Your message dated Thu, 26 Jun 2008 16:36:10 -0400 with message-id <[EMAIL PROTECTED]> and subject line Re: checkinstall: Unsafe temp dir creation has caused the Debian Bug report #488140, regarding checkinstall: Unsafe temp dir creation to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [EMAIL PROTECTED] immediately.)

--
488140: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=488140
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: checkinstall
Version: 1.6.1-6
Severity: grave
Tags: security patch
Justification: user security hole

*** Please type your report below this line ***

Checkinstall (and installwatch) create temporary directories manually instead of using mktemp, which creates a race condition. The attached patch changes these into calls to mktemp, which is secure.

-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.25-preempt (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages checkinstall depends on:
ii dpkg-dev 1.15.0 Debian package development tools
ii file 4.24-2 Determines file type using "magic"
ii findutils 4.4.0-2 utilities for finding files--find,
ii libc6 2.7-12 GNU C Library: Shared libraries

Versions of packages checkinstall recommends:
ii make 3.81-5 The GNU version of the "make" util

-- no debconf information

Index: checkinstall =================================================================== --- checkinstall (revision 10000) +++ checkinstall (working copy) @@ -965,16 +965,8 @@ # Find a safe TMP_DIR -TMP_DIR=${BASE_TMP_DIR}/`awk 'BEGIN { srand(); for (i=1;i<22;i++) { a=95; while (a > 90 && a < 97) { a=65+int(50*rand())}; printf("%c", a) } }'` -[ -e "$TMP_DIR" ] && rm -rf $TMP_DIR -if [ -e "$TMP_DIR" ]; then - echo - echog "My temp dir exists already.\nThis looks like a symlink attack!" - echo - echog "*** Aborting" - echo - exit 1 -fi +TMP_DIR=`mktemp -q -d -p "${BASE_TMP_DIR}"` +RETURN=$? if [ "$TMP_DIR" = "$BASE_TMP_DIR" -o "$TMP_DIR" = "/" ]; then echo
@@ -985,11 +977,6 @@ exit 1 fi - -mkdir $TMP_DIR -chmod 700 $TMP_DIR -RETURN=$? - if [ $RETURN -gt 0 ]; then echo echog "**** Failed to create temp dir! \n**** Do you have write permission for %s? \n\n**** Aborting installation." "$BASE_TMP_DIR" Index: installwatch-0.7.0beta5/installwatch =================================================================== --- installwatch-0.7.0beta5/installwatch (revision 10000) +++ installwatch-0.7.0beta5/installwatch (working copy) @@ -74,31 +74,8 @@ local mkt_refdir=$1 local mkt_wrkdir="" - mkt_wrkdir=${BASE_TMP_DIR}/\ -`awk 'BEGIN {\ - srand();\ - for (i=1;i<21;i++) {\ - a=95;\ - while (a > 90 && a < 97) {\ - a=65+int(50*rand())\ - };\ - printf("%c", a) \ - }\ -}'` - - [ -e "${mkt_wrkdir}" ] && rm -rf ${mkt_wrkdir} - if [ -e "${mkt_wrkdir}" ]; then - echo - echo "Error : My temp dir exists already. This looks like a symlink attack!" - echo - echo "*** Aborting ***" - echo - exit 1 - fi + mkt_wrkdir=`mktemp -q -d -p ${BASE_TMP_DIR}` - mkdir ${mkt_wrkdir} - chmod 0700 ${mkt_wrkdir} - eval $mkt_refdir=\$mkt_wrkdir }
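Review bot: In the checkinstall hunk at -965, the replacement `TMP_DIR=\`mktemp -q -d -p "${BASE_TMP_DIR}"\`` is the right fix, and capturing `RETURN=$?` on the very next line matters, because the `[ "$TMP_DIR" = "$BASE_TMP_DIR" -o ... ]` test that follows would otherwise overwrite `$?`. It is worth recording in the changelog why the removed lines were unsafe: the `awk` generator seeds `srand()` from the clock, so the name was guessable, and `[ -e "$TMP_DIR" ] && rm -rf $TMP_DIR` followed later by `mkdir` is a check-then-act sequence in a shared directory. One gap remains: with `-q` a failed `mktemp` prints nothing and leaves `TMP_DIR` empty, and the retained test only compares against `$BASE_TMP_DIR` and `/`, so consider adding `-o -z "$TMP_DIR"` there rather than relying solely on the `RETURN` check further down.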
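Review bot: Dropping `mkdir $TMP_DIR` and `chmod 700 $TMP_DIR` in the -985 hunk is correct, since `mktemp -d` creates the directory with mode 0700 in one step, and it also removes a defect of the old lines: `RETURN=$?` there captured the status of `chmod`, not of `mkdir`, so a failed `mkdir` on a pre-existing path followed by a successful `chmod` went unnoticed. The retained `if [ $RETURN -gt 0 ]` now reads the status captured right after `mktemp`; the only code between the two hunks is the `echo`/`exit 1` block of the sanity test, so the value survives, but a comment above the `if` saying that `RETURN` comes from `mktemp` would stop a later edit from silently breaking that.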
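Review bot: The installwatch hunk at -74 has no failure handling at all, unlike its checkinstall counterpart: `${BASE_TMP_DIR}` is unquoted, and because `-q` silences `mktemp`, a failure leaves `mkt_wrkdir` empty and `eval $mkt_refdir=\$mkt_wrkdir` hands that empty string back to the caller. Suggest quoting the directory and stopping on error, for example `mkt_wrkdir=\`mktemp -q -d -p "${BASE_TMP_DIR}"\` || { echo "Error : cannot create temp dir in ${BASE_TMP_DIR}" >&2; exit 1; }`, and testing `[ -n "${mkt_wrkdir}" ]` before the `eval`.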
--- End Message ---
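The fix the report's patch adopts, shown here as an added example rather than checkinstall's or installwatch's own code: a mktemp-based helper with the status check and empty-name guard that the hunks leave to the caller. It assumes GNU or BusyBox `mktemp` (`-q -d -p`) and `stat -c`; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not checkinstall/installwatch code): the mktemp pattern the
# patch switches to, plus the failure handling the hunks leave to the caller.
# Assumes GNU/BusyBox mktemp and stat -c; function names are hypothetical.

# Create a private work directory under $1 and print its path.
# mktemp -d creates it atomically with mode 0700, so there is no separate
# exists-check, mkdir or chmod step for a symlink planter to race against.
make_work_dir() {
    local base dir
    base=$1
    dir=$(mktemp -q -d -p "$base" checkinstall.XXXXXXXXXX) || return 1
    # -q suppresses mktemp's own diagnostic, so a failure shows up only as a
    # non-zero status and an empty name; never let an empty or suspicious
    # path reach a later "rm -rf".
    [ -n "$dir" ] || return 1
    [ "$dir" != "$base" ] && [ "$dir" != "/" ] || return 1
    printf '%s\n' "$dir"
}

# Octal permission bits of a path, used to confirm the 0700 guarantee.
work_dir_mode() {
    stat -c '%a' "$1"
}

# Typical use: create, register cleanup, then work inside the directory.
main() {
    work=$(make_work_dir "${TMPDIR:-/tmp}") || {
        echo "*** Failed to create temp dir in ${TMPDIR:-/tmp}, aborting" >&2
        exit 1
    }
    trap 'rm -rf "$work"' EXIT
    echo "working in $work (mode $(work_dir_mode "$work"))"
}

main "$@"
```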
--- Begin Message ---
Version: 1.6.1-7

The patch was applied on version 1.6.1-7.

Regards,
Felipe Sateler
--- End Message ---