Package: lintian
Tags: patch, security
Severity: wishlist
Hello, lintian maintainers!
Please see the full discussion in -devel:
http://lists.debian.org/debian-devel/2008/08/msg00271.html
For example, see the bug
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494648
(if an attacker makes a symlink from /tmp/twiki to /etc/shadow, then
he gets full access to the system when twiki installs or
upgrades)
Hi all!
I wrote a check script for the lintian package. This additional check
verifies Debian packages for the presence of the discussed bug.
Notes and additions are welcome.
The patch is attached.
PS: X11 also uses the /tmp/.X11-unix directory, which may be used for
attacks, I don't know :(
But many scripts (in different packages) use /tmp/.X11-unix; if this is
not a security problem, maybe I must add an exception for this directory in
the lintian script?
I don't know yet :(
DEO This message about the error concerns a few packages at once. I've
DEO tested all the packages on my Debian mirror. (post|pre)(inst|rm) and
DEO config scripts were tested.
DEO In some packages I've discovered scripts with errors which may be used
DEO by a user for damaging important system files.
DEO For example, if a script uses in its work a temp file which is created
DEO in the /tmp directory, then every user can create a symlink with the same
DEO name in this directory in order to destroy or rewrite some system
DEO file.
DEO I set Severity to grave for this bug. The table of discovered
DEO problems is below.
--
... mpd is off
. ''`. Dmitry E. Oboukhov
: :' : [EMAIL PROTECTED]
`. `~' GPGKey: 1024D / F8E26537 2006-11-21
`- 1B23 D4F8 8EC0 D902 0555 E438 AB8C 00CF F8E2 6537
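To show the defect class the report describes (a fixed name under /tmp that a maintainer script writes to, which any local user can pre-create as a symlink) beside the form a maintainer script should use, an added example that is not the bug report's or lintian's own code. It assumes a POSIX sh with a mktemp that accepts a template argument, and every path is constructed inside a scratch directory.

```sh
#!/bin/sh
# Added example, not from the bug report or the lintian patch.

# Vulnerable pattern: a fixed, predictable name in a world-writable directory.
# Whatever already sits at that name (e.g. a symlink planted by another local
# user) is followed by the shell redirection, which in a real maintainer
# script runs as root during install or upgrade.
unsafe_write() {   # $1 = world-writable dir, $2 = payload
    echo "$2" > "$1/example-pkg.tmp"
}

# Hardened pattern: mktemp creates a fresh file with a random name using
# O_CREAT|O_EXCL, so a pre-planted entry at any name cannot be followed.
safe_write() {     # $1 = dir, $2 = payload; prints the path it created
    tmp=$(mktemp "$1/example-pkg.XXXXXX") || return 1
    echo "$2" > "$tmp"
    echo "$tmp"
}

# Demonstration in a scratch directory: plant a symlink at the predictable
# name pointing at a stand-in "system file" and see which variant clobbers it.
# Returns 0 when the unsafe variant overwrote the target and the safe one
# left it intact, i.e. when the problem described in the report reproduces.
demo_symlink_attack() {
    base=$(mktemp -d) || return 1
    echo "original" > "$base/victim"              # stand-in for /etc/shadow
    ln -s "$base/victim" "$base/example-pkg.tmp"  # the planted symlink

    unsafe_write "$base" "clobbered"
    unsafe_result=$(cat "$base/victim")

    echo "original" > "$base/victim"
    out=$(safe_write "$base" "clobbered") || return 1
    safe_result=$(cat "$base/victim")

    rm -rf "$base"
    [ "$unsafe_result" = "clobbered" ] && [ "$safe_result" = "original" ] \
        && [ "$out" != "$base/example-pkg.tmp" ]
}
```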
--- checks/symlink_attack 1970-01-01 03:00:00.0 +0300
+++ checks/symlink_attack 2008-08-19 23:11:44.0 +0400
@@ -0,0 +1,114 @@
+# symlink_attack -- lintian check script -*- perl -*-
+#
+# Copyright (C) 2008 Dmitry E. Oboukhov [EMAIL PROTECTED]
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see http://www.gnu.org/licenses/.
+
+package Lintian::symlink_attack;
+use strict;
+use Tags;
+
+# check file
+#
+# the parameters:
+# 1. name of check file
+# 2. error template
+# 3. warning template
+sub check_file($$$)
+{
+ my ($file_name, $err_tmpl, $warn_tmpl)[EMAIL PROTECTED];
+
+open my $file, '', $file_name
+or die Can not open file `$file_name': $!\n;
+
+$file_name =~ s/^..// if $file_name =~ m{^\./};
+$file_name =~ s{^debfiles/}{debian/};
+
+# read begin of shebang
+local $_;
+return unless 10 == read $file, $_, 10;
+return unless m{^#!\s*/};
+seek $file, 0, 0;
+
+$_ = $file;
+return unless m{^#!\s*(?:/\S+){2,}};
+
+# read all file content
+# (remove comments, join backslash-ended string)
+$_ = join '', map { s/#.*/\n/; s/\\$//; $_ } readline $file;
+
+# errors
+my $errors_found;
+if (m{\s*/tmp/} or m{(?:^|[|\s])tee\s+(?:-\S+\s+)*/tmp/}m)
+{
+$errors_found=1;
+tag $err_tmpl, $file_name (pipe);
+}
+
+my @wh = m{(mount|mkdir|chown|chmod)\s[^;]*?/tmp/}g;
+# remove dups
+@wh = keys %{{ map {($_,0)} @wh }};
+if (@wh)
+{
+ $errors_found=1;
+tag $err_tmpl, $file_name ($_) for @wh;
+}
+
+# warnings
+unless ($errors_found)
+{
+tag $warn_tmpl, $file_name if m{\s+/tmp/};
+}
+}
+
+
+sub run
+{
+ my ($package, $type)=(@_);
+
+my @check_files;
+
+# check maintainer scripts
+ if ($type eq 'source')
+ {
+ @check_files=
+ grep /(((pre|post)(inst|rm))|(config))(?:\.in)?$/,
+ glob ('debfiles/*');
+ }
+ else
+ {
+ @check_files=
+ grep /(((pre|post)(inst|rm))|(config))$/, glob ('control/*');
+ }
+check_file $_ = 'maint-scripts-uses-tmp-err',
+'maint-scripts-uses-tmp-warn' for @check_files;
+
+# check binary all files in the package
+if ($type eq 'binary')
+{
+ chdir 'unpacked';
+ open my $dir, '-|', 'find -type f -executable'
+ or die Can not start find: $!;
+ while($dir)
+ {
+ chomp;
+ check_file $_ = 'scripts-uses-tmp-err', 'scripts-uses-tmp-warn';
+ }
+ chdir '..';
+}
+}
+
+1;
+
+# vim: syntax=perl ts=4 sw=4 expandtab
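Review bot: as posted, checks/symlink_attack cannot compile, so please resubmit it as an attachment that survives the list archive. The line `my ($file_name, $err_tmpl, $warn_tmpl)[EMAIL PROTECTED];` shows the archive rewrote `@_`, and the same mangling appears to have dropped `<`, `>` and quote characters elsewhere: `open my $file, '', $file_name` has an empty open mode, `$_ = $file;` assigns the handle instead of reading a line, `while($dir)` loops forever on a true filehandle, `check_file $_ = 'maint-scripts-uses-tmp-err', ...` is an assignment rather than a fat-comma call, and `die Can not open file` / `tag $err_tmpl, $file_name (pipe);` are unquoted. Two points remain once the characters are restored: the error pattern `m{\s*/tmp/}` matches every occurrence of `/tmp/` and so subsumes the warning pattern `m{\s+/tmp/}`, leaving the `unless ($errors_found)` branch unreachable (if a redirection character was lost here too, it should come back); and `check_file` dies on an unreadable file while `run` calls `chdir 'unpacked'` unchecked, so one odd package aborts the whole lintian run instead of being tagged; warn and return instead. Note also that `find -type f -executable` depends on GNU find.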
--- checks/symlink_attack.desc 1970-01-01 03:00:00.0 +0300
+++ checks/symlink_attack.desc 2008-08-19
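Review bot: the checks/symlink_attack.desc hunk is cut off after its file header, so the descriptions for the four tags the check emits (maint-scripts-uses-tmp-err, maint-scripts-uses-tmp-warn, scripts-uses-tmp-err, scripts-uses-tmp-warn) are not visible; each needs an entry there, and the tag-name suffixes -err/-warn should match the severity the .desc assigns, before the check can be merged.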