Your message dated Wed, 19 Jan 2005 21:32:13 -0500 with message-id <[EMAIL PROTECTED]> and subject line Bug#290974: fixed in apache 1.3.33-3 has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Date: Tue, 18 Jan 2005 01:08:42 +0100
From: Javier Fernández-Sanguino Peña <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: apache: Temporary usage bugs that can be used in symlink attacks
Message-ID: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="5vNYLRcllDrimb99"

--5vNYLRcllDrimb99
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Package: apache
Version: 1.3.33-2
Priority: grave
Tags: security sid sarge

Hi,

I've found unsafe uses of /tmp in some of Apache's scripts in the source, one of these (check_forensic) is installed in Debian's apache-utils package and IMHO should be fixed. They are rather low risk, but I have to set the priority to grave in any case (since they qualify).

The fix is rather straightforward (use mktemp or tempfile instead of the $$ construct and add a trap to remove the temporary files) and it is needed, especially for check_forensic. In the check_forensic script, for example, an attacker could just monitor /tmp/ usage and construct symlinks to the fc-XX.$$ as soon as he "sees" that the fc-all.$$ file is being used.

I've verified that none of these issues affect woody's Apache (1.3.26-0woody6). The fmn.sh script was there but it is not installed with any package and the check_forensic script was introduced later on.

The attached (untested) patch should fix these issues, hope it helps. Please fix fmn.sh even if it is not installed in any Debian packages, just to ease the work of automatic source-code review tools.

Regards Javier --5vNYLRcllDrimb99 Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="apache-1.3.33.diff" diff -Nru build-tree-apache.orig/apache_1.3.33/src/helpers/fmn.sh build-tree-apache/apache_1.3.33/src/helpers/fmn.sh --- build-tree-apache.orig/apache_1.3.33/src/helpers/fmn.sh 2004-02-16 23:23:09.000000000 +0100 +++ build-tree-apache/apache_1.3.33/src/helpers/fmn.sh 2005-01-18 00:51:03.000000000 +0100 @@ -24,8 +24,8 @@ modfile=$1 # the part from the Configure script -tmpfile=${TMPDIR-/tmp}/fmn.tmp.$$ -rm -f $tmpfile +tmpfile=`mktemp -t fmn.XXXXXX || tempfile --prefix=fmn` || { echo "$0: Cannot create temporary file" >&2; exit 1; } +trap "rm -f -- \"$tmpfile\";" 0 1 2 3 13 15 modname='' ext=`echo $modfile | sed 's/^.*\.//'` modbase=`echo $modfile | sed 's/\.[^.]*$//'` @@ -52,8 +52,8 @@ modname=`echo $modbase | sed 's/^.*\///' | \ sed 's/^mod_//' | sed 's/^lib//' | sed 's/$/_module/'` fi -rm -f $tmpfile # output: the name of the module structure symbol echo "$modname" +exit 0 diff -Nru build-tree-apache.orig/apache_1.3.33/src/support/check_forensic build-tree-apache/apache_1.3.33/src/support/check_forensic --- build-tree-apache.orig/apache_1.3.33/src/support/check_forensic 2005-01-18 00:49:23.000000000 +0100 +++ build-tree-apache/apache_1.3.33/src/support/check_forensic 2005-01-18 00:53:32.000000000 +0100 
@@ -7,9 +7,14 @@ F=$1 -cut -f 1 -d '|' $F > /tmp/fc-all.$$ -grep + < /tmp/fc-all.$$ | cut -c2- | sort > /tmp/fc-in.$$ -grep -- - < /tmp/fc-all.$$ | cut -c2- | sort > /tmp/fc-out.$$ +all=`mktemp -t fcall.XXXXXX || tempfile --prefix=fcall` || { echo "$0: Cannot create temporary file" >&2; exit 1; } +in=`mktemp -t fcin.XXXXXX || tempfile --prefix=fcin` || { echo "$0: Cannot create temporary file" >&2; exit 1; } +out=`mktemp -t fcout.XXXXXX || tempfile --prefix=fcout` || { echo "$0: Cannot create temporary file" >&2; exit 1; } +trap "rm -f -- \"$all\" \"$in\" \"$out\";" 0 1 2 3 13 15 + +cut -f 1 -d '|' $F > $all +grep + < $all | cut -c2- | sort > $in +grep -- - < $all | cut -c2- | sort > $out # use -i instead of -I for GNU xargs -join -v 1 /tmp/fc-in.$$ /tmp/fc-out.$$ | xargs -ixx egrep "^\\+xx" $F -rm /tmp/fc-all.$$ /tmp/fc-in.$$ /tmp/fc-out.$$ +join -v 1 $in $out | xargs -ixx egrep "^\\+xx" $F +exit 0 --5vNYLRcllDrimb99-- --------------------------------------- Received: (at 290974-close) by bugs.debian.org; 20 Jan 2005 02:37:34 +0000 >From [EMAIL PROTECTED] Wed Jan 19 18:37:34 2005 Return-path: <[EMAIL PROTECTED]> Received: from newraff.debian.org [208.185.25.31] (mail) by spohr.debian.org with esmtp (Exim 3.35 1 (Debian)) id 1CrSCU-0003hS-00; Wed, 19 Jan 2005 18:37:34 -0800 Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian)) id 1CrS7J-0006t1-00; Wed, 19 Jan 2005 21:32:13 -0500 
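Review bot: In the first fmn.sh hunk (@@ -24,8 +24,8 @@), the handler in trap "rm -f -- \"$tmpfile\";" 0 1 2 3 13 15 removes the file on signals 1 2 3 13 15 but never exits, so after an interrupt the script carries on with its temporary file gone, and any later redirect to $tmpfile would create it again at a name that is by then known. Keep the removal on 0 only and add a second trap, trap 'exit 1' 1 2 3 13 15, so that a signal ends the script and the exit trap does the cleanup.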
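Review bot: In the check_forensic hunk (@@ -7,9 +7,14 @@), the trap is installed only after all three mktemp/tempfile calls, so if creating $in or $out fails the script leaves through the { echo ...; exit 1; } branch and the files already created stay behind. Install the trap straight after the first creation, or create one directory with mktemp -d and keep all, in and out inside it so there is a single thing to remove. The same trap lists signals 1 2 3 13 15 without an exit, and the new redirects (> $all, > $in, > $out) are unquoted, which breaks when the temporary directory path contains whitespace.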
From: Adam Conrad <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Bug#290974: fixed in apache 1.3.33-3
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Wed, 19 Jan 2005 21:32:13 -0500

Source: apache
Source-Version: 1.3.33-3

We believe that the bug you reported is fixed in the latest version of apache, which is due to be installed in the Debian FTP archive:

apache-common_1.3.33-3_powerpc.deb
  to pool/main/a/apache/apache-common_1.3.33-3_powerpc.deb
apache-dbg_1.3.33-3_powerpc.deb
  to pool/main/a/apache/apache-dbg_1.3.33-3_powerpc.deb
apache-dev_1.3.33-3_all.deb
  to pool/main/a/apache/apache-dev_1.3.33-3_all.deb
apache-doc_1.3.33-3_all.deb
  to pool/main/a/apache/apache-doc_1.3.33-3_all.deb
apache-perl_1.3.33-3_powerpc.deb
  to pool/main/a/apache/apache-perl_1.3.33-3_powerpc.deb
apache-ssl_1.3.33-3_powerpc.deb
  to pool/main/a/apache/apache-ssl_1.3.33-3_powerpc.deb
apache-utils_1.3.33-3_powerpc.deb
  to pool/main/a/apache/apache-utils_1.3.33-3_powerpc.deb
apache_1.3.33-3.diff.gz
  to pool/main/a/apache/apache_1.3.33-3.diff.gz
apache_1.3.33-3.dsc
  to pool/main/a/apache/apache_1.3.33-3.dsc
apache_1.3.33-3_powerpc.deb
  to pool/main/a/apache/apache_1.3.33-3_powerpc.deb
libapache-mod-perl_1.29.0.2-17_powerpc.deb
  to pool/main/a/apache/libapache-mod-perl_1.29.0.2-17_powerpc.deb

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [EMAIL PROTECTED], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adam Conrad <[EMAIL PROTECTED]> (supplier of updated apache package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [EMAIL PROTECTED])

Format: 1.7
Date: Wed, 19 Jan 2005 18:31:25 -0700
Source: apache
Binary: apache-dev apache-common apache-doc apache-utils apache apache-dbg apache-perl libapache-mod-perl apache-ssl
Architecture: source powerpc all
Version: 1.3.33-3
Distribution: unstable
Urgency: low
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Adam Conrad <[EMAIL PROTECTED]>
Description:
 apache - versatile, high-performance HTTP server
 apache-common - support files for all Apache webservers
 apache-dbg - debug versions of the Apache webservers
 apache-dev - development kit for the Apache webserver
 apache-doc - documentation for the Apache webserver
 apache-perl - versatile, high-performance HTTP server with Perl support
 apache-ssl - versatile, high-performance HTTP server with SSL support
 apache-utils - utility programs for webservers
 libapache-mod-perl - integration of perl with the Apache web server
Closes: 290974
Changes:
 apache (1.3.33-3) unstable; urgency=low
 .
   * (Thom May)
     - Security fix - fix tempfile usage in check_forensic (Closes: #290974)
   * (Adam Conrad)
     - Mangle the debian/rules so that the libapache-mod-perl version number is defined in the variables at the top, rather than deep in the binary-arch target where it can get missed.
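
The fix described in the bug report (mktemp plus a trap instead of the $$ construct), written out as an added example that is not the attached patch and not Debian's or Apache's script: the check_forensic steps with every scratch file inside one private mktemp -d directory, cleanup armed before the first write, and signals turned into an exit. The function names, the sample_log helper and its c000N ids are constructed for illustration.

```shell
#!/bin/sh
# Added example: not the patch from the report, not Debian's or Apache's script.

# Constructed sample in forensic-log shape: "+id|request|headers" / "-id".
sample_log() {   # $1 = path to write
    cat > "$1" <<'EOF'
+c0001|GET /index.html HTTP/1.1|Host:example.test
-c0001
+c0002|GET /slow.cgi HTTP/1.1|Host:example.test
+c0003|GET /a.png HTTP/1.1|Host:example.test
-c0003
EOF
}

# Print the "+id|..." lines of log $1 that have no matching "-id" line.
unfinished_requests() {
    (   # subshell: traps and exit stay local to this call
        work=$(mktemp -d "${TMPDIR:-/tmp}/fc.XXXXXX") || {
            echo "$0: cannot create temporary directory" >&2; exit 1; }
        # Cleanup is armed before the first scratch file exists.
        trap 'rm -rf -- "$work"' 0
        # A signal ends the run; the exit trap above then cleans up.
        trap 'exit 1' 1 2 3 13 15

        cut -f 1 -d '|' -- "$1" > "$work/all"
        grep '^+' "$work/all" | cut -c2- | sort > "$work/in"
        grep '^-' "$work/all" | cut -c2- | sort > "$work/out"
        join -v 1 "$work/in" "$work/out" > "$work/ids"
        # Exact match on the first field instead of a regex built from ids.
        awk -F'|' 'NR == FNR { want["+" $0]; next } $1 in want' \
            "$work/ids" "$1"
    )
}

if [ "$#" -gt 0 ]; then unfinished_requests "$1"; fi
```

Because the directory is created with an unpredictable name and owner-only permissions, the fixed names inside it (all, in, out, ids) cannot be pre-created by another local user.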