Debian Bug report logs - #291376
cdrtools: Unsafe recommendation (and implementation) of debugging in rscsi


Package: cdrtools; Maintainer for cdrtools is (unknown);

Reported by: Javier Fernández-Sanguino Peña <jfs@computer.org>

Date: Thu, 20 Jan 2005 12:03:02 UTC

Severity: minor

Tags: patch, security

Found in version 4:2.01+01a01-2

Fixed in version cdrtools/4:2.01+01a01-4

Done: Eduard Bloch <blade@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Joerg Jaspert <joerg@debian.org>:
Bug#291376; Package cdrtools. Full text and rfc822 format available.

Acknowledgement sent to Javier Fernández-Sanguino Peña <jfs@computer.org>:
New Bug report received and forwarded. Copy sent to Joerg Jaspert <joerg@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Javier Fernández-Sanguino Peña <jfs@computer.org>
To: submit@bugs.debian.org
Subject: cdrtools: Unsafe recommendation (and implementation) of debugging in rscsi
Date: Thu, 20 Jan 2005 12:48:33 +0100
[Message part 1 (text/plain, inline)]
Package: cdrtools
Version: 4:2.01+01a01-2
Priority: minor
Tags: security patch

Cdrtools has some code (and default configuration) that suggests that users who
want to debug its behaviour open up a can of worms associated with insecure
temporary file usage. The Debug file defined in the configuration will
just be fopened() without any checks and is thus vulnerable to symlink
attacks.

The attached patch tries to fix this minor bug (not many users will really
enable DEBUG) by introducing a check in rscsi.c to avoid being vulnerable
to symlink attacks and by modifying the provided config file telling users
to use safe locations for debug files. The patch introduces a DoS condition
(if somebody has created the file the program will exit) and that's why
users are suggested (in the comments of the configuration file) to use a
safe location (not /tmp) for debugging.

Regards

Javier
[cdrtools-debug.diff (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]
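
The unchecked open described in the report above, next to an exclusive-create open, as an added example: this is not the attached cdrtools-debug.diff and not cdrtools code. The function names `open_debug_unsafe`, `open_debug_safe` and `victim_size_after`, and the file names `victim` and `debug`, are hypothetical; the scenario is constructed inside a private `mkdtemp()` directory.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Behaviour described in the report: the configured debug path is opened
 * with fopen() and no checks, so a pre-planted symlink is followed. */
FILE *open_debug_unsafe(const char *path)
{
    return fopen(path, "w");
}

/* Hardened form: O_CREAT|O_EXCL fails with EEXIST if anything already
 * occupies the name, including a (dangling) symlink. A NULL return means
 * the file was pre-created: the DoS trade-off the report mentions. */
FILE *open_debug_safe(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return NULL;
    FILE *f = fdopen(fd, "w");
    if (f == NULL)
        close(fd);
    return f;
}

/* Constructed scenario: "victim" stands in for a file the daemon's user can
 * write, "debug" is a symlink planted at the debug path. Returns the size
 * of victim after the open attempt, or -1 on setup failure. */
long victim_size_after(int use_safe)
{
    char dir[] = "/tmp/rscsi-demo-XXXXXX", victim[64], dbg[64];
    struct stat st;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(dbg, sizeof dbg, "%s/debug", dir);
    FILE *v = fopen(victim, "w");
    if (v == NULL) return -1;
    fputs("important data\n", v);               /* 15 bytes */
    fclose(v);
    if (symlink(victim, dbg) != 0) return -1;
    FILE *d = use_safe ? open_debug_safe(dbg) : open_debug_unsafe(dbg);
    if (d) fclose(d);
    long size = stat(victim, &st) == 0 ? (long)st.st_size : -1;
    unlink(dbg); unlink(victim); rmdir(dir);    /* clean up the demo dir */
    return size;
}
```

With the unchecked open the file behind the symlink is truncated; with the exclusive create the open is refused and the file keeps its contents.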

Information forwarded to debian-bugs-dist@lists.debian.org, Joerg Jaspert <joerg@debian.org>:
Bug#291376; Package cdrtools. Full text and rfc822 format available.

Acknowledgement sent to Joey Hess <joeyh@debian.org>:
Extra info received and forwarded to list. Copy sent to Joerg Jaspert <joerg@debian.org>. Full text and rfc822 format available.

Message #10 received at 291376@bugs.debian.org (full text, mbox):

From: Joey Hess <joeyh@debian.org>
To: 291376@bugs.debian.org
Subject: CAN-2005-0866
Date: Sun, 27 Mar 2005 19:02:23 -0500
[Message part 1 (text/plain, inline)]
Please refer to CAN-2005-0866 when closing this bug.

-- 
see shy jo
[signature.asc (application/pgp-signature, inline)]

Reply sent to Eduard Bloch <blade@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Javier Fernández-Sanguino Peña <jfs@computer.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #15 received at 291376-close@bugs.debian.org (full text, mbox):

From: Eduard Bloch <blade@debian.org>
To: 291376-close@bugs.debian.org
Subject: Bug#291376: fixed in cdrtools 4:2.01+01a01-4
Date: Tue, 26 Apr 2005 05:17:20 -0400
Source: cdrtools
Source-Version: 4:2.01+01a01-4

We believe that the bug you reported is fixed in the latest version of
cdrtools, which is due to be installed in the Debian FTP archive:

cdda2wav_2.01+01a01-4_i386.deb
  to pool/main/c/cdrtools/cdda2wav_2.01+01a01-4_i386.deb
cdrecord_2.01+01a01-4_i386.deb
  to pool/main/c/cdrtools/cdrecord_2.01+01a01-4_i386.deb
cdrtools-doc_2.01+01a01-4_all.deb
  to pool/main/c/cdrtools/cdrtools-doc_2.01+01a01-4_all.deb
cdrtools_2.01+01a01-4.diff.gz
  to pool/main/c/cdrtools/cdrtools_2.01+01a01-4.diff.gz
cdrtools_2.01+01a01-4.dsc
  to pool/main/c/cdrtools/cdrtools_2.01+01a01-4.dsc
mkisofs_2.01+01a01-4_i386.deb
  to pool/main/c/cdrtools/mkisofs_2.01+01a01-4_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 291376@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Eduard Bloch <blade@debian.org> (supplier of updated cdrtools package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 26 Apr 2005 10:30:34 +0200
Source: cdrtools
Binary: cdrtools-doc cdda2wav mkisofs cdrecord
Architecture: source all i386
Version: 4:2.01+01a01-4
Distribution: unstable
Urgency: low
Maintainer: Joerg Jaspert <joerg@debian.org>
Changed-By: Eduard Bloch <blade@debian.org>
Description: 
 cdda2wav   - Creates WAV files from audio CDs
 cdrecord   - command line CD writing tool
 cdrtools-doc - Documentation for the cdrtools package-suite
 mkisofs    - Creates ISO-9660 CD-ROM filesystem images
Closes: 262678 291376
Changes: 
 cdrtools (4:2.01+01a01-4) unstable; urgency=low
 .
   * O_EXCL issue becoming hot, uploading to unstable
   * sync with Ubuntu Breezy (renamed as needed):
     + 23_o_excl.dpatch (replaced with Ubuntu's version, closes: #262678)
     + 24_debug_tmpfile.dpatch (secure file access in rscsi, closes: #291376)
     + 25_mkisofs_iconv_manpage.dpatch (explicit note about iconv support)
     + 26_author_locale.dpatch (replace ö in his name with an ascci
       transliteration)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCbgSq4QZIHu3wCMURArpAAJ4+Wc/00m09gk5RN7jdY7iRBz2q1gCghctJ
mPcAgVQq9fMTFKiW1RqLHJc=
=hT7c
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Joerg Jaspert <joerg@debian.org>:
Bug#291376; Package cdrtools. Full text and rfc822 format available.

Acknowledgement sent to Javier Fernández-Sanguino Peña <jfs@computer.org>:
Extra info received and forwarded to list. Copy sent to Joerg Jaspert <joerg@debian.org>. Full text and rfc822 format available.

Message #20 received at 291376@bugs.debian.org (full text, mbox):

From: Javier Fernández-Sanguino Peña <jfs@computer.org>
To: 291376@bugs.debian.org
Subject: Re: Bug#291376 acknowledged by developer (Bug#291376: fixed in cdrtools 4:2.01+01a01-4)
Date: Tue, 26 Apr 2005 12:06:56 +0200
[Message part 1 (text/plain, inline)]
On Tue, Apr 26, 2005 at 02:33:31AM -0700, Debian Bug Tracking System wrote:
> This is an automatic notification regarding your Bug report
> #291376: cdrtools: Unsafe recommendation (and implementation) of debugging in rscsi,
> which was filed against the cdrtools package.

(...)
>    * sync with Ubuntu Breezy (renamed as needed):
(...)
>      + 24_debug_tmpfile.dpatch (secure file access in rscsi, closes: #291376)

1) You do not acknowledge CAN-2005-0866 as Joey requested in the bug report
2) Ubuntu's patch is, I believe, based on my patch, you could at least
have granted me some credit for the patch in the changelog...

I'm surprised that a security bug (with patch) provided in January takes 
four months to fix. Oh well, this was not a critical issue either, but 
the fix was immediate...

Regards

Javier
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Joerg Jaspert <joerg@debian.org>:
Bug#291376; Package cdrtools. Full text and rfc822 format available.

Acknowledgement sent to Eduard Bloch <edi@gmx.de>:
Extra info received and forwarded to list. Copy sent to Joerg Jaspert <joerg@debian.org>. Full text and rfc822 format available.

Message #25 received at 291376@bugs.debian.org (full text, mbox):

From: Eduard Bloch <edi@gmx.de>
To: Javier Fernández-Sanguino Peña <jfs@computer.org>, 291376@bugs.debian.org
Subject: Re: Bug#291376: acknowledged by developer (Bug#291376: fixed in cdrtools 4:2.01+01a01-4)
Date: Tue, 26 Apr 2005 13:50:37 +0200
#include <hallo.h>
* Javier Fernández-Sanguino Peña [Tue, Apr 26 2005, 12:06:56PM]:
> On Tue, Apr 26, 2005 at 02:33:31AM -0700, Debian Bug Tracking System wrote:
> > This is an automatic notification regarding your Bug report
> > #291376: cdrtools: Unsafe recommendation (and implementation) of debugging in rscsi,
> > which was filed against the cdrtools package.
> 
> (...)
> >    * sync with Ubuntu Breezy (renamed as needed):
> (...)
> >      + 24_debug_tmpfile.dpatch (secure file access in rscsi, closes: #291376)
> 
> 1) You do not acknowledge CAN-2005-0866 as Joey requested in the bug report
> 2) Ubuntu's patch is, I believe, based on my patch, you could at least
> have granted me some credit for the patch in the changelog...
> 
> I'm surprised that a security bug (with patch) provided in January takes 
> four months to fix. Oh well, this was not a critical issue either, but 
> the fix was immediate...

You see, all of that has a common reason - lack of time. Do you wish to
be credited in the next changelog? Something like the following?

 * WE THANK JFS FOR PROVIDING A PATCH FIXING #291376. GET IT, BASTARDS!!!1

And nobody did hinder you on sending a reminder about the outstanding
problem. An (announced) NMU in this case would have been appropriate.

Regards,
Eduard.
-- 
Susan Ivanova: Ambassador, do you really want to know what's going on down
there?
Ambassador Londo Mollari: Yes, absolutely!
Susan Ivanova: Boom. Boom boom boom.  Boom boom. Boom! Have a nice day!
                                                 -- Quotes from Babylon 5 --



Information forwarded to debian-bugs-dist@lists.debian.org, Joerg Jaspert <joerg@debian.org>:
Bug#291376; Package cdrtools. Full text and rfc822 format available.

Acknowledgement sent to Javier Fernández-Sanguino Peña <jfs@computer.org>:
Extra info received and forwarded to list. Copy sent to Joerg Jaspert <joerg@debian.org>. Full text and rfc822 format available.

Message #30 received at 291376@bugs.debian.org (full text, mbox):

From: Javier Fernández-Sanguino Peña <jfs@computer.org>
To: Eduard Bloch <edi@gmx.de>
Cc: 291376@bugs.debian.org
Subject: Re: Bug#291376: acknowledged by developer (Bug#291376: fixed in cdrtools 4:2.01+01a01-4)
Date: Tue, 26 Apr 2005 15:40:54 +0200
[Message part 1 (text/plain, inline)]
On Tue, Apr 26, 2005 at 01:50:37PM +0200, Eduard Bloch wrote:
> 
> You see, all of that has a common reason - lack of time. Do you wish to
> be credited in the next changelog? Something like the following?
(...)

I estimate the time of you writing that witty mail similar to the one of
applying the patch I produced, build the package and upload it. The only
difference is that it took you ~2 hours to write that mail vs. the four
months for the patch.

Thanks for publicly encouraging others to help you out. 

Javier
growing an even thicker skin
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Joerg Jaspert <joerg@debian.org>:
Bug#291376; Package cdrtools. Full text and rfc822 format available.

Acknowledgement sent to Eduard Bloch <edi@gmx.de>:
Extra info received and forwarded to list. Copy sent to Joerg Jaspert <joerg@debian.org>. Full text and rfc822 format available.

Message #35 received at 291376@bugs.debian.org (full text, mbox):

From: Eduard Bloch <edi@gmx.de>
To: Javier Fernández-Sanguino Peña <jfs@computer.org>, 291376@bugs.debian.org
Subject: Re: Bug#291376: acknowledged by developer (Bug#291376: fixed in cdrtools 4:2.01+01a01-4)
Date: Tue, 26 Apr 2005 17:16:47 +0200
#include <hallo.h>
* Javier Fernández-Sanguino Peña [Tue, Apr 26 2005, 03:40:54PM]:

> > You see, all of that has a common reason - lack of time. Do you wish to
> > be credited in the next changelog? Something like the following?
> (...)
> 
> I estimate the time of you writing that witty mail similar to the one of
> applying the patch I produced, build the package and upload it. The only
> difference is that it took you ~2 hours to write that mail vs. the four
> months for the patch.

2 hours? Do you really think that it has taken 2 hours to write the few
lines? No, it was the time needed to react (as in: get spare time + mind
context switching).

> Thanks for publicly encouraging others to help you out. 

> growing an even thicker skin

A-Ha. Germans call such a thing "etwas in den falschen Hals kriegen",
translated by dict.leo.org to "to get hold of the wrong end of the
stick". Please try reading my message without interpreting offense into
it.

Regards,
Eduard.
-- 
Wir halten die Leichtigkeit zu sündigen für die Erlaubnis dazu.
		-- Jean Paul





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 08:47:38 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.