Bug#496395: The possibility of attack with the help of symlinks in some Debian packages
Hi Can you please upload a fixed package to unstable, so it could migrate together with pcre3, TIA? Cheers Luk
Bug#496395: The possibility of attack with the help of symlinks in some Debian packages
Source: apertium Source-Version: 3.0.7+1-1.1 We believe that the bug you reported is fixed in the latest version of apertium, which is due to be installed in the Debian FTP archive: For the benefit of anyone following this bug via turmzimmer.net whilst tracking lenny RC issues, a version of apertium which fixes this bug is being blocked by #500171. Regards, -- Chris Lamb
Bug#496395: The possibility of attack with the help of symlinks in some Debian packages
tags 496395 confirmed patch thanks Dmitry E. Oboukhov wrote: Package: apertium Severity: grave Hi, maintainer! This message about the error concerns a few packages at once. I've tested all the packages (for Lenny) on my Debian mirror. All scripts of packages (marked as executable) were tested. Two patches fixing these issues are attached. Cheers, Moritz --- apertium-3.0.7+1.orig/apertium/Makefile.in 2008-03-31 06:22:55.0 +0200 +++ apertium-3.0.7+1/apertium/Makefile.in 2008-08-23 19:37:13.0 +0200 
@@ -1148,25 +1148,29 @@ @echo Creating apertium-gen-deformat script @echo #!$(BASH) $@ @cat deformat-header.sh $@ + @echo TMP_DEFORMAT=\`mktemp\` $@ + @echo TMP_LEX=\`mktemp\` $@ @echo $(XMLLINT) --dtdvalid $(apertiumdir)/format.dtd --noout \$$FILE1 \\ $@ @if [ `basename $(XSLTPROC)` == xsltproc ]; \ - then echo $(XSLTPROC) --stringparam mode \$$MODE $(apertiumdir)/deformat.xsl \$$FILE1 /tmp/\$$\$$.deformat.l \\; \ - else echo $(XSLTPROC) $(apertiumdir)/deformat.xsl \$$FILE1 $$mode=\$$MODE\ /tmp/\$$\$$.deformat.l \\; \ + then echo $(XSLTPROC) --stringparam mode \$$MODE $(apertiumdir)/deformat.xsl \$$FILE1 \$$TMP_DEFORMAT \\; \ + else echo $(XSLTPROC) $(apertiumdir)/deformat.xsl \$$FILE1 $$mode=\$$MODE\ \$$TMP_DEFORMAT \\; \ fi $@ - @echo $(FLEX) \$$FLEXOPTS -o/tmp/\$$\$$.lex.cc /tmp/\$$\$$.deformat.l \\ $@ - @echo $(CXX) $(CXXFLAGS) -w $(APERTIUM_CFLAGS) -I $(apertiuminclude) -o \$$FILE2 /tmp/\$$\$$.lex.cc \\ $@ - @echo rm /tmp/\$$\$$.deformat.l /tmp/\$$\$$.lex.cc $@ + @echo $(FLEX) \$$FLEXOPTS -o \$$TMP_LEX \$$TMP_DEFORMAT \\ $@ + @echo $(CXX) $(CXXFLAGS) -w $(APERTIUM_CFLAGS) -I $(apertiuminclude) -o \$$FILE2 \$$TMP_LEX \\ $@ + @echo rm \$$TMP_DEFORMAT \$$TMP_LEX $@ @chmod a+x $@ apertium-gen-reformat: Makefile.am gen-header.sh @echo Creating apertium-gen-reformat script @echo #!$(BASH) $@ @cat gen-header.sh $@ + @echo TMP_REFORMAT=\`mktemp\` $@ + @echo TMP_LEX=\`mktemp\` $@ @echo $(XMLLINT) --dtdvalid $(apertiumdir)/format.dtd --noout \$$FILE1 \\ $@ - @echo $(XSLTPROC) $(apertiumdir)/reformat.xsl \$$FILE1 /tmp/\$$\$$.reformat.l \\ $@ - @echo $(FLEX) \$$FLEXOPTS -o/tmp/\$$\$$.lex.cc /tmp/\$$\$$.reformat.l \\ $@ - @echo $(CXX) $(CXXFLAGS) -w $(APERTIUM_CFLAGS) -I $(apertiuminclude) -o \$$FILE2 /tmp/\$$\$$.lex.cc \\ $@ - @echo rm /tmp/\$$\$$.reformat.l /tmp/\$$\$$.lex.cc $@ + @echo $(XSLTPROC) $(apertiumdir)/reformat.xsl \$$FILE1 \$$TMP_REFORMAT \\ $@ + @echo $(FLEX) \$$FLEXOPTS -o \$$TMP_LEX \$$TMP_REFORMAT \\ $@ + @echo $(CXX) $(CXXFLAGS) -w $(APERTIUM_CFLAGS) -I 
$(apertiuminclude) -o \$$FILE2 \$$TMP_LEX \\ $@ + @echo rm \$$TMP_REFORMAT \$$TMP_LEX $@ @chmod a+x $@ apertium-gen-modes: Makefile.am modes-header.sh --- apertium-3.0.7+1.orig/apertium/apertium-header.sh 2008-02-05 07:49:07.0 +0100 +++ apertium-3.0.7+1/apertium/apertium-header.sh 2008-08-23 21:41:12.0 +0200 @@ -38,17 +38,17 @@ function translate_odt { - INPUT_TMPDIR=/tmp/$$odtdir + INPUT_TMPDIR=`mktemp` locale_utf8 test_zip if [[ $FICHERO == ]] - then FICHERO=/tmp/$$odtorig + then FICHERO=`mktemp` cat $FICHERO BORRAFICHERO=true fi - OTRASALIDA=/tmp/$$odtsalida.zip + OTRASALIDA=/tmp/$RANDOM-$RANDOM-$RANDOM-odtsalida.zip unzip -q -o -d $INPUT_TMPDIR $FICHERO find $INPUT_TMPDIR | grep content\\\.xml |\ @@ -78,17 +78,17 @@ function translate_docx { - INPUT_TMPDIR=/tmp/$$docxdir + INPUT_TMPDIR=`mktemp` locale_utf8 test_zip if [[ $FICHERO == ]] - then FICHERO=/tmp/$$docxorig + then FICHERO=`mktemp` cat $FICHERO BORRAFICHERO=true fi - OTRASALIDA=/tmp/$$docxsalida.zip + OTRASALIDA=/tmp/$RANDOM-$RANDOM-$RANDOM-docxsalida.zip if [[ $UWORDS == no ]] then OPCIONU=-u; @@ -98,8 +98,9 @@ unzip -q -o -d $INPUT_TMPDIR $FICHERO for i in $(find $INPUT_TMPDIR|grep xlsx$); - do $APERTIUM_PATH/apertium -f xlsx -d $DIRECTORY $OPCIONU $PREFIJO $i /tmp/$$xlsxembed; - mv /tmp/$$xlsxembed $i; + TMP_XLSXEMBED=`mktemp` + do $APERTIUM_PATH/apertium -f xlsx -d $DIRECTORY $OPCIONU $PREFIJO $i $TMP_XLSXEMBED; + mv $TMP_XLSXEMBED $i; done; find $INPUT_TMPDIR | grep xml |\ @@ -130,17 +131,17 @@ function translate_xlsx { - INPUT_TMPDIR=/tmp/$$xlsxdir + INPUT_TMPDIR=`mktemp` locale_utf8 test_zip if [[ $FICHERO == ]] - then FICHERO=/tmp/$$xlsxorig + then FICHERO=`mktemp` cat $FICHERO BORRAFICHERO=true fi - OTRASALIDA=/tmp/$$xslxsalida.zip + OTRASALIDA=/tmp/$RANDOM-$RANDOM-$RANDOM-xslxsalida.zip unzip -q -o -d $INPUT_TMPDIR $FICHERO find $INPUT_TMPDIR | grep sharedStrings.xml |\
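Review bot: In the apertium-gen-deformat and apertium-gen-reformat rules of Makefile.in, TMP_LEX now comes from a bare mktemp, so the file flex writes no longer ends in .cc as /tmp/\$$\$$.lex.cc did, and GCC-style drivers treat a file with no recognized suffix as linker input rather than C++ source when it is passed as "-o \$$FILE2 \$$TMP_LEX". Either pass -x c++ ahead of \$$TMP_LEX, or create one private directory with mktemp -d and keep the deformat.l / lex.cc names inside it. The generated script also never checks that mktemp succeeded, and nothing removes the two files if it stops before the final rm line; a trap on exit would cover that. Both rules list Makefile.am as a prerequisite, so the same change is needed there or it disappears when Makefile.in is regenerated.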
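Review bot: In translate_odt (apertium-header.sh, hunk at -38,17), INPUT_TMPDIR=`mktemp` creates a regular file, but the unchanged context line "unzip -q -o -d $INPUT_TMPDIR $FICHERO" uses it as the extraction directory, so this has to be mktemp -d. The result should also be checked before use, since an empty INPUT_TMPDIR makes the later "find $INPUT_TMPDIR" walk the current directory instead. The same assignment is repeated in the translate_docx and translate_xlsx hunks.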
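Review bot: In translate_docx (hunk at -78,17), OTRASALIDA=/tmp/$RANDOM-$RANDOM-$RANDOM-docxsalida.zip still builds a guessable name directly in /tmp and does not create the file, so it remains exposed to the pre-created symlink the report describes; the report itself says names built from RANDOM or the pid are not protection. Place the output archive inside a directory obtained from mktemp -d instead. The odt and xlsx hunks carry the same OTRASALIDA line.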
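Review bot: In the hunk at -98,8 the added line TMP_XLSXEMBED=`mktemp` sits between "for i in $(find $INPUT_TMPDIR|grep xlsx$);" and "do", which is a shell syntax error, so apertium-header.sh will not parse after this change. Move the assignment to be the first statement after "do", and skip the iteration if mktemp fails so that "mv $TMP_XLSXEMBED $i" never runs with an empty source.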
Bug#496395: The possibility of attack with the help of symlinks in some Debian packages
Package: apertium
Severity: grave

Hi, maintainer!

This message about the error concerns a few packages at once. I've tested all the packages (for Lenny) on my Debian mirror. All scripts of packages (marked as executable) were tested.

In some packages I've discovered scripts with errors which may be used by a user for damaging important system files or user's files.

For example, if a script uses in its work a temp file which is created in the /tmp directory, then every user can create a symlink with the same name in this directory in order to destroy or rewrite some system or user file. A symlink attack may also lead not only to data destruction but to denial of service as well.

Even if you create files or directories with the help of the function 'RANDOM' or pid(), then your system is not protected. An attacker can create many symlinks in order to destroy your data or create 'denial of service' for your package scripts.

Even if you make rm(dir) for files/directories, then your system is not protected. An attacker can permanently create symlinks.

This list is created with the help of a script. This list is sorted by hand. However, in some cases a mistake is possible. Please be understanding of possible mistakes. :)

I set Severity to grave for this bug.

The table of discovered problems is below.
Discussion of this bug you can see in debian-devel@:
    http://lists.debian.org/debian-devel/2008/08/msg00271.html

Binary-package: r-base-core-ra (1.1.1-1)
    file: /usr/lib/Ra/lib/R/bin/javareconf
Binary-package: rccp (0.9-2)
    file: /usr/lib/rccp/delqueueask
Binary-package: mafft (6.240-1)
    file: /usr/bin/mafft-homologs
Binary-package: openoffice.org-common (1:2.4.1-6)
    file: /usr/lib/openoffice/program/senddoc
Binary-package: crossfire-maps (1.11.0-1)
    file: /usr/share/games/crossfire/maps/Info/combine.pl
Binary-package: sgml2x (1.0.0-11.1)
    file: /usr/bin/rlatex
Binary-package: liguidsoap (0.3.6-4)
    file: /var/lib/liguidsoap/liguidsoap.py
Binary-package: citadel-server (7.37-1)
    file: /usr/lib/citadel-server/migrate_aliases.sh
Binary-package: ampache (3.4.1-1)
    file: /usr/share/ampache/www/locale/base/gather-messages.sh
Binary-package: xen-utils-3.2-1 (3.2.1-2)
    file: /usr/lib/xen-3.2-1/bin/qemu-dm.debug
Binary-package: dtc-common (0.29.6-1)
    file: /usr/share/dtc/admin/accesslog.php
    file: /usr/share/dtc/admin/sa-wrapper
Binary-package: honeyd-common (1.5c-3)
    file: /usr/share/honeyd/scripts/test.sh
Binary-package: lustre-tests (1.6.5-1)
    file: /usr/lib/lustre/tests/runiozone
Binary-package: linuxtrade (3.65-8+b4)
    file: /usr/share/linuxtrade/bin/linuxtrade.bwkvol
    file: /usr/share/linuxtrade/bin/linuxtrade.wn
    file: /usr/share/linuxtrade/bin/moneyam.helper
Binary-package: freevo (1.8.1-0)
    file: /usr/bin/freevo.real
Binary-package: fml (4.0.3.dfsg-2)
    file: /usr/share/fml/libexec/mead.pl
Binary-package: rkhunter (1.3.2-3)
    file: /usr/bin/rkhunter
Binary-package: openswan (1:2.4.12+dfsg-1.1)
    file: /usr/lib/ipsec/livetest
Binary-package: linux-patch-openswan (1:2.4.12+dfsg-1.1)
    file: /usr/src/kernel-patches/all/openswan/packaging/utils/maysnap
    file: /usr/src/kernel-patches/all/openswan/packaging/utils/maytest
Binary-package: aptoncd (0.1-1.1)
    file: /usr/share/aptoncd/xmlfile.py
Binary-package: cdcontrol (1.90-1.1)
    file: /usr/lib/cdcontrol/writtercontrol
Binary-package: newsgate (1.6-23)
    file: /usr/bin/mkmailpost
Binary-package: gpsdrive-scripts (2.10~pre4-3)
    file: /usr/bin/geo-code
Binary-package: impose+ (0.2-11)
    file: /usr/bin/impose
Binary-package: mgt (2.31-5)
    file: /usr/games/mailgo
Binary-package: audiolink (0.05-1)
    file: /usr/bin/audiolink
Binary-package: ibackup (2.27-4.1)
    file: /usr/bin/ibackup
Binary-package: emacspeak (26.0-3)
    file: /usr/share/emacs/site-lisp/emacspeak/etc/extract-table.pl
Binary-package: bk2site (1:1.1.9-3.1)
    file: /usr/lib/cgi-bin/bk2site/redirect.pl
Binary-package: datafreedom-perl (0.1.7-1)
    file: /usr/bin/dfxml-invoice
Binary-package: emacs-jabber (0.7.91-1)
    file: /usr/lib/emacsen-common/packages/install/emacs-jabber
Binary-package: lmbench (3.0-a7-1)
    file: /usr/lib/lmbench/scripts/rccs
    file: /usr/lib/lmbench/scripts/STUFF
Binary-package: rancid-util (2.3.2~a8-1)
    file: /var/lib/rancid/getipacctg
Binary-package: ogle (0.9.2-5.2)
    file: /usr/lib/ogle/ogle_audio_debug
    file: /usr/lib/ogle/ogle_cli_debug
    file: /usr/lib/ogle/ogle_ctrl_debug
    file: /usr/lib/ogle/ogle_gui_debug
    file: /usr/lib/ogle/ogle_mpeg_ps_debug
    file: /usr/lib/ogle/ogle_mpeg_vs_debug
    file: /usr/lib/ogle/ogle_nav_debug
    file: /usr/lib/ogle/ogle_vout_debug
Binary-package: firehol (1.256-4)
    file: /sbin/firehol
Binary-package: aview (1.3.0rc1-8)
    file: /usr/bin/asciiview
Binary-package: radiance (3R9+20080530-3)
    file: /usr/bin/optics2rad
    file: /usr/bin/pdelta
    file: /usr/bin/dayfact
    file: /usr/bin/raddepend
Binary-package:
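
The temp-file weakness described in the report above, next to a mktemp -d based alternative, as an added example that is not part of the original messages or of the apertium package. The function names, the deformat.l file name reused from the patch context, and the sandbox layout are assumptions made for illustration; everything runs inside a throwaway directory.

```shell
#!/bin/sh
# Added example; function and file names are illustrative, not apertium's.

# Pre-patch pattern: PID-based name in a shared directory ($1 stands in for
# /tmp). The redirection follows whatever already exists at that path.
write_predictable() {
    printf '%s\n' "$2" > "$1/$$.deformat.l"
}

# Hardened pattern: mktemp -d atomically creates a mode-0700 directory with an
# unguessable name and never reuses an existing path; the work runs inside it
# and the directory is removed whatever the outcome.
# usage: with_private_workdir BASEDIR COMMAND [ARGS...]  (dir is appended)
with_private_workdir() {
    base=$1; shift
    workdir=$(mktemp -d "$base/apertium.XXXXXXXXXX") || return 1
    "$@" "$workdir"
    rc=$?
    rm -rf -- "$workdir"
    return "$rc"
}

# Work step: $1 = content, $2 = private directory supplied by the wrapper.
write_in_workdir() {
    printf '%s\n' "$1" > "$2/deformat.l"
}

# Constructed scenario inside a throwaway sandbox: the predictable name has
# been pre-created as a symlink to a file the script's user may write.
# Prints the victim file's content after each pattern, separated by "|".
demo() {
    sandbox=$(mktemp -d "${TMPDIR:-/tmp}/symlink-demo.XXXXXXXXXX") || return 1
    mkdir "$sandbox/shared"
    printf 'important\n' > "$sandbox/victim"
    ln -s "$sandbox/victim" "$sandbox/shared/$$.deformat.l"

    write_predictable "$sandbox/shared" 'lexer source'
    after_predictable=$(cat "$sandbox/victim")

    printf 'important\n' > "$sandbox/victim"
    with_private_workdir "$sandbox/shared" write_in_workdir 'lexer source'
    after_private=$(cat "$sandbox/victim")

    rm -rf -- "$sandbox"
    printf '%s|%s\n' "$after_predictable" "$after_private"
}
```

Calling demo shows the predictable-name write overwriting the linked file, while the private-directory write leaves it untouched even though the symlink is still present in the shared directory.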