Debian Bug report logs - #290974
apache: Temporary usage bugs that can be used in symlink attacks

Package: apache; Maintainer for apache is (unknown);

Reported by: Javier Fernández-Sanguino Peña <jfs@computer.org>

Date: Tue, 18 Jan 2005 00:18:07 UTC

Severity: grave

Tags: sarge, security, sid

Found in version 1.3.33-2

Fixed in version apache/1.3.33-3

Done: Steve Langasek <vorlon@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#290974; Package apache. Full text and rfc822 format available.

Acknowledgement sent to Javier Fernández-Sanguino Peña <jfs@computer.org>:
New Bug report received and forwarded. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Javier Fernández-Sanguino Peña <jfs@computer.org>
To: submit@bugs.debian.org
Subject: apache: Temporary usage bugs that can be used in symlink attacks
Date: Tue, 18 Jan 2005 01:08:42 +0100
[Message part 1 (text/plain, inline)]
Package: apache
Version: 1.3.33-2
Priority: grave
Tags: security sid sarge

Hi, I've found unsafe uses of /tmp in some of Apache's scripts in the
source, one of these (check_forensic) is installed in Debian's apache-utils
package and IMHO should be fixed. They are rather low risk, but I have to
set the priority to grave in any case (since they qualify)

The fix is rather straightforward (use mktemp or tempfile instead of the $$
construct and add a trap to remove the temporary files) and it is needed,
especially for check_forensic.

In the check_forensic script, for example, an attacker could just monitor
/tmp/ usage and construct symlinks to the fc-XX.$$ as soon as it "sees" that
the fc-all.$$ file is being used.

I've verified that none of these issues affect woody's Apache 
(1.3.26-0woody6). The fnm.sh script was there but it is not installed with 
any package and the check_forensic script was introduced later on.

The attached (untested) patch should fix these issues, hope it helps. 
Please fix fnm.sh even if not being installed in any Debian packages, just 
to ease the work of automatic source-code review tools.


Regards


Javier
[apache-1.3.33.diff (text/plain, attachment)]
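
The fix described in the report above (mktemp in place of the $$ construct, plus a trap for cleanup), shown next to the pattern it replaces. This is an added example, not the attached patch or the check_forensic source; SCRATCH, unsafe_write, safe_write and demo are hypothetical names, and a private scratch directory stands in for /tmp.

```shell
#!/bin/sh
# Added example, not the check_forensic source. SCRATCH stands in for the
# world-writable /tmp so the demonstration stays inside a private directory.
SCRATCH=$(mktemp -d "${TMPDIR:-/tmp}/tmpdemo.XXXXXX") || exit 1
trap 'rm -rf "$SCRATCH"' EXIT          # cleanup on normal exit
trap 'exit 1' HUP INT TERM             # signals are routed through the EXIT trap

# Pattern from the report: the name is derived from the PID ($$), so it is
# guessable before the script creates the file.
unsafe_write() {                       # unsafe_write DATA
    printf '%s\n' "$1" > "$SCRATCH/fc-all.$$"   # '>' follows a pre-existing symlink
}

# Hardened form: mktemp -d creates a fresh owner-only directory with a random
# suffix and fails if the name already exists; work files live inside it.
safe_write() {                         # safe_write DATA -> prints the file path
    work=$(mktemp -d "$SCRATCH/fc.XXXXXX") || return 1
    printf '%s\n' "$1" > "$work/fc-all"
    printf '%s\n' "$work/fc-all"
}

# Constructed scenario: the predictable name already exists as a symlink to a
# file the script's owner can write. Reports what each variant does to it.
demo() {
    victim="$SCRATCH/victim"
    printf 'original\n' > "$victim"
    ln -s "$victim" "$SCRATCH/fc-all.$$"
    unsafe_write "log data"
    after_unsafe=$(cat "$victim")
    rm -f "$SCRATCH/fc-all.$$"
    printf 'original\n' > "$victim"
    out=$(safe_write "log data") || return 1
    after_safe=$(cat "$victim")
    printf 'unsafe:%s safe:%s file:%s\n' "$after_unsafe" "$after_safe" "$(cat "$out")"
}

demo
```

The unsafe variant overwrites the linked file, while the mktemp variant leaves it untouched and writes only inside its own directory.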

Reply sent to Adam Conrad <adconrad@0c3.net>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Javier Fernández-Sanguino Peña <jfs@computer.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #10 received at 290974-close@bugs.debian.org (full text, mbox):

From: Adam Conrad <adconrad@0c3.net>
To: 290974-close@bugs.debian.org
Subject: Bug#290974: fixed in apache 1.3.33-3
Date: Wed, 19 Jan 2005 21:32:13 -0500
Source: apache
Source-Version: 1.3.33-3

We believe that the bug you reported is fixed in the latest version of
apache, which is due to be installed in the Debian FTP archive:

apache-common_1.3.33-3_powerpc.deb
  to pool/main/a/apache/apache-common_1.3.33-3_powerpc.deb
apache-dbg_1.3.33-3_powerpc.deb
  to pool/main/a/apache/apache-dbg_1.3.33-3_powerpc.deb
apache-dev_1.3.33-3_all.deb
  to pool/main/a/apache/apache-dev_1.3.33-3_all.deb
apache-doc_1.3.33-3_all.deb
  to pool/main/a/apache/apache-doc_1.3.33-3_all.deb
apache-perl_1.3.33-3_powerpc.deb
  to pool/main/a/apache/apache-perl_1.3.33-3_powerpc.deb
apache-ssl_1.3.33-3_powerpc.deb
  to pool/main/a/apache/apache-ssl_1.3.33-3_powerpc.deb
apache-utils_1.3.33-3_powerpc.deb
  to pool/main/a/apache/apache-utils_1.3.33-3_powerpc.deb
apache_1.3.33-3.diff.gz
  to pool/main/a/apache/apache_1.3.33-3.diff.gz
apache_1.3.33-3.dsc
  to pool/main/a/apache/apache_1.3.33-3.dsc
apache_1.3.33-3_powerpc.deb
  to pool/main/a/apache/apache_1.3.33-3_powerpc.deb
libapache-mod-perl_1.29.0.2-17_powerpc.deb
  to pool/main/a/apache/libapache-mod-perl_1.29.0.2-17_powerpc.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 290974@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adam Conrad <adconrad@0c3.net> (supplier of updated apache package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 19 Jan 2005 18:31:25 -0700
Source: apache
Binary: apache-dev apache-common apache-doc apache-utils apache apache-dbg apache-perl libapache-mod-perl apache-ssl
Architecture: source powerpc all
Version: 1.3.33-3
Distribution: unstable
Urgency: low
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Adam Conrad <adconrad@0c3.net>
Description: 
 apache     - versatile, high-performance HTTP server
 apache-common - support files for all Apache webservers
 apache-dbg - debug versions of the Apache webservers
 apache-dev - development kit for the Apache webserver
 apache-doc - documentation for the Apache webserver
 apache-perl - versatile, high-performance HTTP server with Perl support
 apache-ssl - versatile, high-performance HTTP server with SSL support
 apache-utils - utility programs for webservers
 libapache-mod-perl - integration of perl with the Apache web server
Closes: 290974
Changes: 
 apache (1.3.33-3) unstable; urgency=low
 .
   * (Thom May)
     - Security fix - fix tempfile usage in check_forensic (Closes: #290974)
   * (Adam Conrad)
     - Mangle the debian/rules so that the libapache-mod-perl version number
       is defined in the variables at the top, rather than deep in the
       binary-arch target where it can get missed.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFB7xUyvjztR8bOoMkRAsEPAJ459AyJBIJplbL8ORzX4sU6veBaMQCg57iR
fEbrS2BfyC7YEiPiR1qJxWA=
=QvYJ
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#290974; Package apache. Full text and rfc822 format available.

Acknowledgement sent to Javier Fernández-Sanguino Peña <jfs@computer.org>:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>. Full text and rfc822 format available.

Message #15 received at 290974@bugs.debian.org (full text, mbox):

From: Javier Fernández-Sanguino Peña <jfs@computer.org>
To: 290974@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#290974 acknowledged by developer (Bug#290974: fixed in apache 1.3.33-3)
Date: Thu, 20 Jan 2005 08:55:19 +0100
[Message part 1 (text/plain, inline)]
reopen 290974
tags 290974 sarge
thanks

A few comments on this:

>    * (Thom May)
>      - Security fix - fix tempfile usage in check_forensic (Closes: #290974)

- Please help track these bugs in sarge by tagging them
- fmn.sh was not fixed. Even if not used in the Debian package I would 
appreciate if it was patched too, helps in source code reviews.
- Please forward the full bug report upstream (if not already done)

Regards

Javier
[signature.asc (application/pgp-signature, inline)]

Bug reopened, originator not changed. Request was from Javier Fernández-Sanguino Peña <jfs@computer.org> to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: sarge Request was from Javier Fernández-Sanguino Peña <jfs@computer.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#290974; Package apache. Full text and rfc822 format available.

Acknowledgement sent to Thom May <thom@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>. Full text and rfc822 format available.

Message #24 received at 290974@bugs.debian.org (full text, mbox):

From: Thom May <thom@debian.org>
To: Javier Fernández-Sanguino Peña <jfs@computer.org>, 290974@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#290974: acknowledged by developer (Bug#290974: fixed in apache 1.3.33-3)
Date: Thu, 20 Jan 2005 11:50:06 +0000
* Javier Fernández-Sanguino Peña (jfs@computer.org) wrote :
> reopen 290974
> tags 290974 sarge
> thanks
> 
> A few comments on this:
> 
> >    * (Thom May)
> >      - Security fix - fix tempfile usage in check_forensic (Closes: #290974)
> 
> - Please help track these bugs in sarge by tagging them
> - fmn.sh was not fixed. Even if not used in the Debian package I would 
> appreciate if it was patched too, helps in source code reviews.
It was fixed, it's not mentioned in the changelog since it's not used
anywhere outside the build process.

> - Please forward the full bug report upstream (if not already done)
>
Fixed in cvs upstream.

Cheers,
-Thom



Tags removed: sid Request was from Frank Lichtenheld <djpig@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: sid Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Bug closed, send any further explanations to Javier Fernández-Sanguino Peña <jfs@computer.org> Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 10:23:24 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.