Package: lintian
Version: 1.23.27
Severity: grave
Tags: security patch
Justification: user security hole
The lintian collection script objdump-info uses the insecure temporary file /tmp/debug. Any invocation of lintian on a package containing ELF binaries, or containing files with ' ELF' in their names, will append lines of the form "Processing $bin" to /tmp/debug (or through a symlink at /tmp/debug). This trivially allows a local attacker to corrupt another user's files. If the local attacker can control the contents of the package getting checked by lintian, they can control the text after "Processing "; this would allow a variety of exploits based on tools that would ignore the prefix, such as the shell. For example, consider the filename "; do nasty stuff # ELF".

This looks like debugging code, and lintian does not appear to use /tmp/debug for anything else, so removing the line solves the problem. Patch attached.

- Josh Triplett

-- System Information:
Debian Release: 4.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.21-rc2test
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages lintian depends on:
ii  binutils                2.17-3             The GNU assembler, linker and bina
ii  diffstat                1.43-2             produces graph of changes introduc
ii  dpkg-dev                1.13.25            package building tools for Debian
ii  file                    4.19-1             Determines file type using "magic"
ii  gettext                 0.16.1-1           GNU Internationalization utilities
ii  intltool-debian         0.35.0+20060710.1  Help i18n of RFC822 compliant conf
ii  libparse-debianchangel  1.0-1              parse Debian changelogs and output
ii  man-db                  2.4.3-6            The on-line manual pager
ii  perl [libdigest-md5-pe  5.8.8-7            Larry Wall's Practical Extraction

lintian recommends no packages.

-- no debconf information
diff -Naur lintian-1.23.27.orig/collection/objdump-info lintian-1.23.27/collection/objdump-info --- lintian-1.23.27.orig/collection/objdump-info 2006-11-19 20:28:06.000000000 -0800 +++ lintian-1.23.27/collection/objdump-info 2007-03-09 22:12:10.000000000 -0800 @@ -43,7 +43,6 @@ # output in the objdump-info file and let the check script deal with # it later. for bin in `grep ' ELF' <../file-info | cut -d\: -f1`; do - echo "Processing $bin" >> /tmp/debug echo "-- $bin" >> ../objdump-info if head $bin | grep -q 'packed.*with.*UPX'; then echo "objdump: $bin: Packed with UPX" >> ../objdump-info
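Review bot: dropping the `echo "Processing $bin" >> /tmp/debug` line is the right fix for the shared fixed-path file, but the surrounding loop keeps a related robustness problem: `for bin in \`grep ' ELF' <../file-info | cut -d\: -f1\`` word-splits the file names on whitespace, and `head $bin` passes the name unquoted again, so any name containing spaces or glob characters is processed as several tokens or expanded. Consider iterating with `while IFS= read -r bin; do ... done < <(grep ' ELF' ../file-info | cut -d: -f1)` (or a plain pipe into `while read`) and quoting `"$bin"` in `head "$bin"` and the `echo "-- $bin"` lines.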
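As an added illustration of the hazard the report describes (example code written for this page, not lintian's script or the attached patch): it replays the fixed-path append inside a private scratch directory, then contrasts it with a guard that refuses to write through a symlink and with a mktemp-based log. The names `victim`, `debug` and `lintian-debug.XXXXXX` are constructed for the demo.

```shell
#!/bin/sh
# Added example, not lintian's code or the reporter's patch: reproduces
# the fixed-path append from objdump-info inside a private scratch
# directory and contrasts it with two defensive alternatives.

# The pattern the bug reports: append to a fixed name in a shared
# directory.  If "$1/debug" is a symlink planted by another user, the
# line lands in whatever file the link points at.
insecure_log() {  # $1 = directory, $2 = binary name
    echo "Processing $2" >> "$1/debug"
}

# Mitigation 1: refuse symlinks and non-regular files before appending.
# This check-then-write is still racy (TOCTOU); it narrows the window
# but does not close it, which is why mktemp below is preferred.
guarded_log() {  # $1 = directory, $2 = binary name
    target="$1/debug"
    if [ -L "$target" ] || { [ -e "$target" ] && ! [ -f "$target" ]; }; then
        echo "refusing to write through $target" >&2
        return 1
    fi
    echo "Processing $2" >> "$target"
}

# Mitigation 2: no predictable name at all.  mktemp creates a fresh file
# with O_EXCL and mode 0600, so a pre-planted link cannot be hit.
mktemp_log() {  # $1 = directory, $2 = binary name; prints the log path
    f=$(mktemp "$1/lintian-debug.XXXXXX") || return 1
    echo "Processing $2" >> "$f"
    printf '%s\n' "$f"
}

# Scenario: "victim" stands in for another user's file and "debug" links
# to it.  Returns 0 when only the insecure variant modified victim.
demo() {
    dir=$(mktemp -d) || return 1
    : > "$dir/victim"
    ln -s "$dir/victim" "$dir/debug"
    insecure_log "$dir" /usr/bin/example
    [ -s "$dir/victim" ] || return 1          # corrupted through the link
    : > "$dir/victim"
    guarded_log "$dir" /usr/bin/example 2>/dev/null && return 1
    [ -s "$dir/victim" ] && return 1          # untouched
    log=$(mktemp_log "$dir" /usr/bin/example) || return 1
    grep -q '^Processing /usr/bin/example$' "$log" || return 1
    [ -s "$dir/victim" ] && return 1          # still untouched
    rm -rf "$dir"
}
```

Running `demo` exits 0 only when the symlinked file was modified by the insecure append and left alone by both mitigations.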