Package: bugzilla
Version: 2.18.3-1
Severity: grave
Tags: sid etch security patch

The bugzilla package's postinst script uses temporary files in an unsafe way which could be used to conduct symlink attacks against the root user when the package is configured. This is because it uses a hardcoded location for the output of checksetup that resides in /tmp and makes no effort to verify if it is not a symlink. A rogue user could simply create the file and then wait for the administrator to install/upgrade the package which will result in files belonging to root being overwritten by the script.

The attached patch fixes this issue by using mktemp instead of hardcoding the path.

Regards

Javier

PS: Security team, this bug is not present in woody or sarge, the offending code is not there.

--- bugzilla-2.18.3/debian/bugzilla.postinst.orig 2005-08-06 10:44:10.000000000 +0200 +++ bugzilla-2.18.3/debian/bugzilla.postinst 2005-08-06 10:45:37.000000000 +0200 @@ -86,7 +86,9 @@ # The params file will then be updated if needed, the resulting file # will be saved in $params_218_new debug "Running checksetup.pl..." - /usr/share/bugzilla/lib/checksetup.pl $answerfile > /tmp/bugzilla.checksetup.log || true + tmpfile=`mktemp -t bugzilla.XXXXXX` || { echo "$0: Cannot create temporary file" >&2; exit 1; } + trap " [ -f \"$tmpfile\" ] && /bin/rm -f -- \"$tmpfile\"" 1 2 3 13 15 + /usr/share/bugzilla/lib/checksetup.pl $answerfile > $tmpfile || true if [ ! -f $params_218_new ]; then echo "Error in postinst: unable to find $params_218_new" exit 13 @@ -99,7 +101,7 @@ rm -f $answerfile # a bit of cleaning - rm -f /tmp/bugzilla.checksetup.log + rm -f $tmpfile # Now, our patched checksetup.pl had made a $params_218.new file, let's # ask our fellow user if he likes to use it
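
Review bot: In the first hunk (@@ -86,7 +86,9 @@) the trap is registered only for signals 1 2 3 13 15, so the `exit 13` taken a few lines later when $params_218_new is missing leaves the mktemp file behind, and because the handler only removes the file and does not exit, a signalled postinst carries on running with its log already deleted. I would register the cleanup for 0 (EXIT) as well and have the signal case end with an exit. The redirect `> $tmpfile` should also be quoted as `> "$tmpfile"`, matching the quoting the trap line already uses.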
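
Review bot: In the second hunk (@@ -99,7 +101,7 @@) `rm -f $tmpfile` is unquoted and drops the `--` that the trap handler added in the first hunk uses for the same file. Suggest `rm -f -- "$tmpfile"` here so both cleanup paths treat the name identically.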