Bug#496363: The possibility of attack with the help of symlinks in some Debian packages
Hi Dirk,

On Monday 25 August 2008 13:57, Dirk Eddelbuettel wrote:
> Upstream covers more than just Linux distros: Aix, Solaris, OS X, HP-UX,
> ... and even Windoze (though the javareconf script may not matter there).
>
> But I just emailed the point person for javareconf. Maybe we can move
> creation of the temp.dir into a helper function which uses mktemp if present
> and defaults to what it currently does.
>
> New version with patched javareconf now uploaded.

I see an upload of r-base-core but not (yet) of r-base-core-ra, is that
intentional?

cheers,
Thijs
Bug#496363: The possibility of attack with the help of symlinks in some Debian packages
Hi Thijs,

On 27 August 2008 at 13:57, Thijs Kinkhorst wrote:
| Hi Dirk,
|
| On Monday 25 August 2008 13:57, Dirk Eddelbuettel wrote:
| > Upstream covers more than just Linux distros: Aix, Solaris, OS X, HP-UX,
| > ... and even Windoze (though the javareconf script may not matter there).
| >
| > But I just emailed the point person for javareconf. Maybe we can move
| > creation of the temp.dir into a helper function which uses mktemp if present
| > and defaults to what it currently does.
| >
| > New version with patched javareconf now uploaded.
|
| I see an upload of r-base-core but not (yet) of r-base-core-ra, is that
| intentional?

It was. R 2.7.2 came out on Monday, so r-base-core was a natural candidate.
Yesterday I worked on the RC bug requiring GSL docs to go to non-free for
dfsg / gfdl reasons. So for r-base-core-ra, a build will follow shortly.
There will be a new release too (corresponding to R 2.7.2), but as we don't
know when, I'll just preempt it with a new build with a patched javareconf.

Hth, Dirk

--
Three out of two people have difficulties with fractions.

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe.
Trouble? Contact [EMAIL PROTECTED]
Bug#496363: The possibility of attack with the help of symlinks in some Debian packages
> Trouble is that we then accumulate yet another Debian-only patch... Oh well.

Why wouldn't it be acceptable to upstream?

> So something like
>
>     # test functionality of the compiler
>     javac_works='not present'
>     if test -n "$JAVAC"; then
>       javac_works='not functional'
>       #rm -rf /tmp/A.java /tmp/A.class
>       tempdir=`mktemp -d`
>       echo 'public class A { }' > ${tempdir}/A.java
>       if test -e ${tempdir}/A.java; then
>         if ${JAVAC} ${tempdir}/A.java > /dev/null; then
>           if test -e ${tempdir}/A.class; then
>             javac_works=yes
>           fi
>         fi
>       fi
>       #rm -rf /tmp/A.java /tmp/A.class
>       rm -rf ${tempdir}
>     fi
>
> should do, right?

Yes, that looks good. Thanks for working on this!

Thijs
Bug#496363: The possibility of attack with the help of symlinks in some Debian packages
Hi Dirk,
* Dirk Eddelbuettel [EMAIL PROTECTED] [2008-08-25 13:06]:
> On 25 August 2008 at 04:11, Nico Golde wrote:
> | * Dirk Eddelbuettel [EMAIL PROTECTED] [2008-08-25 03:07]:
[...]
> | > Right before /tmp/A.* are being used, they are being wiped. No symlink
> | > attack.
> | >
> | > Unless I hear objections, I plan to close this one.
> |
> | Please don't. There is still a race condition here. The
> | chance is not that high but it's still possible in theory to
> | create the symlink after the unlink. Using mktemp shouldn't
> | be a big effort but would solve this problem.
>
> Right. Stephen said so too.
>
> Trouble is that we then accumulate yet another Debian-only patch... Oh well.

That shouldn't really be a problem.

> So something like
>
>     # test functionality of the compiler
>     javac_works='not present'
>     if test -n "$JAVAC"; then
>       javac_works='not functional'
>       #rm -rf /tmp/A.java /tmp/A.class
>       tempdir=`mktemp -d`
>       echo 'public class A { }' > ${tempdir}/A.java
>       if test -e ${tempdir}/A.java; then
>         if ${JAVAC} ${tempdir}/A.java > /dev/null; then
>           if test -e ${tempdir}/A.class; then
>             javac_works=yes
>           fi
>         fi
>       fi
>       #rm -rf /tmp/A.java /tmp/A.class
>       rm -rf ${tempdir}
>     fi
>
> should do, right?

Looks correct to me!

Cheers
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Bug#496363: The possibility of attack with the help of symlinks in some Debian packages
On 25 August 2008 at 13:19, Thijs Kinkhorst wrote:
| > Trouble is that we then accumulate yet another Debian-only patch... Oh well.
|
| Why wouldn't it be acceptable to upstream?

I'll talk to them but mktemp is not universal, is it?

| > So something like
| >
| >     # test functionality of the compiler
| >     javac_works='not present'
| >     if test -n "$JAVAC"; then
| >       javac_works='not functional'
| >       #rm -rf /tmp/A.java /tmp/A.class
| >       tempdir=`mktemp -d`
| >       echo 'public class A { }' > ${tempdir}/A.java
| >       if test -e ${tempdir}/A.java; then
| >         if ${JAVAC} ${tempdir}/A.java > /dev/null; then
| >           if test -e ${tempdir}/A.class; then
| >             javac_works=yes
| >           fi
| >         fi
| >       fi
| >       #rm -rf /tmp/A.java /tmp/A.class
| >       rm -rf ${tempdir}
| >     fi
| >
| > should do, right?
|
| Yes, that looks good. Thanks for working on this!

Pleasure. A new release happens to have come out this morning (as per a
timeline announced a few weeks ago).

Dirk

--
Three out of two people have difficulties with fractions.
Bug#496363: The possibility of attack with the help of symlinks in some Debian packages
On Monday 25 August 2008 13:36, Dirk Eddelbuettel wrote:
> On 25 August 2008 at 13:19, Thijs Kinkhorst wrote:
> | > Trouble is that we then accumulate yet another Debian-only patch... Oh
> | > well.
> |
> | Why wouldn't it be acceptable to upstream?
>
> I'll talk to them but mktemp is not universal, is it?

It's in coreutils since last year, and before that several distros provided
versions of it.

cheers,
Thijs
Bug#496363: The possibility of attack with the help of symlinks in some Debian packages
On 25 August 2008 at 13:44, Thijs Kinkhorst wrote:
| On Monday 25 August 2008 13:36, Dirk Eddelbuettel wrote:
| > On 25 August 2008 at 13:19, Thijs Kinkhorst wrote:
| > | > Trouble is that we then accumulate yet another Debian-only patch... Oh
| > | > well.
| > |
| > | Why wouldn't it be acceptable to upstream?
| >
| > I'll talk to them but mktemp is not universal, is it?
|
| It's in coreutils since last year, and before that several distros provided
| versions of it.

Upstream covers more than just Linux distros: Aix, Solaris, OS X, HP-UX, ...
and even Windoze (though the javareconf script may not matter there).

But I just emailed the point person for javareconf. Maybe we can move creation
of the temp.dir into a helper function which uses mktemp if present and
defaults to what it currently does.

New version with patched javareconf now uploaded.

Dirk

--
Three out of two people have difficulties with fractions.
Bug#496363: The possibility of attack with the help of symlinks in some Debian packages
I think it is a false positive:

    # test functionality of the compiler
    javac_works='not present'
    if test -n "$JAVAC"; then
      javac_works='not functional'
      rm -rf /tmp/A.java /tmp/A.class        ## <- note the rm -rf
      echo 'public class A { }' > /tmp/A.java
      if test -e /tmp/A.java; then
        if ${JAVAC} /tmp/A.java > /dev/null; then
          if test -e /tmp/A.class; then
            javac_works=yes
          fi
        fi
      fi
      rm -rf /tmp/A.java /tmp/A.class
    fi

Right before /tmp/A.* are being used, they are being wiped. No symlink
attack.

Unless I hear objections, I plan to close this one.

Dirk

--
Three out of two people have difficulties with fractions.
Bug#496363: The possibility of attack with the help of symlinks in some Debian packages
Hi Dirk,
* Dirk Eddelbuettel [EMAIL PROTECTED] [2008-08-25 03:07]:
> I think it is a false positive:
>
>     # test functionality of the compiler
>     javac_works='not present'
>     if test -n "$JAVAC"; then
>       javac_works='not functional'
>       rm -rf /tmp/A.java /tmp/A.class        ## <- note the rm -rf
>       echo 'public class A { }' > /tmp/A.java
>       if test -e /tmp/A.java; then
>         if ${JAVAC} /tmp/A.java > /dev/null; then
>           if test -e /tmp/A.class; then
>             javac_works=yes
>           fi
>         fi
>       fi
>       rm -rf /tmp/A.java /tmp/A.class
>     fi
>
> Right before /tmp/A.* are being used, they are being wiped. No symlink
> attack.
>
> Unless I hear objections, I plan to close this one.

Please don't. There is still a race condition here. The
chance is not that high but it's still possible in theory to
create the symlink after the unlink. Using mktemp shouldn't
be a big effort but would solve this problem.

Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Bug#496363: The possibility of attack with the help of symlinks in some Debian packages
On 25 August 2008 at 04:11, Nico Golde wrote:
| Hi Dirk,
| * Dirk Eddelbuettel [EMAIL PROTECTED] [2008-08-25 03:07]:
| > I think it is a false positive:
| >
| >     # test functionality of the compiler
| >     javac_works='not present'
| >     if test -n "$JAVAC"; then
| >       javac_works='not functional'
| >       rm -rf /tmp/A.java /tmp/A.class        ## <- note the rm -rf
| >       echo 'public class A { }' > /tmp/A.java
| >       if test -e /tmp/A.java; then
| >         if ${JAVAC} /tmp/A.java > /dev/null; then
| >           if test -e /tmp/A.class; then
| >             javac_works=yes
| >           fi
| >         fi
| >       fi
| >       rm -rf /tmp/A.java /tmp/A.class
| >     fi
| >
| > Right before /tmp/A.* are being used, they are being wiped. No symlink
| > attack.
| >
| > Unless I hear objections, I plan to close this one.
|
| Please don't. There is still a race condition here. The
| chance is not that high but it's still possible in theory to
| create the symlink after the unlink. Using mktemp shouldn't
| be a big effort but would solve this problem.

Right. Stephen said so too.

Trouble is that we then accumulate yet another Debian-only patch... Oh well.

So something like

    # test functionality of the compiler
    javac_works='not present'
    if test -n "$JAVAC"; then
      javac_works='not functional'
      #rm -rf /tmp/A.java /tmp/A.class
      tempdir=`mktemp -d`
      echo 'public class A { }' > ${tempdir}/A.java
      if test -e ${tempdir}/A.java; then
        if ${JAVAC} ${tempdir}/A.java > /dev/null; then
          if test -e ${tempdir}/A.class; then
            javac_works=yes
          fi
        fi
      fi
      #rm -rf /tmp/A.java /tmp/A.class
      rm -rf ${tempdir}
    fi

should do, right?

Dirk

--
Three out of two people have difficulties with fractions.
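The helper Dirk floats in this thread (mktemp where it exists, a fallback otherwise), written out as an added example that is not the javareconf patch or any R project code; the function names, the `javatest.XXXXXX` template and the 100-try limit are assumptions of this example. The fallback relies on mkdir failing atomically when the path already exists, which is what defeats a pre-planted symlink at a predictable /tmp name, the race Nico describes above.

```shell
#!/bin/sh
# Added example, not the javareconf script itself: a helper that creates a
# private temporary directory instead of reusing the fixed name /tmp/A.java,
# plus the compiler probe rewritten to use it. Function names, the template
# "javatest.XXXXXX" and the fallback limit of 100 tries are this example's own.
# mktemp -d is used when present; otherwise mkdir is used, because mkdir fails
# atomically if the path already exists (including as a pre-planted symlink),
# so a name guessed by another local user cannot redirect what we write.
make_tempdir() {
    base="${TMPDIR:-/tmp}"
    if command -v mktemp >/dev/null 2>&1; then
        mktemp -d "${base}/javatest.XXXXXX"
        return $?
    fi
    i=0
    while [ "$i" -lt 100 ]; do
        # Unpredictable suffix from the kernel RNG; the pid alone is guessable.
        suffix=$(od -An -N4 -tu4 /dev/urandom | tr -d ' ')
        d="${base}/javatest.$$.${suffix}"
        if mkdir -m 0700 "$d" 2>/dev/null; then
            printf '%s\n' "$d"
            return 0
        fi
        i=$((i + 1))
    done
    return 1
}

# Probe the compiler named by $1 (the script's $JAVAC). Prints the same
# status words as javareconf: 'not present', 'not functional' or 'yes'.
# Scratch files live only in the private directory, which is removed on exit.
javac_works() {
    javac="$1"
    [ -n "$javac" ] || { echo 'not present'; return 1; }
    tempdir=$(make_tempdir) || { echo 'not functional'; return 1; }
    trap 'rm -rf "$tempdir"' EXIT HUP INT TERM
    result='not functional'
    echo 'public class A { }' > "${tempdir}/A.java"
    if "$javac" "${tempdir}/A.java" >/dev/null 2>&1 \
       && [ -e "${tempdir}/A.class" ]; then
        result=yes
    fi
    rm -rf "$tempdir"
    trap - EXIT HUP INT TERM
    echo "$result"
    [ "$result" = yes ]
}
```

Call it as `javac_works "$JAVAC"`; the exit status is 0 only when the compiler produced A.class, so the caller can branch on it without parsing the printed word.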
Bug#496363: The possibility of attack with the help of symlinks in some Debian packages
Package: r-base-core-ra
Severity: grave

Hi, maintainer!

This message about the error concerns a few packages at once. I've tested all
the packages (for Lenny) on my Debian mirror. All scripts of packages (marked
as executable) were tested. In some packages I've discovered scripts with
errors which may be used by a user for damaging important system files or
user's files.

For example if a script uses in its work a temp file which is created in /tmp
directory, then every user can create a symlink with the same name in this
directory in order to destroy or rewrite some system or user file. A symlink
attack may also lead not only to data destruction but to denial of service as
well.

Even if you create files or directories with help of function 'RANDOM' or
pid(), then your system is not protected. Attacker can create many symlinks in
order to destroy your data or create 'denial of service' for your package
scripts.

Even if you make rm(dir) for files/directories, then your system is not
protected. Attacker can permanently create symlinks.

This list is created with the help of a script. This list is sorted by hand.
However in some cases a mistake is possible. Please be understanding to
possible mistakes. :)

I set Severity to grave for this bug.

The table of discovered problems is below.
Discussion of this bug you can see in debian-devel@:
http://lists.debian.org/debian-devel/2008/08/msg00271.html

Binary-package: r-base-core-ra (1.1.1-1)
    file: /usr/lib/Ra/lib/R/bin/javareconf
Binary-package: rccp (0.9-2)
    file: /usr/lib/rccp/delqueueask
Binary-package: mafft (6.240-1)
    file: /usr/bin/mafft-homologs
Binary-package: openoffice.org-common (1:2.4.1-6)
    file: /usr/lib/openoffice/program/senddoc
Binary-package: crossfire-maps (1.11.0-1)
    file: /usr/share/games/crossfire/maps/Info/combine.pl
Binary-package: sgml2x (1.0.0-11.1)
    file: /usr/bin/rlatex
Binary-package: liguidsoap (0.3.6-4)
    file: /var/lib/liguidsoap/liguidsoap.py
Binary-package: citadel-server (7.37-1)
    file: /usr/lib/citadel-server/migrate_aliases.sh
Binary-package: ampache (3.4.1-1)
    file: /usr/share/ampache/www/locale/base/gather-messages.sh
Binary-package: xen-utils-3.2-1 (3.2.1-2)
    file: /usr/lib/xen-3.2-1/bin/qemu-dm.debug
Binary-package: dtc-common (0.29.6-1)
    file: /usr/share/dtc/admin/accesslog.php
    file: /usr/share/dtc/admin/sa-wrapper
Binary-package: honeyd-common (1.5c-3)
    file: /usr/share/honeyd/scripts/test.sh
Binary-package: lustre-tests (1.6.5-1)
    file: /usr/lib/lustre/tests/runiozone
Binary-package: linuxtrade (3.65-8+b4)
    file: /usr/share/linuxtrade/bin/linuxtrade.bwkvol
    file: /usr/share/linuxtrade/bin/linuxtrade.wn
    file: /usr/share/linuxtrade/bin/moneyam.helper
Binary-package: freevo (1.8.1-0)
    file: /usr/bin/freevo.real
Binary-package: fml (4.0.3.dfsg-2)
    file: /usr/share/fml/libexec/mead.pl
Binary-package: rkhunter (1.3.2-3)
    file: /usr/bin/rkhunter
Binary-package: openswan (1:2.4.12+dfsg-1.1)
    file: /usr/lib/ipsec/livetest
Binary-package: linux-patch-openswan (1:2.4.12+dfsg-1.1)
    file: /usr/src/kernel-patches/all/openswan/packaging/utils/maysnap
    file: /usr/src/kernel-patches/all/openswan/packaging/utils/maytest
Binary-package: aptoncd (0.1-1.1)
    file: /usr/share/aptoncd/xmlfile.py
Binary-package: cdcontrol (1.90-1.1)
    file: /usr/lib/cdcontrol/writtercontrol
Binary-package: newsgate (1.6-23)
    file: /usr/bin/mkmailpost
Binary-package: gpsdrive-scripts (2.10~pre4-3)
    file: /usr/bin/geo-code
Binary-package: impose+ (0.2-11)
    file: /usr/bin/impose
Binary-package: mgt (2.31-5)
    file: /usr/games/mailgo
Binary-package: audiolink (0.05-1)
    file: /usr/bin/audiolink
Binary-package: ibackup (2.27-4.1)
    file: /usr/bin/ibackup
Binary-package: emacspeak (26.0-3)
    file: /usr/share/emacs/site-lisp/emacspeak/etc/extract-table.pl
Binary-package: bk2site (1:1.1.9-3.1)
    file: /usr/lib/cgi-bin/bk2site/redirect.pl
Binary-package: datafreedom-perl (0.1.7-1)
    file: /usr/bin/dfxml-invoice
Binary-package: emacs-jabber (0.7.91-1)
    file: /usr/lib/emacsen-common/packages/install/emacs-jabber
Binary-package: lmbench (3.0-a7-1)
    file: /usr/lib/lmbench/scripts/rccs
    file: /usr/lib/lmbench/scripts/STUFF
Binary-package: rancid-util (2.3.2~a8-1)
    file: /var/lib/rancid/getipacctg
Binary-package: ogle (0.9.2-5.2)
    file: /usr/lib/ogle/ogle_audio_debug
    file: /usr/lib/ogle/ogle_cli_debug
    file: /usr/lib/ogle/ogle_ctrl_debug
    file: /usr/lib/ogle/ogle_gui_debug
    file: /usr/lib/ogle/ogle_mpeg_ps_debug
    file: /usr/lib/ogle/ogle_mpeg_vs_debug
    file: /usr/lib/ogle/ogle_nav_debug
    file: /usr/lib/ogle/ogle_vout_debug
Binary-package: firehol (1.256-4)
    file: /sbin/firehol
Binary-package: aview (1.3.0rc1-8)
    file: /usr/bin/asciiview
Binary-package: radiance (3R9+20080530-3)
    file: /usr/bin/optics2rad
    file: /usr/bin/pdelta
    file: /usr/bin/dayfact
    file: /usr/bin/raddepend