Bug#763780: apt-get: Insecure temporary changelog handling
On Thu, Oct 02, 2014 at 06:29:45PM +0200, Guillem Jover wrote:
> Package: apt
> Version: 0.8.7
> Severity: serious
> Tags: security patch

Thanks for your bug report and your patch!

> I've found an instance of insecure temporary filenames handling. The problem is that the code correctly creates a temporary directory, but then uses that name as just a prefix for the created changelog filename, thus creating it alongside the temporary directory (instead of inside of it), and making it very much predictable. This is worsened due to the time it takes apt-get to download the changelog from the net, which gives a very huge window to use that pathname.
>
> Attached a patch fixing this. This affects all versions starting from the one in squeeze. I'm not sure if this deserves a CVE or perhaps a lower severity?
[..]

I uploaded a fix for wheezy now, squeeze is not affected, this feature got added in 0.8.11 in debian so we should be safe here.

Cheers,
 Michael
Bug#763780: apt-get: Insecure temporary changelog handling
Hi!

On Wed, 2014-10-08 at 10:42:07 +0200, Michael Vogt wrote:
> On Thu, Oct 02, 2014 at 06:29:45PM +0200, Guillem Jover wrote:
> > Package: apt
> > Version: 0.8.7
> > Severity: serious
> > Tags: security patch
> >
> > Attached a patch fixing this. This affects all versions starting from the one in squeeze. I'm not sure if this deserves a CVE or perhaps a lower severity?
> [..]
>
> I uploaded a fix for wheezy now, squeeze is not affected, this feature got added in 0.8.11 in debian so we should be safe here.

Oh, indeed, sorry about the wrong version. I was confused by the git history:

  $ git show a4c404301df135bea81f23b944dc6e1967f9ca85
  $ git describe --tags a4c404301df135bea81f23b944dc6e1967f9ca85
  0.8.6-22-ga4c4043

Thanks,
Guillem
Bug#763780: apt-get: Insecure temporary changelog handling
Package: apt
Version: 0.8.7
Severity: serious
Tags: security patch

Hi!

I've found an instance of insecure temporary filenames handling. The problem is that the code correctly creates a temporary directory, but then uses that name as just a prefix for the created changelog filename, thus creating it alongside the temporary directory (instead of inside of it), and making it very much predictable. This is worsened due to the time it takes apt-get to download the changelog from the net, which gives a very huge window to use that pathname.

Attached a patch fixing this. This affects all versions starting from the one in squeeze. I'm not sure if this deserves a CVE or perhaps a lower severity?

Thanks,
Guillem

From 9df147f44d1a9f1fb245ae085b105ed271170ce8 Mon Sep 17 00:00:00 2001
From: Guillem Jover guil...@debian.org
Date: Thu, 2 Oct 2014 17:48:13 +0200
Subject: [PATCH] apt-get: Create the temporary downloaded changelog inside tmpdir

The code is creating a secure temporary directory, but then creates the changelog alongside the tmpdir in the same base directory. This defeats the secure tmpdir creation, making the filename predictable.

Inject a '/' between the tmpdir and the changelog filename.
---
 cmdline/apt-get.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cmdline/apt-get.cc b/cmdline/apt-get.cc index 2e283da..cfa7933 100644 --- a/cmdline/apt-get.cc +++ b/cmdline/apt-get.cc @@ -1563,7 +1563,7 @@ static bool DoChangelog(CommandLine CmdL) { string changelogfile; if (downOnly == false) - changelogfile.append(tmpname).append(changelog); + changelogfile.append(tmpname).append(/changelog); else changelogfile.append(Ver.ParentPkg().Name()).append(.changelog); if (DownloadChangelog(Cache, Fetcher, Ver, changelogfile) downOnly == false) -- 2.1.1.391.g7a54a76
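Review bot: The one-character change on the `+` line is the correct minimal fix: without the separator, `tmpname` was only a string prefix, so the changelog was created as a sibling of the freshly made temporary directory under a name anyone could predict from the directory's base path, and the download window kept that predictable path live for a long time. Two points from the visible context: the `else` branch still writes `<package>.changelog` into the current directory, which is the user-requested output for the download-only case rather than a temporary file, so leaving it untouched is right; and the commit message would benefit from naming the affected range (per the later reply, the feature only appeared in 0.8.11, so wheezy needs the fix and squeeze does not) so the stable update's changelog carries that fact.

The misjoin the report describes, as an added example that is not apt's code: a mkdtemp() directory used as a bare prefix versus joined with '/', a containment check, and an exclusive, non-following open so a pre-placed file or symlink at the path cannot be reused (the /tmp template and all function names are assumed).

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Join the directory and "changelog" the buggy way (bare prefix) or with "/". */
static int build_changelog_path(const char *tmpdir, int fixed, char *out, size_t outlen) {
    int n = snprintf(out, outlen, "%s%s%s", tmpdir, fixed ? "/" : "", "changelog");
    return (n > 0 && (size_t)n < outlen) ? 0 : -1;
}

/* True only if path is strictly below dir: dir followed by '/' and a name. */
int is_inside_dir(const char *dir, const char *path) {
    size_t len = strlen(dir);
    return strncmp(path, dir, len) == 0 && path[len] == '/' && path[len + 1] != '\0';
}

/* Build the path both ways and report whether it ends up inside tmpdir. */
int changelog_path_inside(const char *tmpdir, int fixed) {
    char path[PATH_MAX];
    if (build_changelog_path(tmpdir, fixed, path, sizeof path) != 0) return -1;
    return is_inside_dir(tmpdir, path);
}

/* Create the file, failing if anything already exists or is a symlink there. */
int create_exclusive(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    close(fd);
    return 0;
}

int main(void) {
    char tmpl[] = "/tmp/apt-changelog-XXXXXX";   /* assumed template */
    char path[PATH_MAX];
    if (mkdtemp(tmpl) == NULL) { perror("mkdtemp"); return 1; }
    printf("buggy join inside tmpdir: %d\n", changelog_path_inside(tmpl, 0)); /* 0 */
    printf("fixed join inside tmpdir: %d\n", changelog_path_inside(tmpl, 1)); /* 1 */
    build_changelog_path(tmpl, 1, path, sizeof path);
    if (create_exclusive(path) == 0) unlink(path);
    rmdir(tmpl);
    return 0;
}
```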