug
  file: /usr/lib/ogle/ogle_mpeg_ps_debug
  file: /usr/lib/ogle/ogle_mpeg_vs_debug
  file: /usr/lib/ogle/ogle_nav_debug
  file: /usr/lib/ogle/ogle_vout_debug
Binary-package: firehol (1.256-4)
  file: /sbin/firehol
Binary-package: aview (1.3.0rc1-8)
  file: /usr/bin/asciiview
Binary-package: radiance (3R9+20080530-3)
  file: /usr/bin/optics2rad
  file: /usr/bin/pdelta
  file: /usr/bin/dayfact
  file: /usr/bin/raddepend
Binary-package: vdr-dbg (1.6.0-5)
  file: /usr/bin/vdrleaktest
Binary-package: ogle-mmx (0.9.2-5.2)
  file: /usr/lib/ogle/ogle_audio_debug
  file: /usr/lib/ogle/ogle_cli_debug
  file: /usr/lib/ogle/ogle_ctrl_debug
  file: /usr/lib/ogle/ogle_gui_debug
  file: /usr/lib/ogle/ogle_mpeg_ps_debug
  file: /usr/lib/ogle/ogle_mpeg_vs_debug
  file: /usr/lib/ogle/ogle_nav_debug
  file: /usr/lib/ogle/ogle_vout_debug
Binary-package: convirt (0.8.2-3)
  file: /usr/share/convirt/image_store/_template_/provision.sh
  file: /usr/share/convirt/image_store/Linux_CD_Install/provision.sh
  file: /usr/share/convirt/image_store/Fedora_PV_Install/provision.sh
  file: /usr/share/convirt/image_store/CentOS_PV_Install/provision.sh
  file: /usr/share/convirt/image_store/common/provision.sh
  file: /usr/share/convirt/image_store/example/provision.sh
  file: /usr/share/convirt/image_store/Windows_CD_Install/provision.sh
Binary-package: printfilters-ppd (2.13-9)
  file: /usr/lib/printfilters/master-filter
Binary-package: r-base-core (2.7.1-1)
  file: /usr/lib/R/bin/javareconf
  file: /usr/lib/R/bin/javareconf.orig
Binary-package: xmcd (2.6-19.3)
  file: /usr/share/xmcd/scripts/ncsarmt
  file: /usr/share/xmcd/scripts/ncsawrap
Binary-package: tiger (1:3.2.2-3.1)
  file: /usr/lib/tiger/util/genmsgidx
Binary-package: scilab-bin (4.1.2-5)
  file: /usr/lib/scilab-4.1.2/bin/scilink
  file: /usr/lib/scilab-4.1.2/util/scidoc
  file: /usr/lib/scilab-4.1.2/util/scidem
Binary-package: dpkg-cross (2.3.0)
  file: /usr/share/dpkg-cross/bin/gccross
Binary-package: ltp-network-test (20060918-2.1)
  file: /usr/lib/debian-test/tests/linux/testcases/bin/ftp_setup_vsftp_conf
  file: /usr/lib/debian-test/tests/linux/testcases/bin/nfs_fsstress.sh
Binary-package: cman (2.20080629-1)
  file: /usr/sbin/fence_egenera
Binary-package: scratchbox2 (1.99.0.24-1)
  file: /usr/share/scratchbox2/scripts/dpkg-checkbuilddeps
  file: /usr/share/scratchbox2/scripts/sb2-check-pkg-mappings
Binary-package: sendmail-base (8.14.3-5)
  file: /usr/sbin/checksendmail
  file: /usr/bin/expn
Binary-package: fwbuilder (2.1.19-3)
  file: /usr/bin/fwb_install
Binary-package: sng (1.0.2-5)
  file: /usr/bin/sng_regress
Binary-package: dist (1:3.5-17-1)
  file: /usr/bin/patcil
  file: /usr/bin/patdiff
Binary-package: sympa (5.3.4-5)
  file: /usr/lib/cgi-bin/sympa/wwsympa.fcgi
  file: /usr/lib/sympa/bin/sympa.pl
Binary-package: postfix (2.5.2-2)
  file: /usr/lib/postfix_groups.pl
Binary-package: caudium (3:1.4.12-11)
  file: /usr/share/caudium/configvar
Binary-package: mgetty-fax (1.1.36-1.2)
  file: /usr/bin/faxspool
Binary-package: aegis (4.24-3)
  file: /usr/share/doc/aegis/examples/remind/bng_dvlpd.sh
  file: /usr/share/doc/aegis/examples/remind/bng_rvwd.sh
  file: /usr/share/doc/aegis/examples/remind/awt_dvlp.sh
  file: /usr/share/doc/aegis/examples/remind/awt_intgrtn.sh
Binary-package: aegis-web (4.24-3)
  file: /usr/lib/cgi-bin/aegis.cgi
Binary-package: digitaldj (0.7.5-6+b1)
  file: /usr/share/digitaldj/fest.pl
Binary-package: mon (0.99.2-12)
  file: /usr/lib/mon/alert.d/test.alert
Binary-package: feta (1.4.16)
  file: /usr/share/feta/plugins/to-upgrade
Binary-package: arb-common (0.0.20071207.1-4)
  file: /usr/lib/arb/SH/arb_fastdnaml
  file: /usr/lib/arb/SH/dszmconnect.pl
Binary-package: qemu (0.9.1-5)
  file: /usr/sbin/qemu-make-debian-root
Binary-package: apertium (3.0.7+1-1+b1)
  file: /usr/bin/apertium-gen-deformat
  file: /usr/bin/apertium-gen-reformat
  file: /usr/bin/apertium
Binary-package: xcal (4.1-18.3)
  file: /usr/bin/pscal
Binary-package: myspell-tools (1:3.1-20)
  file: /usr/bin/i2myspell
Binary-package: gccxml (0.9.0+cvs20080525-1)
  file: /usr/share/gccxml-0.9/MIPSpro/find_flags
Binary-package: freeradius-dialupadmin (2.0.4+dfsg-4)
  file: /usr/share/freeradius-dialupadmin/bin/backup_radacct
  file: /usr/share/freeradius-dialupadmin/bin/clean_radacct
  file: /usr/share/freeradius-dialupadmin/bin/monthly_tot_stats
  file: /usr/share/freeradius-dialupadmin/bin/tot_stats
  file: /usr/share/freeradius-dialupadmin/bin/truncate_radacct
Binary-package: dhis-server (5.3-1)
  file: /usr/lib/dhis-server/dhis-dummy-log-engine
Binary-package: wims (3.62-13)
  file: /var/lib/wims/public_html/bin/coqweb
  file: /var/lib/wims/bin/account.sh
Binary-package: initramfs-tools (0.92f)
  file: /usr/share/initramfs-tools/init
Binary-package: realtimebattle-common (1.0.8-7)
  file: /usr/lib/realtimebattle/Robots/perl.robot
Binary-package: netmrg (0.20-1)
  file: /usr/bin/rrdedit
Binary-package: bulmages-servers (0.11.1-2)
  file: /usr/share/bulmages/examples/scripts/actualizabulmacont
  file: /usr/share/bulmages/examples/scripts/installbulmages-db
  file: /usr/share/bulmages/examples/scripts/creabulmafact
  file: /usr/share/bulmages/examples/scripts/creabulmacont
  file: /usr/share/bulmages/examples/scripts/actualizabulmafact
Binary-package: xastir (1.9.2-1)
  file: /usr/lib/xastir/get-maptools.sh
  file: /usr/lib/xastir/get_shapelib.sh
Binary-package: plait (1.5.2-1)
  file: /usr/bin/plaiter
  file: /usr/bin/plait
Binary-package: cdrw-taper (0.4-2)
  file: /usr/sbin/amlabel-cdrw
Binary-package: konwert-filters (1.8-11.1)
  file: /usr/share/konwert/filters/any-UTF8
Binary-package: gdrae (0.1-1)
  file: /usr/bin/gdrae
Binary-package: lazarus-src (0.9.24-0-9)
  file: /usr/lib/lazarus/tools/install/create_lazarus_export_tgz.sh
--- End Message ---
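The report above describes the temp-file pattern (a guessable name under /tmp, even with $$ or $RANDOM appended) and the changelog that closes the bug fixes it by not using temp files at all. The following is an added example, not code from the bug report or from the citadel package's own scripts: it puts the risky pattern beside a mktemp-based form with post-creation checks, a pipe-based form that avoids the temp file, and a small audit helper in the spirit of the script the reporter used to find candidates. The function names and the /tmp/migrate name prefix are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report or the citadel package): the temp-file
# pattern the report warns about, beside hardened alternatives and an audit helper.

# Pattern the report warns about: a predictable name under the world-writable
# /tmp. Appending $$ or $RANDOM does not help, since the name space is small
# and '>' follows an existing symlink to wherever it points.
predictable_tmp_name() {
    printf '%s' "/tmp/migrate.$$"
}

# Hardened: mktemp creates the file itself with O_CREAT|O_EXCL and mode 0600,
# so a pre-existing entry (symlink or not) makes it pick another name. We then
# still refuse anything that is not a regular file owned by us before using it.
# Prints the path of the file on success.
safe_tmpfile() {
    f=$(mktemp "${TMPDIR:-/tmp}/migrate.XXXXXX") || return 1
    if [ -L "$f" ] || [ ! -f "$f" ] || [ ! -O "$f" ]; then
        rm -f "$f"
        return 1
    fi
    printf '%s\n' "$1" > "$f"
    printf '%s' "$f"
}

# Same for a scratch directory: mktemp -d creates it with mode 0700.
safe_tmpdir() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/migrate.XXXXXX") || return 1
    if [ -L "$d" ] || [ ! -d "$d" ] || [ ! -O "$d" ]; then
        rm -rf "$d"
        return 1
    fi
    printf '%s' "$d"
}

# Best: create no temp file at all, which is what the citadel changelog entry
# says was done for migrate_aliases.sh. Here the intermediate result flows
# through a pipe; upper-casing stands in for whatever transformation is needed.
no_tmpfile() {
    printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]'
}

# Audit helper: list the lines of a script that mention /tmp/ but not mktemp.
# A hit is a candidate for review, not proof of a bug (the report itself notes
# its own list was produced by a script and then sorted by hand).
risky_tmp_refs() {
    grep -n '/tmp/' "$1" | grep -v 'mktemp' || true
}
```

The ownership and symlink checks after mktemp are belt-and-braces: mktemp already fails rather than reuse an existing name, so the checks mainly guard against a misconfigured TMPDIR or a mktemp replacement that does not use O_EXCL. Setting TMPDIR to a directory only the script's user can write to removes the shared-directory race entirely.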
--- Begin Message ---
Source: citadel
Source-Version: 7.37-3

We believe that the bug you reported is fixed in the latest version of
citadel, which is due to be installed in the Debian FTP archive:

citadel-client_7.37-3_i386.deb
  to pool/main/c/citadel/citadel-client_7.37-3_i386.deb
citadel-common_7.37-3_all.deb
  to pool/main/c/citadel/citadel-common_7.37-3_all.deb
citadel-doc_7.37-3_all.deb
  to pool/main/c/citadel/citadel-doc_7.37-3_all.deb
citadel-mta_7.37-3_i386.deb
  to pool/main/c/citadel/citadel-mta_7.37-3_i386.deb
citadel-server_7.37-3_i386.deb
  to pool/main/c/citadel/citadel-server_7.37-3_i386.deb
citadel-suite_7.37-3_all.deb
  to pool/main/c/citadel/citadel-suite_7.37-3_all.deb
citadel_7.37-3.diff.gz
  to pool/main/c/citadel/citadel_7.37-3.diff.gz
citadel_7.37-3.dsc
  to pool/main/c/citadel/citadel_7.37-3.dsc

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Meskes <[EMAIL PROTECTED]> (supplier of updated citadel package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 25 Aug 2008 10:51:15 +0200
Source: citadel
Binary: citadel-server citadel-suite citadel-common citadel-mta citadel-client citadel-doc
Architecture: source i386 all
Version: 7.37-3
Distribution: unstable
Urgency: low
Maintainer: Debian Citadel Team <[EMAIL PROTECTED]>
Changed-By: Michael Meskes <[EMAIL PROTECTED]>
Description:
 citadel-client - complete and feature-rich groupware server (command line client)
 citadel-common - complete and feature-rich groupware server
 citadel-doc - complete and feature-rich groupware server (documentation)
 citadel-mta - complete and feature-rich groupware server (mail transport agent)
 citadel-server - complete and feature-rich groupware server
 citadel-suite - complete and feature-rich groupware server; metapackage for full
Closes: 496359
Changes:
 citadel (7.37-3) unstable; urgency=low
 .
   [ Wilfried Goesgens ]
   * [r6544] add upstream prepatch; fix off by one in the QP encoder
   * remove use of tempfiles from migrate_aliases.sh, closes: #496359
   * [r6535] add upstream prepatch; stop the autopurger from messing with system rooms
Checksums-Sha1:
 ce92fb602e8741192df9cc99d50c28034cddda49 1382 citadel_7.37-3.dsc
 528dadcd822182fbc020c010615822e5c3ff84fc 25717 citadel_7.37-3.diff.gz
 5f357f2ecae677a37269721953b4ac52238e216d 551092 citadel-server_7.37-3_i386.deb
 c1fb69372ff66fbdf5c71b69db57cafb6e9bf080 15042 citadel-mta_7.37-3_i386.deb
 5c9056dbac80f1e2cc95926054113430bc735b8d 113692 citadel-client_7.37-3_i386.deb
 32b2623c7a426984d9c9914312a9683e946df0ff 8082 citadel-suite_7.37-3_all.deb
 5e7bb1e90116cf22364c0ba7df441a86a6acfa06 8226 citadel-common_7.37-3_all.deb
 f887ee2125ba57bcf268c45c4a66a7cdc0cacb1f 96126 citadel-doc_7.37-3_all.deb
Checksums-Sha256:
 bf77951f04d296074d4f3f9677a43a7b15dd39980faacb2628ee9569eda24cb7 1382 citadel_7.37-3.dsc
 f9f03c46498b8e063b885d05d86adf6da2b722b5948005f6ccca93b51a59bbee 25717 citadel_7.37-3.diff.gz
 e1f975a4c23f90d2cf76db5d7379c38ac3335b4747547111c7455f03f520de49 551092 citadel-server_7.37-3_i386.deb
 fc09c931ee10356be2ce7523bce25420f142cdb2a2ae86a5507180a457aa25b4 15042 citadel-mta_7.37-3_i386.deb
 599b1de54417a08acd645f75c95886b065dc59caa878101e9cfc52b4926a8886 113692 citadel-client_7.37-3_i386.deb
 5b3cb40b80ab52cfc6cf0dd0b9de8a3aa919c7006d04fb8f63f745ecde38bca6 8082 citadel-suite_7.37-3_all.deb
 fa22cd935436d5d9329b51436205745ae967b675b9368a2a67755f9d49481f53 8226 citadel-common_7.37-3_all.deb
 a5b268272002923add66abc4a188174eb3d39a14d405bd5ff441698870dc26bd 96126 citadel-doc_7.37-3_all.deb
Files:
 ae3b33753a29ea45cbabc6dfdf6fc8bf 1382 mail extra citadel_7.37-3.dsc
 3cebc6432aca46e30974131e2b652815 25717 mail extra citadel_7.37-3.diff.gz
 958ddf58dedd8e1140ea715db738f3b0 551092 mail extra citadel-server_7.37-3_i386.deb
 382eaca96cdc8b1fa6e4efd72b91af8c 15042 mail extra citadel-mta_7.37-3_i386.deb
 9eede5eb3c89a4f20a2b0b22a4c27d04 113692 mail extra citadel-client_7.37-3_i386.deb
 65395cdf3134c7d7c79d862421de9d6d 8082 mail extra citadel-suite_7.37-3_all.deb
 740d07fae025ec54feab0839e5adae4c 8226 mail extra citadel-common_7.37-3_all.deb
 bc9bc9bf6cce7916d3426c1f33dca1ed 96126 doc extra citadel-doc_7.37-3_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFItqPBVkEm8inxm9ERAs2GAJsFT0eaBt2lcDdUBfBS4ZqMzYXTpgCePc4K
kHMupU5sTxBHsBOA4xK47SI=
=V7Bu
-----END PGP SIGNATURE-----
--- End Message ---