Debian Bug report logs - #287604
astats: Multiple temporary symlink vulnerabilities in the astats script

Package: astats; Maintainer for astats is (unknown);

Reported by: Javier Fernández-Sanguino Peña <jfs@computer.org>

Date: Wed, 29 Dec 2004 00:48:01 UTC

Severity: grave

Tags: security

Done: Martin Michlmayr <tbm@cyrius.com>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Julien Delange <julien@gunnm.org>:
Bug#287604; Package astats.


Acknowledgement sent to Javier Fernández-Sanguino Peña <jfs@computer.org>:
New Bug report received and forwarded. Copy sent to Julien Delange <julien@gunnm.org>.


Message #5 received at submit@bugs.debian.org:

From: Javier Fernández-Sanguino Peña <jfs@computer.org>
To: submit@bugs.debian.org
Subject: astats: Multiple temporary symlink vulnerabilities in the astats script
Date: Wed, 29 Dec 2004 01:43:19 +0100
Package: astats
Version: 1.6.5-2
Priority: grave
Tags: security sarge sid

The astats script does not protect itself from temporary filename attacks
since it creates files in an insecure manner (using names like
'/tmp/aStats-Graphic-Signature-Generation', '/tmp/aMule-temp1.png',
'/tmp/aMule-temp2.png', etc.). No checks are done to prevent symlink
attacks (set -C, for example).

IMHO this makes this script unsuitable for release.

Regards

Javier

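The pattern the report describes, shown as an added example rather than the astats script's own code: a writer that uses a fixed name under a world-writable directory with a plain `>` redirection, a simulated attacker who pre-plants that name as a symlink, and the two hardened variants a practitioner would reach for (the `set -C` noclobber check the report mentions, and `mktemp`). The filename aMule-temp1.png is taken from the report; the function names, the scratch directory standing in for /tmp, and the attacker's victim file are assumptions made here for illustration.

```shell
#!/bin/sh
# Added example, not code from astats. The name aMule-temp1.png is from the
# bug report; the functions, the scratch directory used in place of /tmp and
# the planted symlink are assumptions made for this illustration.

# Vulnerable pattern: fixed, predictable name and a plain '>' redirection.
# If that path already exists as a symlink, the shell follows it and the
# data lands in whatever file the attacker pointed the link at.
insecure_write() {
    echo "$2" > "$1/aMule-temp1.png"
}

# Fix 1 (the check the report suggests): noclobber. With set -C the shell
# refuses '>' onto an existing path, including a symlink, instead of
# following it. The failed redirect must then abort the script, not be
# ignored, which is why the status is returned to the caller.
noclobber_write() {
    ( set -C; echo "$2" > "$1/aMule-temp1.png" ) 2>/dev/null || return 1
}

# Fix 2 (preferred): let mktemp create a fresh, unpredictable file with
# O_EXCL and write only to the name it hands back. A symlink planted under
# the old predictable name is simply never opened.
mktemp_write() {
    tmp=$(mktemp "$1/aMule-temp.XXXXXX") || return 1
    echo "$2" > "$tmp" || return 1
    printf '%s\n' "$tmp"
}

# Simulated attack: in a scratch directory standing in for /tmp, the
# attacker pre-creates the predictable name as a symlink to a victim file,
# then the writer named in $1 runs. Returns 0 if the victim was overwritten.
clobbers_victim() {
    work=$(mktemp -d) || return 2
    victim="$work/victim.txt"
    printf 'original\n' > "$victim"
    ln -s "$victim" "$work/aMule-temp1.png"
    "$1" "$work" "overwritten" >/dev/null 2>&1
    after=$(cat "$victim")
    rm -rf "$work"
    [ "$after" = "overwritten" ]
}

# Sanity check: the writer named in $1 still succeeds when nothing has been
# planted, so the hardening does not break normal operation.
writes_cleanly() {
    work=$(mktemp -d) || return 2
    "$1" "$work" "payload" >/dev/null 2>&1
    rc=$?
    rm -rf "$work"
    return "$rc"
}

# Usage: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
    for w in insecure_write noclobber_write mktemp_write; do
        if clobbers_victim "$w"; then echo "$w: victim overwritten"
        else echo "$w: victim intact"; fi
    done
fi
```

Two caveats on the `set -C` route. It only guards the shell's own `>` redirections; the .png names in the report suggest an image tool creates those files, and an external program handed a predictable path gets no protection from the shell's noclobber flag, so such files need a `mktemp`-generated name regardless. And noclobber converts the clobber into a failed write: it stops the attacker from overwriting the target, but the script then has to stop on that failure rather than carry on with a missing file, so it trades the symlink attack for a denial of service against the script.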

Information forwarded to debian-bugs-dist@lists.debian.org, Julien Delange <julien@gunnm.org>:
Bug#287604; Package astats.


Acknowledgement sent to Julien Delange <soda@gunnm.org>:
Extra info received and forwarded to list. Copy sent to Julien Delange <julien@gunnm.org>.


Message #10 received at 287604@bugs.debian.org:

From: Julien Delange <soda@gunnm.org>
To: Javier Fernández-Sanguino Peña <jfs@computer.org>, 287604@bugs.debian.org
Subject: Re: Bug#287604: astats: Multiple temporary symlink vulnerabilities in the astats script
Date: Thu, 30 Dec 2004 19:55:27 +0100
On Wed, Dec 29, 2004 at 01:43:19AM +0100, Javier Fernández-Sanguino Peña wrote:
> Package: astats
> Version: 1.6.5-2
> Priority: grave
> Tags: security sarge sid
> 
> The astats script does not protect itself from temporary filename attacks
> since it creates file in an insecure manner (using names like
> '/tmp/aStats-Graphic-Signature-Generation', '/tmp/aMule-temp1.png',
> '/tmp/aMule-temp2.png', etc.). No checks are done to prevent symlink
> attacks (set -C, for example).
> 
> IMHO this makes this script unsuitable for release.

In fact, aStats is now replaced by amule-utils. So, in a few days (if I
can take time to do it), I will remove astats from Debian.

-- 
.''`.  Julien Delange
: :' : 
`. `'  http://gunnm.org/~soda/debian
  `-  

Changed Bug title. Request was from Matt Kraai <kraai@ftbfs.org> to control@bugs.debian.org.


Bug reassigned from package `astats' to `ftp.debian.org'. Request was from Matt Kraai <kraai@ftbfs.org> to control@bugs.debian.org.


Bug 287604 cloned as bug 288297. Request was from Frank Lichtenheld <djpig@debian.org> to control@bugs.debian.org.


Changed Bug title. Request was from Frank Lichtenheld <djpig@debian.org> to control@bugs.debian.org.


Bug reassigned from package `ftp.debian.org' to `astats'. Request was from Frank Lichtenheld <djpig@debian.org> to control@bugs.debian.org.


Tags removed: sarge. Request was from Frank Lichtenheld <djpig@debian.org> to control@bugs.debian.org.


Tags removed: sid. Request was from Frank Lichtenheld <djpig@debian.org> to control@bugs.debian.org.


Reply sent to Martin Michlmayr <tbm@cyrius.com>:
You have taken responsibility.


Notification sent to Javier Fernández-Sanguino Peña <jfs@computer.org>:
Bug acknowledged by developer.


Message #29 received at 287604-done@bugs.debian.org:

From: Martin Michlmayr <tbm@cyrius.com>
To: 287604-done@bugs.debian.org
Subject: Removed
Date: Sun, 6 Feb 2005 18:26:51 +0000
This package has been removed ("RM: astats -- Security issues,
obsolete")
-- 
Martin Michlmayr
http://www.cyrius.com/





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 04:49:15 2025; Machine Name: buxtehude
