Re: Possible mass bug filing: The possibility of attack with the help of symlinks in some Debian packages

2008-09-07 Thread Javier Fernández-Sanguino Peña
On Tue, Aug 12, 2008 at 03:52:14PM -0700, John H. Robinson, IV wrote:
 As mktemp and tempfile are both essential[2], they can be relied upon.

Essential in Debian, not in other systems.

 Is there any scenario where using mktemp or tempfile fails, and using
 $TMPDIR succeeds?

Scripts that are written with portability to other OSes in mind (or have been
originally written for these OSes and are now used in Linux). Some might even
try to use mktemp/tempfile and fallback to $TMPDIR (or just plain /tmp) if
unavailable. These scripts show up as false positives when looking for tmp
race conditions using simple tools  (such as 'grep' :)

Regards

Javier



signature.asc
Description: Digital signature
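
The grep-style scan that Javier and Dmitry are talking about, written out as an added example for this thread (it is not Dmitry's find_the_bug2.sh and not the lintian check). The sample maintainer script it runs over is constructed here from the fixed names listed in the thread's reports (/tmp/ppp-errors, /tmp/twiki, /tmp/HACK, /tmp/probe-finished, /tmp/resolv.conf.tmp); the two exclusions encode Javier's false-positive case (a mktemp/tempfile template) and the /tmp/.X11-unix question raised in the lintian bug:

```shell
#!/bin/sh
# Added example (not Dmitry's find_the_bug2.sh and not the lintian check):
# a grep-based scan for fixed /tmp paths in a maintainer script, with the
# two exclusions this thread argues about built in. It is line based: a
# command continued with a trailing backslash, or a path assembled from a
# variable, is not seen as a whole.

# scan_script: reads a script on stdin and prints the lines that write to,
# copy to, change or remove a fixed path under /tmp. Exit status is grep's
# (1 when nothing was found).
scan_script() {
    grep -v -E '^[[:space:]]*#' |                  # whole-line comments
    grep -E '/tmp/' |                               # candidate lines
    grep -v -E '(mktemp|tempfile)[^|;&]*X{3,}' |   # generated names, not fixed
    grep -v -E '/tmp/\.X11-unix' |                  # X socket dir, a known exception
    grep -E '(>>?[[:space:]]*/tmp/|(^|[|;&[:space:]])(tee|cp|mv|mkdir|chmod|chown|rm)[[:space:]][^|;&]*/tmp/)'
}

# count_findings: number of lines scan_script reports for the script on stdin.
count_findings() {
    scan_script | wc -l | tr -d ' '
}

# Constructed sample maintainer script; the fixed names are the ones listed
# in the reports in this thread. Five of the lines are genuine findings.
sample_script() {
    cat <<'EOF'
#!/bin/sh
set -e
# a comment mentioning /tmp/HACK is not a finding
T=$(mktemp -d /tmp/os-prober.XXXXXX)
echo probe > "$T/probe"
ls /tmp/.X11-unix
cp /etc/resolv.conf /tmp/resolv.conf.tmp
chmod 1777 /tmp/twiki
modprobe ppp 2>&1 | tee /tmp/ppp-errors
rm -f /tmp/probe-finished
echo HACK > /tmp/HACK
EOF
}

sample_script | scan_script || echo "no findings"
echo "findings: $(sample_script | count_findings)"
```

Running it lists the five offending lines (cp, chmod, tee, rm and the redirect) and skips the shebang, the comment, the mktemp template and the X11 socket directory. What it cannot do is follow a name through a variable (`D=/tmp/work; cp x "$D/y"`) or across a backslash continuation; a real check has to join continued lines first, as Dmitry's lintian script does, and still needs a human to sort the hits by severity.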


Re: Possible mass bug filing: The possibility of attack with the help of symlinks in some Debian packages

2008-08-28 Thread Michelle Konzack
Hi *,

a little bit late, but since I am currently working in Germany...


Am 2008-08-11 17:31:51, schrieb Sam Morris:
 A while ago, the use of libpam-tmpdir was suggested in order to mitigate 
 some of these attacks. It would be nice to see it in use by default, some 
 day.
 
 Obviously there will always be some programs that don't look at the 
 TMPDIR environment variable and directly use /tmp. Isn't there some fancy 
 thing in current kernels that allows /tmp to be mounted individually for 
 each user?

I have been using a self-made tool called tdtmpdir for some years:

[EMAIL PROTECTED]:~] tdtmpdir --show-tmpdirs
You have following TMPDIR's cached:
   FQDN                            | DIS |   TMPDIR
-----------------------------------+-----+------------------------------
                                   |     | /tmp/michelle.konzack.LbUVct
aspire1350.private.tamay-dogan.n   |     | /tmp/michelle.konzack.XC3917
mail.private.tamay-dogan.net       |     | /tmp/michelle.konzack.YG3771
samba3.private.tamay-dogan.net     |     | /tmp/michelle.konzack.iV5846
tp570.private.tamay-dogan.net      |     | /tmp/michelle.konzack.rATqyA
tp570.private.tamay-dogan.net      | :0  | /tmp/michelle.konzack.rATqyA
tp570.private.tamay-dogan.net      | :1  | /tmp/michelle.konzack.rATqyA


The TMPDIRs are cached in:

[EMAIL PROTECTED]:~] ls .tmpdir*
-rw-r--r-- 1 michelle.konzack private 29 2007-11-01 22:00 .tmpdir_aspire1350.private.tamay-dogan.net
-rw-r--r-- 1 michelle.konzack private 29 2007-11-13 14:16 .tmpdir_mail.private.tamay-dogan.net
-rw-r--r-- 1 michelle.konzack private 29 2008-08-20 19:43 .tmpdir_samba3.private.tamay-dogan.net
-rw-r--r-- 1 michelle.konzack private 29 2008-08-19 23:19 .tmpdir_tp570.private.tamay-dogan.net
-rw-r--r-- 1 michelle.konzack private 29 2008-08-20 19:43 .tmpdir_tp570.private.tamay-dogan.net:0
-rw-r--r-- 1 michelle.konzack private 29 2007-12-29 22:04 .tmpdir_tp570.private.tamay-dogan.net:1


The FQDN is there because I mount /home/ over NFS, and in /etc/profile I
have

if [ -x /bin/tdtmpdir ] ; then
  . /bin/tdtmpdir
fi

and since not all programs honor $TMPDIR I have

[EMAIL PROTECTED]:~] env |grep /tmp/
TMPDIR=/tmp/michelle.konzack.iV5846
TEMP=/tmp/michelle.konzack.iV5846
TEMPDIR=/tmp/michelle.konzack.iV5846
TMP=/tmp/michelle.konzack.iV5846

Unfortunately GIMP and OpenOffice ignore $TMPDIR and the other three,
which is really annoying. Some time ago I already reported a bug
against GIMP, but it was closed.

Thanks, Greetings and nice Day/Evening
Michelle Konzack
Systemadministrator
24V Electronic Engineer
Tamay Dogan Network
Debian GNU/Linux Consultant


-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
# Debian GNU/Linux Consultant #
Michelle Konzack   Apt. 917  ICQ #328449886
+49/177/935194750, rue de Soultz MSN LinuxMichi
+33/6/61925193 67100 Strasbourg/France   IRC #Debian (irc.icq.com)




Re: Possible mass bug filing: The possibility of attack with the help of symlinks in some Debian packages

2008-08-19 Thread Dmitry E. Oboukhov
Package: lintian
Tags: patch, security
Severity: wishlist

Hello, lintian maintainers!
Please see the full discussion in -devel:
http://lists.debian.org/debian-devel/2008/08/msg00271.html
For example, see the bug
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494648
(if an attacker makes a symlink from /tmp/twiki to /etc/shadow, then
 he gets full access to the system when twiki installs or
 upgrades)




Hi all!

I wrote a check script for the lintian package. This additional check
verifies Debian packages for the presence of the discussed bug.

Notes and additions are welcome.

The patch is attached.

PS: X11 also uses the /tmp/.X11-unix directory, which may be usable for
attacks, I don't know :(

But many scripts (in different packages) use /tmp/.X11-unix; if this is
not a security problem, maybe I should make the lintian script ignore
this directory?

I don't know yet :(

DEO This message about the error concerns a few packages at once. I've
DEO tested all the packages on my Debian mirror. (post|pre)(inst|rm) and
DEO config scripts were tested.

DEO In some packages I've discovered scripts with errors which may be used
DEO by a user for damaging important system files.

DEO For example, if a script uses a temp file created in the /tmp
DEO directory, then every user can create a symlink with the same name in
DEO this directory in order to destroy or rewrite some system file.

DEO I set Severity to grave for this bug. The table of discovered
DEO problems is below.
--
... mpd is off

. ''`. Dmitry E. Oboukhov
: :’  : [EMAIL PROTECTED]
`. `~’ GPGKey: 1024D / F8E26537 2006-11-21
  `- 1B23 D4F8 8EC0 D902 0555  E438 AB8C 00CF F8E2 6537
--- checks/symlink_attack	1970-01-01 03:00:00.0 +0300
+++ checks/symlink_attack	2008-08-19 23:11:44.0 +0400
@@ -0,0 +1,114 @@
+# symlink_attack -- lintian check script -*- perl -*-
+#
+# Copyright (C) 2008 Dmitry E. Oboukhov [EMAIL PROTECTED]
+# 
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+# 
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see http://www.gnu.org/licenses/.
+
+package Lintian::symlink_attack;
+use strict;
+use Tags;
+
+# check file
+# 
+# the parameters:
+#   1. name of check file
+#   2. error template
+#   3. warning template
+sub check_file($$$)
+{
+	my ($file_name, $err_tmpl, $warn_tmpl)[EMAIL PROTECTED];
+
+open my $file, '', $file_name
+or die Can not open file `$file_name': $!\n;
+
+$file_name =~ s/^..// if $file_name =~ m{^\./};
+$file_name =~ s{^debfiles/}{debian/};
+
+# read begin of shebang
+local $_;
+return unless 10 == read $file, $_, 10;
+return unless m{^#!\s*/};
+seek $file, 0, 0;
+
+$_ = $file;
+return unless m{^#!\s*(?:/\S+){2,}};
+
+# read all file content
+# (remove comments, join backslash-ended string)
+$_ = join '', map { s/#.*/\n/; s/\\$//; $_ } readline $file;
+
+# errors
+my $errors_found;
+if (m{\s*/tmp/} or m{(?:^|[|\s])tee\s+(?:-\S+\s+)*/tmp/}m)
+{
+$errors_found=1;
+tag $err_tmpl, $file_name (pipe);
+}
+
+my @wh = m{(mount|mkdir|chown|chmod)\s[^;]*?/tmp/}g;
+# remove dups
+@wh = keys %{{ map {($_,0)} @wh }};
+if (@wh)
+{
+	$errors_found=1;
+tag $err_tmpl, $file_name ($_) for @wh;
+}
+
+# warnings
+unless ($errors_found)
+{
+tag $warn_tmpl, $file_name if m{\s+/tmp/};
+}
+}
+
+
+sub run 
+{
+	my ($package, $type)=(@_);
+
+my @check_files;
+
+# check maintainer scripts
+	if ($type eq 'source')
+	{
+	@check_files=
+	grep /(((pre|post)(inst|rm))|(config))(?:\.in)?$/,
+	glob ('debfiles/*');
+	}
+	else
+	{
+	@check_files=
+	grep /(((pre|post)(inst|rm))|(config))$/, glob ('control/*');
+	}
+check_file $_ = 'maint-scripts-uses-tmp-err', 
+'maint-scripts-uses-tmp-warn' for @check_files;
+
+# check binary all files in the package
+if ($type eq 'binary')
+{
+	chdir 'unpacked';
+	open my $dir, '-|', 'find -type f -executable'
+	or die Can not start find: $!;
+	while($dir)
+	{
+		chomp;
+	check_file $_ = 'scripts-uses-tmp-err', 'scripts-uses-tmp-warn';
+	}
+	chdir '..';
+}
+}
+
+1;
+
+# vim: syntax=perl ts=4 sw=4 expandtab
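Review bot: the error test `if (m{\s*/tmp/} or m{(?:^|[|\s])tee\s+(?:-\S+\s+)*/tmp/}m)` matches every occurrence of `/tmp/` in the file, because `\s*` can match nothing, so `$errors_found` is set whenever `/tmp/` appears at all and the `unless ($errors_found)` warning branch below it can never fire; if a redirection operator was meant in front of `\s*`, it has to be written into the pattern explicitly. As it stands the check also reports `mktemp -d /tmp/name.XXXXXX` templates, which are the safe idiom this thread recommends, and the `/tmp/.X11-unix` socket directory the cover mail asks about; dropping template uses before matching, e.g. `s{(?:mktemp|tempfile)[^\n|;&]*X{3,}[^\n]*}{}g`, and treating `/tmp/.X11-unix` as a known exception would remove both classes of false positive. Smaller points: `die` on an unopenable file aborts the whole lintian run instead of skipping that file (`warn` and `return` is the usual behaviour for a check); `s/#.*/\n/` strips from any `#`, including `$#` and a `#` inside a quoted string, so the rest of such a line is never scanned; and `find -type f -executable` in `run` only reaches scripts that carry the execute bit, so anything invoked as `sh script` is never examined. Russ points out that lintian already emits `possibly-insecure-handling-of-tmp-files-in-maintainer-script`; the maintainer-script half of this check should be merged into that tag rather than duplicated as a second check.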
--- checks/symlink_attack.desc	1970-01-01 03:00:00.0 +0300
+++ checks/symlink_attack.desc	2008-08-19 

Re: Bug#495705: Possible mass bug filing: The possibility of attack with the help of symlinks in some Debian packages

2008-08-19 Thread Russ Allbery
Dmitry E. Oboukhov [EMAIL PROTECTED] writes:

 Package: lintian
 Tags: patch, security
 Severity: wishlist

 Hello, lintian maintainers!
 Please see the full discussion in -devel:
 http://lists.debian.org/debian-devel/2008/08/msg00271.html
 for example, see the bug
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494648
   (if attacker makes symlink from /tmp/twiki to /etc/shadow, then
he takes full access to the system (when twiki installs or
upgrades))

 I wrote a check script for the lintian package. This additional check
 verifies Debian packages for the presence of the discussed bug.

Lintian already checks for this.  If the current check is not sufficient
(which is certainly believable), it should be improved, rather than adding
a new, separate check.  See
possibly-insecure-handling-of-tmp-files-in-maintainer-script.

This, like various other checks, should be extended to more than just
maintainer scripts, which requires some additional infrastructure work on
the lintian script checking.

-- 
Russ Allbery ([EMAIL PROTECTED])   http://www.eyrie.org/~eagle/


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: Possible mass bug filing: The possibility of attack with the help of symlinks in some Debian packages

2008-08-16 Thread Vincent Danjean
Brian May wrote:
 Ivan Jager wrote:
 qemu-make-debian-root will continue running even if mkdir failed.
 Dmitry said the script has -e set - if so the script will not continue
 running if mkdir failed (unless it somehow overrides the -e check, e.g.
 mkdir /tmp/file || true).

You must take care with subshells, too. For example, try typing this in bash:
( set -e ; ( false ) ; echo ok )
You will see the 'ok'...
The situation can be more complex (a function called from a subshell, ...).

  Regards,
Vincent

-- 
Vincent Danjean   GPG key ID 0x9D025E87 [EMAIL PROTECTED]
GPG key fingerprint: FC95 08A6 854D DB48 4B9A  8A94 0BF7 7867 9D02 5E87
Unofficial packages: http://www-id.imag.fr/~danjean/deb.html#package
APT repo:  deb http://perso.debian.org/~vdanjean/debian unstable main





Re: Possible mass bug filing: The possibility of attack with the help of symlinks in some Debian packages

2008-08-15 Thread Brian May

Ivan Jager wrote:

qemu-make-debian-root will continue running even if mkdir failed.

Dmitry said the script has -e set - if so the script will not continue running 
if mkdir failed (unless it somehow overrides the -e check, e.g. mkdir /tmp/file 
|| true).

Also, assuming qemu-make-debian-root is running with PID 1234, an 
attacker is free to change the /tmp/mount.1234 symlink during the 
execution of the script. If /tmp/mount.1234 is linked to /etc/, the 
script will mount the freshly created filesystem image on top of /etc, 
making a lot of programs very sad.


An attacker could then change the symlink such that debootstrap will 
install anywhere he wants. (which may allow him to overwrite some 
files, but I haven't looked closely at debootstrap.)
I don't think these attacks are possible if the script aborts when mkdir 
fails. mkdir won't succeed if there is a symlink.


In any case, doing something better would be good because it means an 
attacker can't run a denial-of-service type attack and prevent the 
script from running.


Brian May





Re: Possible mass bug filing: The possibility of attack with the help of symlinks in some Debian packages

2008-08-13 Thread Brian May

Dmitry E. Oboukhov wrote:

qemu mounts the directory /tmp/mount.$$. An attacker creates many
symlinks /tmp/dir.\d+ -> /etc, and if qemu
(/usr/sbin/qemu-make-debian-root) starts then /etc goes
out of the root directory tree. The result: the system is unusable.
  

I might be dense, but I don't get this.

Attacker does:

[EMAIL PROTECTED]:/tmp# ln -s /etc /tmp/mount-1234

Then the genuine user does:

[EMAIL PROTECTED]:/tmp# mkdir /tmp/mount-1234
mkdir: cannot create directory `/tmp/mount-1234': File exists

strace shows:
mkdir("/tmp/pmount-1234", 0777) = -1 EEXIST (File exists)

So, ok, this means the process can't continue any more (denial of 
service attack), and if the process does continue this is a problem, 
otherwise I can't see how this would bring the entire system down.


Brian May





Re: Possible mass bug filing: The possibility of attack with the help of symlinks in some Debian packages

2008-08-13 Thread Dmitry E. Oboukhov
On 18:42 Wed 13 Aug , Brian May wrote:
 Dmitry E. Oboukhov wrote:
 qemu mounts the directory /tmp/mount.$$. An attacker creates many
 symlinks /tmp/dir.\d+ -> /etc, and if qemu
 (/usr/sbin/qemu-make-debian-root) starts then /etc goes
 out of the root directory tree. The result: the system is unusable.
 
 I might be dense, but I don't get this.

 Attacker does:

 [EMAIL PROTECTED]:/tmp# ln -s /etc /tmp/mount-1234

 Then the genuine user does:

 [EMAIL PROTECTED]:/tmp# mkdir /tmp/mount-1234
 mkdir: cannot create directory `/tmp/mount-1234': File exists

 strace shows:
 mkdir("/tmp/pmount-1234", 0777) = -1 EEXIST (File exists)

 So, ok, this means the process can't continue any more (denial of
 service attack), and if the process does continue this is a problem,
 otherwise I can't see how this would bring the entire system down.

 Brian May

yes, the set -e directive is present in this script :)

Of course, the report needs to be verified by hand
to separate it by severity levels :)

I'll add a few directives to the check to verify scripts for 'set -e' :)

--
... mpd is off

. ''`. Dmitry E. Oboukhov
: :’  : [EMAIL PROTECTED]
`. `~’ GPGKey: 1024D / F8E26537 2006-11-21
  `- 1B23 D4F8 8EC0 D902 0555  E438 AB8C 00CF F8E2 6537




Re: Possible mass bug filing: The possibility of attack with the help of symlinks in some Debian packages

2008-08-13 Thread Ivan Jager

On Wed, 13 Aug 2008, Brian May wrote:

Dmitry E. Oboukhov wrote:

qemu mounts the directory /tmp/mount.$$. An attacker creates many
symlinks /tmp/dir.\d+ -> /etc, and if qemu
(/usr/sbin/qemu-make-debian-root) starts then /etc goes
out of the root directory tree. The result: the system is unusable.


I might be dense, but I don't get this.

Attacker does:

[EMAIL PROTECTED]:/tmp# ln -s /etc /tmp/mount-1234

Then the genuine user does:

[EMAIL PROTECTED]:/tmp# mkdir /tmp/mount-1234
mkdir: cannot create directory `/tmp/mount-1234': File exists

strace shows:
mkdir("/tmp/pmount-1234", 0777) = -1 EEXIST (File exists)

So, ok, this means the process can't continue any more (denial of service 
attack), and if the process does continue this is a problem, otherwise I 
can't see how this would bring the entire system down.


qemu-make-debian-root will continue running even if mkdir failed. Also, 
assuming qemu-make-debian-root is running with PID 1234, an attacker is 
free to change the /tmp/mount.1234 symlink during the execution of the 
script. If /tmp/mount.1234 is linked to /etc/, the script will mount the 
freshly created filesystem image on top of /etc, making a lot of programs 
very sad.


An attacker could then change the symlink such that debootstrap will 
install anywhere he wants. (which may allow him to overwrite some files, 
but I haven't looked closely at debootstrap.)


And then he could change the symlink again to overwrite and delete a few 
more files.


Of course some of these are timing attacks, so may work with varying 
reliability.


Ivan
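
The points Brian, Dmitry, Ivan and Vincent are making about mkdir and set -e, as an added example (not code from qemu-make-debian-root or from anyone in the thread): plain mkdir does refuse a planted symlink, mkdir -p does not, and set -e is silently ignored in the contexts POSIX lists, so a script "continues running" exactly as Ivan describes. The name mount.1234 stands in for mount.$$; everything happens under a throwaway directory:

```shell
#!/bin/sh
# Added example (not from the thread or from qemu-make-debian-root): what
# "mkdir /tmp/mount.$$" does when a local user has planted a symlink of that
# name, and why "set -e" is not a reliable way to notice the failure.
# Everything happens under a throwaway directory: $1 stands in for /tmp and
# $2 for the attacker's target (e.g. /etc). mount.1234 stands in for mount.$$.

# Attacker: plant a symlink with the predictable name.
plant_link() {
    ln -s "$2" "$1/mount.1234"
}

# Case 1: plain mkdir. mkdir(2) returns EEXIST for any existing name, a
# symlink (dangling or not) included, so a *checked* mkdir reduces the attack
# to denial of service. Returns mkdir's own status (1 here).
mkdir_plain() {
    mkdir "$1/mount.1234" 2>/dev/null
}

# Case 2: mkdir -p. An existing directory is not an error for -p, and a
# symlink to a directory counts as one, so the script carries on and its
# "work directory" is really the attacker's target. Prints where a file
# created in the work directory actually landed.
mkdir_dash_p() {
    mkdir -p "$1/mount.1234" || return 1
    : > "$1/mount.1234/marker"
    if [ -e "$2/marker" ]; then
        echo "marker landed in attacker target"
    else
        echo "marker landed in work directory"
    fi
}

# Case 3: "set -e" inside a function that is invoked as an if-condition.
# POSIX requires -e to be ignored for an if/while condition, for all but the
# last command of an && / || list, and for everything run inside a function or
# compound command called from such a context. The failed mkdir therefore does
# not abort and the next line runs.
setup_workdir() {
    set -e
    mkdir "$1/mount.1234" 2>/dev/null
    echo "continuing with $1/mount.1234"
}
run_in_condition() {
    if setup_workdir "$1"; then :; fi
}

# Fix: test the mkdir result explicitly and stop; mktemp -d is better still,
# because the name is then also unguessable.
setup_checked() {
    d="$1/mount.1234"
    if ! mkdir "$d" 2>/dev/null; then
        echo "refusing to use $d: it already exists" >&2
        return 1
    fi
    printf '%s\n' "$d"
}

demo() {
    sb=$(mktemp -d) || return 1
    mkdir "$sb/tmp" "$sb/etc"
    plant_link "$sb/tmp" "$sb/etc"
    if mkdir_plain "$sb/tmp"; then echo "plain mkdir: succeeded (unexpected)"
    else echo "plain mkdir: refused (EEXIST)"; fi
    echo "mkdir -p:    $(mkdir_dash_p "$sb/tmp" "$sb/etc")"
    echo "set -e:      $(run_in_condition "$sb/tmp")"
    setup_checked "$sb/tmp" 2>/dev/null || echo "checked:     aborted as it should"
    rm -rf "$sb"
}
demo
```

The practical reading of Brian's strace: EEXIST from mkdir is only a safe outcome if something looks at it. `mkdir -p`, a `|| true`, a function called from an `if`, or a later `mount`/`rm -rf` on the same name after the script has moved on all turn the denial of service back into the redirection Ivan describes, and the name itself ($$ is a PID, visible in `ps`) is what lets the attacker plant the link ahead of time.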





Re: Possible mass bug filing: The possibility of attack with the help of symlinks in some Debian packages

2008-08-13 Thread Dmitry E. Oboukhov

Report of sid: http://uvw.ru/report.sid.txt

--
... mpd is off

. ''`. Dmitry E. Oboukhov
: :’  : [EMAIL PROTECTED]
`. `~’ GPGKey: 1024D / F8E26537 2006-11-21
  `- 1B23 D4F8 8EC0 D902 0555  E438 AB8C 00CF F8E2 6537




Re: Possible mass bug filing: The possibility of attack with the help of symlinks in some Debian packages

2008-08-12 Thread Dmitry E. Oboukhov
On 13:45 Mon 11 Aug , Joey Hess wrote:
JH Dmitry E. Oboukhov wrote:
JH  os-prober_1.17  os-prober   /tmp/mounted-map (pipe)
JH                              /tmp/raided-map  (pipe)

JH os-prober writes to $OS_PROBER_TMP/{mounted-map,raided-map,etc}, which is created by:

JH if [ -z "$OS_PROBER_TMP" ]; then
JH     if type mktemp >/dev/null 2>&1; then
JH         export OS_PROBER_TMP="$(mktemp -d /tmp/os-prober.XXXXXX)"
JH         trap "rm -rf $OS_PROBER_TMP" EXIT HUP INT QUIT TERM
JH     else
JH         export OS_PROBER_TMP=/tmp
JH     fi
JH fi

package: os-prober_1.17_i386.deb
file: /usr/bin/os-prober

$ grep '/tmp/' bin/os-prober
grep "^/dev/" /proc/mounts | parse_proc_mounts > /tmp/mounted-map || true
: > /tmp/raided-map
grep "^md" /proc/mdstat | parse_proc_mdstat > /tmp/raided-map || true
if grep -q "^$mapped " /tmp/raided-map; then
if ! grep -q "^$mapped " /tmp/mounted-map; then
mpoint=$(grep "^$mapped " /tmp/mounted-map | cut -d " " -f 2)
type=$(grep "^$mapped " /tmp/mounted-map | cut -d " " -f 3)


Oldstable   1.04
Stable      1.17 - in my list :)
Testing     1.26
Unstable    1.27

The script writes /tmp/mounted-map and /tmp/raided-map via a pipe.

The new version (1.26) writes to $OS_PROBER_TMP/raided-map :)

JH This use of mktemp -d should be secure.

JH mktemp is a required package, so the insecure code path should only ever
JH run inside a d-i environment, which has no non-root users.
--
... mpd is off

. ''`. Dmitry E. Oboukhov
: :’  : [EMAIL PROTECTED]
`. `~’ GPGKey: 1024D / F8E26537 2006-11-21
  `- 1B23 D4F8 8EC0 D902 0555  E438 AB8C 00CF F8E2 6537




Re: Possible mass bug filing: The possibility of attack with the help of symlinks in some Debian packages

2008-08-12 Thread Dmitry E. Oboukhov
 A while ago, the use of libpam-tmpdir was suggested in order to mitigate
 some of these attacks. It would be nice to see it in use by default, some
 day.
 
 Obviously there will always be some programs that don't look at the
 TMPDIR environment variable and directly use /tmp.
 write file to /tmp/filename == write file to $TMPDIR/filename
 both cases are security holes if TMPDIR=/tmp :)

 The idea behind libpam-tmpdir is that it creates a subdirectory of /tmp
 that is only accessible by that user, and then sets TMPDIR and other
 variables to that. Hence, it doesn't matter nearly as much if you
 create a non-random filename, because nobody but you can access it.

Yes, but
scripts must use $TMPDIR instead of '/tmp', or the mktemp/tempfile utils :)

--
... mpd playing: U.D.O. - Midnight Mover

. ''`. Dmitry E. Oboukhov
: :’  : [EMAIL PROTECTED]
`. `~’ GPGKey: 1024D / F8E26537 2006-11-21
  `- 1B23 D4F8 8EC0 D902 0555  E438 AB8C 00CF F8E2 6537




Re: Possible mass bug filing: The possibility of attack with the help of symlinks in some Debian packages

2008-08-12 Thread Dmitry E. Oboukhov

The attached script looks through a mirror of a specified distribution
and searches for '\s*/tmp/' and 'tee [^|]*/tmp/' constructions.

It finds fewer errors than I found earlier, but its results are
more accurate.

The script looks through all the files of packages that are marked as executable.
That is, even if the script is in /usr/share/doc and is marked as
executable, it will be tested nevertheless.

A full pass over a mirror takes a few hours.
Later I shall publish the reports on lenny (already attached) and etch.
:)

Attachments:
report of lenny: http://uvw.ru/report.lenny.txt
script: http://uvw.ru/find_the_bug2.sh

Somebody may want to rewrite the 'check' section of the script ;)

short report of lenny:

Package: aegis
Version: 4.24-3
 /usr/share/doc/aegis/examples/remind/bng_dvlpd.sh
 /usr/share/doc/aegis/examples/remind/bng_rvwd.sh
 /usr/share/doc/aegis/examples/remind/awt_dvlp.sh
 /usr/share/doc/aegis/examples/remind/awt_intgrtn.sh

Package: aegis-web
Version: 4.24-3
 /usr/lib/cgi-bin/aegis.cgi

Package: ampache
Version: 3.4.1-1
 /usr/share/ampache/www/locale/base/gather-messages.sh

Package: apertium
Version: 3.0.7+1-1+b1
 /usr/bin/apertium-gen-deformat
 /usr/bin/apertium-gen-reformat
 /usr/bin/apertium

Package: aptoncd
Version: 0.1-1.1
 /usr/share/aptoncd/xmlfile.py

Package: ara-byte
Version: 1.0.25
 /usr/bin/ara

Package: arb-common
Version: 0.0.20071207.1-4
 /usr/lib/arb/SH/arb_fastdnaml
 /usr/lib/arb/SH/dszmconnect.pl

Package: audiolink
Version: 0.05-1
 /usr/bin/audiolink

Package: aview
Version: 1.3.0rc1-8
 /usr/bin/asciiview

Package: bacula-common
Version: 2.4.2-1
 
 /usr/share/doc/bacula-common/examples/autochangers/mtx-changer.Adic-Scalar-24

Package: bash-doc
Version: 3.2-4
 /usr/share/doc/bash/examples/misc/aliasconv.sh
 /usr/share/doc/bash/examples/misc/aliasconv.bash
 /usr/share/doc/bash/examples/misc/cshtobash

Package: bk2site
Version: 1:1.1.9-3.1
 /usr/lib/cgi-bin/bk2site/redirect.pl

Package: bulmages-servers
Version: 0.11.1-2
 /usr/share/bulmages/examples/scripts/actualizabulmacont
 /usr/share/bulmages/examples/scripts/installbulmages-db
 /usr/share/bulmages/examples/scripts/creabulmafact
 /usr/share/bulmages/examples/scripts/creabulmacont
 /usr/share/bulmages/examples/scripts/actualizabulmafact

Package: caudium
Version: 3:1.4.12-11
 /usr/share/caudium/configvar

Package: cdcontrol
Version: 1.90-1.1
 /usr/lib/cdcontrol/writtercontrol

Package: cdrw-taper
Version: 0.4-2
 /usr/sbin/amlabel-cdrw

Package: citadel-server
Version: 7.37-1
 /usr/lib/citadel-server/migrate_aliases.sh

Package: cman
Version: 2.20080629-1
 /usr/sbin/fence_egenera

Package: cmus
Version: 2.2.0-1+b1
 /usr/share/doc/cmus/examples/cmus-status-display

Package: convirt
Version: 0.8.2-3
 /usr/share/convirt/image_store/_template_/provision.sh
 /usr/share/convirt/image_store/Linux_CD_Install/provision.sh
 /usr/share/convirt/image_store/Fedora_PV_Install/provision.sh
 /usr/share/convirt/image_store/CentOS_PV_Install/provision.sh
 /usr/share/convirt/image_store/common/provision.sh
 /usr/share/convirt/image_store/example/provision.sh
 /usr/share/convirt/image_store/Windows_CD_Install/provision.sh

Package: crossfire-maps
Version: 1.11.0-1
 /usr/share/games/crossfire/maps/Info/combine.pl

Package: ctn
Version: 3.0.6-12
 /usr/share/doc/ctn/examples/add-accession-numbers

Package: cups
Version: 1.3.7-9
 /usr/share/doc/cups/examples/pstopdf

Package: datafreedom-perl
Version: 0.1.7-1
 /usr/bin/dfxml-invoice

Package: decompyle
Version: 2.3.2-4+b1
 /usr/bin/decompyle

Package: dhis-server
Version: 5.3-1
 /usr/lib/dhis-server/dhis-dummy-log-engine

Package: digitaldj
Version: 0.7.5-6+b1
 /usr/share/digitaldj/fest.pl

Package: dist
Version: 1:3.5-17-1
 /usr/bin/patcil
 /usr/bin/patdiff

Package: docvert
Version: 3.4-4
 
 /usr/share/docvert/core/lib/pyodconverter/test-pipe-to-pyodconverter.org.sh

Package: dpkg-cross
Version: 2.3.0
 /usr/share/dpkg-cross/bin/gccross

Package: dtc-common
Version: 0.29.6-1
 /usr/share/dtc/admin/accesslog.php
 /usr/share/dtc/admin/sa-wrapper

Package: emacs-jabber
Version: 0.7.91-1
 /usr/lib/emacsen-common/packages/install/emacs-jabber

Package: emacspeak
Version: 26.0-3
 /usr/share/emacs/site-lisp/emacspeak/etc/extract-table.pl

Package: feta
Version: 1.4.16
 /usr/share/feta/plugins/to-upgrade

Package: firehol
Version: 1.256-4
 /sbin/firehol

Package: fml
Version: 4.0.3.dfsg-2
 /usr/share/fml/libexec/mead.pl

Package: freeradius-dialupadmin
Version: 2.0.4+dfsg-4
 /usr/share/freeradius-dialupadmin/bin/backup_radacct
 

Re: Possible mass bug filing: The possibility of attack with the help of symlinks in some Debian packages

2008-08-12 Thread Eugene V. Lyubimkin
Dmitry E. Oboukhov wrote:
 A while ago, the use of libpam-tmpdir was suggested in order to mitigate
 some of these attacks. It would be nice to see it in use by default, some
 day.
 Obviously there will always be some programs that don't look at the
 TMPDIR environment variable and directly use /tmp.
 write file to /tmp/filename == write file to $TMPDIR/filename
 both cases are security holes if TMPDIR=/tmp :)
 
 The idea behind libpam-tmpdir is that it creates a subdirectory of /tmp
 that is only accessible by that user, and then sets TMPDIR and other
 variables to that. Hence, it doesn't matter nearly as much if you
 create a non-random filename, because nobody but you can access it.
 
 Yes, but
 scripts must use $TMPDIR instead '/tmp' or mktemp/tempfile utils :)
tempfile uses $TMPDIR by default :)

-- 
Eugene V. Lyubimkin aka JackYF, Ukrainian C++ developer.





Re: Possible mass bug filing: The possibility of attack with the help of symlinks in some Debian packages

2008-08-12 Thread Dmitry E. Oboukhov
EVL The idea behind libpam-tmpdir is that it creates a subdirectory of /tmp
EVL that is only accessible by that user, and then sets TMPDIR and other
EVL variables to that. Hence, it doesn't matter nearly as much if you
EVL create a non-random filename, because nobody but you can access it.
EVL 
EVL Yes, but
EVL scripts must use $TMPDIR instead '/tmp' or mktemp/tempfile utils :)
EVL tempfile uses $TMPDIR by default :)

sorry, 
scripts must use $TMPDIR or _must_ _use_ mktemp/tempfile ;)

--
... mpd playing: U.D.O. - Animal House

. ''`. Dmitry E. Oboukhov
: :’  : [EMAIL PROTECTED]
`. `~’ GPGKey: 1024D / F8E26537 2006-11-21
  `- 1B23 D4F8 8EC0 D902 0555  E438 AB8C 00CF F8E2 6537




Re: Possible mass bug filing: The possibility of attack with the help of symlinks in some Debian packages

2008-08-12 Thread Dmitry E. Oboukhov

report for etch:

http://uvw.ru/report.etch.txt

107 packages :(


On 18:23 Tue 12 Aug , Dmitry E. Oboukhov wrote:

TDEO The attached script looks through a mirror of a specified distribution
TDEO and searches for '\s*/tmp/' and 'tee [^|]*/tmp/' constructions.

TDEO It finds fewer errors than I found earlier, but its results are
TDEO more accurate.

TDEO The script looks through all the files of packages marked as executable.
TDEO That is even if the script is in /usr/share/doc and is marked as
TDEO executable it will be tested nevertheless.

TDEO A full pass over a mirror takes a few hours.
TDEO Later I shall publish the reports on lenny (already attached) and etch.
TDEO :)

TDEO attaches:
TDEO report of lenny: http://uvw.ru/report.lenny.txt
TDEO script: http://uvw.ru/find_the_bug2.sh

--
... mpd is off

. ''`. Dmitry E. Oboukhov
: :’  : [EMAIL PROTECTED]
`. `~’ GPGKey: 1024D / F8E26537 2006-11-21
  `- 1B23 D4F8 8EC0 D902 0555  E438 AB8C 00CF F8E2 6537




Re: Possible mass bug filing: The possibility of attack with the help of symlinks in some Debian packages

2008-08-12 Thread John H. Robinson, IV
Dmitry E. Oboukhov wrote:
 EVL The idea behind libpam-tmpdir is that it creates a subdirectory of /tmp
 EVL that is only accessible by that user, and then sets TMPDIR and other
 EVL variables to that. Hence, it doesn't matter nearly as much if you
 EVL create a non-random filename, because nobody but you can access it.
 EVL 
 EVL Yes, but
 EVL scripts must use $TMPDIR instead '/tmp' or mktemp/tempfile utils :)
 EVL tempfile uses $TMPDIR by default :)
 
 sorry, 
 scripts must use $TMPDIR or _must_ _use_ mktemp/tempfile ;)

Why use $TMPDIR at all?

$TMPDIR may not be set (libpam-tmp may not be installed[1]), so you have
to test for it. If the test fails, you have to fall back to mktemp or
tempfile.

As mktemp and tempfile are both essential[2], they can be relied upon.

If $TMPDIR is set, it may be set to something bad, like /tmp. You can be
left with the exact same problem you are trying to solve.

Both mktemp and tempfile support $TMPDIR, and will fall back gracefully
if $TMPDIR does not exist in the environment. 

My impression is that mktemp or tempfile should be used, and ignore
TMPDIR anyway. If you really need a directory to write lots of files to,
mktemp -d is there for you.

Is there any scenario where using mktemp or tempfile fails, and using
$TMPDIR succeeds?

[1] % aptitude search libpam-tmp
p   libpam-tmpdir  - automatic per-user temporary directories  

[2] % aptitude show $(dpkg -S $(which mktemp tempfile) | sed 's/:.*//') | grep -E '^(Pa|E)'
Package: mktemp
Essential: yes
Package: debianutils
Essential: yes

[3] I liked [2] too much to remove it. Sorry.

-- 
John H. Robinson, IV  [EMAIL PROTECTED]
 http  
WARNING: I cannot be held responsible for the above, sbih.org ( )(:[
as apparently my cats have learned how to type.  spiders.html  
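
John's question (when would $TMPDIR be needed if mktemp and tempfile already honour it?) together with Javier's portability answer at the top of the thread, as an added example (not code from any Debian package): a helper that honours $TMPDIR but, when mktemp is absent, falls back to an atomic mkdir loop with a random suffix rather than to a fixed /tmp/<name>. The nomktemp argument, the work.XXXXXX template and the 100-try limit are choices made for this example:

```shell
#!/bin/sh
# Added example (not from any Debian package): obtain a private work
# directory the way mktemp/tempfile would, honouring $TMPDIR, but without
# ever degrading to a fixed /tmp/<name> when mktemp is unavailable.
# The "nomktemp" argument, the work.XXXXXX template and the retry limit are
# choices made for this example.

# make_tmpdir [nomktemp]
#   Prints the path of a new mode-0700 directory under $TMPDIR (default /tmp).
#   "nomktemp" forces the fallback path, so it can be exercised on a system
#   that does have mktemp.
make_tmpdir() {
    base=${TMPDIR:-/tmp}

    # A relative or dangling TMPDIR is a configuration error, not a reason
    # to silently use /tmp instead.
    case $base in
        /*) ;;
        *)  echo "TMPDIR must be an absolute path, got '$base'" >&2; return 1 ;;
    esac
    if [ ! -d "$base" ] || [ ! -w "$base" ]; then
        echo "TMPDIR '$base' is not a writable directory" >&2
        return 1
    fi

    if [ "${1:-}" != nomktemp ] && command -v mktemp >/dev/null 2>&1; then
        mktemp -d "$base/work.XXXXXX"
        return $?
    fi

    # Fallback without mktemp: an unguessable suffix from /dev/urandom ($$
    # alone is predictable, which is what made /tmp/mount.$$ attackable) and
    # mkdir without -p, which is atomic and fails with EEXIST on any existing
    # name, a planted symlink included. Retry on collision, but bounded.
    tries=0
    while [ "$tries" -lt 100 ]; do
        suffix=$(od -An -N4 -tx4 /dev/urandom | tr -d ' \n')
        d="$base/work.$$.$suffix"
        if mkdir -m 700 "$d" 2>/dev/null; then
            printf '%s\n' "$d"
            return 0
        fi
        tries=$((tries + 1))
    done
    echo "could not create a work directory under '$base'" >&2
    return 1
}

# Typical use: take the directory, remove it when done, never touch /tmp/<name>.
demo() {
    work=$(make_tmpdir) || return 1
    echo "mktemp path:   $work"
    rm -rf "$work"
    work=$(make_tmpdir nomktemp) || return 1
    echo "fallback path: $work"
    rm -rf "$work"
}
demo
```

In a real script the cleanup belongs in a trap, as in the os-prober snippet Joey quotes (`trap 'rm -rf "$work"' EXIT HUP INT QUIT TERM`). What the helper deliberately does not do is export a fixed path when mktemp is missing; that `OS_PROBER_TMP=/tmp` style branch is the one Joey explains is only reachable inside d-i, and the one Javier notes makes otherwise careful scripts show up in a grep-based scan. Setting TMPDIR to /tmp, John's worry, is harmless here: the name under it is still generated and created exclusively.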





Possible mass bug filing: The possibility of attack with the help of symlinks in some Debian packages

2008-08-11 Thread Dmitry E. Oboukhov
Package: mplayer nws ppp twiki
Severity: grave
Tags: security

This message about the error concerns a few packages at once. I've
tested all the packages on my Debian mirror. (post|pre)(inst|rm) and
config scripts were tested.

In some packages I've discovered scripts with errors which may be used
by a user for damaging important system files.

For example, if a script uses a temp file created in the /tmp
directory, then every user can create a symlink with the same name in
this directory in order to destroy or rewrite some system file.

I set Severity to grave for this bug. The table of discovered
problems is below.

+------------------+-----------------+------------------------------------
| package          | script          | file for attack
+------------------+-----------------+------------------------------------
| mplayer-1.0~rc2  | config          | /tmp/HACK (pipe)
|                  |                 |
| nws-2.13         | postinst        | /tmp/nws.debug (cp)
|                  |                 |
| ppp-2.4.4rel     | postinst        | /tmp/probe-finished (rm -f, pipe)
|                  | postinst        | /tmp/ppp-errors (rm -f, pipe)
|   ppp-udeb       | /etc/ppp/ip-up  | /tmp/resolv.conf.tmp (cp)
|                  |                 |
| twiki-4.1.2      | postinst        | /tmp/twiki (chmod 1777, chown)
+------------------+-----------------+------------------------------------
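
The attack the report describes, as an added illustration (example code written for this page, not part of the report or of any of the packages listed): a script writes a fixed name under /tmp, a local user has planted a symlink of that name, and the write lands in the link target. The directory standing in for /tmp and the file standing in for a system file both live under a throwaway directory, so the demonstration is safe to run; the ppp-errors name is taken from the table above.

```shell
#!/bin/sh
# Added example (not from the report or from the ppp package): a script that
# opens a fixed, predictable name under /tmp for writing, and what happens
# when a local user has planted a symlink of that name first.
# $1 is a directory standing in for /tmp; the "shadow" file below is a
# constructed stand-in for a system file. Nothing outside the sandbox is touched.

# Attacker (any local user): a symlink with the name the script will use,
# pointing at the file they want overwritten.
attacker_plant() {
    ln -s "$2" "$1/ppp-errors"
}

# Vulnerable pattern from the report: open(2) follows the symlink, O_TRUNC
# empties the target, and the script's output replaces its contents.
# A preceding "rm -f" does not help: the link can be re-planted in the
# window between the rm and the redirect.
vulnerable_write() {
    printf 'modem probe failed\n' > "$1/ppp-errors"
}

# Fixed: mktemp creates a new file with O_CREAT|O_EXCL and a random suffix,
# so a planted link is neither followed nor guessable. Prints the file name
# so the caller can use it and remove it afterwards.
safe_write() {
    f=$(mktemp "$1/ppp-errors.XXXXXX") || return 1
    printf 'modem probe failed\n' > "$f"
    printf '%s\n' "$f"
}

# Run one writer against a fresh sandbox and print what the "system file"
# contains afterwards. $1 is the writer function to exercise.
shadow_after() {
    sb=$(mktemp -d) || return 1
    mkdir "$sb/tmp"
    printf 'root:x:0:0\n' > "$sb/shadow"          # constructed content
    attacker_plant "$sb/tmp" "$sb/shadow"
    "$1" "$sb/tmp" > /dev/null
    cat "$sb/shadow"
    rm -rf "$sb"
}

echo "fixed name: shadow now contains '$(shadow_after vulnerable_write)'"
echo "mktemp:     shadow still contains '$(shadow_after safe_write)'"
```

The first line of output shows the stand-in for a system file replaced by the script's output, the second shows it untouched. The same holds for the `cp ... /tmp/name` and `tee /tmp/name` entries in the table: both open the existing name for writing and so follow the link. Testing with `-e` or `-L` before the write only narrows the window; it does not close it, which is why the thread converges on mktemp/tempfile rather than on checks.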





Re: Possible mass bug filing: The possibility of attack with the help of symlinks in some Debian packages

2008-08-11 Thread Steve Kemp
On Mon Aug 11, 2008 at 10:57:56 +0400, Dmitry E. Oboukhov wrote:

 I set Severity into grave for  this  bug.   The  tableof  discovered
 problems is below.

  Great work.

  I don't think there should be any objection to a mass-filing for
 security sensitive bugs - and from the sounds of it you'll only be
 filing a few bugs, not a mass of them.

Steve
-- 
http://www.steve.org.uk/





Re: Possible mass bug filing: The possibility of attack with the help of symlinks in some Debian packages

2008-08-11 Thread Dmitry E. Oboukhov
On 10:27 Mon 11 Aug , Steve Kemp wrote:
SK On Mon Aug 11, 2008 at 10:57:56 +0400, Dmitry E. Oboukhov wrote:

SK I set Severity into grave for  this  bug.   The  table of  discovered
SK problems is below.

SK Great work.


SK I don't think there should be any objection to a mass-filing for
SK security sensitive bugs - and from the sounds of it you'll only be
SK filing a few bugs, not a mass of them.

see additional table (next post)

I'll complete checking a few (5-8) packages again in a few minutes/hours :)
--
... mpd is off

. ''`. Dmitry E. Oboukhov
: :’  : [EMAIL PROTECTED]
`. `~’ GPGKey: 1024D / F8E26537 2006-11-21
  `- 1B23 D4F8 8EC0 D902 0555  E438 AB8C 00CF F8E2 6537




Re: Possible mass bug filing: The possibility of attack with the help of symlinks in some Debian packages

2008-08-11 Thread Dmitry E. Oboukhov
On 10:57 Mon 11 Aug , Dmitry E. Oboukhov wrote:
DEO Package: mplayer nws ppp twiki
DEO Severity: grave
DEO Tags: security

DEO This message about the error concerns a few packages at once. I've
DEO tested all the packages on my Debian mirror. (post|pre)(inst|rm) and
DEO config scripts were tested.

DEO In some packages I've discovered scripts with errors which may be used
DEO by a user for damaging important system files.

DEO For example, if a script uses in its work a temp file which is created
DEO in the /tmp directory, then every user can create a symlink with the
DEO same name in this directory in order to destroy or rewrite some system
DEO file.

DEO I set Severity to grave for this bug. The table of discovered
DEO problems is below.

DEO +------------------+-----------------+-----------------------------------
DEO | package          | script          | file for attack
DEO +------------------+-----------------+-----------------------------------
DEO | mplayer-1.0~rc2  | config          | /tmp/HACK (pipe)
DEO |                  |                 |
DEO | nws-2.13         | postinst        | /tmp/nws.debug (cp)
DEO |                  |                 |
mplayer nws - mistake, sorry

DEO | ppp-2.4.4rel     | postinst        | /tmp/probe-finished (rm -f, pipe)
DEO |                  | postinst        | /tmp/ppp-errors (rm -f, pipe)
DEO |   ppp-udeb       | /etc/ppp/ip-up  | /tmp/resolv.conf.tmp (cp)
DEO |                  |                 |
DEO | twiki-4.1.2      | postinst        | /tmp/twiki (chmod 1777, chown)
DEO +------------------+-----------------+-----------------------------------

additional table:

package                         script in usr/bin           file for attack
                                or etc or /usr/sbin

arb_0.0.20071207.1-4            arb-kill                    /tmp/arb_pids_${USER}_*
                                                            /tmp/arb_pids_*_* (rm -f)

newsgate_1.6-23                 mkmailpost                  /tmp/mmp$$ (pipe, rm -f)

libalps-bin_1.2.2-1             changestylesheet            /tmp/tmp$$ (pipe)
                                convert2html                /tmp/input$$ (pipe)
                                convert2text                /tmp/input$$ (pipe)
                                extractgp                   /tmp/archive2plot$$.xsl (pipe)
                                                            /tmp/archive$$ (pipe)
                                                            /tmp/plot$$ (pipe)
                                extracthtml                 /tmp/archive2plot$$.xsl (pipe)
                                                            /tmp/plot$$ (pipe)
                                                            /tmp/archive$$ (pipe)
                                extracttext                 /tmp/archive$$ (pipe)
                                                            /tmp/archive2plot$$.xsl (pipe)
                                                            /tmp/plot$$ (pipe)
                                transformall                /tmp/archive$$ (pipe)
                                                            /tmp/plot$$ (pipe)

netdisco-mibs-installer_1.0     netdisco-mibs-install       /tmp/netdisco-mibs-0.6.tar.gz (unpack)
                                netdisco-mibs-download      /tmp/netdisco-mibs-0.6.tar.gz (write)

cman_2.20080801-1               fence_apc_snmp              /tmp/apclog (append)

nvidia-cg-toolkit_2.0.0015      nvidia-cg-toolkit-installer /tmp/nvidia-cg-toolkit-manifest (w)

osdsh_0.7.0-9                   osdshconfig                 /tmp/osdsh.$uid (fifo)

os-prober_1.17                  os-prober                   /tmp/mounted-map (pipe)
                                                            /tmp/raided-map (pipe)

netmrg_0.20-1                   rrdedit                     /tmp/$1.xml (pipe)

xcal_4.1-18                     pscal                       /tmp/pscal$$ (pipe, rm -f)

tkusr_0.82                      tkusr                       /tmp/tkusr.pgm (w)

tkman_2.2-3                     tkman                       /tmp/ll (pipe)
                                                            /tmp/tkman$$

mysql-client-5.1                mysqlbug                    /tmp/failed-mysql-bugreport (mv)

libpam-mount_0.43-1             passwdehd                   /tmp/passwdehd.$$ (pipe, mv)

libmyspell-dev_3.1-18           i2myspell                   /tmp/i2my$$.1 (pipe)

jailer_0.4-9                    updatejail                  /tmp/$$.updatejail (pipe, append)

ltp_20060918-2.1                ltpmenu                     /tmp/runltp.mainmenu.$$ (pipe)

mafft_6.240-1                   mafft-homologs              /tmp/_vf$$ (pipe)

mailscanner_4.55.10-3

Re: Possible mass bug filing: The possibility of attack with the help of symlinks in some Debian packages

2008-08-11 Thread Dmitry E. Oboukhov
On 10:57 Mon 11 Aug , Dmitry E. Oboukhov wrote:
DEO Package: mplayer nws ppp twiki
DEO Severity: grave
DEO Tags: security

DEO This message about the error concerns a few packages at once. I've
DEO tested all the packages on my Debian mirror. (post|pre)(inst|rm) and
DEO config scripts were tested.

DEO In some packages I've discovered scripts with errors which may be used
DEO by a user for damaging important system files.

DEO For example, if a script uses in its work a temp file which is created
DEO in the /tmp directory, then every user can create a symlink with the
DEO same name in this directory in order to destroy or rewrite some system
DEO file.

DEO I set Severity to grave for this bug. The table of discovered
DEO problems is below.

DEO +------------------+-----------------+-----------------------------------
DEO | package          | script          | file for attack
DEO +------------------+-----------------+-----------------------------------
DEO | mplayer-1.0~rc2  | config          | /tmp/HACK (pipe)
DEO |                  |                 |
DEO | nws-2.13         | postinst        | /tmp/nws.debug (cp)
DEO |                  |                 |
DEO | ppp-2.4.4rel     | postinst        | /tmp/probe-finished (rm -f, pipe)
DEO |                  | postinst        | /tmp/ppp-errors (rm -f, pipe)
DEO |   ppp-udeb       | /etc/ppp/ip-up  | /tmp/resolv.conf.tmp (cp)
DEO |                  |                 |
DEO | twiki-4.1.2      | postinst        | /tmp/twiki (chmod 1777, chown)
DEO +------------------+-----------------+-----------------------------------

additional table again

package                         script                      file for attack

muttprint_0.72d-9               muttprint                   /tmp/muttprint.log (write)

myspell-tools_3.1-20            i2myspell                   /tmp/i2my$$.1 (pipe)

noip2_2.1.7-10                  noip2                       /tmp/noip2 (write)

plait_1.5.2-1                   plait                       /tmp/cut.$$ (pipe)
                                plait                       /tmp/head.$$ (pipe, mv)

pvpgn_1.8.1-1.1                 pvpgn-support-installer     /tmp/pvpgn-support-1.0.tar.gz (cp)

radiance_3R9+20080530-3         dayfact                     /tmp/gsf$$ (pipe)
                                                            /tmp/tl$$.pic (pipe)
                                                            /tmp/ds$$.pic (pipe)
                                                            /tmp/tfa$$ (pipe)
                                optics2rad                  /tmp/opt.fmt (pipe)
                                                            /tmp/out$$.fmt (pipe)
                                raddepend                   /tmp/sed$$ (pipe)

screenie_1.30.0-5               screenie                    /tmp/.screenie.$$ (pipe)

sdm-terminal_0.4.0b-3           sdm-login                   /tmp/sdm.autologin.once (touch)

sng_1.0.2-5                     sng_regress                 /tmp/recompiled$$.png (pipe)
                                                            /tmp/decompiled$$.sng (pipe)
                                                            /tmp/canonicalized$$.sng (pipe)

systemimager-server_3.6.3dfsg1-3  si_mkbootserver           /tmp/*.inetd.conf (pipe)
                                                            /tmp/* (rsync, sh)

tau_2.16.4-1.1                  tau_cc                      /tmp/makefile.tau.$USER.$$ (pipe)
                                tau_cxx                     /tmp/makefile.tau.$USER.$$ (pipe)
                                tau_f90                     /tmp/makefile.tau.$USER.$$ (pipe)

winkeydaemon_1.0.1-1            winkeydaemon                /tmp/.winkey/keyer_busy (touch)




--
... mpd is off

. ''`. Dmitry E. Oboukhov
: :’  : [EMAIL PROTECTED]
`. `~’ GPGKey: 1024D / F8E26537 2006-11-21
  `- 1B23 D4F8 8EC0 D902 0555  E438 AB8C 00CF F8E2 6537




Re: Possible mass bug filing: The possibility of attack with the help of symlinks in some Debian packages

2008-08-11 Thread Steve Kemp

  Great work.  If you have the time to see if any of these are included
 in stable (etch) please could you do so?

  It might be that we'd need to release a security update, or at least
 a package for the next point release.  (I guess severity grave and
 a tag of security will ensure the same thing happens for
 testing/lenny.)

Steve
-- 
Debian GNU/Linux System Administration
http://www.debian-administration.org/





Re: Possible mass bug filing: The possibility of attack with the help of symlinks in some Debian packages

2008-08-11 Thread Dmitry E. Oboukhov
DEO Package: mplayer nws ppp twiki
DEO Severity: grave
DEO Tags: security

DEO This message about the error concerns a few packages at once. I've
DEO tested all the packages on my Debian mirror. (post|pre)(inst|rm) and
DEO config scripts were tested.

DEO In some packages I've discovered scripts with errors which may be used
DEO by a user for damaging important system files.

DEO For example, if a script uses in its work a temp file which is created
DEO in the /tmp directory, then every user can create a symlink with the
DEO same name in this directory in order to destroy or rewrite some system
DEO file.

DEO I set Severity to grave for this bug. The table of discovered
DEO problems is below.

DEO +------------------+-----------------+-----------------------------------
DEO | package          | script          | file for attack
DEO +------------------+-----------------+-----------------------------------
DEO | mplayer-1.0~rc2  | config          | /tmp/HACK (pipe)
DEO |                  |                 |
DEO | nws-2.13         | postinst        | /tmp/nws.debug (cp)
DEO |                  |                 |
mplayer nws - mistake, sorry

DEO | ppp-2.4.4rel     | postinst        | /tmp/probe-finished (rm -f, pipe)
DEO |                  | postinst        | /tmp/ppp-errors (rm -f, pipe)
DEO |   ppp-udeb       | /etc/ppp/ip-up  | /tmp/resolv.conf.tmp (cp)
DEO |                  |                 |
DEO | twiki-4.1.2      | postinst        | /tmp/twiki (chmod 1777, chown)
DEO +------------------+-----------------+-----------------------------------

I could have made a few mistakes, sorry if so :)

 additional table:

 package                         script in usr/bin           file for attack
                                 or etc or /usr/sbin

 arb_0.0.20071207.1-4            arb-kill                    /tmp/arb_pids_${USER}_*
                                                             /tmp/arb_pids_*_* (rm -f)

 newsgate_1.6-23                 mkmailpost                  /tmp/mmp$$ (pipe, rm -f)

 libalps-bin_1.2.2-1             changestylesheet            /tmp/tmp$$ (pipe)
                                 convert2html                /tmp/input$$ (pipe)
                                 convert2text                /tmp/input$$ (pipe)
                                 extractgp                   /tmp/archive2plot$$.xsl (pipe)
                                                             /tmp/archive$$ (pipe)
                                                             /tmp/plot$$ (pipe)
                                 extracthtml                 /tmp/archive2plot$$.xsl (pipe)
                                                             /tmp/plot$$ (pipe)
                                                             /tmp/archive$$ (pipe)
                                 extracttext                 /tmp/archive$$ (pipe)
                                                             /tmp/archive2plot$$.xsl (pipe)
                                                             /tmp/plot$$ (pipe)
                                 transformall                /tmp/archive$$ (pipe)
                                                             /tmp/plot$$ (pipe)

 netdisco-mibs-installer_1.0     netdisco-mibs-install       /tmp/netdisco-mibs-0.6.tar.gz (unpack)
                                 netdisco-mibs-download      /tmp/netdisco-mibs-0.6.tar.gz (write)

 cman_2.20080801-1               fence_apc_snmp              /tmp/apclog (append)

 nvidia-cg-toolkit_2.0.0015      nvidia-cg-toolkit-installer /tmp/nvidia-cg-toolkit-manifest (w)

 osdsh_0.7.0-9                   osdshconfig                 /tmp/osdsh.$uid (fifo)

 os-prober_1.17                  os-prober                   /tmp/mounted-map (pipe)
                                                             /tmp/raided-map (pipe)

 netmrg_0.20-1                   rrdedit                     /tmp/$1.xml (pipe)

 xcal_4.1-18                     pscal                       /tmp/pscal$$ (pipe, rm -f)

 tkusr_0.82                      tkusr                       /tmp/tkusr.pgm (w)

 tkman_2.2-3                     tkman                       /tmp/ll (pipe)
                                                             /tmp/tkman$$

 mysql-client-5.1                mysqlbug                    /tmp/failed-mysql-bugreport (mv)

 libpam-mount_0.43-1             passwdehd                   /tmp/passwdehd.$$ (pipe, mv)

 libmyspell-dev_3.1-18           i2myspell                   /tmp/i2my$$.1 (pipe)

 jailer_0.4-9                    updatejail                  /tmp/$$.updatejail (pipe, append)

 ltp_20060918-2.1                ltpmenu                     /tmp/runltp.mainmenu.$$ (pipe)

 mafft_6.240-1                   mafft-homologs              /tmp/_vf$$ (pipe)

 mailscanner_4.55.10-3           trend-autoupdate.new

Re: Possible mass bug filing: The possibility of attack with the help of symlinks in some Debian packages

2008-08-11 Thread Marco d'Itri
On Aug 11, Steve Kemp [EMAIL PROTECTED] wrote:

   I don't think there should be any objection to a mass-filing for
  security sensitive bugs - and from the sounds of it you'll only be
  filing a few bugs, not a mass of them.
Except that one of the packages listed was obviously not vulnerable,
just by looking at the name.

-- 
ciao,
Marco




Re: Possible mass bug filing: The possibility of attack with the help of symlinks in some Debian packages

2008-08-11 Thread Dmitry E. Oboukhov
On 14:05 Mon 11 Aug , Steve Kemp wrote:

SK Great work.  If you have the time to see if any of these are included
SK in stable (etch) please could you do so?

I checked only the latest version of the packages. I'll do a few new checks...

SK It might be that we'd need to release a security update, or at least
SK a package for the next point release.  (I guess severity grave and
SK a tag of security will ensure the same thing happens for
SK testing/lenny.)

Altogether 47 packages. I could be mistaken in some of them (I could
have missed some and counted some of them as errors by mistake) when
looking through them by hand; however, I think that it will be almost
the same number in reality.

--
... mpd playing: WASP - Hold On To My Heart

. ''`. Dmitry E. Oboukhov
: :’  : [EMAIL PROTECTED]
`. `~’ GPGKey: 1024D / F8E26537 2006-11-21
  `- 1B23 D4F8 8EC0 D902 0555  E438 AB8C 00CF F8E2 6537




Re: Possible mass bug filing: The possibility of attack with the help of symlinks in some Debian packages

2008-08-11 Thread Dmitry E. Oboukhov
MdI just by looking at the name.

If program A writes file FILENAME and user1 and user2 can make (write)
symlinks 'FILENAME', then the name of program A is not important.

user1 creates a symlink FILENAME to ~user2/.gnupg/file,
then user2 starts program A and destroys his .gnupg/file, etc.

This is a security problem.
--
... mpd playing: WASP - Scared To Death

. ''`. Dmitry E. Oboukhov
: :’  : [EMAIL PROTECTED]
`. `~’ GPGKey: 1024D / F8E26537 2006-11-21
  `- 1B23 D4F8 8EC0 D902 0555  E438 AB8C 00CF F8E2 6537


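The mechanism described in the report and restated above (a predictable name under /tmp, a symlink planted there by another user, the victim's write landing on the link target) next to the mktemp remedy, as an added example that is not from the thread or from any of the listed packages. Everything runs inside a private scratch directory created with mktemp -d; the file names and contents are constructed.

```sh
#!/bin/sh
# Added example (not code from the thread or from any listed package).
# Contrasts the "/tmp/name$$ (pipe)" pattern flagged in the tables with
# mktemp, inside a private scratch directory so the real /tmp is untouched.

# Vulnerable pattern: a name derived from the PID, opened with plain ">".
# open(2) follows a symlink that already sits at that path, so the write
# lands on whatever the link points to.
naive_write() {
    echo "scratch output" > "$1/report.$$"
}

# Hardened pattern: mktemp picks an unpredictable name and creates it with
# O_CREAT|O_EXCL, so a pre-planted symlink can never be the file it opens.
safe_write() {
    f=$(mktemp "$1/report.XXXXXXXX") || return 1
    echo "scratch output" > "$f" && printf '%s\n' "$f"
}

# Scenario from the thread: another user has planted a symlink named like the
# script's temp file, pointing at a file they cannot otherwise write.
# Returns 0 when the naive writer clobbered the target and the safe one did not.
demo() {
    scratch=$(mktemp -d) || return 1
    target="$scratch/victim"                # stands in for ~user2/.gnupg/file
    printf 'original content\n' > "$target"
    ln -s "$target" "$scratch/report.$$"    # constructed decoy symlink

    naive_write "$scratch"
    clobbered=1
    [ "$(cat "$target")" = "original content" ] && clobbered=0

    printf 'original content\n' > "$target" # restore before the second run
    out=$(safe_write "$scratch") || { rm -rf "$scratch"; return 1; }
    intact=0
    [ "$(cat "$target")" = "original content" ] && [ ! -L "$out" ] && intact=1

    rm -rf "$scratch"
    [ "$clobbered" -eq 1 ] && [ "$intact" -eq 1 ]
}
```

Run `demo` to see the outcome; the same O_EXCL guarantee is why the "(pipe)" and "rm -f" entries in the tables are only safe once the name comes from mktemp rather than from $$ or a fixed string.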


Re: Possible mass bug filing: The possibility of attack with the help of symlinks in some Debian packages

2008-08-11 Thread Julien Cristau
On Mon, Aug 11, 2008 at 18:59:22 +0400, Dmitry E. Oboukhov wrote:

 MdI just by looking at the name.
 
 If program A writes file FILENAME and user1 and user2 can make (write)
 symlinks 'FILENAME', then the name of program A is not important.
 
If that program is in a udeb, then user1 and user2 don't exist, so it's
not a security problem.

Cheers,
Julien





Re: Possible mass bug filing: The possibility of attack with the help of symlinks in some Debian packages

2008-08-11 Thread Dmitry E. Oboukhov
JC just by looking at the name.
JC 
JC If program A writes file FILENAME and user1 and user2 can make (write)
JC symlinks 'FILENAME', then the name of program A is not important.
JC 
JC If that program is in a udeb, then user1 and user2 don't exist, so it's
JC not a security problem.

Yes, udeb is my mistake :)

--
... mpd is off

. ''`. Dmitry E. Oboukhov
: :’  : [EMAIL PROTECTED]
`. `~’ GPGKey: 1024D / F8E26537 2006-11-21
  `- 1B23 D4F8 8EC0 D902 0555  E438 AB8C 00CF F8E2 6537




Re: Possible mass bug filing: The possibility of attack with the help of symlinks in some Debian packages

2008-08-11 Thread Sam Morris
On Mon, 11 Aug 2008 10:57:56 +0400, Dmitry E. Oboukhov wrote:

 Package: mplayer nws ppp twiki
 Severity: grave
 Tags: security
 
 This message about the error concerns a few packages at once. I've
 tested all the packages on my Debian mirror. (post|pre)(inst|rm) and
 config scripts were tested.
 
 In some packages I've discovered scripts with errors which may be used
 by a user for damaging important system files.
 
 For example, if a script uses in its work a temp file which is created
 in the /tmp directory, then every user can create a symlink with the
 same name in this directory in order to destroy or rewrite some system
 file.

A while ago, the use of libpam-tmpdir was suggested in order to mitigate 
some of these attacks. It would be nice to see it in use by default, some 
day.

Obviously there will always be some programs that don't look at the 
TMPDIR environment variable and directly use /tmp. Isn't there some fancy 
thing in current kernels that allows /tmp to be mounted individually for 
each user?

-- 
Sam Morris
http://robots.org.uk/
 
PGP key id 1024D/5EA01078
3412 EA18 1277 354B 991B  C869 B219 7FDB 5EA0 1078





Re: Possible mass bug filing: The possibility of attack with the help of symlinks in some Debian packages

2008-08-11 Thread Joey Hess
Dmitry E. Oboukhov wrote:
  os-prober_1.17    os-prober    /tmp/mounted-map (pipe)
                                 /tmp/raided-map (pipe)

os-prober writes to $OS_PROBER_TMP/{mounted-map,raided-map,etc}, which is
created by:

  if [ -z "$OS_PROBER_TMP" ]; then
    if type mktemp >/dev/null 2>&1; then
      export OS_PROBER_TMP="$(mktemp -d /tmp/os-prober.XXXXXX)"
      trap "rm -rf $OS_PROBER_TMP" EXIT HUP INT QUIT TERM
    else
      export OS_PROBER_TMP=/tmp
    fi
  fi

This use of mktemp -d should be secure.

mktemp is a required package, so the insecure code path should only ever run
inside a d-i environment, which has no non-root users.

-- 
see shy jo


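The same "prefer mktemp -d" shape as the os-prober snippet above, written as an added example (not os-prober's own code) whose fallback branch does not degrade to plain /tmp: it relies on mkdir(2) refusing to create a path that already exists, symlink or not. The USE_MKTEMP knob and the self-check function are constructed for testing.

```sh
#!/bin/sh
# Added example (not os-prober's code). mktemp -d when available; otherwise an
# mkdir-based loop rather than plain /tmp. mkdir(2) fails with EEXIST when
# anything, including a dangling symlink, already sits at the path, so the
# loop never adopts a directory or link that another user created.

# Usage: make_private_tmpdir BASE PREFIX [USE_MKTEMP]
# Prints the created directory. USE_MKTEMP=0 forces the fallback path (a
# constructed knob for testing; a real script would only consult "type mktemp").
make_private_tmpdir() {
    base=$1; prefix=$2; use_mktemp=${3:-1}
    if [ "$use_mktemp" -eq 1 ] && type mktemp >/dev/null 2>&1; then
        mktemp -d "$base/$prefix.XXXXXX"
        return $?
    fi
    # Fallback: PID-qualified candidates. mkdir is atomic and -m 700 keeps other
    # users out from the moment of creation (no umask window). A hostile user can
    # still pre-create every candidate (denial of service) but cannot redirect us.
    i=0
    while [ "$i" -lt 100 ]; do
        d="$base/$prefix.$$.$i"
        if mkdir -m 700 "$d" 2>/dev/null; then
            printf '%s\n' "$d"
            return 0
        fi
        i=$((i + 1))
    done
    echo "could not create a private tmpdir under $base" >&2
    return 1
}

# Self-check (constructed): plant a dangling symlink at the first candidate name
# and confirm the fallback skips it. Returns 0 on success.
check_fallback_skips_symlink() {
    scratch=$(mktemp -d) || return 1
    ln -s /nonexistent "$scratch/work.$$.0"    # decoy at candidate 0
    d=$(make_private_tmpdir "$scratch" work 0) || { rm -rf "$scratch"; return 1; }
    ok=1
    [ "$d" = "$scratch/work.$$.1" ] || ok=0
    [ -d "$d" ] && [ ! -L "$d" ] || ok=0
    rm -rf "$scratch"
    [ "$ok" -eq 1 ]
}
```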