On Mon, Aug 25, 2008 at 02:22:54PM +0200, Olivier Berger wrote:
> 
> AFAICT (and thanks to Thijs Kinkhorst <[EMAIL PROTECTED]> : 
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494969#21) there are more 
> insecure uses of /tmp in sympa.
> 
> One quite nasty one is in /usr/lib/sympa/bin/sympa_wizard.pl, as this 
> script is used during sympa's postinst, so with root privileges, IMHO.
> 
> Note that the sympa_wizard.pl which needs to be fixed is in debian/ in 
> package sources (see #496514). Still, the insecure code is also present in 
> upstream's sympa_wizard.pl.
> 

Sh*t. There's no problem in sympa_wizard.pl actually.

The current sympa_wizard doesn't use any insecure file in /tmp.

This is again a "false positive", as the $new_wwsympa_conf = 
'/tmp/wwsympa.conf' and $new_sympa_conf = '/tmp/sympa.conf' haven't been used 
for a long time 
(http://sourcesup.cru.fr/cgi/viewvc.cgi/trunk/src/sympa_wizard.pl?view=diff&r1=1613&r2=1614)...
but the fix was incompletely done (the $new_[ww]sympa_conf variables remain 
although @new_[ww]sympa_conf are the only ones used).

Thus, the attached patch may be better, to finally get rid of the /tmp path.

Too bad, this wasn't really obvious looking at the code :(.

Sorry about bothering.

diff -a -u -i -b -w -r1.17 sympa_wizard.pl
--- debian/sympa_wizard.pl	9 Apr 2008 14:59:13 -0000	1.17
+++ debian/sympa_wizard.pl	25 Aug 2008 14:23:24 -0000
@@ -49,9 +49,6 @@
 
 ## Configuration
 
-my $new_wwsympa_conf = '/tmp/wwsympa.conf';
-my $new_sympa_conf = '/tmp/sympa.conf';
-
 my $wwsconf = {};
 
 ## Change to your wwsympa.conf location
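Review bot: dropping these two declarations is only safe if no other line still reads $new_wwsympa_conf or $new_sympa_conf; the second hunk rewrites the two die messages, but this hunk on its own gives no evidence those were the last references. If the script runs under `use strict`, `perl -c debian/sympa_wizard.pl` on the patched file will flag any leftover use of the now-undeclared lexicals; otherwise a grep for `$new_sympa_conf` and `$new_wwsympa_conf` (the scalars, not the `@new_*` arrays) is worth doing before this is committed.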
@@ -716,11 +713,11 @@
 
     ## Write new config files
     unless (open (WWSYMPA,"> $wwsympa_conf")){
-	die "unable to open $new_wwsympa_conf : $!";
+	die "unable to open $wwsympa_conf : $!";
     };
 
     unless (open (SYMPA,"> $sympa_conf")){
-	die "unable to open $new_sympa_conf : $!";
+	die "unable to open $sympa_conf : $!";
     };
 
     print SYMPA @new_sympa_conf;
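Review bot: the corrected messages now name the file that is actually being opened, which is the right fix, but the surrounding `open (WWSYMPA,"> $wwsympa_conf")` is still a two-argument open with the mode interpolated into the path string; a three-argument form such as `open(my $fh, '>', $wwsympa_conf)` keeps the mode separate from the filename and is the usual style recommendation for a script that runs from postinst. The `};` closing each unless block also carries a stray semicolon (harmless, but `}` is enough).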
_______________________________________________
Secure-testing-team mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/secure-testing-team