Debian Bug report logs - #315582
backup-manager: insecure handling of temporary files


Package: backup-manager; Maintainer for backup-manager is Sven Joachim <svenjoac@gmx.de>; Source for backup-manager is src:backup-manager.

Reported by: Sven Joachim <sven_joachim@web.de>

Date: Thu, 23 Jun 2005 18:03:02 UTC

Severity: critical

Tags: fixed, patch, sarge, security

Found in version 0.5.7-1

Done: Alexis Sukrieh <sukria@sukria.net>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Alexis Sukrieh <sukria@sukria.net>:
Bug#315582; Package backup-manager. Full text and rfc822 format available.

Acknowledgement sent to Sven Joachim <sven_joachim@web.de>:
New Bug report received and forwarded. Copy sent to Alexis Sukrieh <sukria@sukria.net>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Sven Joachim <sven_joachim@web.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: backup-manager: insecure handling of temporary files
Date: Thu, 23 Jun 2005 19:51:26 +0200
Package: backup-manager
Version: 0.5.7-1
Severity: critical
Justification: root security hole
Tags: patch


The optional CD-burning feature of backup-manager uses a hardcoded filename
(/tmp/bm-cdrecord.log) for logging the output of cdrecord. If a malicious (or
just unlucky) user makes /tmp/bm-cdrecord.log a symlink to a system file, that
file will be overwritten in the next run of backup-manager. A demonstration
follows:

   $ whoami
   sven
   $ ls -l /etc/junk; cat /etc/junk
   -rw-r--r--  1 root root 32 Jun 22 21:23 /etc/junk
   This will soon be overwritten!

   $ ln -s /etc/junk /tmp/bm-cdrecord.log
   $ su -c backup-manager
   Password:
   unable to mount 0,1,0 on /tmp/bm-mnt
   $ ls -l /etc/junk; head -n 3 /etc/junk
   -rw-r--r--  1 root root 1431 Jun 22 21:25 /etc/junk
   scsidev: '0,1,0'
   scsibus: 0 target: 1 lun: 0
   Linux sg driver version: 3.1.25

Replace /etc/junk with /etc/passwd, and the system becomes slightly less
usable. :-(

A solution is to use "mktemp" instead of a hardcoded file name; I
suggest the following patch:

----------------------------------------------------------
diff -u /usr/sbin/backup-manager /home/sven/backup-manager
--- /usr/sbin/backup-manager    2005-04-04 22:39:22.000000000 +0200
+++ /home/sven/backup-manager    2005-06-22 21:49:17.000000000 +0200
@@ -28,8 +28,8 @@
lockfile="/var/run/backup-manager.pid"
md5sum="/usr/bin/md5sum"
bc="/usr/bin/bc"
-logfile="/tmp/bm-cdrecord.log"
-mount_point="/tmp/bm-mnt"
+logfile="$(mktemp /tmp/bm-cdrecord.log.XXXXXX)"
+mount_point="$(mktemp -d /tmp/bm-mnt.XXXXXX)"

# Load the backup-manager's library
. $libdir/gettext.sh
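
Review bot: the result of mktemp is not checked on either added line, so a failed call would leave logfile or mount_point empty and the rest of the script would run with an empty path; add an explicit failure path, for example `logfile="$(mktemp /tmp/bm-cdrecord.log.XXXXXX)" || exit 1`, and the same for the `mktemp -d` call. Both assignments also sit in the variable block at the top of the script, next to lockfile= and md5sum=, so a log file and a directory are created in /tmp on every run and nothing in this hunk removes them; creating them only where they are used and removing them from an exit trap would avoid leaving them behind.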
-----------------------------------------------------------

-- System Information:
Debian Release: 3.1
 APT prefers testing
 APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.31
Locale: LANG=de_DE, LC_CTYPE=de_DE (charmap=ISO-8859-1)

Versions of packages backup-manager depends on:
ii  debconf                       1.4.30.13  Debian configuration management sy
ii  gzip                          1.3.5-10   The GNU compression utility

-- debconf information:
 backup-manager/upload-key:
* backup-manager/name-format: long
 backup-manager/upload-hosts:
 backup-manager/upload-user-ftp:
* backup-manager/cron_frequency: daily
* backup-manager/blacklist: /home/sven/tmp
* backup-manager/time-to-live: 5
* backup-manager/burning-maxsize: 650
 backup-manager/upload-user-scp-warning:
 backup-manager/transfert_mode: scp
* backup-manager/dump_symlinks: false
 backup-manager/upload-user-scp: bmngr
* backup-manager/burning-device: 0,1,0
 backup-manager/upload-dir: /var/archives/uploads
* backup-manager/directories: /etc /home/sven /root
* backup-manager/filetype: tar.gz
* backup-manager/backup-repository: /var/archives
* backup-manager/burning-method: CDR
* backup-manager/burning-enabled: true
 backup-manager/cron_remove_deprecated: false
* backup-manager/want_to_upload: false
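
The difference between the hardcoded log path and the mktemp form proposed in the report above, as an added example that is not part of the original report or of backup-manager. The sandbox directory, the `victim` file and the function names `log_fixed`, `log_mktemp` and `demo` are constructed for illustration; nothing outside the sandbox is touched.

```shell
#!/bin/sh
# Added example: every path lives in a throwaway sandbox created by demo().
# "victim" stands in for the system file from the report (constructed).

# Old behaviour: log to a fixed, predictable name inside a shared directory.
log_fixed() {   # $1 = shared dir, $2 = log text
    # '>' opens whatever the name resolves to, so a planted symlink is followed
    printf '%s\n' "$2" > "$1/bm-cdrecord.log"
}

# Patched behaviour: mktemp picks an unpredictable name and creates the file
# itself, failing rather than reusing an existing name.
# Prints the path of the log that was created.
log_mktemp() {  # $1 = shared dir, $2 = log text
    _log=$(mktemp "$1/bm-cdrecord.log.XXXXXX") || return 1
    printf '%s\n' "$2" > "$_log"
    printf '%s\n' "$_log"
}

# Plant a symlink at the predictable name, run one variant, and report
# whether the file the link points at kept its content.
demo() {        # $1 = fixed | mktemp ; prints "clobbered" or "intact"
    sandbox=$(mktemp -d) || return 1
    mkdir "$sandbox/tmp"
    printf 'This will soon be overwritten!\n' > "$sandbox/victim"
    ln -s "$sandbox/victim" "$sandbox/tmp/bm-cdrecord.log"
    case $1 in
        fixed)  log_fixed  "$sandbox/tmp" "scsidev: '0,1,0'" ;;
        mktemp) log_mktemp "$sandbox/tmp" "scsidev: '0,1,0'" >/dev/null ;;
    esac
    if grep -q 'soon be overwritten' "$sandbox/victim"; then
        result=intact
    else
        result=clobbered
    fi
    rm -rf "$sandbox"
    printf '%s\n' "$result"
}

demo fixed
demo mktemp
```

On current Linux kernels the fs.protected_symlinks sysctl also restricts following such links in sticky world-writable directories like /tmp, but the script-level fix does not depend on it.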





Tags added: sarge, etch Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Merged 308897 315582. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#315582; Package backup-manager. Full text and rfc822 format available.

Acknowledgement sent to Alexis Sukrieh <sukria@sukria.net>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #14 received at 315582@bugs.debian.org (full text, mbox):

From: Alexis Sukrieh <sukria@sukria.net>
To: 315582@bugs.debian.org
Subject: unmerging
Date: Fri, 24 Jun 2005 09:51:46 +0200
unmerge 315582
thanks

That's not the same problem as the one in #308897.

-- 
                                  Alexis Sukrieh <sukria@sukria.net>
                                               http://www.sukria.net

« Quidquid latine dictum sit, altum sonatur. » 
Whatever is said in Latin sounds profound.



Disconnected #315582 from all other report(s). Request was from Alexis Sukrieh <sukria@sukria.net> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#315582; Package backup-manager. Full text and rfc822 format available.

Acknowledgement sent to Alexis Sukrieh <sukria@sukria.net>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #21 received at 315582@bugs.debian.org (full text, mbox):

From: Alexis Sukrieh <sukria@sukria.net>
To: 308897@bugs.debian.org, 315582@bugs.debian.org
Cc: Esteban Manchado Velázquez <zoso@demiurgo.org>, Alexis Sukrieh <sukria@sukria.net>, jtv@thaiopensource.org, Paul Brossier <piem@altern.org>, vorlon@debian.org, Sven Joachim <sven_joachim@web.de>
Subject: backup-manager security fixes, pending upload.
Date: Fri, 24 Jun 2005 10:20:48 +0200
tags 315582 + pending
tags 315582 + pending
thanks

Those two security issues are pending upload.

The security team has been contacted for uploading a fixed package to
stable.

Thanks for the report and the patches.

For testers, pending packages are available here:

For sarge:
http://www.sukria.net/debian/binary/backup-manager_0.5.7-2sarge1_all.deb

For sid/etch:
http://www.sukria.net/debian/binary/backup-manager_0.5.8-2_all.deb

You can find the sources of those packages here:
http://www.sukria.net/debian/source/

Regards.

-- 
                                  Alexis Sukrieh <sukria@sukria.net>
                                               http://www.sukria.net

« Quidquid latine dictum sit, altum sonatur. » 
Whatever is said in Latin sounds profound.



Tags added: pending Request was from Alexis Sukrieh <sukria@sukria.net> to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: pending Request was from Alexis Sukrieh <sukria@sukria.net> to control@bugs.debian.org. Full text and rfc822 format available.

Reply sent to Alexis Sukrieh <sukria@sukria.net>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Sven Joachim <sven_joachim@web.de>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #30 received at 315582-close@bugs.debian.org (full text, mbox):

From: Alexis Sukrieh <sukria@sukria.net>
To: 315582-close@bugs.debian.org
Subject: Bug#315582: fixed in backup-manager 0.5.8-2
Date: Mon, 27 Jun 2005 14:02:22 -0400
Source: backup-manager
Source-Version: 0.5.8-2

We believe that the bug you reported is fixed in the latest version of
backup-manager, which is due to be installed in the Debian FTP archive:

backup-manager_0.5.8-2.diff.gz
  to pool/main/b/backup-manager/backup-manager_0.5.8-2.diff.gz
backup-manager_0.5.8-2.dsc
  to pool/main/b/backup-manager/backup-manager_0.5.8-2.dsc
backup-manager_0.5.8-2_all.deb
  to pool/main/b/backup-manager/backup-manager_0.5.8-2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 315582@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alexis Sukrieh <sukria@sukria.net> (supplier of updated backup-manager package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 25 Jun 2005 16:50:28 +0200
Source: backup-manager
Binary: backup-manager
Architecture: source all
Version: 0.5.8-2
Distribution: unstable
Urgency: low
Maintainer: Alexis Sukrieh <sukria@sukria.net>
Changed-By: Alexis Sukrieh <sukria@sukria.net>
Description: 
 backup-manager - command-line backup tool
Closes: 315582 315714
Changes: 
 backup-manager (0.5.8-2) unstable; urgency=low
 .
   * New patch for closing the security issue about temp paths (using mktemp
     now).
     + debian/patches/02_security_315582.dpatch
     (closes: #315582)
   * Now handles cron with the cron.{daily|weekly|monthly} subdirectories
     instead of the cron.d subdirectiry, wich is not handled by anacron.
     + added debian/cron.daily
     + removed debian.cron.d
     + added a debconf prompt for removing /ect/cron.d/backup-manager
     (closes: #315714)
Files: 
 b5a98606a7cfcbe3fe61ccb8d7dea267 619 admin optional backup-manager_0.5.8-2.dsc
 47a119410951074da813c71dcb7b04de 34881 admin optional backup-manager_0.5.8-2.diff.gz
 db3be16a8144831486cb0a3bec06ec8e 49060 admin optional backup-manager_0.5.8-2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFCwDf9hYgK5b1UDsERAntAAJ0UmxzMD4SLA8rWN8Qba/HyqupirQCeLlY1
ilnJPC7/SMzFT6Gk1B4uPTw=
=lGt7
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#315582; Package backup-manager. Full text and rfc822 format available.

Acknowledgement sent to Alexis Sukrieh <sukria@sukria.net>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #35 received at 315582@bugs.debian.org (full text, mbox):

From: Alexis Sukrieh <sukria@sukria.net>
To: 315582@bugs.debian.org
Subject: [backup-manager #315582] Bug still open in sarge
Date: Tue, 28 Jun 2005 09:14:30 +0200
reopen 315582
thanks

This bug is closed in sid, but still open in sarge.
It will be closed in etch as soon as the
package propagates (I'll then remove the etch tag).

Regards.

-- 

 - Alexis Sukrieh 




Bug reopened, originator not changed. Request was from Alexis Sukrieh <sukria@sukria.net> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#315582; Package backup-manager. Full text and rfc822 format available.

Acknowledgement sent to Alexis Sukrieh <sukria@sukria.net>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #42 received at 315582@bugs.debian.org (full text, mbox):

From: Alexis Sukrieh <sukria@sukria.net>
To: 308897@bugs.debian.org, 315582@bugs.debian.org
Cc: 308897-submitter@bugs.debian.org, 315582-submitter@bugs.debian.org
Subject: Bugs closed in etch and sid
Date: Mon, 11 Jul 2005 14:26:20 +0200
tags 308897 - etch
tags 315582 - etch
thanks

The 0.5.8-2 package is in testing now and closes those bugs.

-- 

 - Alexis Sukrieh 




Tags removed: etch Request was from Alexis Sukrieh <sukria@sukria.net> to control@bugs.debian.org. Full text and rfc822 format available.

Message sent on to Sven Joachim <sven_joachim@web.de>:
Bug#315582. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#315582; Package backup-manager. Full text and rfc822 format available.

Acknowledgement sent to Alexis Sukrieh <sukria@sukria.net>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #52 received at 315582@bugs.debian.org (full text, mbox):

From: Alexis Sukrieh <sukria@sukria.net>
To: 308897@bugs.debian.org, 315582@bugs.debian.org, 308897-submitter@bugs.debian.org, 315582-submitter@bugs.debian.org
Subject: [backup-manager] Pending security upload
Date: Fri, 29 Jul 2005 17:46:46 +0200
tags 308897 + pending
tags 315582 + pending
thanks

These two bugs are fixed in the new pending sarge package (0.5.7-1sarge1),
which will hopefully be uploaded to the security archive soon.

Regards.

-- 

 - Alexis Sukrieh 




Tags added: pending Request was from Alexis Sukrieh <sukria@sukria.net> to control@bugs.debian.org. Full text and rfc822 format available.

Message sent on to Sven Joachim <sven_joachim@web.de>:
Bug#315582. Full text and rfc822 format available.

Tags added: fixed Request was from Alexis Sukrieh <sukria@sukria.net> to control@bugs.debian.org. Full text and rfc822 format available.

Reply sent to Alexis Sukrieh <sukria@sukria.net>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Sven Joachim <sven_joachim@web.de>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #64 received at 315582-done@bugs.debian.org (full text, mbox):

From: Alexis Sukrieh <sukria@sukria.net>
To: 308897-done@bugs.debian.org, 315582-done@bugs.debian.org
Subject: bug closed
Date: Wed, 28 Sep 2005 11:04:51 +0200
Those bugs are closed in sarge now, and they are not open in etch and
sid.




Tags added: fixed Request was from Alexis Sukrieh <sukria@sukria.net> to control@bugs.debian.org. Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 19 Jun 2007 03:37:47 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 21:58:33 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.