Bug#129104: bug 129104 (buffer overflow + template reading in cgiemail)

2002-03-11 Thread Thomas Smith
On Sun, Mar 10, 2002 at 02:27:51AM +, Colin Watson wrote:
> Hi,
>
> Any progress with this cgiemail bug? If you've got the debconf stuff
> written, I could test it if that would help ...
I worked on it significantly today, and will finish it tomorrow.  This
is my spring break, so I finally have some time.  I'm getting kind of
hung up on how to preserve user modifications to the configuration file
yet still have dpkg-reconfigure do anything.

The problem:  I am wondering, in the postinst, how to handle the
following cases (or if I should handle them):
- already configured, don't reconfigure (normal)
- already configured, reconfigure (that is, change the config file)
  (e.g. user runs dpkg-reconfigure)
- already configured, then changed manually, don't reconfigure (e.g.
  user changes config and then upgrades package)
- already configured, then changed manually, reconfigure (e.g. user
  somehow manages to break configuration and runs dpkg-reconfigure or
  dpkg --configure (would the latter one ever happen?)).

The last three are the problem.  I will sleep on it and try to figure it
out, but if you know the Right Way then point me at it if you would.  I
will start working on it again probably late tomorrow afternoon.

> -- 
> Colin Watson  [EMAIL PROTECTED]

-- 
Thomas resc Smith [EMAIL PROTECTED]
web: http://finbar.dyndns.org/
gpg key id 1024D/ACABA81E, fingerprint:
3A47 CFA5 0E5D CF4A 5B22  12D3 FF1B 84FE ACAB A81E



Bug#129104: bug 129104 (buffer overflow + template reading in cgiemail)

2002-03-09 Thread Colin Watson
Hi,

Any progress with this cgiemail bug? If you've got the debconf stuff
written, I could test it if that would help ...

-- 
Colin Watson  [EMAIL PROTECTED]



Bug#129104: bug 129104 (buffer overflow + template reading in cgiemail)

2002-01-20 Thread Thomas Smith
On Thu, Jan 17, 2002 at 04:42:42PM +, Colin Watson wrote:
> On Wed, Jan 16, 2002 at 04:17:25PM -0500, Thomas Smith wrote:
> > Hmm, one problem that just occurred to me is that we can't easily make
> > the location of the template files a compile-time option because people
> > reconfigure their webservers to have different document roots, and the
> > current design of cgiemail requires the template files to have
> > PATH_TRANSLATEDs.  That means, I guess, that configuration file parsing
> > might have to be added.
>
> Yes, with the current design there really isn't any way to do it well
> (including backwards compatibility), only patch it up. I suggest a
> simple 'templatedir=/foo/bar/baz' in a trusted place like
> /etc/cgiemail.conf. That has the advantage that it can be parsed by the
> shell, so you can easily set it with debconf and not clobber the old
> setting on upgrades.

Ok, that sounds as good as anything can be.  Go ahead and write the code
(or does there need to be more planning?); I'll do the debconf stuff +
make up a sane default template telling people what to do when cgiemail
stops working.  Templates should live in /usr/share/cgiemail, right?
'Cause they're architecture-independent.

Don't forget not to let people do something like GET
/cgi-bin/cgiemail/../../../etc/passwd :-)

> Colin Watson  [EMAIL PROTECTED]

Thanks,
 -thomas
-- 
Thomas resc Smith [EMAIL PROTECTED]
web: http://finbar.dyndns.org/
gpg key id 1024D/ACABA81E, fingerprint:
3A47 CFA5 0E5D CF4A 5B22  12D3 FF1B 84FE ACAB A81E




Bug#129104: bug 129104 (buffer overflow + template reading in cgiemail)

2002-01-17 Thread Colin Watson
On Wed, Jan 16, 2002 at 04:17:25PM -0500, Thomas Smith wrote:
> I had released a new version with an almost-correct fix for the buffer
> overflow problem last night, and just looked at your mail to the bug
> this afternoon.  My fix was almost the same as yours; it used
> CGI_ERRMSG_MAX-1 instead of CGI_ERRMSG_MAX.  My next upload will use
> your correct version.

Right, that change isn't too big a deal.

> That leaves the other stuff...  the main problem is the template files,
> and I like the solution you suggested (restricting them to a specific
> directory).  The relevant code, I think, is in the
> cgi_standard_{email,echo,file} functions at the end of cgilib.c
> (beginning on line 1010).
>
> Hmm, one problem that just occurred to me is that we can't easily make
> the location of the template files a compile-time option because people
> reconfigure their webservers to have different document roots, and the
> current design of cgiemail requires the template files to have
> PATH_TRANSLATEDs.  That means, I guess, that configuration file parsing
> might have to be added.

Yes, with the current design there really isn't any way to do it well
(including backwards compatibility), only patch it up. I suggest a
simple 'templatedir=/foo/bar/baz' in a trusted place like
/etc/cgiemail.conf. That has the advantage that it can be parsed by the
shell, so you can easily set it with debconf and not clobber the old
setting on upgrades.

> Maybe could restrict to files with extension .CGIEMAIL_TEMPLATE.
>
> Do you have any other ideas, or a preference between these two?

I think I prefer the directory idea: I usually prefer moving files
between directories to renaming files, somehow.

> The other issue is that it uses mkstemp() which is not very secure.  I
> don't guess that this is exploitable, but should be fixed at some point.

tmpnam(), rather - mkstemp() is fine. It's not very hard to convert from
one to the other with a bit of care, so I'll do that later.

-- 
Colin Watson  [EMAIL PROTECTED]
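The two pieces proposed in this message, a shell-parsable `templatedir=` line in /etc/cgiemail.conf and confining template files to that directory, together with the `../../../etc/passwd` request Thomas warns about in his 2002-01-20 reply, as an added C example. This is not cgiemail's code and does not touch cgilib.c: the helpers `conf_get` and `template_path`, the config text and the `/var/lib/cgiemail/templates` path are all constructed for the example. The point it shows is that the containment check has to be made on the canonicalised path (realpath(3) collapses `..` and follows symlinks), not on the string the client sent.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <limits.h>
#include <unistd.h>
#include <sys/stat.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Look up KEY in TEXT, which holds shell-style "key=value" lines such as
 * templatedir=/var/lib/cgiemail/templates (constructed path).  Lines not
 * starting with "key=" (blank lines, '#' comments) are ignored and, as in
 * the shell, the last assignment wins.  Returns 1 and copies the value into
 * OUT, or 0 if the key is absent, empty or too long.  Hypothetical helper. */
int conf_get(const char *text, const char *key, char *out, size_t outsz)
{
    size_t klen = strlen(key);
    const char *p = text;
    int found = 0;

    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        const char *line = p;

        while (len && (*line == ' ' || *line == '\t')) { line++; len--; }
        if (len > klen && strncmp(line, key, klen) == 0 && line[klen] == '=') {
            const char *val = line + klen + 1;
            size_t vlen = len - klen - 1;

            /* drop trailing CR/blanks, then one pair of matching quotes */
            while (vlen && (val[vlen - 1] == '\r' || val[vlen - 1] == ' ' || val[vlen - 1] == '\t'))
                vlen--;
            if (vlen >= 2 && (val[0] == '"' || val[0] == '\'') && val[vlen - 1] == val[0]) {
                val++;
                vlen -= 2;
            }
            if (vlen == 0 || vlen >= outsz)
                return 0;
            memcpy(out, val, vlen);
            out[vlen] = '\0';
            found = 1;
        }
        if (!eol)
            break;
        p = eol + 1;
    }
    return found;
}

/* Canonicalise REQUESTED (absolute, as PATH_TRANSLATED is, or relative to
 * TEMPLATEDIR) and accept it only if it names a regular file strictly below
 * TEMPLATEDIR.  realpath(3) resolves ".." and symlinks before the prefix
 * test, so /cgi-bin/cgiemail/../../../etc/passwd becomes /etc/passwd and is
 * refused.  Returns 1 and writes the canonical path to OUT, else 0. */
int template_path(const char *templatedir, const char *requested, char *out, size_t outsz)
{
    char joined[PATH_MAX], rdir[PATH_MAX], rpath[PATH_MAX];
    struct stat st;
    size_t n;
    int w;

    if (requested[0] == '/')
        w = snprintf(joined, sizeof joined, "%s", requested);
    else
        w = snprintf(joined, sizeof joined, "%s/%s", templatedir, requested);
    if (w < 0 || (size_t)w >= sizeof joined)
        return 0;

    /* anything that cannot be resolved (missing file, bad dir) is refused */
    if (realpath(templatedir, rdir) == NULL || realpath(joined, rpath) == NULL)
        return 0;

    n = strlen(rdir);
    if (n == 1)                 /* templatedir is "/": no confinement at all */
        return 0;
    if (strncmp(rdir, rpath, n) != 0 || rpath[n] != '/')
        return 0;               /* outside templatedir, or templatedir itself */
    if (stat(rpath, &st) != 0 || !S_ISREG(st.st_mode))
        return 0;               /* directories, devices etc. are not templates */
    if (strlen(rpath) >= outsz)
        return 0;
    strcpy(out, rpath);
    return 1;
}

int main(void)
{
    /* constructed sample of what /etc/cgiemail.conf might hold */
    const char *conf = "# cgiemail configuration\n"
                       "templatedir=/var/lib/cgiemail/templates\n";
    char dir[PATH_MAX], path[PATH_MAX];

    if (!conf_get(conf, "templatedir", dir, sizeof dir)) {
        fprintf(stderr, "templatedir is not set\n");
        return 1;
    }
    if (template_path(dir, "form.tmpl", path, sizeof path))
        printf("serving template %s\n", path);
    else
        printf("refused: form.tmpl does not resolve below %s\n", dir);
    return 0;
}
```

Because the check runs after realpath(3), a template that is a symlink pointing outside templatedir is refused as well, which is the behaviour an administrator moving files into the directory (rather than renaming them) would expect.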



Bug#129104: bug 129104 (buffer overflow + template reading in cgiemail)

2002-01-16 Thread Thomas Smith
Hello, thank you for helping/offering to help!

I had released a new version with an almost-correct fix for the buffer
overflow problem last night, and just looked at your mail to the bug
this afternoon.  My fix was almost the same as yours; it used
CGI_ERRMSG_MAX-1 instead of CGI_ERRMSG_MAX.  My next upload will use
your correct version.

That leaves the other stuff...  the main problem is the template files,
and I like the solution you suggested (restricting them to a specific
directory).  The relevant code, I think, is in the
cgi_standard_{email,echo,file} functions at the end of cgilib.c
(beginning on line 1010).

Hmm, one problem that just occurred to me is that we can't easily make
the location of the template files a compile-time option because people
reconfigure their webservers to have different document roots, and the
current design of cgiemail requires the template files to have
PATH_TRANSLATEDs.  That means, I guess, that configuration file parsing
might have to be added.

Maybe could restrict to files with extension .CGIEMAIL_TEMPLATE.

Do you have any other ideas, or a preference between these two?


The other issue is that it uses mkstemp() which is not very secure.  I
don't guess that this is exploitable, but should be fixed at some point.

Again, thanks for your help, Colin.

 thomas
-- 
Thomas resc Smith [EMAIL PROTECTED]
web: http://finbar.dyndns.org/
gpg key id 1024D/ACABA81E, fingerprint:
3A47 CFA5 0E5D CF4A 5B22  12D3 FF1B 84FE ACAB A81E
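The temporary-file point raised in this message and answered in Colin's 2002-01-17 reply (tmpnam() is the weak call, mkstemp() the replacement), as an added C example of the conversion done "with a bit of care". It is not cgiemail's code: `scratch_open`, `scratch_roundtrip` and the `cgiemail.XXXXXX` name pattern are constructed for the example. The care it shows is keeping the descriptor mkstemp() returns (fdopen, never fopen by name), forcing 0600 regardless of libc version, and verifying with fstat that what was opened is a private regular file.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <sys/stat.h>

/* The pattern being replaced looks like this (do not use):
 *
 *     char *name = tmpnam(NULL);       only picks a name
 *     FILE *fp   = fopen(name, "w");   creates it later, by name
 *
 * Between the two calls nothing owns the path, so whatever sits there by
 * then (an existing file, a symlink) is what fopen() opens.  mkstemp()
 * creates the file itself with O_CREAT|O_EXCL and hands back the
 * descriptor, so the name is never used again to reopen the file. */

/* Create a private scratch file under DIR ($TMPDIR, else /tmp, when DIR is
 * NULL).  Returns a read/write FILE* and stores the created path in PATHBUF
 * so the caller can unlink() it; returns NULL with errno set on failure.
 * Hypothetical helper written for this example. */
FILE *scratch_open(const char *dir, char *pathbuf, size_t bufsz)
{
    int n, fd, saved;
    mode_t old;
    FILE *fp;

    if (dir == NULL)
        dir = getenv("TMPDIR");
    if (dir == NULL || *dir == '\0')
        dir = "/tmp";

    /* mkstemp() needs a writable template ending in XXXXXX */
    n = snprintf(pathbuf, bufsz, "%s/cgiemail.XXXXXX", dir);
    if (n < 0 || (size_t)n >= bufsz) {
        errno = ENAMETOOLONG;
        return NULL;
    }

    /* Old libc versions created the file as 0666 & ~umask; narrowing the
     * umask around the call and fchmod()ing afterwards gives 0600 anywhere. */
    old = umask(077);
    fd = mkstemp(pathbuf);
    umask(old);
    if (fd < 0)
        return NULL;
    if (fchmod(fd, S_IRUSR | S_IWUSR) != 0)
        goto fail;

    /* fdopen() wraps the descriptor we already hold; fopen(pathbuf, ...)
     * would reopen by name and bring the race back. */
    fp = fdopen(fd, "w+");
    if (fp == NULL)
        goto fail;
    return fp;

fail:
    saved = errno;
    close(fd);
    unlink(pathbuf);
    errno = saved;
    return NULL;
}

/* Write MSG to a scratch file, read it back and remove the file.  Returns
 * the number of bytes that round-tripped, or -1 on any failure.  Stands in
 * for the write-then-reread use a CGI has for a temporary message body. */
long scratch_roundtrip(const char *msg)
{
    char path[256], buf[1024];
    struct stat st;
    size_t len = strlen(msg), got;
    long result = -1;
    FILE *fp;

    if (len >= sizeof buf)
        return -1;
    fp = scratch_open(NULL, path, sizeof path);
    if (fp == NULL)
        return -1;

    /* what we hold must be a regular file that nobody else can read */
    if (fstat(fileno(fp), &st) == 0 && S_ISREG(st.st_mode) && (st.st_mode & 077) == 0
        && fwrite(msg, 1, len, fp) == len && fflush(fp) == 0) {
        rewind(fp);
        got = fread(buf, 1, sizeof buf, fp);
        if (got == len && memcmp(buf, msg, len) == 0)
            result = (long)len;
    }
    fclose(fp);
    unlink(path);
    return result;
}

int main(void)
{
    long n = scratch_roundtrip("constructed sample message body\n");
    if (n < 0) {
        perror("scratch_roundtrip");
        return 1;
    }
    printf("%ld bytes round-tripped through a private scratch file\n", n);
    return 0;
}
```

If the temporary file is only ever used through the descriptor, as here, the path can be unlinked immediately after opening; it is kept until the end above only so the example can show the created name.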