Bug#341506: dpkg-source and file permissions

2005-12-08 Thread Mikko Rapeli
On Thu, Dec 08, 2005 at 08:13:25AM +0100, Frank Lichtenheld wrote:
> Please note that there is both a bug report and a patch for this
> problem already...

Actually --no-same-owner and --no-same-permissions do different things;
one changes file owners and the other sets permissions. IMHO both should
be used by dpkg-source.pl tar invocations.

> If nobody deemed this worth an advisory for the past three years
> it probably isn't worth one now...

True, but this problem is easily fixed even before someone finds a way to
exploit it.

-Mikko


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Bug#341506: dpkg-source and file permissions

2005-12-08 Thread Mikko Rapeli
On Thu, Dec 08, 2005 at 10:02:48AM +0200, Mikko Rapeli wrote:
> On Thu, Dec 08, 2005 at 08:13:25AM +0100, Frank Lichtenheld wrote:
> > Please note that there is both a bug report and a patch for this
> > problem already...
> 
> Actually --no-same-owner and --no-same-permissions do different things;
> one changes file owners and the other sets permissions. IMHO both should
> be used by dpkg-source.pl tar invocations.

Hmm, sorry for not reading #144571 properly before.

The patch in bug 144571 fixed file ownerships but not the sometimes
funny permissions within the source tar packages. Since --no-same* are
GNU extensions and should be avoided, perhaps the chown call after
extracttar should be supported by a chmod 0700 -R $tmp call?

-Mikko

diff -ru dpkg-1.13.11/scripts/dpkg-source.pl 
dpkg-1.13.11.mkr1/scripts/dpkg-source.pl
--- dpkg-1.13.11/scripts/dpkg-source.pl 2005-08-17 06:17:31.0 +0300
+++ dpkg-1.13.11.mkr1/scripts/dpkg-source.pl2005-12-08 10:07:55.248749232 
+0200
@@ -642,10 +642,12 @@
my $tmp = $target.tmp-nest;
(my $t = $target) =~ s!.*/!!;
 
-   mkdir($tmp,0755) || syserr(unable to create `$tmp');
+   mkdir($tmp,0700) || syserr(unable to create `$tmp');
system chmod, g-s, $tmp;
print($progname: unpacking $tarfile\n);
extracttar($dscdir/$tarfile,$tmp,$t);
+   system chown, '-R', '-f', join(':',@fowner), $tmp/$t;
+   system chmod, '0700', '-R', '-f', $tmp/$t;
rename($tmp/$t,$target)
|| syserr(unable to rename `$tmp/$t' to `$target');
rmdir($tmp)
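Review bot: the added `system chmod, '0700', '-R', '-f', $tmp/$t;` sets every entry in the extracted tree to 0700, so plain data files come out executable and any group-execute or setgid distinction upstream intended is lost; it also disregards the user's umask, which is what the report asked dpkg-source to honour. A symbolic mode that removes only the unwanted bits, e.g. `chmod -R -f u+rwX,go-rwx` (or one derived from Perl's `umask()`), keeps the existing execute bits and still closes the world-writable directories. Separately, neither added `system` call checks its return value and `-f` suppresses the chown/chmod diagnostics, so a failure leaves the tree as extracted without any message, whereas the neighbouring `mkdir` and `rename` calls go through `syserr`.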
Only in dpkg-1.13.11.mkr1/scripts/: dpkg-source.pl.orig





Bug#341506: dpkg-source and file permissions

2005-12-07 Thread Frank Lichtenheld
merge 144571 341506
thanks

On Thu, Dec 01, 2005 at 03:32:46AM +0200, Mikko Rapeli wrote:
> Package: dpkg-dev
> Version: 1.13.11
> Version: 1.10.28
> Tags: security
> 

Please note that there is both a bug report and a patch for this
problem already...
If nobody deemed this worth an advisory for the past three years
it probably isn't worth one now...

Greetings,
-- 
Frank Lichtenheld [EMAIL PROTECTED]
www: http://www.djpig.de/





Bug#341506: dpkg-source and file permissions

2005-12-01 Thread Mikko Rapeli
On Thu, Dec 01, 2005 at 03:32:45AM +0200, Mikko Rapeli wrote:
> fakeroot combined with dpkg-source uses original source package permissions.
> If the original source has insecure permissions on files and/or directories
> dpkg-source -x should override them with umask, but:

snip 

What I meant to copy-paste here at 3:30 in the morning was:

$ fakeroot /bin/sh
sh-2.05b# ls -ld rssh-*
ls: rssh-*: No such file or directory
sh-2.05b# dpkg-source -x rssh_2.2.3-1.dsc
dpkg-source: extracting rssh in rssh-2.2.3
sh-2.05b# ls -ld rssh-*
drwxrwxrwx  3 500 500 4096 Dec  1 12:29 rssh-2.2.3
sh-2.05b# umask
0077

-Mikko





Bug#341506: dpkg-source and file permissions

2005-12-01 Thread Martin Schulze
Mikko Rapeli wrote:
> On Thu, Dec 01, 2005 at 03:32:45AM +0200, Mikko Rapeli wrote:
> > fakeroot combined with dpkg-source uses original source package permissions.
> > If the original source has insecure permissions on files and/or directories
> > dpkg-source -x should override them with umask, but:
> 
> snip 
> 
> What I meant to copy-paste here at 3:30 in the morning was:
> 
> $ fakeroot /bin/sh
> sh-2.05b# ls -ld rssh-*
> ls: rssh-*: No such file or directory
> sh-2.05b# dpkg-source -x rssh_2.2.3-1.dsc
> dpkg-source: extracting rssh in rssh-2.2.3
> sh-2.05b# ls -ld rssh-*
> drwxrwxrwx  3 500 500 4096 Dec  1 12:29 rssh-2.2.3
> sh-2.05b# umask
> 0077

Thanks for your report, but I'd rather consider this an
if-user-wants-to-shoot-in-both-feet-they-should error.  Why would
anybody want to run dpkg-source inside a fakerooted shell?
You can't exploit root or another user, but only leave an exploit
for your own directory.

I'd still consider it a bug, though, and it should be fixed in sid.

Regards,

Joey

-- 
It's time to close the windows.

Please always Cc to me when replying to me on the lists.





Bug#341506: dpkg-source and file permissions

2005-12-01 Thread Mikko Rapeli
On Thu, Dec 01, 2005 at 11:34:15AM +0100, Martin Schulze wrote:
> Thanks for your report, but I'd rather consider this an
> if-user-wants-to-shoot-in-both-feet-they-should error.  Why would
> anybody want to run dpkg-source inside a fakerooted shell?
> You can't exploit root or another user, but only leave an exploit
> for your own directory.

Oh, I need to get back to reading what the execute bit means for directories.
Sorry about this noise. For normal users within a HOME which is not executable
this is not a problem, even though I have run 'fakeroot apt-get source -b rssh'
multiple times without checking that umask is obeyed.

But running apt-get source or dpkg-source with fakeroot or as root in a
world executable directory is a problem. Perhaps not worth an advisory
though.

Isn't the default umask 022 in sarge? Then this might again be worth an
advisory, or not if users are expected to know about file and directory
permissions.

-Mikko





Bug#341506: dpkg-source and file permissions

2005-11-30 Thread Mikko Rapeli
Package: dpkg-dev
Version: 1.13.11
Version: 1.10.28
Tags: security

fakeroot combined with dpkg-source uses original source package permissions.
If the original source has insecure permissions on files and/or directories
dpkg-source -x should override them with umask, but:

$ fakeroot /bin/sh
sh-3.00# umask
0077
sh-3.00# ls -lad *
ls: *: No such file or directory
sh-3.00# tar -zxkf ../dash_0.5.3.orig.tar.gz
sh-3.00# ls -lad *
drwxrwxrwx 3 mikko mikko 4096 2005-11-26 05:19 dash-0.5.3
sh-3.00# rm -rf *
sh-3.00# tar --no-same-permissions -zxkf ../dash_0.5.3.orig.tar.gz
sh-3.00# ls -lad *
drwx------ 3 mikko mikko 4096 2005-11-26 05:19 dash-0.5.3

Debugging reveals that dpkg-source gives options xkf to tar, and (GNU only?)
tar adds --no-same-permissions for non-root users. fakeroot is fakeroot so
it fools tar too, and -p, --same-permissions, --preserve-permissions is
used instead as the tar manual page nicely explains.

Yeah, this is a security issue too although any environment with compilers
is a hazard ;) Hopefully tighter permissions do not break any build automatics.

Attached patches fix this for unstable/testing and sarge, but IMO upstream
should receive some comments too if they have o=rwx directories in their 
release archives.

-Mikko
--- scripts/dpkg-source.pl  2004-11-11 05:16:35.0 +0200
+++ ../dpkg-1.10.28.sarge.mkr1/scripts/dpkg-source.pl   2005-12-01 
03:43:50.0 +0200
@@ -975,15 +975,15 @@
 sub extracttar {
 my ($tarfileread,$dirchdir,$newtopdir) = @_;
 forkgzipread($tarfileread);
-defined($c2= fork) || syserr(fork for tar -xkf -);
+defined($c2= fork) || syserr(fork for tar --no-same-permissions -xkf -);
 if (!$c2) {
-open(STDIN,GZIP) || syserr(reopen gzip for tar -xkf -);
+open(STDIN,GZIP) || syserr(reopen gzip for tar 
--no-same-permissions -xkf -);
 cpiostderr;
 chdir($dirchdir) || syserr(cannot chdir to \`$dirchdir' for tar 
extract);
-exec('tar','-xkf','-'); syserr(exec tar -xkf -);
+exec('tar','--no-same-permissions','-xkf','-'); syserr(exec tar 
--no-same-permissions -xkf -);
 }
 close(GZIP);
-$c2 == waitpid($c2,0) || syserr(wait for tar -xkf -);
+$c2 == waitpid($c2,0) || syserr(wait for tar --no-same-permissions -xkf 
-);
 $?  subprocerr(tar -xkf -);
 reapgzip;
 
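Review bot: the unchanged `$?  subprocerr(tar -xkf -)` line at the end of the hunk still reports the old command, while the new flag is now repeated in four separate message strings; building the command once, e.g. `my @tar = ('tar', '--no-same-permissions', '-xkf', '-');` and using `"@tar"` in each syserr/subprocerr message, keeps them consistent. A one-line comment at the `exec` would also help the next reader: the flag is needed because tar defaults to --same-permissions when it runs as root or under fakeroot, which is the case the report reproduces, and it only makes tar apply the umask, so a permissive umask still yields world-readable trees.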
--- scripts/dpkg-source.pl  2005-08-17 06:17:31.0 +0300
+++ ../dpkg-1.13.11.mkr1/scripts/dpkg-source.pl 2005-12-01 03:53:55.0 
+0200
@@ -1108,15 +1108,15 @@
 sub extracttar {
 my ($tarfileread,$dirchdir,$newtopdir) = @_;
 forkgzipread($tarfileread);
-defined($c2= fork) || syserr(fork for tar -xkf -);
+defined($c2= fork) || syserr(fork for tar --no-same-permissions -xkf -);
 if (!$c2) {
-open(STDIN,GZIP) || syserr(reopen gzip for tar -xkf -);
+open(STDIN,GZIP) || syserr(reopen gzip for tar 
--no-same-permissions -xkf -);
 cpiostderr;
 chdir($dirchdir) || syserr(cannot chdir to `$dirchdir' for tar 
extract);
-exec('tar','-xkf','-') or syserr(exec tar -xkf -);
+exec('tar','--no-same-permissions','-xkf','-') or syserr(exec tar 
--no-same-permissions -xkf -);
 }
 close(GZIP);
-$c2 == waitpid($c2,0) || syserr(wait for tar -xkf -);
+$c2 == waitpid($c2,0) || syserr(wait for tar --no-same-permissions -xkf 
-);
 $?  subprocerr(tar -xkf -);
 reapgzip;
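Review bot: the same points as for the sarge hunk apply here (`subprocerr(tar -xkf -)` still names the old command; the command is spelled out in four strings). In addition, this hunk only covers permissions: ownership of the extracted files is still whatever the archive recorded when tar runs as root or under fakeroot, which is what `--no-same-owner` addresses and what the follow-up message in this thread argues should be passed alongside `--no-same-permissions`.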
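The tar behaviour described in the original report, together with the chmod-after-extract variants proposed later in the thread, as an added shell example that is not part of the bug thread or of dpkg. It runs without fakeroot: tar defaults to -p when it believes it is root, which is exactly what fakeroot makes it believe, so passing -p to an ordinary user reproduces the same modes. It assumes GNU tar and GNU coreutils (stat -c, chmod -f); the archive contents and all names are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the bug thread or from dpkg. Reproduces the
# report's tar behaviour without fakeroot: tar defaults to -p when it thinks
# it is root (what fakeroot makes it believe), so -p as a normal user gives
# the same result. Assumes GNU tar and GNU coreutils (stat -c, chmod -f).
set -e

WORK=$(mktemp -d)                 # scratch area, removed on exit
trap 'rm -rf "$WORK"' EXIT

# Build a constructed "upstream" archive whose top directory is o=rwx and
# whose only file is world-writable, like the dash-0.5.3 case in the report.
make_archive() {
    mkdir -p "$WORK/src/example-1.0"
    printf 'hello\n' > "$WORK/src/example-1.0/README"
    chmod 0777 "$WORK/src/example-1.0"
    chmod 0666 "$WORK/src/example-1.0/README"
    tar -C "$WORK/src" -cf "$WORK/example.tar" example-1.0
}

# Extract the archive under umask 0077 with the given tar options and print
# the octal mode of the extracted top-level directory.
# Usage: extract_dir_mode <name> <tar options...>
extract_dir_mode() {
    dest="$WORK/$1"; shift
    mkdir -p "$dest"
    (umask 0077 && tar "$@" -xf "$WORK/example.tar" -C "$dest")
    stat -c '%a' "$dest/example-1.0"
}

# The chmod-after-extract idea from the thread: extract as root/fakeroot
# would (-p), apply MODE recursively, and print the mode of the plain file.
# A fixed 0700 makes every file executable; the symbolic u+rwX,go-rwx keeps
# the execute bit only on directories and on files that already had it.
# Usage: extract_then_chmod <name> <mode>
extract_then_chmod() {
    dest="$WORK/$1"; mode=$2
    mkdir -p "$dest"
    (umask 0077 && tar -p -xf "$WORK/example.tar" -C "$dest")
    chmod -R -f "$mode" "$dest/example-1.0"
    stat -c '%a' "$dest/example-1.0/README"
}

# Defender's check: succeed only if nothing under the tree is world-writable.
check_no_world_writable() {
    [ -z "$(find "$1" -perm -002 -print)" ]
}

make_archive
echo "dir mode with -p (root/fakeroot default): $(extract_dir_mode with_p -p)"
echo "dir mode with --no-same-permissions:       $(extract_dir_mode with_nsp --no-same-permissions)"
echo "README after chmod -R 0700:                $(extract_then_chmod fixed 0700)"
echo "README after chmod -R u+rwX,go-rwx:        $(extract_then_chmod symbolic u+rwX,go-rwx)"
check_no_world_writable "$WORK/with_nsp" && echo "umask-honouring extraction: no world-writable entries"
```

Running the same extraction inside `fakeroot /bin/sh` without -p gives the first result, which is the report's case; the last two lines show why the fixed 0700 mode in the follow-up patch is heavier than a symbolic mode that only strips the group and other bits.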