Your message dated Fri, 29 Aug 2008 07:02:05 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#496371: fixed in lustre 1.6.5.1-1
has caused the Debian Bug report #496371,
regarding The possibility of attack with the help of symlinks in some Debian packages
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
496371: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496371
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: lustre-tests
Severity: grave

Hi, maintainer!

This message about the error concerns a few packages at once. I've
tested all the packages (for Lenny) on my Debian mirror. All scripts
of packages (marked as executable) were tested.

In some packages I've discovered scripts with errors which may be used
by a user for damaging important system files or users' files.

For example, if a script uses in its work a temp file which is created
in the /tmp directory, then every user can create a symlink with the
same name in this directory in order to destroy or rewrite some system
or user file. A symlink attack may also lead not only to data
destruction but to denial of service as well.

Even if you create files or directories with the help of the function
'RANDOM' or pid(), then your system is not protected. An attacker can
create many symlinks in order to destroy your data or create a 'denial
of service' for your package scripts.

Even if you make rm(dir) for files/directories, then your system is
not protected. An attacker can permanently create symlinks.

This list is created with the help of a script. This list is sorted by
hand. However, in some cases a mistake is possible.

Please be understanding of possible mistakes. :)

I set Severity to grave for this bug. The table of discovered
problems is below.

Discussion of this bug you can see in debian-devel@:
    http://lists.debian.org/debian-devel/2008/08/msg00271.html

Binary-package: r-base-core-ra (1.1.1-1)
    file: /usr/lib/Ra/lib/R/bin/javareconf
Binary-package: rccp (0.9-2)
    file: /usr/lib/rccp/delqueueask
Binary-package: mafft (6.240-1)
    file: /usr/bin/mafft-homologs
Binary-package: openoffice.org-common (1:2.4.1-6)
    file: /usr/lib/openoffice/program/senddoc
Binary-package: crossfire-maps (1.11.0-1)
    file: /usr/share/games/crossfire/maps/Info/combine.pl
Binary-package: sgml2x (1.0.0-11.1)
    file: /usr/bin/rlatex
Binary-package: liguidsoap (0.3.6-4)
    file: /var/lib/liguidsoap/liguidsoap.py
Binary-package: citadel-server (7.37-1)
    file: /usr/lib/citadel-server/migrate_aliases.sh
Binary-package: ampache (3.4.1-1)
    file: /usr/share/ampache/www/locale/base/gather-messages.sh
Binary-package: xen-utils-3.2-1 (3.2.1-2)
    file: /usr/lib/xen-3.2-1/bin/qemu-dm.debug
Binary-package: dtc-common (0.29.6-1)
    file: /usr/share/dtc/admin/accesslog.php
    file: /usr/share/dtc/admin/sa-wrapper
Binary-package: honeyd-common (1.5c-3)
    file: /usr/share/honeyd/scripts/test.sh
Binary-package: lustre-tests (1.6.5-1)
    file: /usr/lib/lustre/tests/runiozone
Binary-package: linuxtrade (3.65-8+b4)
    file: /usr/share/linuxtrade/bin/linuxtrade.bwkvol
    file: /usr/share/linuxtrade/bin/linuxtrade.wn
    file: /usr/share/linuxtrade/bin/moneyam.helper
Binary-package: freevo (1.8.1-0)
    file: /usr/bin/freevo.real
Binary-package: fml (4.0.3.dfsg-2)
    file: /usr/share/fml/libexec/mead.pl
Binary-package: rkhunter (1.3.2-3)
    file: /usr/bin/rkhunter
Binary-package: openswan (1:2.4.12+dfsg-1.1)
    file: /usr/lib/ipsec/livetest
Binary-package: linux-patch-openswan (1:2.4.12+dfsg-1.1)
    file: /usr/src/kernel-patches/all/openswan/packaging/utils/maysnap
    file: /usr/src/kernel-patches/all/openswan/packaging/utils/maytest
Binary-package: aptoncd (0.1-1.1)
    file: /usr/share/aptoncd/xmlfile.py
Binary-package: cdcontrol (1.90-1.1)
    file: /usr/lib/cdcontrol/writtercontrol
Binary-package: newsgate (1.6-23)
    file: /usr/bin/mkmailpost
Binary-package: gpsdrive-scripts (2.10~pre4-3)
    file: /usr/bin/geo-code
Binary-package: impose+ (0.2-11)
    file: /usr/bin/impose
Binary-package: mgt (2.31-5)
    file: /usr/games/mailgo
Binary-package: audiolink (0.05-1)
    file: /usr/bin/audiolink
Binary-package: ibackup (2.27-4.1)
    file: /usr/bin/ibackup
Binary-package: emacspeak (26.0-3)
    file: /usr/share/emacs/site-lisp/emacspeak/etc/extract-table.pl
Binary-package: bk2site (1:1.1.9-3.1)
    file: /usr/lib/cgi-bin/bk2site/redirect.pl
Binary-package: datafreedom-perl (0.1.7-1)
    file: /usr/bin/dfxml-invoice
Binary-package: emacs-jabber (0.7.91-1)
    file: /usr/lib/emacsen-common/packages/install/emacs-jabber
Binary-package: lmbench (3.0-a7-1)
    file: /usr/lib/lmbench/scripts/rccs
    file: /usr/lib/lmbench/scripts/STUFF
Binary-package: rancid-util (2.3.2~a8-1)
    file: /var/lib/rancid/getipacctg
Binary-package: ogle (0.9.2-5.2)
    file: /usr/lib/ogle/ogle_audio_debug
    file: /usr/lib/ogle/ogle_cli_debug
    file: /usr/lib/ogle/ogle_ctrl_debug
    file: /usr/lib/ogle/ogle_gui_debug
    file: /usr/lib/ogle/ogle_mpeg_ps_debug
    file: /usr/lib/ogle/ogle_mpeg_vs_debug
    file: /usr/lib/ogle/ogle_nav_debug
    file: /usr/lib/ogle/ogle_vout_debug
Binary-package: firehol (1.256-4)
    file: /sbin/firehol
Binary-package: aview (1.3.0rc1-8)
    file: /usr/bin/asciiview
Binary-package: radiance (3R9+20080530-3)
    file: /usr/bin/optics2rad
    file: /usr/bin/pdelta
    file: /usr/bin/dayfact
    file: /usr/bin/raddepend
Binary-package: vdr-dbg (1.6.0-5)
    file: /usr/bin/vdrleaktest
Binary-package: ogle-mmx (0.9.2-5.2)
    file: /usr/lib/ogle/ogle_audio_debug
    file: /usr/lib/ogle/ogle_cli_debug
    file: /usr/lib/ogle/ogle_ctrl_debug
    file: /usr/lib/ogle/ogle_gui_debug
    file: /usr/lib/ogle/ogle_mpeg_ps_debug
    file: /usr/lib/ogle/ogle_mpeg_vs_debug
    file: /usr/lib/ogle/ogle_nav_debug
    file: /usr/lib/ogle/ogle_vout_debug
Binary-package: convirt (0.8.2-3)
    file: /usr/share/convirt/image_store/_template_/provision.sh
    file: /usr/share/convirt/image_store/Linux_CD_Install/provision.sh
    file: /usr/share/convirt/image_store/Fedora_PV_Install/provision.sh
    file: /usr/share/convirt/image_store/CentOS_PV_Install/provision.sh
    file: /usr/share/convirt/image_store/common/provision.sh
    file: /usr/share/convirt/image_store/example/provision.sh
    file: /usr/share/convirt/image_store/Windows_CD_Install/provision.sh
Binary-package: printfilters-ppd (2.13-9)
    file: /usr/lib/printfilters/master-filter
Binary-package: r-base-core (2.7.1-1)
    file: /usr/lib/R/bin/javareconf
    file: /usr/lib/R/bin/javareconf.orig
Binary-package: xmcd (2.6-19.3)
    file: /usr/share/xmcd/scripts/ncsarmt
    file: /usr/share/xmcd/scripts/ncsawrap
Binary-package: tiger (1:3.2.2-3.1)
    file: /usr/lib/tiger/util/genmsgidx
Binary-package: scilab-bin (4.1.2-5)
    file: /usr/lib/scilab-4.1.2/bin/scilink
    file: /usr/lib/scilab-4.1.2/util/scidoc
    file: /usr/lib/scilab-4.1.2/util/scidem
Binary-package: dpkg-cross (2.3.0)
    file: /usr/share/dpkg-cross/bin/gccross
Binary-package: ltp-network-test (20060918-2.1)
    file: /usr/lib/debian-test/tests/linux/testcases/bin/ftp_setup_vsftp_conf
    file: /usr/lib/debian-test/tests/linux/testcases/bin/nfs_fsstress.sh
Binary-package: cman (2.20080629-1)
    file: /usr/sbin/fence_egenera
Binary-package: scratchbox2 (1.99.0.24-1)
    file: /usr/share/scratchbox2/scripts/dpkg-checkbuilddeps
    file: /usr/share/scratchbox2/scripts/sb2-check-pkg-mappings
Binary-package: sendmail-base (8.14.3-5)
    file: /usr/sbin/checksendmail
    file: /usr/bin/expn
Binary-package: fwbuilder (2.1.19-3)
    file: /usr/bin/fwb_install
Binary-package: sng (1.0.2-5)
    file: /usr/bin/sng_regress
Binary-package: dist (1:3.5-17-1)
    file: /usr/bin/patcil
    file: /usr/bin/patdiff
Binary-package: sympa (5.3.4-5)
    file: /usr/lib/cgi-bin/sympa/wwsympa.fcgi
    file: /usr/lib/sympa/bin/sympa.pl
Binary-package: postfix (2.5.2-2)
    file: /usr/lib/postfix_groups.pl
Binary-package: caudium (3:1.4.12-11)
    file: /usr/share/caudium/configvar
Binary-package: mgetty-fax (1.1.36-1.2)
    file: /usr/bin/faxspool
Binary-package: aegis (4.24-3)
    file: /usr/share/doc/aegis/examples/remind/bng_dvlpd.sh
    file: /usr/share/doc/aegis/examples/remind/bng_rvwd.sh
    file: /usr/share/doc/aegis/examples/remind/awt_dvlp.sh
    file: /usr/share/doc/aegis/examples/remind/awt_intgrtn.sh
Binary-package: aegis-web (4.24-3)
    file: /usr/lib/cgi-bin/aegis.cgi
Binary-package: digitaldj (0.7.5-6+b1)
    file: /usr/share/digitaldj/fest.pl
Binary-package: mon (0.99.2-12)
    file: /usr/lib/mon/alert.d/test.alert
Binary-package: feta (1.4.16)
    file: /usr/share/feta/plugins/to-upgrade
Binary-package: arb-common (0.0.20071207.1-4)
    file: /usr/lib/arb/SH/arb_fastdnaml
    file: /usr/lib/arb/SH/dszmconnect.pl
Binary-package: qemu (0.9.1-5)
    file: /usr/sbin/qemu-make-debian-root
Binary-package: apertium (3.0.7+1-1+b1)
    file: /usr/bin/apertium-gen-deformat
    file: /usr/bin/apertium-gen-reformat
    file: /usr/bin/apertium
Binary-package: xcal (4.1-18.3)
    file: /usr/bin/pscal
Binary-package: myspell-tools (1:3.1-20)
    file: /usr/bin/i2myspell
Binary-package: gccxml (0.9.0+cvs20080525-1)
    file: /usr/share/gccxml-0.9/MIPSpro/find_flags
Binary-package: freeradius-dialupadmin (2.0.4+dfsg-4)
    file: /usr/share/freeradius-dialupadmin/bin/backup_radacct
    file: /usr/share/freeradius-dialupadmin/bin/clean_radacct
    file: /usr/share/freeradius-dialupadmin/bin/monthly_tot_stats
    file: /usr/share/freeradius-dialupadmin/bin/tot_stats
    file: /usr/share/freeradius-dialupadmin/bin/truncate_radacct
Binary-package: dhis-server (5.3-1)
    file: /usr/lib/dhis-server/dhis-dummy-log-engine
Binary-package: wims (3.62-13)
    file: /var/lib/wims/public_html/bin/coqweb
    file: /var/lib/wims/bin/account.sh
Binary-package: initramfs-tools (0.92f)
    file: /usr/share/initramfs-tools/init
Binary-package: realtimebattle-common (1.0.8-7)
    file: /usr/lib/realtimebattle/Robots/perl.robot
Binary-package: netmrg (0.20-1)
    file: /usr/bin/rrdedit
Binary-package: bulmages-servers (0.11.1-2)
    file: /usr/share/bulmages/examples/scripts/actualizabulmacont
    file: /usr/share/bulmages/examples/scripts/installbulmages-db
    file: /usr/share/bulmages/examples/scripts/creabulmafact
    file: /usr/share/bulmages/examples/scripts/creabulmacont
    file: /usr/share/bulmages/examples/scripts/actualizabulmafact
Binary-package: xastir (1.9.2-1)
    file: /usr/lib/xastir/get-maptools.sh
    file: /usr/lib/xastir/get_shapelib.sh
Binary-package: plait (1.5.2-1)
    file: /usr/bin/plaiter
    file: /usr/bin/plait
Binary-package: cdrw-taper (0.4-2)
    file: /usr/sbin/amlabel-cdrw
Binary-package: konwert-filters (1.8-11.1)
    file: /usr/share/konwert/filters/any-UTF8
Binary-package: gdrae (0.1-1)
    file: /usr/bin/gdrae
Binary-package: lazarus-src (0.9.24-0-9)
    file: /usr/lib/lazarus/tools/install/create_lazarus_export_tgz.sh



--- End Message ---
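As an added example (not code from the bug report above or from the lustre package), the temp-file pattern that closes this bug class sits beside a small audit in the spirit of the reporter's scan; the function names, the sample scripts and the `/tmp/result.*` paths are constructed for the demonstration.

```bash
#!/bin/bash
# Added example: not code from the bug report or from the lustre package.
# Two parts: the temp-file pattern that closes this bug class, and a small
# audit in the spirit of the reporter's scan. Sample scripts are constructed.

# Safe creation: mktemp creates the file atomically (O_CREAT|O_EXCL, mode
# 0600) under an unpredictable name, so a symlink planted at a guessed path
# is never followed. The caller owns removal of the returned path.
safe_tmpfile() {
    mktemp "${TMPDIR:-/tmp}/lustre-tests.XXXXXX"
}

# Audit one script: count lines that reference a /tmp path without mktemp.
# Fixed names, "$$" and "$RANDOM" all count, since the report correctly notes
# that none of them protects against a pre-planted symlink.
audit_tmp_usage() {
    grep -E '/tmp/[A-Za-z0-9_.$]' "$1" | { grep -vc 'mktemp' || true; }
}

# Constructed samples: one script with the flagged pattern, one fixed form.
make_samples() {
    local dir
    dir=$(mktemp -d) || return 1
    cat > "$dir/bad.sh" <<'EOF'
#!/bin/sh
OUT=/tmp/result.out
LOG=/tmp/result.$$.log
echo run > $OUT
echo log > $LOG
EOF
    cat > "$dir/good.sh" <<'EOF'
#!/bin/sh
OUT=$(mktemp /tmp/result.XXXXXX) || exit 1
trap 'rm -f "$OUT"' EXIT
echo run > "$OUT"
EOF
    printf '%s\n' "$dir"
}

# Stand-alone demo: audit both samples and report the counts.
demo() {
    local dir s
    dir=$(make_samples) || return 1
    for s in bad.sh good.sh; do
        printf '%s: %s unsafe /tmp reference(s)\n' "$s" "$(audit_tmp_usage "$dir/$s")"
    done
    rm -rf "$dir"
}
demo
```

The audit is deliberately coarse (a line-level grep); a script that passes it still needs the `trap` cleanup shown in the fixed sample so the file is removed on every exit path.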
--- Begin Message ---
Source: lustre
Source-Version: 1.6.5.1-1

We believe that the bug you reported is fixed in the latest version of
lustre, which is due to be installed in the Debian FTP archive:

liblustre_1.6.5.1-1_i386.deb
  to pool/main/l/lustre/liblustre_1.6.5.1-1_i386.deb
linux-patch-lustre_1.6.5.1-1_all.deb
  to pool/main/l/lustre/linux-patch-lustre_1.6.5.1-1_all.deb
lustre-dev_1.6.5.1-1_i386.deb
  to pool/main/l/lustre/lustre-dev_1.6.5.1-1_i386.deb
lustre-source_1.6.5.1-1_all.deb
  to pool/main/l/lustre/lustre-source_1.6.5.1-1_all.deb
lustre-tests_1.6.5.1-1_i386.deb
  to pool/main/l/lustre/lustre-tests_1.6.5.1-1_i386.deb
lustre-utils_1.6.5.1-1_i386.deb
  to pool/main/l/lustre/lustre-utils_1.6.5.1-1_i386.deb
lustre_1.6.5.1-1.diff.gz
  to pool/main/l/lustre/lustre_1.6.5.1-1.diff.gz
lustre_1.6.5.1-1.dsc
  to pool/main/l/lustre/lustre_1.6.5.1-1.dsc
lustre_1.6.5.1.orig.tar.gz
  to pool/main/l/lustre/lustre_1.6.5.1.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Patrick Winnertz <[EMAIL PROTECTED]> (supplier of updated lustre package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])



Format: 1.8
Date: Wed, 27 Aug 2008 16:59:29 +0200
Source: lustre
Binary: linux-patch-lustre lustre-source lustre-utils lustre-tests liblustre lustre-dev
Architecture: source all i386
Version: 1.6.5.1-1
Distribution: unstable
Urgency: low
Maintainer: Debian Lustre Packaging team <pkg-lustre-maintainers@lists.alioth.debian.org>
Changed-By: Patrick Winnertz <[EMAIL PROTECTED]>
Description: 
 liblustre  - Runtime library for Lustre filesystem utilities
 linux-patch-lustre - Linux kernel patch for the Lustre Filesystem
 lustre-dev - Development files for the Lustre filesystem
 lustre-source - source for Lustre filesystem client kernel modules
 lustre-tests - Test suite for the Lustre filesystem
 lustre-utils - Userspace utilities for the Lustre filesystem
Closes: 496371
Changes: 
 lustre (1.6.5.1-1) unstable; urgency=low
 .
   * New upstream version
   * Add README.Debian also to lustre-source
   * Fix possible symlink attack in lustre-tests. (Closes: #496371)




--- End Message ---
_______________________________________________
Pkg-lustre-maintainers mailing list
Pkg-lustre-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/pkg-lustre-maintainers
