Debian Bug report logs -
#496391
The possibility of attack with the help of symlinks in some Debian packages
Report forwarded to debian-bugs-dist@lists.debian.org, smr@debian.org (Steve M. Robbins): Bug#496391; Package gccxml.
Acknowledgement sent to "Dmitry E. Oboukhov" <dimka@uvw.ru>: New Bug report received and forwarded. Copy sent to smr@debian.org (Steve M. Robbins).
Message #5 received at submit@bugs.debian.org (full text, mbox):
Package: gccxml
Severity: grave
Hi, maintainer!
This bug report concerns a few packages at once. I've tested all the
packages (for Lenny) on my Debian mirror. All package scripts (marked as
executable) were tested.
In some packages I've discovered scripts with errors which may be used
by a user for damaging important system files or user's files.
For example, if a script uses a temp file created in the /tmp directory,
then any user can create a symlink with the same name in this directory
in order to destroy or overwrite some system or user file. A symlink
attack may lead not only to data destruction but to denial of service
as well.
Even if you create files or directories with the help of the 'RANDOM'
function or pid(), your system is not protected. An attacker can create
many symlinks in order to destroy your data or create a 'denial of
service' for your package scripts.
Even if you rm(dir) the files/directories first, your system is not
protected. An attacker can permanently create symlinks.
This list was created with the help of a script and sorted by hand.
However, in some cases a mistake is possible.
Please be understanding of possible mistakes. :)
I have set the severity of this bug to grave. The table of discovered
problems is below.
Discussion of this bug can be seen in debian-devel@:
http://lists.debian.org/debian-devel/2008/08/msg00271.html
Binary-package: r-base-core-ra (1.1.1-1)
file: /usr/lib/Ra/lib/R/bin/javareconf
Binary-package: rccp (0.9-2)
file: /usr/lib/rccp/delqueueask
Binary-package: mafft (6.240-1)
file: /usr/bin/mafft-homologs
Binary-package: openoffice.org-common (1:2.4.1-6)
file: /usr/lib/openoffice/program/senddoc
Binary-package: crossfire-maps (1.11.0-1)
file: /usr/share/games/crossfire/maps/Info/combine.pl
Binary-package: sgml2x (1.0.0-11.1)
file: /usr/bin/rlatex
Binary-package: liguidsoap (0.3.6-4)
file: /var/lib/liguidsoap/liguidsoap.py
Binary-package: citadel-server (7.37-1)
file: /usr/lib/citadel-server/migrate_aliases.sh
Binary-package: ampache (3.4.1-1)
file: /usr/share/ampache/www/locale/base/gather-messages.sh
Binary-package: xen-utils-3.2-1 (3.2.1-2)
file: /usr/lib/xen-3.2-1/bin/qemu-dm.debug
Binary-package: dtc-common (0.29.6-1)
file: /usr/share/dtc/admin/accesslog.php
file: /usr/share/dtc/admin/sa-wrapper
Binary-package: honeyd-common (1.5c-3)
file: /usr/share/honeyd/scripts/test.sh
Binary-package: lustre-tests (1.6.5-1)
file: /usr/lib/lustre/tests/runiozone
Binary-package: linuxtrade (3.65-8+b4)
file: /usr/share/linuxtrade/bin/linuxtrade.bwkvol
file: /usr/share/linuxtrade/bin/linuxtrade.wn
file: /usr/share/linuxtrade/bin/moneyam.helper
Binary-package: freevo (1.8.1-0)
file: /usr/bin/freevo.real
Binary-package: fml (4.0.3.dfsg-2)
file: /usr/share/fml/libexec/mead.pl
Binary-package: rkhunter (1.3.2-3)
file: /usr/bin/rkhunter
Binary-package: openswan (1:2.4.12+dfsg-1.1)
file: /usr/lib/ipsec/livetest
Binary-package: linux-patch-openswan (1:2.4.12+dfsg-1.1)
file: /usr/src/kernel-patches/all/openswan/packaging/utils/maysnap
file: /usr/src/kernel-patches/all/openswan/packaging/utils/maytest
Binary-package: aptoncd (0.1-1.1)
file: /usr/share/aptoncd/xmlfile.py
Binary-package: cdcontrol (1.90-1.1)
file: /usr/lib/cdcontrol/writtercontrol
Binary-package: newsgate (1.6-23)
file: /usr/bin/mkmailpost
Binary-package: gpsdrive-scripts (2.10~pre4-3)
file: /usr/bin/geo-code
Binary-package: impose+ (0.2-11)
file: /usr/bin/impose
Binary-package: mgt (2.31-5)
file: /usr/games/mailgo
Binary-package: audiolink (0.05-1)
file: /usr/bin/audiolink
Binary-package: ibackup (2.27-4.1)
file: /usr/bin/ibackup
Binary-package: emacspeak (26.0-3)
file: /usr/share/emacs/site-lisp/emacspeak/etc/extract-table.pl
Binary-package: bk2site (1:1.1.9-3.1)
file: /usr/lib/cgi-bin/bk2site/redirect.pl
Binary-package: datafreedom-perl (0.1.7-1)
file: /usr/bin/dfxml-invoice
Binary-package: emacs-jabber (0.7.91-1)
file: /usr/lib/emacsen-common/packages/install/emacs-jabber
Binary-package: lmbench (3.0-a7-1)
file: /usr/lib/lmbench/scripts/rccs
file: /usr/lib/lmbench/scripts/STUFF
Binary-package: rancid-util (2.3.2~a8-1)
file: /var/lib/rancid/getipacctg
Binary-package: ogle (0.9.2-5.2)
file: /usr/lib/ogle/ogle_audio_debug
file: /usr/lib/ogle/ogle_cli_debug
file: /usr/lib/ogle/ogle_ctrl_debug
file: /usr/lib/ogle/ogle_gui_debug
file: /usr/lib/ogle/ogle_mpeg_ps_debug
file: /usr/lib/ogle/ogle_mpeg_vs_debug
file: /usr/lib/ogle/ogle_nav_debug
file: /usr/lib/ogle/ogle_vout_debug
Binary-package: firehol (1.256-4)
file: /sbin/firehol
Binary-package: aview (1.3.0rc1-8)
file: /usr/bin/asciiview
Binary-package: radiance (3R9+20080530-3)
file: /usr/bin/optics2rad
file: /usr/bin/pdelta
file: /usr/bin/dayfact
file: /usr/bin/raddepend
Binary-package: vdr-dbg (1.6.0-5)
file: /usr/bin/vdrleaktest
Binary-package: ogle-mmx (0.9.2-5.2)
file: /usr/lib/ogle/ogle_audio_debug
file: /usr/lib/ogle/ogle_cli_debug
file: /usr/lib/ogle/ogle_ctrl_debug
file: /usr/lib/ogle/ogle_gui_debug
file: /usr/lib/ogle/ogle_mpeg_ps_debug
file: /usr/lib/ogle/ogle_mpeg_vs_debug
file: /usr/lib/ogle/ogle_nav_debug
file: /usr/lib/ogle/ogle_vout_debug
Binary-package: convirt (0.8.2-3)
file: /usr/share/convirt/image_store/_template_/provision.sh
file: /usr/share/convirt/image_store/Linux_CD_Install/provision.sh
file: /usr/share/convirt/image_store/Fedora_PV_Install/provision.sh
file: /usr/share/convirt/image_store/CentOS_PV_Install/provision.sh
file: /usr/share/convirt/image_store/common/provision.sh
file: /usr/share/convirt/image_store/example/provision.sh
file: /usr/share/convirt/image_store/Windows_CD_Install/provision.sh
Binary-package: printfilters-ppd (2.13-9)
file: /usr/lib/printfilters/master-filter
Binary-package: r-base-core (2.7.1-1)
file: /usr/lib/R/bin/javareconf
file: /usr/lib/R/bin/javareconf.orig
Binary-package: xmcd (2.6-19.3)
file: /usr/share/xmcd/scripts/ncsarmt
file: /usr/share/xmcd/scripts/ncsawrap
Binary-package: tiger (1:3.2.2-3.1)
file: /usr/lib/tiger/util/genmsgidx
Binary-package: scilab-bin (4.1.2-5)
file: /usr/lib/scilab-4.1.2/bin/scilink
file: /usr/lib/scilab-4.1.2/util/scidoc
file: /usr/lib/scilab-4.1.2/util/scidem
Binary-package: dpkg-cross (2.3.0)
file: /usr/share/dpkg-cross/bin/gccross
Binary-package: ltp-network-test (20060918-2.1)
file: /usr/lib/debian-test/tests/linux/testcases/bin/ftp_setup_vsftp_conf
file: /usr/lib/debian-test/tests/linux/testcases/bin/nfs_fsstress.sh
Binary-package: cman (2.20080629-1)
file: /usr/sbin/fence_egenera
Binary-package: scratchbox2 (1.99.0.24-1)
file: /usr/share/scratchbox2/scripts/dpkg-checkbuilddeps
file: /usr/share/scratchbox2/scripts/sb2-check-pkg-mappings
Binary-package: sendmail-base (8.14.3-5)
file: /usr/sbin/checksendmail
file: /usr/bin/expn
Binary-package: fwbuilder (2.1.19-3)
file: /usr/bin/fwb_install
Binary-package: sng (1.0.2-5)
file: /usr/bin/sng_regress
Binary-package: dist (1:3.5-17-1)
file: /usr/bin/patcil
file: /usr/bin/patdiff
Binary-package: sympa (5.3.4-5)
file: /usr/lib/cgi-bin/sympa/wwsympa.fcgi
file: /usr/lib/sympa/bin/sympa.pl
Binary-package: postfix (2.5.2-2)
file: /usr/lib/postfix_groups.pl
Binary-package: caudium (3:1.4.12-11)
file: /usr/share/caudium/configvar
Binary-package: mgetty-fax (1.1.36-1.2)
file: /usr/bin/faxspool
Binary-package: aegis (4.24-3)
file: /usr/share/doc/aegis/examples/remind/bng_dvlpd.sh
file: /usr/share/doc/aegis/examples/remind/bng_rvwd.sh
file: /usr/share/doc/aegis/examples/remind/awt_dvlp.sh
file: /usr/share/doc/aegis/examples/remind/awt_intgrtn.sh
Binary-package: aegis-web (4.24-3)
file: /usr/lib/cgi-bin/aegis.cgi
Binary-package: digitaldj (0.7.5-6+b1)
file: /usr/share/digitaldj/fest.pl
Binary-package: mon (0.99.2-12)
file: /usr/lib/mon/alert.d/test.alert
Binary-package: feta (1.4.16)
file: /usr/share/feta/plugins/to-upgrade
Binary-package: arb-common (0.0.20071207.1-4)
file: /usr/lib/arb/SH/arb_fastdnaml
file: /usr/lib/arb/SH/dszmconnect.pl
Binary-package: qemu (0.9.1-5)
file: /usr/sbin/qemu-make-debian-root
Binary-package: apertium (3.0.7+1-1+b1)
file: /usr/bin/apertium-gen-deformat
file: /usr/bin/apertium-gen-reformat
file: /usr/bin/apertium
Binary-package: xcal (4.1-18.3)
file: /usr/bin/pscal
Binary-package: myspell-tools (1:3.1-20)
file: /usr/bin/i2myspell
Binary-package: gccxml (0.9.0+cvs20080525-1)
file: /usr/share/gccxml-0.9/MIPSpro/find_flags
Binary-package: freeradius-dialupadmin (2.0.4+dfsg-4)
file: /usr/share/freeradius-dialupadmin/bin/backup_radacct
file: /usr/share/freeradius-dialupadmin/bin/clean_radacct
file: /usr/share/freeradius-dialupadmin/bin/monthly_tot_stats
file: /usr/share/freeradius-dialupadmin/bin/tot_stats
file: /usr/share/freeradius-dialupadmin/bin/truncate_radacct
Binary-package: dhis-server (5.3-1)
file: /usr/lib/dhis-server/dhis-dummy-log-engine
Binary-package: wims (3.62-13)
file: /var/lib/wims/public_html/bin/coqweb
file: /var/lib/wims/bin/account.sh
Binary-package: initramfs-tools (0.92f)
file: /usr/share/initramfs-tools/init
Binary-package: realtimebattle-common (1.0.8-7)
file: /usr/lib/realtimebattle/Robots/perl.robot
Binary-package: netmrg (0.20-1)
file: /usr/bin/rrdedit
Binary-package: bulmages-servers (0.11.1-2)
file: /usr/share/bulmages/examples/scripts/actualizabulmacont
file: /usr/share/bulmages/examples/scripts/installbulmages-db
file: /usr/share/bulmages/examples/scripts/creabulmafact
file: /usr/share/bulmages/examples/scripts/creabulmacont
file: /usr/share/bulmages/examples/scripts/actualizabulmafact
Binary-package: xastir (1.9.2-1)
file: /usr/lib/xastir/get-maptools.sh
file: /usr/lib/xastir/get_shapelib.sh
Binary-package: plait (1.5.2-1)
file: /usr/bin/plaiter
file: /usr/bin/plait
Binary-package: cdrw-taper (0.4-2)
file: /usr/sbin/amlabel-cdrw
Binary-package: konwert-filters (1.8-11.1)
file: /usr/share/konwert/filters/any-UTF8
Binary-package: gdrae (0.1-1)
file: /usr/bin/gdrae
Binary-package: lazarus-src (0.9.24-0-9)
file: /usr/lib/lazarus/tools/install/create_lazarus_export_tgz.sh
Information forwarded to debian-bugs-dist@lists.debian.org, smr@debian.org (Steve M. Robbins): Bug#496391; Package gccxml.
Acknowledgement sent to "Steve M. Robbins" <steve@sumost.ca>: Extra info received and forwarded to list. Copy sent to smr@debian.org (Steve M. Robbins).
Message #10 received at 496391@bugs.debian.org (full text, mbox):
severity 496391 normal
thanks
On Sun, Aug 24, 2008 at 10:05:30PM +0400, Dmitry E. Oboukhov wrote:
> In some packages I've discovered scripts with errors which may be used
> by a user for damaging important system files or user's files.
> Binary-package: gccxml (0.9.0+cvs20080525-1)
> file: /usr/share/gccxml-0.9/MIPSpro/find_flags
I'm resetting the severity of this, on the assumption that no
reasonable person will go out of their way to run a script for MIPS
pro on linux, with a privileged account.
-Steve
Severity set to `normal' from `grave'. Request was from "Steve M. Robbins" <steve@sumost.ca> to control@bugs.debian.org. (Sun, 24 Aug 2008 19:45:04 GMT)
Tags added: Request was from "Dmitry E. Oboukhov" <dimka@uvw.ru> to control@bugs.debian.org. (Tue, 26 Aug 2008 08:45:33 GMT)
Tags added: security. Request was from "Dmitry E. Oboukhov" <dimka@uvw.ru> to control@bugs.debian.org. (Tue, 26 Aug 2008 08:57:23 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, smr@debian.org (Steve M. Robbins): Bug#496391; Package gccxml. (Mon, 21 Sep 2009 13:18:04 GMT)
Acknowledgement sent to Bill Hoffman <bill.hoffman@kitware.com>: Extra info received and forwarded to list. Copy sent to smr@debian.org (Steve M. Robbins). (Mon, 21 Sep 2009 13:18:04 GMT)
Message #21 received at 496391@bugs.debian.org (full text, mbox):
This issue has been fixed in GCCXML for some time now (Dec 2008).
-Bill
Information forwarded to debian-bugs-dist@lists.debian.org, smr@debian.org (Steve M. Robbins): Bug#496391; Package gccxml. (Tue, 22 Sep 2009 02:30:02 GMT)
Acknowledgement sent to "Steve M. Robbins" <steve@sumost.ca>: Extra info received and forwarded to list. Copy sent to smr@debian.org (Steve M. Robbins). (Tue, 22 Sep 2009 02:30:03 GMT)
Message #26 received at 496391@bugs.debian.org (full text, mbox):
On Mon, Sep 21, 2009 at 09:08:44AM -0400, Bill Hoffman wrote:
> This issue has been fixed in GCCXML for some time now (Dec 2008).
Really? I'm looking at :pserver:anoncvs@www.gccxml.org:/cvsroot/GCC_XML
and I don't see any change on the file in question since 2005. The file
is the same as that which provoked the bug report. Am I looking in
the wrong place?
steve@riemann{MIPSpro}cvs log find_flags
RCS file: /cvsroot/GCC_XML/gccxml/GCC_XML/Support/MIPSpro/find_flags,v
Working file: find_flags
head: 1.5
branch:
[...]
keyword substitution: kv
total revisions: 5; selected revisions: 5
description:
----------------------------
revision 1.5
date: 2005-08-01 17:11:33 -0500; author: king; state: Exp; lines: +74 -8;
ENH: Added support to detect some internally defined macros in the MIPSpro compiler. Now more than just -LANG:std => _STANDARD_C_PLUS_PLUS is supported.
----------------------------
revision 1.4
[...]
Regards,
-Steve
Information forwarded to debian-bugs-dist@lists.debian.org, smr@debian.org (Steve M. Robbins): Bug#496391; Package gccxml. (Tue, 22 Sep 2009 13:39:03 GMT)
Acknowledgement sent to Brad King <brad.king@kitware.com>: Extra info received and forwarded to list. Copy sent to smr@debian.org (Steve M. Robbins). (Tue, 22 Sep 2009 13:39:03 GMT)
Message #31 received at 496391@bugs.debian.org (full text, mbox):
Hi Folks,
This bug was reported upstream and partly fixed in Dec 2008:
http://www.gccxml.org/Bug/view.php?id=8083
There were *two* scripts with the problem. One was MIPSpro/find_flags,
the other was "gccxml_find_flags" which was the one fixed (and later
replaced by a C++ implementation anyway). At the time I missed that
the MIPSpro one evaluates content of the file from /tmp in a shell
as command-line arguments, permitting the back-tick evaluation attack.
No one ever re-opened the bug to point that out or forwarded this
Debian report upstream until now. I re-opened the upstream report
with a link to this report, committed a fix, and closed it again
with a reference to the commit.
-Brad
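The two weaknesses this thread describes, the original report's predictable temp file under /tmp that a symlink can be planted against, and Brad's note that MIPSpro/find_flags evaluated the file's contents as shell arguments, share one defensive shape: create the scratch file with an unpredictable name and O_EXCL in a private directory, check it before use, and consume its lines literally. The bash script below is an added example written for this page, not code from gccxml or from the bug report; the "findflags." prefix, the sample flag lines and the demo function names are constructed, and it assumes only bash and mktemp(1).

```bash
#!/usr/bin/env bash
# Added example (not from gccxml or the bug report): an unpredictable,
# O_EXCL-created scratch file in a private directory, a trust check before
# use, and literal (never eval'd) consumption of the file's contents.
set -u

# mktemp(1) picks an unpredictable name and creates the directory 0700 with
# O_EXCL, so a symlink pre-planted at a guessable path (/tmp/x.$$, /tmp/x.$RANDOM)
# is never followed. The "findflags." prefix is constructed for this example.
make_private_tmpdir() {
    mktemp -d "${TMPDIR:-/tmp}/findflags.XXXXXXXXXX"
}

# Before trusting a scratch file: not a symlink, a regular file, owned by us.
tmp_file_is_trusted() {
    [ ! -L "$1" ] && [ -f "$1" ] && [ -O "$1" ]
}

# One flag per line becomes one literal argument each. Nothing is eval'd,
# so a line such as `id` stays a string rather than running a command.
print_flags_as_args() {
    local file=$1 line
    tmp_file_is_trusted "$file" || return 1
    set --
    while IFS= read -r line || [ -n "$line" ]; do
        set -- "$@" "$line"
    done < "$file"
    printf '[%s]' "$@"; echo
}

# Constructed sample content, including a backtick string that an
# eval-style consumer (the find_flags bug) would have executed.
demo_literal_flags() {
    local dir file out rc
    dir=$(make_private_tmpdir) || return 1
    file="$dir/flags"
    printf '%s\n' '-LANG:std' '-D_STANDARD_C_PLUS_PLUS' '`id`' > "$file"
    out=$(print_flags_as_args "$file"); rc=$?
    rm -rf "$dir"
    [ "$rc" -eq 0 ] && printf '%s\n' "$out"
}
# The trust check must reject a symlink sitting where the file is expected.
demo_rejects_symlink() {
    local dir rc=1
    dir=$(make_private_tmpdir) || return 1
    ln -s /dev/null "$dir/flags"
    tmp_file_is_trusted "$dir/flags" || rc=0
    rm -rf "$dir"
    return "$rc"
}
```

demo_literal_flags prints each recovered flag in brackets, with the backtick line intact as text; demo_rejects_symlink succeeds only if the trust check refuses the planted symlink.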
Information forwarded to debian-bugs-dist@lists.debian.org, smr@debian.org (Steve M. Robbins): Bug#496391; Package gccxml. (Wed, 23 Sep 2009 00:57:03 GMT)
Acknowledgement sent to "Steve M. Robbins" <steve@sumost.ca>: Extra info received and forwarded to list. Copy sent to smr@debian.org (Steve M. Robbins). (Wed, 23 Sep 2009 00:57:03 GMT)
Message #36 received at 496391@bugs.debian.org (full text, mbox):
Hi Brad,
On Tue, Sep 22, 2009 at 09:25:54AM -0400, Brad King wrote:
> No one ever re-opened the bug to point that out or forwarded this
> Debian report upstream until now.
True. The attack appeared to be rather theoretical in the Debian
context. I didn't consider it high priority and then it slipped from
my mind.
Thanks for fixing it!
-Steve
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue Feb 9 19:15:31 2010; Machine Name: busoni.debian.org
Debian Bug tracking system Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.