Debian Bug report logs - #318285
CAN-2005-2240 symlink attack in xpvm.tcl

version graph

Package: xpvm; Maintainer for xpvm is (unknown);

Reported by: Joey Hess <joeyh@debian.org>

Date: Thu, 14 Jul 2005 14:48:07 UTC

Severity: serious

Tags: patch, security

Found in versions xpvm/1.2.5-7.2, xpvm/1.2.5-7.3

Fixed in version 1.2.5-8

Done: Thijs Kinkhorst <kink@squirrelmail.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#318285; Package xpvm. Full text and rfc822 format available.

Acknowledgement sent to Joey Hess <joeyh@debian.org>:
New Bug report received and forwarded. Copy sent to Debian QA Group <packages@qa.debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Joey Hess <joeyh@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CAN-2005-2240 symlink attack in xpvm.tcl
Date: Thu, 14 Jul 2005 17:27:33 +0300
[Message part 1 (text/plain, inline)]
Package: xpvm
Severity: serious
Tags: security

According to http://secunia.com/advisories/16040:

  Eric Romang has reported a vulnerability in xpvm, which can be exploited by
  malicious, local users to perform certain actions on a vulnerable system with
  escalated privileges.

  The vulnerability is caused due to the temporary file "/tmp/xpvm.trace.$user"
  being created insecurely by "src/xpvm.tcl". This can be exploited via symlink
  attacks to create or overwrite arbitrary files with the privileges of the user
  running the affected application.

This is CAN-2005-2240.

-- 
see shy jo
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#318285; Package xpvm. Full text and rfc822 format available.

Acknowledgement sent to Frank Lichtenheld <djpig@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>. Full text and rfc822 format available.

Message #10 received at 318285@bugs.debian.org (full text, mbox):

From: Frank Lichtenheld <djpig@debian.org>
To: Joey Hess <joeyh@debian.org>, 318285@bugs.debian.org
Subject: Re: Bug#318285: CAN-2005-2240 symlink attack in xpvm.tcl
Date: Fri, 15 Jul 2005 13:47:44 +0200
On Thu, Jul 14, 2005 at 05:27:33PM +0300, Joey Hess wrote:
> According to http://secunia.com/advisories/16040:

Some investigation on it:
There is a tempfile procedure available in tcllib, one could either
use that or copy&paste (since it isn't available in tcllib in woody)

@security team: Should I cook up a patch for that?

Gruesse,
-- 
Frank Lichtenheld <djpig@debian.org>
www: http://www.djpig.de/



Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#318285; Package xpvm. Full text and rfc822 format available.

Acknowledgement sent to Frank Lichtenheld <djpig@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>. Full text and rfc822 format available.

Message #15 received at 318285@bugs.debian.org (full text, mbox):

From: Frank Lichtenheld <djpig@debian.org>
To: Joey Hess <joeyh@debian.org>, 318285@bugs.debian.org
Subject: Re: Bug#318285: CAN-2005-2240 symlink attack in xpvm.tcl
Date: Sat, 16 Jul 2005 22:58:48 +0200
On Fri, Jul 15, 2005 at 01:47:44PM +0200, Frank Lichtenheld wrote:
> On Thu, Jul 14, 2005 at 05:27:33PM +0300, Joey Hess wrote:
> > According to http://secunia.com/advisories/16040:
> 
> Some investigation on it:
> There is a tempfile procedure available in tcllib, one could either
> use that or copy&paste (since it isn't available in tcllib in woody)
> 
> @security team: Should I cook up a patch for that?

Hmm, tried that and failed. Unfortunatly it requires more TCL knowledge
than I have.

Gruesse,
-- 
Frank Lichtenheld <djpig@debian.org>
www: http://www.djpig.de/



Reply sent to Matej Vela <vela@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Joey Hess <joeyh@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #20 received at 318285-close@bugs.debian.org (full text, mbox):

From: Matej Vela <vela@debian.org>
To: 318285-close@bugs.debian.org
Subject: Bug#318285: fixed in xpvm 1.2.5-8
Date: Sun, 04 Sep 2005 06:17:09 -0700
Source: xpvm
Source-Version: 1.2.5-8

We believe that the bug you reported is fixed in the latest version of
xpvm, which is due to be installed in the Debian FTP archive:

xpvm_1.2.5-8.diff.gz
  to pool/main/x/xpvm/xpvm_1.2.5-8.diff.gz
xpvm_1.2.5-8.dsc
  to pool/main/x/xpvm/xpvm_1.2.5-8.dsc
xpvm_1.2.5-8_i386.deb
  to pool/main/x/xpvm/xpvm_1.2.5-8_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 318285@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Matej Vela <vela@debian.org> (supplier of updated xpvm package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun,  4 Sep 2005 14:44:07 +0200
Source: xpvm
Binary: xpvm
Architecture: source i386
Version: 1.2.5-8
Distribution: unstable
Urgency: high
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Matej Vela <vela@debian.org>
Description: 
 xpvm       - graphical console and monitor for PVM
Closes: 318285
Changes: 
 xpvm (1.2.5-8) unstable; urgency=high
 .
   * QA upload.
   * Use ~/.xpvm_trace instead of /tmp/xpvm.trace.$USER to prevent symlink
     attacks.  (Trace files are meant to be semi-persistent, so this is more
     in line with user expectations than creating unique temporary files.)
     [src/xpvm.tcl, src/help/traces.help, debian/xpvm.1, CAN-2005-2240]
     Closes: #318285.
Files: 
 302430bf43733f943f9b64d8bd6e3ef0 565 devel extra xpvm_1.2.5-8.dsc
 4830ca9affcea2cbc192acaeed63e5cf 6808 devel extra xpvm_1.2.5-8.diff.gz
 495af96ea96f348b9f0264f5e38de908 169334 devel extra xpvm_1.2.5-8_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDGuw2xBYivKllgY8RAl+aAJ9fXjR+01irGCT5T994OQETuGNb5QCghRcF
nryezpCnlLWHgZu78m/mh7c=
=R8A3
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#318285; Package xpvm. Full text and rfc822 format available.

Acknowledgement sent to Matej Vela <vela@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>. Full text and rfc822 format available.

Message #25 received at 318285@bugs.debian.org (full text, mbox):

From: Matej Vela <vela@debian.org>
To: team@security.debian.org, 318285@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Bug#318285: CAN-2005-2240 symlink attack in xpvm.tcl
Date: Sun, 4 Sep 2005 15:37:54 +0200
[Message part 1 (text/plain, inline)]
tag 318285 patch
thanks

Hi,

Here's the CAN-2005-2240 fix for woody and sarge (sid upload is already
in incoming).

Cheers,

Matej
[xpvm-woody.diff (text/plain, attachment)]
[xpvm-sarge.diff (text/plain, attachment)]

Tags added: patch Request was from Matej Vela <vela@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Bug reopened, originator not changed. Request was from Matej Vela <vela@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: woody, sarge Request was from Matej Vela <vela@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Bug marked as found in version 1.2.5-7.2. Request was from Matej Vela <vela@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Bug marked as found in version 1.2.5-7.3. Request was from Matej Vela <vela@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Bug marked as not found in version 1.2.5-8. Request was from Matej Vela <vela@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Tags removed: woody, sarge Request was from Matej Vela <vela@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Reply sent to Thijs Kinkhorst <kink@squirrelmail.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Joey Hess <joeyh@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #44 received at 318285-done@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <kink@squirrelmail.org>
To: 318285-done@bugs.debian.org
Subject: Fixed in xpvm
Date: Tue, 14 Mar 2006 18:13:38 +0100
Version: 1.2.5-8

This bug has been fixed in the upload of 2005-09-04 by Matej Vela, but
was inadvertently reopened for sid. Closing the bug again with the right
version.


Thijs



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 21:47:28 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 14:02:14 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.