Your message dated Fri, 05 Sep 2008 16:32:06 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#496403: fixed in mgetty 1.1.36-1.3
has caused the Debian Bug report #496403,
regarding The possibility of attack with the help of symlinks in some Debian packages
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
496403: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496403
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: mgetty-fax
Severity: grave

Hi, maintainer!

This bug report concerns several packages at once. I have tested all the
packages (for Lenny) on my Debian mirror. All scripts in the packages
(marked as executable) were tested.

In some packages I have discovered scripts with errors which may be used
by a user to damage important system files or users' files.

For example, if a script uses a temp file created in the /tmp directory,
then any user can create a symlink with the same name in this directory
in order to destroy or overwrite some system or user file. A symlink
attack may lead not only to data destruction but to denial of service as
well.

Even if you create files or directories with the help of the 'RANDOM'
function or pid(), your system is not protected. An attacker can create
many symlinks in order to destroy your data or cause a denial of service
for your package's scripts.

Even if you rm(dir) the files/directories first, your system is not
protected. An attacker can keep creating symlinks.

This list was created with the help of a script and sorted by hand.
However, in some cases a mistake is possible.

Please be understanding of possible mistakes. :)

I have set the severity of this bug to grave. The table of discovered
problems is below.

Discussion of this bug can be found on debian-devel@:
    http://lists.debian.org/debian-devel/2008/08/msg00271.html

Binary-package: r-base-core-ra (1.1.1-1)
    file: /usr/lib/Ra/lib/R/bin/javareconf
Binary-package: rccp (0.9-2)
    file: /usr/lib/rccp/delqueueask
Binary-package: mafft (6.240-1)
    file: /usr/bin/mafft-homologs
Binary-package: openoffice.org-common (1:2.4.1-6)
    file: /usr/lib/openoffice/program/senddoc
Binary-package: crossfire-maps (1.11.0-1)
    file: /usr/share/games/crossfire/maps/Info/combine.pl
Binary-package: sgml2x (1.0.0-11.1)
    file: /usr/bin/rlatex
Binary-package: liguidsoap (0.3.6-4)
    file: /var/lib/liguidsoap/liguidsoap.py
Binary-package: citadel-server (7.37-1)
    file: /usr/lib/citadel-server/migrate_aliases.sh
Binary-package: ampache (3.4.1-1)
    file: /usr/share/ampache/www/locale/base/gather-messages.sh
Binary-package: xen-utils-3.2-1 (3.2.1-2)
    file: /usr/lib/xen-3.2-1/bin/qemu-dm.debug
Binary-package: dtc-common (0.29.6-1)
    file: /usr/share/dtc/admin/accesslog.php
    file: /usr/share/dtc/admin/sa-wrapper
Binary-package: honeyd-common (1.5c-3)
    file: /usr/share/honeyd/scripts/test.sh
Binary-package: lustre-tests (1.6.5-1)
    file: /usr/lib/lustre/tests/runiozone
Binary-package: linuxtrade (3.65-8+b4)
    file: /usr/share/linuxtrade/bin/linuxtrade.bwkvol
    file: /usr/share/linuxtrade/bin/linuxtrade.wn
    file: /usr/share/linuxtrade/bin/moneyam.helper
Binary-package: freevo (1.8.1-0)
    file: /usr/bin/freevo.real
Binary-package: fml (4.0.3.dfsg-2)
    file: /usr/share/fml/libexec/mead.pl
Binary-package: rkhunter (1.3.2-3)
    file: /usr/bin/rkhunter
Binary-package: openswan (1:2.4.12+dfsg-1.1)
    file: /usr/lib/ipsec/livetest
Binary-package: linux-patch-openswan (1:2.4.12+dfsg-1.1)
    file: /usr/src/kernel-patches/all/openswan/packaging/utils/maysnap
    file: /usr/src/kernel-patches/all/openswan/packaging/utils/maytest
Binary-package: aptoncd (0.1-1.1)
    file: /usr/share/aptoncd/xmlfile.py
Binary-package: cdcontrol (1.90-1.1)
    file: /usr/lib/cdcontrol/writtercontrol
Binary-package: newsgate (1.6-23)
    file: /usr/bin/mkmailpost
Binary-package: gpsdrive-scripts (2.10~pre4-3)
    file: /usr/bin/geo-code
Binary-package: impose+ (0.2-11)
    file: /usr/bin/impose
Binary-package: mgt (2.31-5)
    file: /usr/games/mailgo
Binary-package: audiolink (0.05-1)
    file: /usr/bin/audiolink
Binary-package: ibackup (2.27-4.1)
    file: /usr/bin/ibackup
Binary-package: emacspeak (26.0-3)
    file: /usr/share/emacs/site-lisp/emacspeak/etc/extract-table.pl
Binary-package: bk2site (1:1.1.9-3.1)
    file: /usr/lib/cgi-bin/bk2site/redirect.pl
Binary-package: datafreedom-perl (0.1.7-1)
    file: /usr/bin/dfxml-invoice
Binary-package: emacs-jabber (0.7.91-1)
    file: /usr/lib/emacsen-common/packages/install/emacs-jabber
Binary-package: lmbench (3.0-a7-1)
    file: /usr/lib/lmbench/scripts/rccs
    file: /usr/lib/lmbench/scripts/STUFF
Binary-package: rancid-util (2.3.2~a8-1)
    file: /var/lib/rancid/getipacctg
Binary-package: ogle (0.9.2-5.2)
    file: /usr/lib/ogle/ogle_audio_debug
    file: /usr/lib/ogle/ogle_cli_debug
    file: /usr/lib/ogle/ogle_ctrl_debug
    file: /usr/lib/ogle/ogle_gui_debug
    file: /usr/lib/ogle/ogle_mpeg_ps_debug
    file: /usr/lib/ogle/ogle_mpeg_vs_debug
    file: /usr/lib/ogle/ogle_nav_debug
    file: /usr/lib/ogle/ogle_vout_debug
Binary-package: firehol (1.256-4)
    file: /sbin/firehol
Binary-package: aview (1.3.0rc1-8)
    file: /usr/bin/asciiview
Binary-package: radiance (3R9+20080530-3)
    file: /usr/bin/optics2rad
    file: /usr/bin/pdelta
    file: /usr/bin/dayfact
    file: /usr/bin/raddepend
Binary-package: vdr-dbg (1.6.0-5)
    file: /usr/bin/vdrleaktest
Binary-package: ogle-mmx (0.9.2-5.2)
    file: /usr/lib/ogle/ogle_audio_debug
    file: /usr/lib/ogle/ogle_cli_debug
    file: /usr/lib/ogle/ogle_ctrl_debug
    file: /usr/lib/ogle/ogle_gui_debug
    file: /usr/lib/ogle/ogle_mpeg_ps_debug
    file: /usr/lib/ogle/ogle_mpeg_vs_debug
    file: /usr/lib/ogle/ogle_nav_debug
    file: /usr/lib/ogle/ogle_vout_debug
Binary-package: convirt (0.8.2-3)
    file: /usr/share/convirt/image_store/_template_/provision.sh
    file: /usr/share/convirt/image_store/Linux_CD_Install/provision.sh
    file: /usr/share/convirt/image_store/Fedora_PV_Install/provision.sh
    file: /usr/share/convirt/image_store/CentOS_PV_Install/provision.sh
    file: /usr/share/convirt/image_store/common/provision.sh
    file: /usr/share/convirt/image_store/example/provision.sh
    file: /usr/share/convirt/image_store/Windows_CD_Install/provision.sh
Binary-package: printfilters-ppd (2.13-9)
    file: /usr/lib/printfilters/master-filter
Binary-package: r-base-core (2.7.1-1)
    file: /usr/lib/R/bin/javareconf
    file: /usr/lib/R/bin/javareconf.orig
Binary-package: xmcd (2.6-19.3)
    file: /usr/share/xmcd/scripts/ncsarmt
    file: /usr/share/xmcd/scripts/ncsawrap
Binary-package: tiger (1:3.2.2-3.1)
    file: /usr/lib/tiger/util/genmsgidx
Binary-package: scilab-bin (4.1.2-5)
    file: /usr/lib/scilab-4.1.2/bin/scilink
    file: /usr/lib/scilab-4.1.2/util/scidoc
    file: /usr/lib/scilab-4.1.2/util/scidem
Binary-package: dpkg-cross (2.3.0)
    file: /usr/share/dpkg-cross/bin/gccross
Binary-package: ltp-network-test (20060918-2.1)
    file: /usr/lib/debian-test/tests/linux/testcases/bin/ftp_setup_vsftp_conf
    file: /usr/lib/debian-test/tests/linux/testcases/bin/nfs_fsstress.sh
Binary-package: cman (2.20080629-1)
    file: /usr/sbin/fence_egenera
Binary-package: scratchbox2 (1.99.0.24-1)
    file: /usr/share/scratchbox2/scripts/dpkg-checkbuilddeps
    file: /usr/share/scratchbox2/scripts/sb2-check-pkg-mappings
Binary-package: sendmail-base (8.14.3-5)
    file: /usr/sbin/checksendmail
    file: /usr/bin/expn
Binary-package: fwbuilder (2.1.19-3)
    file: /usr/bin/fwb_install
Binary-package: sng (1.0.2-5)
    file: /usr/bin/sng_regress
Binary-package: dist (1:3.5-17-1)
    file: /usr/bin/patcil
    file: /usr/bin/patdiff
Binary-package: sympa (5.3.4-5)
    file: /usr/lib/cgi-bin/sympa/wwsympa.fcgi
    file: /usr/lib/sympa/bin/sympa.pl
Binary-package: postfix (2.5.2-2)
    file: /usr/lib/postfix_groups.pl
Binary-package: caudium (3:1.4.12-11)
    file: /usr/share/caudium/configvar
Binary-package: mgetty-fax (1.1.36-1.2)
    file: /usr/bin/faxspool
Binary-package: aegis (4.24-3)
    file: /usr/share/doc/aegis/examples/remind/bng_dvlpd.sh
    file: /usr/share/doc/aegis/examples/remind/bng_rvwd.sh
    file: /usr/share/doc/aegis/examples/remind/awt_dvlp.sh
    file: /usr/share/doc/aegis/examples/remind/awt_intgrtn.sh
Binary-package: aegis-web (4.24-3)
    file: /usr/lib/cgi-bin/aegis.cgi
Binary-package: digitaldj (0.7.5-6+b1)
    file: /usr/share/digitaldj/fest.pl
Binary-package: mon (0.99.2-12)
    file: /usr/lib/mon/alert.d/test.alert
Binary-package: feta (1.4.16)
    file: /usr/share/feta/plugins/to-upgrade
Binary-package: arb-common (0.0.20071207.1-4)
    file: /usr/lib/arb/SH/arb_fastdnaml
    file: /usr/lib/arb/SH/dszmconnect.pl
Binary-package: qemu (0.9.1-5)
    file: /usr/sbin/qemu-make-debian-root
Binary-package: apertium (3.0.7+1-1+b1)
    file: /usr/bin/apertium-gen-deformat
    file: /usr/bin/apertium-gen-reformat
    file: /usr/bin/apertium
Binary-package: xcal (4.1-18.3)
    file: /usr/bin/pscal
Binary-package: myspell-tools (1:3.1-20)
    file: /usr/bin/i2myspell
Binary-package: gccxml (0.9.0+cvs20080525-1)
    file: /usr/share/gccxml-0.9/MIPSpro/find_flags
Binary-package: freeradius-dialupadmin (2.0.4+dfsg-4)
    file: /usr/share/freeradius-dialupadmin/bin/backup_radacct
    file: /usr/share/freeradius-dialupadmin/bin/clean_radacct
    file: /usr/share/freeradius-dialupadmin/bin/monthly_tot_stats
    file: /usr/share/freeradius-dialupadmin/bin/tot_stats
    file: /usr/share/freeradius-dialupadmin/bin/truncate_radacct
Binary-package: dhis-server (5.3-1)
    file: /usr/lib/dhis-server/dhis-dummy-log-engine
Binary-package: wims (3.62-13)
    file: /var/lib/wims/public_html/bin/coqweb
    file: /var/lib/wims/bin/account.sh
Binary-package: initramfs-tools (0.92f)
    file: /usr/share/initramfs-tools/init
Binary-package: realtimebattle-common (1.0.8-7)
    file: /usr/lib/realtimebattle/Robots/perl.robot
Binary-package: netmrg (0.20-1)
    file: /usr/bin/rrdedit
Binary-package: bulmages-servers (0.11.1-2)
    file: /usr/share/bulmages/examples/scripts/actualizabulmacont
    file: /usr/share/bulmages/examples/scripts/installbulmages-db
    file: /usr/share/bulmages/examples/scripts/creabulmafact
    file: /usr/share/bulmages/examples/scripts/creabulmacont
    file: /usr/share/bulmages/examples/scripts/actualizabulmafact
Binary-package: xastir (1.9.2-1)
    file: /usr/lib/xastir/get-maptools.sh
    file: /usr/lib/xastir/get_shapelib.sh
Binary-package: plait (1.5.2-1)
    file: /usr/bin/plaiter
    file: /usr/bin/plait
Binary-package: cdrw-taper (0.4-2)
    file: /usr/sbin/amlabel-cdrw
Binary-package: konwert-filters (1.8-11.1)
    file: /usr/share/konwert/filters/any-UTF8
Binary-package: gdrae (0.1-1)
    file: /usr/bin/gdrae
Binary-package: lazarus-src (0.9.24-0-9)
    file: /usr/lib/lazarus/tools/install/create_lazarus_export_tgz.sh



--- End Message ---
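The temp-file symlink attack the report above describes, and the kind of fix the mgetty changelog below refers to (creating the temporary file through mktemp instead of a predictable /tmp name), as an added shell example. This is not code from the bug report, from faxspool or from the Debian patch; the function names, the sandbox directory and the simulated "attacker" (a symlink planted by the same process) are assumptions of the example. Everything happens under a throwaway directory, so it can be run as an unprivileged user without touching the real /tmp.

```sh
#!/bin/sh
# Added example: predictable temp-file name vs. mktemp, run against a
# planted symlink.  All paths live under a sandbox from make_sandbox;
# the function names below are ours, not mgetty's.

make_sandbox() {
    mktemp -d "${TMPDIR:-/tmp}/symlink-demo.XXXXXX"
}

# Vulnerable pattern, the shape of the bug in the report: the name is
# derived from the PID, which any local user can read from 'ps', so an
# attacker pre-plants a symlink under that name.  The '>' redirect follows
# the symlink and clobbers whatever it points at, with the privileges of
# whoever runs the script.  $RANDOM instead of $$ only enlarges the set of
# names the attacker must plant; an 'rm -f' first leaves a race window.
insecure_tmp_write() {
    dir=$1 payload=$2
    tmp="$dir/fax.$$"
    printf '%s\n' "$payload" > "$tmp"
    rm -f "$tmp"
}

# Fixed pattern: mktemp(1) picks an unpredictable name and creates the file
# with O_CREAT|O_EXCL and mode 0600, so it never opens a path that already
# exists (a planted symlink included); it fails instead of following it.
secure_tmp_write() {
    dir=$1 payload=$2
    tmp=$(mktemp "$dir/fax.XXXXXX") || return 1
    printf '%s\n' "$payload" > "$tmp"
    rm -f "$tmp"
}

# Simulated attacker: a file to be overwritten (constructed sample data)
# plus a symlink at the name the script is predicted to use.
plant_symlink() {
    dir=$1 victim=$2
    printf 'important data\n' > "$victim"
    ln -s "$victim" "$dir/fax.$$"
}

# Returns 0 if the victim file still holds its original contents.
victim_intact() {
    [ "$(cat "$1")" = "important data" ]
}

# Vulnerable writer vs. planted symlink; returns 0 if the victim was
# clobbered, i.e. the attack worked.
demo_insecure_clobbers_victim() {
    dir=$(make_sandbox); victim="$dir/victim"
    plant_symlink "$dir" "$victim"
    insecure_tmp_write "$dir" "attacker-chosen content"
    ! victim_intact "$victim"; rc=$?
    rm -rf "$dir"; return $rc
}

# Fixed writer vs. the same planted symlink; returns 0 if the victim is
# untouched (the planted name is simply never used).
demo_secure_leaves_victim_intact() {
    dir=$(make_sandbox); victim="$dir/victim"
    plant_symlink "$dir" "$victim"
    secure_tmp_write "$dir" "attacker-chosen content" || { rm -rf "$dir"; return 1; }
    victim_intact "$victim"; rc=$?
    rm -rf "$dir"; return $rc
}

# Even if the attacker guessed the name, exclusive creation refuses a path
# that already exists.  The shell's noclobber option (set -C) opens '>'
# targets with O_EXCL, so it fails on the planted symlink instead of
# writing through it.  Returns 0 if the open was refused and the victim
# is intact.
demo_exclusive_open_refuses_symlink() {
    dir=$(make_sandbox); victim="$dir/victim"
    plant_symlink "$dir" "$victim"
    if (set -C; : > "$dir/fax.$$") 2>/dev/null; then rc=1; else rc=0; fi
    victim_intact "$victim" || rc=1
    rm -rf "$dir"; return $rc
}
```

The sandbox is a private directory, which is what makes the first demo reproducible: on current Linux kernels the fs.protected_symlinks sysctl (on by default in most distributions) refuses to follow a symlink in a world-writable sticky directory such as /tmp unless the follower owns the link or the directory, which blunts the cross-user form of this attack. It does not cover non-sticky directories or hardlinks, so the fix is still to create temporary files with mktemp (or mkstemp/O_EXCL in C) rather than to rely on the kernel setting.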
--- Begin Message ---
Source: mgetty
Source-Version: 1.1.36-1.3

We believe that the bug you reported is fixed in the latest version of
mgetty, which is due to be installed in the Debian FTP archive:

mgetty-docs_1.1.36-1.3_all.deb
  to pool/main/m/mgetty/mgetty-docs_1.1.36-1.3_all.deb
mgetty-fax_1.1.36-1.3_amd64.deb
  to pool/main/m/mgetty/mgetty-fax_1.1.36-1.3_amd64.deb
mgetty-pvftools_1.1.36-1.3_amd64.deb
  to pool/main/m/mgetty/mgetty-pvftools_1.1.36-1.3_amd64.deb
mgetty-viewfax_1.1.36-1.3_amd64.deb
  to pool/main/m/mgetty/mgetty-viewfax_1.1.36-1.3_amd64.deb
mgetty-voice_1.1.36-1.3_amd64.deb
  to pool/main/m/mgetty/mgetty-voice_1.1.36-1.3_amd64.deb
mgetty_1.1.36-1.3.diff.gz
  to pool/main/m/mgetty/mgetty_1.1.36-1.3.diff.gz
mgetty_1.1.36-1.3.dsc
  to pool/main/m/mgetty/mgetty_1.1.36-1.3.dsc
mgetty_1.1.36-1.3_amd64.deb
  to pool/main/m/mgetty/mgetty_1.1.36-1.3_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <[EMAIL PROTECTED]> (supplier of updated mgetty package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 05 Sep 2008 17:52:42 +0200
Source: mgetty
Binary: mgetty mgetty-fax mgetty-viewfax mgetty-voice mgetty-pvftools mgetty-docs
Architecture: source all amd64
Version: 1.1.36-1.3
Distribution: unstable
Urgency: high
Maintainer: Andreas Barth <[EMAIL PROTECTED]>
Changed-By: Nico Golde <[EMAIL PROTECTED]>
Description: 
 mgetty     - Smart Modem getty replacement
 mgetty-docs - Documentation Package for mgetty
 mgetty-fax - Faxing tools for mgetty
 mgetty-pvftools - Programs for listening and manipulating pvf and rmd files
 mgetty-viewfax - Program for displaying Group-3 Fax files under X
 mgetty-voice - Voicemail handler for mgetty
Closes: 496403
Changes: 
 mgetty (1.1.36-1.3) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix insecure use of temporary file names that could lead to a symlink
     attack.
     (debian/patches/78-insecure-tmp-usage; No CVE id yet; Closes: #496403)
Checksums-Sha1: 
 8627502cc05f7346333d30bf8c9868f8c3446ba0 1198 mgetty_1.1.36-1.3.dsc
 67b791285cbb20636e71e4ffd7a2b6526de7cf6e 60792 mgetty_1.1.36-1.3.diff.gz
 91f2d0d311c6981d9b2b32d1dc8e68039b361369 522916 mgetty-docs_1.1.36-1.3_all.deb
 1047fe4bcdabbe16f420c47ae6a731d8683ec4d3 183248 mgetty_1.1.36-1.3_amd64.deb
 3433cb471a8bf1238481527398478e3f3320a6c9 159802 mgetty-fax_1.1.36-1.3_amd64.deb
 cf7a3dfffb7f30f22ee4def51ae58aee773d0539 68736 mgetty-viewfax_1.1.36-1.3_amd64.deb
 96d324ee9558029237f49e1148d9fe18f17523e4 201506 mgetty-voice_1.1.36-1.3_amd64.deb
 6a8ea599dc3e690c54393a567807d02e0cb96ada 320246 mgetty-pvftools_1.1.36-1.3_amd64.deb
Checksums-Sha256: 
 c3b05ca02439ec1dce1a6e619d85fc9ed5e594539be13c58c68432cd63b1fc97 1198 mgetty_1.1.36-1.3.dsc
 e6d7ac14d6050765dc3c5e080c1586015f703a3eb7b42156be8eda38493719a7 60792 mgetty_1.1.36-1.3.diff.gz
 3c9b1891a00bf9558c9bd3b31ca8314137007fc17258d84fab711113c6bb2668 522916 mgetty-docs_1.1.36-1.3_all.deb
 3fe0c6396853ec7863b1854d58854f7021bcc97517cb05e29e788726114ac83c 183248 mgetty_1.1.36-1.3_amd64.deb
 64a04f8a48ab6167935715f4c45792a94464c9c6859296ddc350318ed555908c 159802 mgetty-fax_1.1.36-1.3_amd64.deb
 ae35fa632955461ac2820d378fa43d11590e5acfb859dfa8514b5d3da8b7c021 68736 mgetty-viewfax_1.1.36-1.3_amd64.deb
 cd7f6e3eb048143b0539bbd5b1d3b95cb4ff6fd7adc0d7c3996c734144eca97a 201506 mgetty-voice_1.1.36-1.3_amd64.deb
 2752aa3b500d5ca11cac47438b25aa5c200be77a6243c56fcc753ff3a8b8fc54 320246 mgetty-pvftools_1.1.36-1.3_amd64.deb
Files: 
 58311aacff5cbff1407f9ab7daa8b953 1198 comm optional mgetty_1.1.36-1.3.dsc
 df151dc2948b99dc84f5392e56b7a02d 60792 comm optional mgetty_1.1.36-1.3.diff.gz
 ce51bacd99c26fe62034644537c6927e 522916 comm optional mgetty-docs_1.1.36-1.3_all.deb
 7349e8ddea956135eb2f4103ffbc9258 183248 comm optional mgetty_1.1.36-1.3_amd64.deb
 055e5258991149f28b5b36e9a0261f1e 159802 comm optional mgetty-fax_1.1.36-1.3_amd64.deb
 7663f1d75a221988db1e791d41f17c4a 68736 comm optional mgetty-viewfax_1.1.36-1.3_amd64.deb
 0b9be2ea5523b862aed6b5b332179613 201506 comm optional mgetty-voice_1.1.36-1.3_amd64.deb
 8021c031a25b2aa15ebb23551c43b4b1 320246 comm optional mgetty-pvftools_1.1.36-1.3_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkjBWzEACgkQHYflSXNkfP/X0wCfd7u8vMU7Q7Y7iwet5xJOVUwv
KBAAn2DTmZ9JLEHUOBIQT8I8brf1S1ug
=aRgp
-----END PGP SIGNATURE-----



--- End Message ---
