Bug#763780: apt-get: Insecure temporary changelog handling

2014-10-08 Thread Michael Vogt
On Thu, Oct 02, 2014 at 06:29:45PM +0200, Guillem Jover wrote:
 Package: apt
 Version: 0.8.7
 Severity: serious
 Tags: security patch

Thanks for your bug report and your patch!
 
 I've found an instance of insecure temporary filenames handling. The
 problem is that the code correctly creates a temporary directory, but
 then uses that name as just a prefix for the created changelog
 filename, thus creating it alongside the temporary directory (instead
 of inside of it), and making it very much predictable. This is worsened
 due to the time it takes apt-get to download the changelog from the net,
 which gives a very huge window to use that pathname.
 
 Attached a patch fixing this. This affects all versions starting from
 the one in squeeze.
 
 I'm not sure if this deserves a CVE or perhaps a lower severity?
[..]

I uploaded a fix for wheezy now, squeeze is not affected, this feature
got added in 0.8.11 in debian so we should be safe here.

Cheers,
 Michael


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#763780: apt-get: Insecure temporary changelog handling

2014-10-08 Thread Guillem Jover
Hi!

On Wed, 2014-10-08 at 10:42:07 +0200, Michael Vogt wrote:
 On Thu, Oct 02, 2014 at 06:29:45PM +0200, Guillem Jover wrote:
  Package: apt
  Version: 0.8.7
  Severity: serious
  Tags: security patch

  Attached a patch fixing this. This affects all versions starting from
  the one in squeeze.

  I'm not sure if this deserves a CVE or perhaps a lower severity?
 [..]
 
 I uploaded a fix for wheezy now, squeeze is not affected, this feature
 got added in 0.8.11 in debian so we should be safe here.

Oh, indeed, sorry about the wrong version. I was confused by the git
history:

  $ git show a4c404301df135bea81f23b944dc6e1967f9ca85
  $ git describe --tags a4c404301df135bea81f23b944dc6e1967f9ca85
  0.8.6-22-ga4c4043

Thanks,
Guillem


Bug#763780: apt-get: Insecure temporary changelog handling

2014-10-02 Thread Guillem Jover
Package: apt
Version: 0.8.7
Severity: serious
Tags: security patch

Hi!

I've found an instance of insecure temporary filenames handling. The
problem is that the code correctly creates a temporary directory, but
then uses that name as just a prefix for the created changelog
filename, thus creating it alongside the temporary directory (instead
of inside of it), and making it very much predictable. This is worsened
due to the time it takes apt-get to download the changelog from the net,
which gives a very huge window to use that pathname.

Attached a patch fixing this. This affects all versions starting from
the one in squeeze.

I'm not sure if this deserves a CVE or perhaps a lower severity?

Thanks,
Guillem

From 9df147f44d1a9f1fb245ae085b105ed271170ce8 Mon Sep 17 00:00:00 2001
From: Guillem Jover guil...@debian.org
Date: Thu, 2 Oct 2014 17:48:13 +0200
Subject: [PATCH] apt-get: Create the temporary downloaded changelog inside
 tmpdir

The code is creating a secure temporary directory, but then creates
the changelog alongside the tmpdir in the same base directory. This
defeats the secure tmpdir creation, making the filename predictable.

Inject a '/' between the tmpdir and the changelog filename.
---
 cmdline/apt-get.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cmdline/apt-get.cc b/cmdline/apt-get.cc
index 2e283da..cfa7933 100644
--- a/cmdline/apt-get.cc
+++ b/cmdline/apt-get.cc
@@ -1563,7 +1563,7 @@ static bool DoChangelog(CommandLine CmdL)
{
   string changelogfile;
   if (downOnly == false)
-	 changelogfile.append(tmpname).append(changelog);
+	 changelogfile.append(tmpname).append(/changelog);
   else
 	 changelogfile.append(Ver.ParentPkg().Name()).append(.changelog);
   if (DownloadChangelog(Cache, Fetcher, Ver, changelogfile)  downOnly == false)
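Review bot: the one-character fix is correct only if `tmpname` is the mkdtemp directory itself, and this hunk shows neither where `tmpname` comes from nor how it is cleaned up, so two things should be confirmed in the surrounding code: that `tmpname` carries no trailing '/' (a doubled slash is harmless, but a small path-join helper would make the intent explicit and would survive future edits better than a bare `append("/changelog")`), and that the later removal of the temporary directory now also deletes the changelog placed inside it, since before this change the file sat next to the directory rather than in it. Separately, the string literals in the three `append(...)` calls and the `&&` in the `if` condition appear stripped in this rendering of the patch; the committed lines should read `append("changelog")`, `append("/changelog")` and `append(".changelog")` as the commit message describes.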
-- 
2.1.1.391.g7a54a76
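To make the defect in the report concrete, here is an added illustration that is not apt's code: it reproduces the two `append` chains from the patch (with their string literals quoted), builds both paths from a real mkdtemp directory, and adds two review checks that the hypothetical helpers `isDirectChild` and `createExclusive` perform. The helper names, the `demonstrate` driver and the `apt-changelog-XXXXXX` template are assumptions for this example only.

```cpp
#include <cstdlib>
#include <string>
#include <fcntl.h>
#include <unistd.h>
#include <sys/stat.h>

// Path construction as it was before the patch: tmpname is used as a bare
// prefix, so "/tmp/apt-changelog-Ab12Cd" becomes
// "/tmp/apt-changelog-Ab12Cdchangelog", a sibling of the private directory
// that lives in the shared base directory under a guessable name.
std::string changelogPathBeforeFix(const std::string &tmpname) {
    std::string changelogfile;
    changelogfile.append(tmpname).append("changelog");
    return changelogfile;
}

// Path construction after the patch: the '/' puts the file inside the
// mkdtemp directory, whose random name and 0700 mode protect it.
std::string changelogPathAfterFix(const std::string &tmpname) {
    std::string changelogfile;
    changelogfile.append(tmpname).append("/changelog");
    return changelogfile;
}

// Review check (hypothetical helper): true only when `path` names an entry
// directly inside directory `dir`, whether or not `dir` has a trailing '/'.
bool isDirectChild(const std::string &dir, const std::string &path) {
    std::string prefix = dir;
    if (prefix.empty() || prefix[prefix.size() - 1] != '/')
        prefix += '/';
    if (path.compare(0, prefix.size(), prefix) != 0)
        return false;
    std::string rest = path.substr(prefix.size());
    return !rest.empty() && rest.find('/') == std::string::npos;
}

// Defensive creation (hypothetical helper): O_EXCL makes the open fail if
// anything already exists at that name, instead of following a pre-placed
// entry. Returns the descriptor, or -1 on failure.
int createExclusive(const std::string &path) {
    return open(path.c_str(), O_WRONLY | O_CREAT | O_EXCL, 0600);
}

// End-to-end driver: make a private directory the way apt-get does, build
// both candidate paths, and confirm that only the fixed one is inside the
// directory and can be created there exclusively. Cleans up after itself and
// returns true when every check passed.
bool demonstrate(std::string &before, std::string &after) {
    const char *base = std::getenv("TMPDIR");
    std::string templ = std::string(base ? base : "/tmp") + "/apt-changelog-XXXXXX";
    // mkdtemp rewrites the Xs in place, so it needs a writable buffer
    char *dir = mkdtemp(&templ[0]);
    if (dir == nullptr)
        return false;
    std::string tmpname(dir);

    before = changelogPathBeforeFix(tmpname);
    after = changelogPathAfterFix(tmpname);

    bool ok = !isDirectChild(tmpname, before) && isDirectChild(tmpname, after);

    int fd = createExclusive(after);
    ok = ok && fd >= 0;
    if (fd >= 0) {
        close(fd);
        unlink(after.c_str());
    }
    rmdir(dir);
    return ok;
}
```

The `isDirectChild` check is the kind of assertion worth keeping near any code that composes a temporary path from a directory name and a suffix: it fails loudly on the prefix bug regardless of which base directory is in use. `createExclusive` is a second, independent layer; the private 0700 directory already keeps other users out, and O_EXCL additionally refuses a leftover or pre-placed entry of the same name.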