Debian Bug report logs - #286382
debstd: Insecure temporary directory usage


Package: debmake; Maintainer for debmake is Osamu Aoki <osamu@debian.org>; Source for debmake is src:debmake.

Reported by: Javier Fernández-Sanguino Peña <jfs@computer.org>

Date: Sun, 19 Dec 2004 23:18:04 UTC

Severity: important

Tags: security

Found in version 3.7.6

Fixed in version debmake/3.7.7

Done: Santiago Vila <sanvila@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#286382; Package debmake. Full text and rfc822 format available.

Acknowledgement sent to Javier Fernández-Sanguino Peña <jfs@computer.org>:
New Bug report received and forwarded. Copy sent to Santiago Vila <sanvila@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Javier Fernández-Sanguino Peña <jfs@computer.org>
To: submit@bugs.debian.org
Subject: debstd: Insecure temporary directory usage
Date: Mon, 20 Dec 2004 00:03:50 +0100
Package: debmake
Version: 3.7.6
Priority: important
Tags: security

The debstd script does not protect itself from temporary directory
attacks since it creates a temporary directory in an insecure manner
(the process PID is not sufficient to avoid an attack) and does not check
if the temporary dir it uses exists before using it.

The attached patch is an attempt to fix this behaviour using the
mktemp tool.

Regards

Javier

PS: I initially reported this to the security team back in June,
but have not found time to follow up on this issue until today.
Security team, please check
Resent-Message-ID: <20040624124521.GA10101@dat.etsit.upm.es>


[debstd.diff (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#286382; Package debmake. Full text and rfc822 format available.

Acknowledgement sent to Santiago Vila <sanvila@unex.es>:
Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@debian.org>. Full text and rfc822 format available.

Message #10 received at 286382@bugs.debian.org (full text, mbox):

From: Santiago Vila <sanvila@unex.es>
To: Javier Fernández-Sanguino Peña <jfs@computer.org>, 286382@bugs.debian.org
Subject: Re: Bug#286382: debstd: Insecure temporary directory usage
Date: Mon, 20 Dec 2004 01:08:10 +0100 (CET)
On Mon, 20 Dec 2004, Javier Fernández-Sanguino Peña wrote:

> Package: debmake
> Version: 3.7.6
> Priority: important
> Tags: security
> 
> The debstd script does not protect itself from temporary directory
> attacks since it creates a temporary directory in an insecure manner
> (the process PID is not sufficient to avoid an attack) and does not check
> if the temporary dir it uses exists before using it.
> 
> The attached patch is an attempt to fix this behaviour using the
> mktemp tool.

Thanks for the report.

I wonder why an empty temporary directory is used at all to copy
files from $PDIR to $2/usr/share/info.

Do you see a reason why tar may not be used in this case?




Message #15 received at 286382@bugs.debian.org (full text, mbox):

From: Santiago Vila <sanvila@unex.es>
To: Javier Fernández-Sanguino Peña <jfs@computer.org>, 286382@bugs.debian.org
Subject: Re: Bug#286382: debstd: Insecure temporary directory usage
Date: Mon, 20 Dec 2004 01:18:39 +0100 (CET)
I mean something like this:

diff -ru debmake-3.7.6.orig/debstd debmake-3.7.6/debstd
--- debmake-3.7.6.orig/debstd	2003-10-08 14:14:54.000000000 +0200
+++ debmake-3.7.6/debstd	2004-12-20 01:13:05.000000000 +0100
@@ -348,10 +348,7 @@
     FILEX="$FILE"
     if [ "$FILES" ]; then
       install -d $2/usr/share/info
-      mkdir /tmp/info$$
-      (cd $PDIR;cp $FILES /tmp/info$$)
-      (cd $2/usr/share/info;find /tmp/info$$ -type f -exec cp '{}' . \;)
-      rm -rf /tmp/info$$
+      (cd $PDIR; tar cf - $FILES) | (cd $2/usr/share/info; tar xpf - )
     fi
     if [ "$SECTION_MATCH" = "" ]; then
       addscript postinst < ${debmake_dir}/info.postinst
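Review bot: the `+` line is not a drop-in replacement for the removed `find /tmp/info$$ -type f -exec cp '{}' . \;`, which copied every file flat into `$2/usr/share/info`; `tar cf - $FILES` keeps whatever directory components appear in `$FILES` and recreates them at the destination. If `$FILES` can contain paths with a directory part, either strip it before archiving or confirm the info files always sit directly in `$PDIR`.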

Do you see any flaw in the above code?

The only difference I see is that tar would copy symlinks as symlinks,
but that would be a feature, not a bug.




Message #20 received at 286382@bugs.debian.org (full text, mbox):

From: Santiago Vila <sanvila@unex.es>
To: Javier Fernández-Sanguino Peña <jfs@computer.org>, 286382@bugs.debian.org
Subject: Re: Bug#286382: debstd: Insecure temporary directory usage
Date: Mon, 20 Dec 2004 17:00:48 +0100 (CET)
On Mon, 20 Dec 2004, Santiago Vila wrote:

> diff -ru debmake-3.7.6.orig/debstd debmake-3.7.6/debstd
> --- debmake-3.7.6.orig/debstd	2003-10-08 14:14:54.000000000 +0200
> +++ debmake-3.7.6/debstd	2004-12-20 01:13:05.000000000 +0100
> @@ -348,10 +348,7 @@
>      FILEX="$FILE"
>      if [ "$FILES" ]; then
>        install -d $2/usr/share/info
> -      mkdir /tmp/info$$
> -      (cd $PDIR;cp $FILES /tmp/info$$)
> -      (cd $2/usr/share/info;find /tmp/info$$ -type f -exec cp '{}' . \;)
> -      rm -rf /tmp/info$$
> +      (cd $PDIR; tar cf - $FILES) | (cd $2/usr/share/info; tar xpf - )
>      fi
>      if [ "$SECTION_MATCH" = "" ]; then
>        addscript postinst < ${debmake_dir}/info.postinst
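Review bot: on the `+` line both subshells use `cd ...;`, so if either `cd` fails, tar still runs and reads from or unpacks into whatever the current directory happens to be. Use `cd "$PDIR" &&` and `cd "$2/usr/share/info" &&`, and quote `$PDIR` and `$2` so a path containing spaces is not split.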
> 
> Do you see any flaw in the above code?

Hmm, I'll reply to myself:

The above will not behave the same as before if FILES=somedirectory/somefile,
because the "-exec cp" makes any directory structure disappear.

Still, I would like to remove the need for a temporary directory.
Ideas welcome.




Message #25 received at 286382@bugs.debian.org (full text, mbox):

From: Santiago Vila <sanvila@unex.es>
To: 286382@bugs.debian.org
Cc: Javier Fernández-Sanguino Peña <jfs@computer.org>
Subject: Re: Bug#286382: debstd: Insecure temporary directory usage
Date: Mon, 20 Dec 2004 21:39:37 +0100 (CET)
In fact, there is no need for a temporary directory. Just this:

cp $FILES $2/usr/share/info

should work, as the variable PDIR happens to match the current working
directory.

I'll upload 3.7.7 for unstable and 3.6.10.woody.1 for stable-security
with this change.
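
The three approaches discussed in this thread (the predictable `/tmp/info$$` directory, the `mktemp` proposal, and the final direct copy), side by side as an added example that is not part of the original messages or of debmake. The function names, the sandbox layout and the `stray.info` file are assumptions; a private directory stands in for `/tmp`.

```shell
#!/bin/sh
# Added example, not debmake code. Function names and the sandbox layout are
# assumptions; "$1" (tmproot) stands in for /tmp so nothing outside a private
# sandbox is touched. Each function is run from the source directory.

# debstd 3.7.6 pattern: predictable name, result of mkdir never checked.
stage_predictable() {            # $1=tmproot $2=dest $3...=files
    tmproot=$1; dest=$2; shift 2
    t="$tmproot/info$$"
    mkdir "$t" 2>/dev/null || true          # failure silently ignored
    cp "$@" "$t"
    (cd "$dest" && find "$t" -type f -exec cp '{}' . \;)
    rm -rf "$t"
}

# mktemp approach from the report: random name, mode 0700, stop on failure.
stage_mktemp() {
    tmproot=$1; dest=$2; shift 2
    t=$(mktemp -d "$tmproot/info.XXXXXX") || return 1
    rc=0
    { cp "$@" "$t" && (cd "$dest" && find "$t" -type f -exec cp '{}' . \;); } || rc=1
    rm -rf "$t"
    return $rc
}

# 3.7.7 approach: no temporary directory at all.
stage_direct() {
    dest=$2; shift 2
    cp "$@" "$dest"
}

# Constructed scenario: a directory with the predictable name already exists
# and holds a file that is not part of the package. Prints what reaches dest.
demo() {                         # $1 = one of the stage_* functions
    box=$(mktemp -d) || return 1
    mkdir "$box/tmp" "$box/src" "$box/dest"
    echo real > "$box/src/foo.info"
    mkdir "$box/tmp/info$$"
    echo stray > "$box/tmp/info$$/stray.info"
    (cd "$box/src" && "$1" "$box/tmp" "$box/dest" foo.info)
    echo $(ls "$box/dest")       # unquoted on purpose: one line, space separated
    rm -rf "$box"
}
```

With the predictable name, the file that was already sitting in the directory is copied into the package tree alongside `foo.info`; the `mktemp` and direct-copy variants deliver only `foo.info`.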



Reply sent to Santiago Vila <sanvila@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Javier Fernández-Sanguino Peña <jfs@computer.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #30 received at 286382-close@bugs.debian.org (full text, mbox):

From: Santiago Vila <sanvila@debian.org>
To: 286382-close@bugs.debian.org
Subject: Bug#286382: fixed in debmake 3.7.7
Date: Mon, 20 Dec 2004 17:32:07 -0500
Source: debmake
Source-Version: 3.7.7

We believe that the bug you reported is fixed in the latest version of
debmake, which is due to be installed in the Debian FTP archive:

debmake_3.7.7.dsc
  to pool/main/d/debmake/debmake_3.7.7.dsc
debmake_3.7.7.tar.gz
  to pool/main/d/debmake/debmake_3.7.7.tar.gz
debmake_3.7.7_all.deb
  to pool/main/d/debmake/debmake_3.7.7_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 286382@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Santiago Vila <sanvila@debian.org> (supplier of updated debmake package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 20 Dec 2004 23:14:22 +0100
Source: debmake
Binary: debmake
Architecture: source all
Version: 3.7.7
Distribution: unstable
Urgency: medium
Maintainer: Santiago Vila <sanvila@debian.org>
Changed-By: Santiago Vila <sanvila@debian.org>
Description: 
 debmake    - helper package for debian/rules (deprecated)
Closes: 286382
Changes: 
 debmake (3.7.7) unstable; urgency=medium
 .
   * Fixed insecure temporary directory usage in debstd (Closes: #286382).
     Simplified code, no need to use a temporary directory at all.
   * Standards-Version: 3.6.1.
Files: 
 8ba46797fc34e370db1429479f26e27b 552 devel optional debmake_3.7.7.dsc
 70cc33e538eb3203d70f4b5d89f60cf5 40420 devel optional debmake_3.7.7.tar.gz
 524e780e2846842278edb0c6905d51fc 35658 devel optional debmake_3.7.7_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBx08Bd9Uuvj7yPNYRAmg8AJwMVCUk4TWhkSC0W2YTiDK3GURKuwCgvpTq
0FomtN6qIRW1H7P6Opriq5k=
=En58
-----END PGP SIGNATURE-----





Message #35 received at 286382@bugs.debian.org (full text, mbox):

From: Santiago Vila <sanvila@unex.es>
To: team@security.debian.org, 286382@bugs.debian.org
Cc: Javier Fernández-Sanguino Peña <jfs@computer.org>
Subject: Re: Bug#286382: debstd: Insecure temporary directory usage
Date: Tue, 21 Dec 2004 00:07:04 +0100 (CET)
Security team:

For your review, I've uploaded debmake_3.6.10.woody.1 to stable-security
to fix this bug in stable. As this is Architecture: all, autobuilders will
have no job to do, so the upload should be ready almost immediately.

In case of problems with the upload, I have a world-readable copy in
my home directory in gluck, directory "debmake".

While we are at it, if you want to include a small note in the advisory
saying that debmake is officially deprecated and people are encouraged
to stop using it for new packages, you are more than welcome to do so.

Thanks.




Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@debian.org>. Full text and rfc822 format available.

Message #40 received at 286382@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: Santiago Vila <sanvila@unex.es>
Cc: team@security.debian.org, 286382@bugs.debian.org, Javier Fernández-Sanguino Peña <jfs@computer.org>
Subject: Re: Bug#286382: debstd: Insecure temporary directory usage
Date: Tue, 21 Dec 2004 08:11:22 +0100
Santiago Vila wrote:
> Security team:
> 
> For your review, I've uploaded debmake_3.6.10.woody.1 to stable-security
> to fix this bug in stable. As this is Architecture: all, autobuilders will
> have no job to do, so the upload should be ready almost immediately.

Bah!  Please talk to us *before* an upload so we can a) discuss the issue
and b) assign a CVE id *before* writing the changelog and stuff.

Which version in sid fixes the problem?

Regards,

	Joey

-- 
The only stupid question is the unasked one.

Please always Cc to me when replying to me on the lists.




Message #45 received at 286382@bugs.debian.org (full text, mbox):

From: Santiago Vila <sanvila@unex.es>
To: Martin Schulze <joey@infodrom.org>
Cc: team@security.debian.org, 286382@bugs.debian.org, Javier Fernández-Sanguino Peña <jfs@computer.org>
Subject: Re: Bug#286382: debstd: Insecure temporary directory usage
Date: Tue, 21 Dec 2004 12:30:59 +0100 (CET)
On Tue, 21 Dec 2004, Martin Schulze wrote:

> Santiago Vila wrote:
> > Security team:
> > 
> > For your review, I've uploaded debmake_3.6.10.woody.1 to stable-security
> > to fix this bug in stable. As this is Architecture: all, autobuilders will
> > have no job to do, so the upload should be ready almost immediately.
> 
> Bah!  Please talk to us *before* an upload so we can a) discuss the issue
> and b) assign a CVE id *before* writing the changelog and stuff.

The last developers-reference I read seemed to allow it.
I've just read the current version and it seems to be more strict.
Sorry, will do for the next upload.

> Which version in sid fixes the problem?

3.7.7, now in incoming.debian.org, will be in unstable in a few hours.




Message #50 received at 286382@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: Santiago Vila <sanvila@unex.es>
Cc: Debian Security Team <team@security.debian.org>, 286382@bugs.debian.org, Javier Fernández-Sanguino Peña <jfs@computer.org>
Subject: Re: Bug#286382: debstd: Insecure temporary directory usage
Date: Wed, 22 Dec 2004 15:44:02 +0100
Santiago Vila wrote:
> > > to fix this bug in stable. As this is Architecture: all, autobuilders will
> > > have no job to do, so the upload should be ready almost immediately.
> > 
> > Bah!  Please talk to us *before* an upload so we can a) discuss the issue
> > and b) assign a CVE id *before* writing the changelog and stuff.
> 
> The last developers-reference I read seemed to allow it.
> I've just read the current version and it seems to be more strict.
> Sorry, will do for the next upload.
> 
> > Which version in sid fixes the problem?
> 
> 3.7.7, now in incoming.debian.org, will be in unstable in a few hours.

Thank you.  I've assigned CAN-2004-1179 to this issue.  It would be
nice if you could add this to the changelog entry with the next upload.

Advisory is to be sent out rsn.

Regards,

	Joey

-- 
All language designers are arrogant.  Goes with the territory...
	-- Larry Wall





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 22:42:13 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.