Bug#741627: insecure temporary file usage in apt-extracttemplates

2014-03-27 Thread Michael Vogt
On Fri, Mar 14, 2014 at 05:10:05PM +, Steve Kemp wrote:
 Package: apt
 Version: 0.9.7.9+deb7u1
 Severity: important
 Tags: security

Thanks for your bug report.
 
[..]
 Anyway given that the generated file names are output to the console
 it feels like we should use mkstemp and do it properly, right?
[..]

I agree and changed the code to use mkstemp() now instead of using the
pid/static integer combination. Changing this means that the format of
the output changes slightly: the last field after the "." is fixed size
now and no longer contains only numbers. I don't expect this to cause
issues, but I will run it on my system first for a couple of days
(I also added a small integration test for this functionality).

Cheers,
 Michael


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#741627: insecure temporary file usage in apt-extracttemplates

2014-03-14 Thread Steve Kemp
Package: apt
Version: 0.9.7.9+deb7u1
Severity: important
Tags: security


When installing/upgrading packages via `apt-get` a child process
is invoked against the downloaded .deb-file to extract any templates
which might be contained in that package.

For example I was recently upgrading my lighttpd package and I see
this is logged (thanks to `snoopy`):

  apt-extracttemplates /var/cache/apt/archives/lighttpd_1.4.31-4+deb7u2_amd64.deb

As that package contains no actual templates all is well.

However consider a case where templates/config files are present,
again upon my system I can see that some recent downloads do indeed
include such things, and they are output as expected via the
apt-extracttemplates invocation:

  shelob ~ $ apt-extracttemplates /var/cache/apt/archives/gdm3_3.4.1-8_amd64.deb
  gdm3 3.4.1-8 /tmp/gdm3.template.136800 /tmp/gdm3.config.136801

What `apt-extracttemplates` has done is twofold:

  * Extracted the template & config files.
  * Reported their location.

However what it has also done is create files with predictable
filenames, overwriting the carefully constructed memoirs I kept
in the file /tmp/gdm3.template.136800 ... ;)

Mitigating factors?  The code correctly removes files first, so
symlinks and hardlinks are not followed.  I suppose that makes this
trivial rather than serious, (Yes a standard temporary race
could allow symlink/link following, but it looks like the file
is opened via O_CREAT + O_EXCL so that's not a concern - right?)

Anyway given that the generated file names are output to the console
it feels like we should use mkstemp and do it properly, right?


The code in question is in cmdline/apt-extracttemplates.cc, in the function
string WriteFile(const char *package, const char *prefix, const char *data):

  char fn[512];
  ...

  snprintf(fn, sizeof(fn), "%s/%s.%s.%u%d",
           _config->Find("APT::ExtractTemplates::TempDir", tempdir).c_str(),
           package, prefix, getpid(), i++);

  if (!f.Open(fn, FileFd::WriteTemp, 0600))


The opening, which mitigates this, is carried out using 'WriteTemp',
which is implemented in apt-pkg/contrib/fileutl.cc, and maps to:

WriteTemp = ReadWrite | Create | Exclusive,

(from fileutl.h.)


Steve
-- 
http://tweaked.io/

-- Package-specific info:

-- (no /etc/apt/preferences present) --


-- (/etc/apt/sources.list present, but not submitted) --


-- System Information:
Debian Release: 7.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.12-0.bpo.1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF8, LC_CTYPE=en_US.UTF8 (charmap=UTF-8) (ignored: LC_ALL 
set to en_US.UTF8)
Shell: /bin/sh linked to /bin/dash

Versions of packages apt depends on:
ii  debian-archive-keyring  2012.4
ii  gnupg   1.4.12-7+deb7u3
ii  libapt-pkg4.12  0.9.7.9+deb7u1
ii  libc6   2.13-38+deb7u1
ii  libgcc1 1:4.7.2-5
ii  libstdc++6  4.7.2-5

apt recommends no packages.

Versions of packages apt suggests:
pn  apt-doc none
ii  aptitude0.6.8.2-1
ii  dpkg-dev1.16.12
ii  python-apt  0.8.8.2
ii  synaptic0.75.13
ii  xz-utils5.1.1alpha+20120614-2


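The pid-plus-counter naming Steve analyses above and the mkstemp() replacement Michael applied, side by side, as an added C example that is not apt's own code: it shows that O_CREAT|O_EXCL alone only turns a guessed name into a failed open, and checks that the mkstemp variant still yields a private 0600 file under the same prefix. The scratch directory under /tmp, the gdm3 package name and the demo function are assumptions.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Original scheme: <dir>/<pkg>.<prefix>.<pid><counter>, opened O_CREAT|O_EXCL:
 * no symlink following, but the printed name is guessable and collides. */
static int counter;
static int open_predictable(const char *dir, const char *pkg, const char *pfx,
                            char *fn, size_t len)
{
    snprintf(fn, len, "%s/%s.%s.%u%d", dir, pkg, pfx, (unsigned)getpid(), counter++);
    return open(fn, O_RDWR | O_CREAT | O_EXCL, 0600);
}

/* Fixed scheme: mkstemp() picks a random suffix and does the exclusive
 * 0600 open itself; fn receives the final path. */
static int open_mkstemp(const char *dir, const char *pkg, const char *pfx,
                        char *fn, size_t len)
{
    snprintf(fn, len, "%s/%s.%s.XXXXXX", dir, pkg, pfx);
    return mkstemp(fn);
}

/* Run both in a fresh private directory (constructed demo). Returns 1 when the
 * predictable open hits EEXIST and the mkstemp open yields a 0600 regular file. */
int demo_temp_file_schemes(void)
{
    char dir[] = "/tmp/aet-demo.XXXXXX", fn[512], guess[512];
    struct stat st; int fd, collided, ok = 0;
    if (mkdtemp(dir) == NULL) return 0;
    /* Build the exact name open_predictable() will use next and create it first. */
    snprintf(guess, sizeof guess, "%s/gdm3.template.%u%d", dir, (unsigned)getpid(), counter);
    close(open(guess, O_WRONLY | O_CREAT, 0600));
    fd = open_predictable(dir, "gdm3", "template", fn, sizeof fn);
    collided = (fd == -1 && errno == EEXIST && strcmp(fn, guess) == 0);
    if (fd != -1) close(fd);
    unlink(guess);
    fd = open_mkstemp(dir, "gdm3", "template", fn, sizeof fn);
    if (fd != -1 && fstat(fd, &st) == 0)
        ok = S_ISREG(st.st_mode) && (st.st_mode & 07777) == 0600 &&
             strncmp(fn + strlen(dir) + 1, "gdm3.template.", 14) == 0;
    if (fd != -1) { close(fd); unlink(fn); }
    rmdir(dir);
    return collided && ok;
}
```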