Your message dated Sun, 17 Jun 2007 00:17:03 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#429160: fixed in po4a 0.31-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: po4a
Version: 0.29-1
Severity: grave
Tags: security patch

If you run po4a-gettextize on contents that do not get converted to PO files
due to some issue, the script will dump its results in
/tmp/gettextization.failed.po. 

The script uses a file in the /tmp directory but does not try to prevent a
symlink attack. A malicious user could create a symlink named like that in
the temporary directory and pointing to one of the user's files so that when
a user runs po4a-gettextize (and fails) the file the symlink pointed to would
get overwritten.

The fix is, IMHO, simple: just dump the results in the local directory, don't
use /tmp at all (it is, after all, unnecessary). The attached patch to
/usr/share/perl5/Locale/Po4a/Po.pm fixes this issue.

Regards

Javier
--- Po.pm.orig	2007-06-16 02:10:41.000000000 +0200
+++ Po.pm	2007-06-16 02:10:55.000000000 +0200
@@ -451,14 +451,14 @@
 	# Make sure both type are the same
 	#
 	if ($typeorig ne $typetrans){
-	    $pores->write("/tmp/gettextization.failed.po");
+	    $pores->write("gettextization.failed.po");
 	    die wrap_msg(dgettext("po4a",
 	    	"po4a gettextization: Structure disparity between original and translated files:\n".
 		"msgid (at %s) is of type '%s' while\n".
 		"msgstr (at %s) is of type '%s'.\n".
 		"Original text: %s\n".
 		"Translated text: %s\n".
-	        "(result so far dumped to /tmp/gettextization.failed.po)")."%s",
+	        "(result so far dumped to gettextization.failed.po)")."%s",
 	        $reforig, $typeorig, $reftrans, $typetrans, $orig, $trans,$toobad);
 	}
 
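Review bot: the replacement path "gettextization.failed.po" is relative, so it is resolved against whatever the current working directory is when po4a-gettextize fails; that removes the shared-/tmp exposure the report describes, but the write still silently clobbers any existing gettextization.failed.po in that directory, and the symlink concern comes back if the tool happens to be run from a world-writable directory. Creating the dump with O_CREAT|O_EXCL (and O_NOFOLLOW where available) instead of a plain overwrite would close that; the new location should also be mentioned in the documentation, since users will now look for the file next to their sources rather than in /tmp. Note also that the second changed line edits a translatable msgid, so existing translations of that message become fuzzy, and it is worth checking that no other "/tmp/" writes remain in Po.pm outside this hunk.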



--- End Message ---
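The report above describes a classic predictable-path race: the dump file name is fixed, the directory is shared, and the write follows whatever is already sitting at that name. The following is an added example written for this page, not po4a's own code, showing two ways a failure dump can be written so that a planted symlink is refused rather than followed. The function names, the scratch directory and the "PO so far" payload are all constructed for the demonstration; the symlink it creates is the regression fixture a maintainer would use to check that the protection holds.

```perl
#!/usr/bin/perl
# Added example (not po4a's own code): writing a failure dump without the
# /tmp symlink race described in the bug report.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL O_NOFOLLOW);
use File::Temp qw(tempfile tempdir);

# Variant 1: keep a fixed, predictable path (the pattern the original code
# used) but create it exclusively. O_CREAT|O_EXCL makes open fail if
# anything already exists at the path, a symlink included, so an
# attacker-planted link is never followed; O_NOFOLLOW refuses symlinks
# outright on systems that support it.
sub write_dump_exclusive {
    my ($path, $content) = @_;
    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600)
        or return (undef, "refusing to write $path: $!");
    print {$fh} $content;
    close $fh or return (undef, "close failed: $!");
    return ($path, undef);
}

# Variant 2: let File::Temp choose an unpredictable name inside the chosen
# directory. tempfile() creates the file with O_EXCL itself, so there is no
# window between picking the name and creating the file.
sub write_dump_tempfile {
    my ($dir, $content) = @_;
    my ($fh, $path) = tempfile("gettextization.failed.XXXXXX",
                               DIR    => $dir,
                               SUFFIX => ".po");
    print {$fh} $content;
    close $fh or die "close failed: $!";
    return $path;
}

# Constructed scratch directory standing in for /tmp, removed on exit.
my $scratch = tempdir(CLEANUP => 1);

# Constructed "user file" that an attacker would want overwritten.
my $victim = "$scratch/victim.txt";
open(my $v, '>', $victim) or die "cannot create $victim: $!";
print {$v} "important data\n";
close $v;

# Constructed fixture: a link at the predictable dump name pointing at the
# user's file, i.e. the situation the report describes.
symlink($victim, "$scratch/gettextization.failed.po")
    or die "cannot create fixture symlink: $!";

my $po_so_far = "msgid \"x\"\nmsgstr \"\"\n";   # constructed payload

# Variant 1 must refuse the planted name.
my ($written, $err) = write_dump_exclusive("$scratch/gettextization.failed.po",
                                           $po_so_far);
print $err ? "exclusive open refused: $err\n" : "wrote $written\n";

# The user's file must be untouched afterwards.
open($v, '<', $victim) or die "cannot read $victim: $!";
my $still = <$v>;
close $v;
print "victim intact: ", ($still eq "important data\n" ? "yes" : "NO"), "\n";

# Variant 2 never collides with a planted name because the name is random.
my $safe = write_dump_tempfile($scratch, $po_so_far);
print "tempfile dump written to $safe\n";
```

Run it as a plain Perl script; the first write reports EEXIST (or ELOOP) and the victim file keeps its contents, while the second write lands in a freshly created, randomly named file. The relative-path fix in the patch is a third option that sidesteps the shared directory altogether; the exclusive-open check is what makes any of the three safe when the chosen directory is writable by others.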
--- Begin Message ---
Source: po4a
Source-Version: 0.31-1

We believe that the bug you reported is fixed in the latest version of
po4a, which is due to be installed in the Debian FTP archive:

po4a_0.31-1.diff.gz
  to pool/main/p/po4a/po4a_0.31-1.diff.gz
po4a_0.31-1.dsc
  to pool/main/p/po4a/po4a_0.31-1.dsc
po4a_0.31-1_all.deb
  to pool/main/p/po4a/po4a_0.31-1_all.deb
po4a_0.31.orig.tar.gz
  to pool/main/p/po4a/po4a_0.31.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nicolas FRANCOIS (Nekral) <[EMAIL PROTECTED]> (supplier of updated po4a package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 24 Mar 2007 21:19:01 +0100
Source: po4a
Binary: po4a
Architecture: source all
Version: 0.31-1
Distribution: unstable
Urgency: low
Maintainer: Nicolas FRANCOIS (Nekral) <[EMAIL PROTECTED]>
Changed-By: Nicolas FRANCOIS (Nekral) <[EMAIL PROTECTED]>
Description: 
 po4a       - tools for helping translation of documentation
Closes: 415643 429160
Changes: 
 po4a (0.31-1) unstable; urgency=low
 .
   * New upstream release.
     - New options for po4a: --msgid-bugs-address and --copyright-holder.
       Options can also be set in the configuration files. Closes: #415643
     - gettext (>= 0.16) is needed (use of the --previous flag).
   * Fix symlink attacks in /tmp vulnerability. Thanks to Javier
     Fernández-Sanguino Peña. Closes: #429160
   * Update the FSF address.
   * Update the debian/copyright to mention the actual copyrights and the
     upstream location
Files: 
 ba306098b27cbb10fbed957b3c94a7cb 717 text optional po4a_0.31-1.dsc
 c814a2205a21236c56dac69e88a7f20a 834753 text optional po4a_0.31.orig.tar.gz
 0fc6846b38188d136cb78aa596a0a701 164024 text optional po4a_0.31-1.diff.gz
 89ea608f82deb4c96a9fc2a7d6e0d8f7 719790 text optional po4a_0.31-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGdHxMST77jl1k+HARAuPmAKDfpfUyra5UxMpdtdeby3XJ3s4xlgCeIPYa
rrQMuYS/CnvDzekgOjT9Rxg=
=8APe
-----END PGP SIGNATURE-----


--- End Message ---