Hi all! :)

* Holger Levsen <[EMAIL PROTECTED]> [2007-10-18 17:02]:
> Amaya forwarded your mail to me, so that I can sponsor the upload as she is
> too busy currently...
>
> On Sunday 14 October 2007 14:08, Sven wrote:
> > is there any chance you could upload twiki_4.1.2-2_all.deb from
> > http://distributedinformation.com/TWikiDebian/
> > It's for fixing http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=444982
>
> I just looked at the debdiff between the version in testing+unstable
> (4.1.2-1)
> and http://distributedinformation.com/TWikiDebian/twiki_4.1.2-2.dsc
> and decided not to upload it, because I cannot easily say if all the changes
> are needed to fix the security issue (#444982 / CVE-2007-5193)
>
> I noticed that you edited the changelog for 4.1.2-1 in the 4.1.2-2 package
> _and_ did some related changes to it (adding suggests) and did at least one
> (small) change which is not in changelog: change maintainer address.
>
> This, _combined_ with my lack of knowledge of the package and therefore
> inability to understand the changes without some effort, led me to the
> decision to not sponsor the upload. Sorry.
>
> But I've forwarded this issue to the testing-security team so they can upload
> it.
[...]

Without looking too deep into the changes, since I have to write an exam
tomorrow, I saw the following in postinst:

--- twiki-4.1.2/debian/postinst
+++ twiki-4.1.2/debian/postinst
@@ -139,13 +139,19 @@ fi #create securer-twiki session dir - if [ ! -e /tmp/twiki ]; then - mkdir /tmp/twiki + if [ ! -e /var/lib/twiki/working ]; then + mkdir /var/lib/twiki/working + fi + if [ ! -e /var/lib/twiki/working/tmp ]; then + mkdir /var/lib/twiki/working/tmp + fi + if [ ! -e /var/lib/twiki/working/work_areas ]; then + mkdir /var/lib/twiki/working/work_areas fi #mmmm, mailnotify etc may be running _not_ as www-data #and for some reason create a session - chmod 777 /tmp/twiki - chown $TWIKI_OWNER.www-data /tmp/twiki + chmod 777 /var/lib/twiki/working/tmp + chown $TWIKI_OWNER.www-data /var/lib/twiki/working/tmp #add softlinks to make adding plugins easier () if [ ! -e /var/lib/twiki/lib ]; then
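Review bot: `chmod 777 /var/lib/twiki/working/tmp` leaves the directory world-writable without the sticky bit, so any local user can unlink or rename entries in it regardless of who owns them and plant a symlink that TWiki follows when it writes there; moving the directory out of /tmp does not change that. Suggest `chmod 2770` together with `chown $TWIKI_OWNER:www-data` so that only the owner and the web server group can write (the setgid bit keeps new files in group www-data for the "mailnotify etc may be running _not_ as www-data" case, which should then run as $TWIKI_OWNER or a www-data group member instead of relying on mode 777), and create the directories with an explicit mode (`mkdir -m 2770 ...`) rather than whatever umask postinst runs under. The new `working` and `work_areas` directories get no chown/chmod at all in this hunk, so they stay root-owned with the default umask and www-data cannot write into work_areas; the same ownership and mode should be applied to all three. Minor: prefer `owner:group` over the `$TWIKI_OWNER.www-data` dot form, which chown accepts only for backwards compatibility.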
Thanks for not sponsoring this upload. Why is setting the rights to 777 done
here? This would enable every user on the system to delete web content via a
symlink attack. The old solution is of course not secure either. Please fix
this.

Kind regards
Nico
-- 
Nico Golde - http://ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
_______________________________________________
Secure-testing-team mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/secure-testing-team
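Added example, not code from the TWiki package or from anyone in this thread: a POSIX shell version of the directory setup that avoids `chmod 777`, plus a check for the condition Nico points at (a directory writable by everyone and lacking the sticky bit, so any local user can delete or rename entries in it and substitute a symlink). The function names, the `ROOT OWNER GROUP` parameters, mode 2770 and the demo invocation are assumptions made for this example; a real postinst would hardcode /var/lib/twiki and run as root.

```shell
#!/bin/sh
# Added example (not from the TWiki package): create TWiki's working
# directories with a restrictive mode instead of chmod 777, and check that
# no directory is world-writable without the sticky bit. ROOT, OWNER and
# GROUP are parameters (an assumption for this demo) so the script can be
# exercised unprivileged against a temporary directory; ownership is only
# changed when running as root, as a package postinst always does.
set -eu

# make_working_dirs ROOT OWNER GROUP
# Creates ROOT/working, ROOT/working/tmp and ROOT/working/work_areas with
# mode 2770: owner and group may write, "other" may not, and the setgid bit
# makes new files inherit GROUP, so a cron job running as OWNER and a web
# server running as GROUP can share them without opening the directory to
# every local user. The mode is passed to mkdir -m so it does not depend on
# the umask the caller happens to have.
make_working_dirs() {
    root=$1; owner=$2; group=$3
    for d in "$root/working" "$root/working/tmp" "$root/working/work_areas"; do
        if [ ! -d "$d" ]; then
            mkdir -m 2770 "$d"
        else
            chmod 2770 "$d"        # re-run is idempotent and repairs a loosened mode
        fi
        if [ "$(id -u)" -eq 0 ]; then
            chown "$owner:$group" "$d"
        fi
    done
}

# dir_is_safe DIR
# Returns 0 unless DIR is writable by "other" and lacks the sticky bit. In
# that state any local user can unlink or rename entries in DIR regardless
# of who owns them, which is exactly what a symlink attack against a
# service writing into DIR needs. A 1777 directory such as /tmp passes,
# because the sticky bit limits unlink/rename to the entry's own owner.
dir_is_safe() {
    mode=$(ls -ld "$1" | cut -c1-10)   # e.g. "drwxrwxrwt"
    case $mode in
        ????????w[tT]) return 0 ;;     # other-writable but sticky: acceptable
        ????????w?)    return 1 ;;     # other-writable, no sticky bit: unsafe
        *)             return 0 ;;     # not writable by other: fine
    esac
}

# Demo: sh twiki-working-dirs.sh /path/to/root owner group
if [ $# -eq 3 ]; then
    make_working_dirs "$1" "$2" "$3"
    for d in "$1/working" "$1/working/tmp" "$1/working/work_areas"; do
        if dir_is_safe "$d"; then echo "ok     $d"; else echo "UNSAFE $d"; fi
    done
fi
```

Run it against a scratch root as an unprivileged user to see all three directories reported `ok`; running `dir_is_safe` on a directory created with `mkdir -m 777` reports it unsafe, while `chmod 1777` on the same directory makes it pass, which is the difference between the patch's mode and the shared-tmp convention the patch was apparently imitating.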

