To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: lm-sensors: Insecure tempfile usage in pwmconfig
Date: Sat, 20 Aug 2005 22:21:13 +0200
Package: lm-sensors
Version: 1:2.9.1-5
Severity: grave
Tags: security patch
lm-sensors's configuration script pwmconfig, which is used, generally as
root, to probe the fan controls and generate a new configuration file,
uses files under /tmp in an unsafe way which makes it possible to
conduct symlink attacks. The temporary filename used to create a
temporary configuration file is hardcoded to '/tmp/fancontrol'.
Thanks to Javier Fernández-Sanguino Peña <jfs@computer.org> who first
reported me the bug.
--- pwmconfig.orig 2005-08-05 18:36:40.000000000 +0200
+++ pwmconfig 2005-08-05 18:37:47.000000000 +0200
@@ -465,9 +465,11 @@
function SaveConfig {
echo
echo "Saving configuration to $FCCONFIG..."
- egrep -v '(INTERVAL|FCTEMPS|FCFANS|MAXTEMP|MINTEMP|MINSTART|MINSTOP)' $FCCONFIG >/tmp/fancontrol
- echo -e "INTERVAL=$INTERVAL\nFCTEMPS=$FCTEMPS\nFCFANS=$FCFANS\nMINTEMP=$MINTEMP\nMAXTEMP=$MAXTEMP\nMINSTART=$MINSTART\nMINSTOP=$MINSTOP" >>/tmp/fancontrol
- mv /tmp/fancontrol $FCCONFIG
+ tmpfile=`tempfile` || { echo "$0: Cannot create temporary file" >&2; exit 1; }
+ trap " [ -f \"$tmpfile\" ] && /bin/rm -f -- \"$tmpfile\"" 0 1 2 3 13 15
+ egrep -v '(INTERVAL|FCTEMPS|FCFANS|MAXTEMP|MINTEMP|MINSTART|MINSTOP)' $FCCONFIG >$tmpfile
+ echo -e "INTERVAL=$INTERVAL\nFCTEMPS=$FCTEMPS\nFCFANS=$FCFANS\nMINTEMP=$MINTEMP\nMAXTEMP=$MAXTEMP\nMINSTART=$MINSTART\nMINSTOP=$MINSTOP" >>$tmpfile
+ mv $tmpfile $FCCONFIG
#check if file was written correctly
echo 'Configuration saved'
}
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to fr_FR.UTF-8)
Versions of packages lm-sensors depends on:
ii debconf [debconf-2.0] 1.4.57 Debian configuration management sy
ii libc6 2.3.5-3 GNU C Library: Shared libraries an
ii libsensors3 1:2.9.1-5 library to read temperature/voltag
ii makedev 2.3.1-78 creates device files in /dev
ii perl 5.8.7-4 Larry Wall's Practical Extraction
ii sed 4.1.4-2 The GNU sed stream editor
ii sysvinit 2.86.ds1-1 System-V like init
ii ucf 2.001 Update Configuration File: preserv
Versions of packages lm-sensors recommends:
ii kernel-image-2.6.12 [kernel 10.00.Custom Linux kernel binary image for vers
ii lm-sensors-2.4.27-2-k7 [lm- 1:2.9.1-5 kernel drivers to read temperature
-- debconf information excluded
Reply sent to Aurelien Jarno <aurel32@debian.org>:
You have taken responsibility.
(full text, mbox, link).
Notification sent to Aurelien Jarno <aurel32@debian.org>:
Bug acknowledged by developer.
(full text, mbox, link).
Subject: Bug#324193: fixed in lm-sensors 1:2.9.1-7
Date: Sat, 20 Aug 2005 17:17:06 -0700
Source: lm-sensors
Source-Version: 1:2.9.1-7
We believe that the bug you reported is fixed in the latest version of
lm-sensors, which is due to be installed in the Debian FTP archive:
kernel-patch-2.4-lm-sensors_2.9.1-7_all.deb
to pool/main/l/lm-sensors/kernel-patch-2.4-lm-sensors_2.9.1-7_all.deb
libsensors-dev_2.9.1-7_hppa.deb
to pool/main/l/lm-sensors/libsensors-dev_2.9.1-7_hppa.deb
libsensors-dev_2.9.1-7_i386.deb
to pool/main/l/lm-sensors/libsensors-dev_2.9.1-7_i386.deb
libsensors-dev_2.9.1-7_mips.deb
to pool/main/l/lm-sensors/libsensors-dev_2.9.1-7_mips.deb
libsensors-dev_2.9.1-7_powerpc.deb
to pool/main/l/lm-sensors/libsensors-dev_2.9.1-7_powerpc.deb
libsensors-dev_2.9.1-7_sparc.deb
to pool/main/l/lm-sensors/libsensors-dev_2.9.1-7_sparc.deb
libsensors3_2.9.1-7_hppa.deb
to pool/main/l/lm-sensors/libsensors3_2.9.1-7_hppa.deb
libsensors3_2.9.1-7_i386.deb
to pool/main/l/lm-sensors/libsensors3_2.9.1-7_i386.deb
libsensors3_2.9.1-7_mips.deb
to pool/main/l/lm-sensors/libsensors3_2.9.1-7_mips.deb
libsensors3_2.9.1-7_powerpc.deb
to pool/main/l/lm-sensors/libsensors3_2.9.1-7_powerpc.deb
libsensors3_2.9.1-7_sparc.deb
to pool/main/l/lm-sensors/libsensors3_2.9.1-7_sparc.deb
lm-sensors-2.4.27-2-386_2.9.1-7_i386.deb
to pool/main/l/lm-sensors/lm-sensors-2.4.27-2-386_2.9.1-7_i386.deb
lm-sensors-2.4.27-2-586tsc_2.9.1-7_i386.deb
to pool/main/l/lm-sensors/lm-sensors-2.4.27-2-586tsc_2.9.1-7_i386.deb
lm-sensors-2.4.27-2-686-smp_2.9.1-7_i386.deb
to pool/main/l/lm-sensors/lm-sensors-2.4.27-2-686-smp_2.9.1-7_i386.deb
lm-sensors-2.4.27-2-686_2.9.1-7_i386.deb
to pool/main/l/lm-sensors/lm-sensors-2.4.27-2-686_2.9.1-7_i386.deb
lm-sensors-2.4.27-2-k6_2.9.1-7_i386.deb
to pool/main/l/lm-sensors/lm-sensors-2.4.27-2-k6_2.9.1-7_i386.deb
lm-sensors-2.4.27-2-k7-smp_2.9.1-7_i386.deb
to pool/main/l/lm-sensors/lm-sensors-2.4.27-2-k7-smp_2.9.1-7_i386.deb
lm-sensors-2.4.27-2-k7_2.9.1-7_i386.deb
to pool/main/l/lm-sensors/lm-sensors-2.4.27-2-k7_2.9.1-7_i386.deb
lm-sensors-source_2.9.1-7_all.deb
to pool/main/l/lm-sensors/lm-sensors-source_2.9.1-7_all.deb
lm-sensors_2.9.1-7.diff.gz
to pool/main/l/lm-sensors/lm-sensors_2.9.1-7.diff.gz
lm-sensors_2.9.1-7.dsc
to pool/main/l/lm-sensors/lm-sensors_2.9.1-7.dsc
lm-sensors_2.9.1-7_hppa.deb
to pool/main/l/lm-sensors/lm-sensors_2.9.1-7_hppa.deb
lm-sensors_2.9.1-7_i386.deb
to pool/main/l/lm-sensors/lm-sensors_2.9.1-7_i386.deb
lm-sensors_2.9.1-7_mips.deb
to pool/main/l/lm-sensors/lm-sensors_2.9.1-7_mips.deb
lm-sensors_2.9.1-7_powerpc.deb
to pool/main/l/lm-sensors/lm-sensors_2.9.1-7_powerpc.deb
lm-sensors_2.9.1-7_sparc.deb
to pool/main/l/lm-sensors/lm-sensors_2.9.1-7_sparc.deb
sensord_2.9.1-7_hppa.deb
to pool/main/l/lm-sensors/sensord_2.9.1-7_hppa.deb
sensord_2.9.1-7_i386.deb
to pool/main/l/lm-sensors/sensord_2.9.1-7_i386.deb
sensord_2.9.1-7_mips.deb
to pool/main/l/lm-sensors/sensord_2.9.1-7_mips.deb
sensord_2.9.1-7_powerpc.deb
to pool/main/l/lm-sensors/sensord_2.9.1-7_powerpc.deb
sensord_2.9.1-7_sparc.deb
to pool/main/l/lm-sensors/sensord_2.9.1-7_sparc.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 324193@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Aurelien Jarno <aurel32@debian.org> (supplier of updated lm-sensors package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sat, 20 Aug 2005 22:12:54 +0200
Source: lm-sensors
Binary: lm-sensors-2.4.27-2-386 lm-sensors-source lm-sensors-2.4.27-2-k7 libsensors-dev lm-sensors-2.4.27-2-k7-smp lm-sensors-2.4.27-2-586tsc lm-sensors sensord kernel-patch-2.4-lm-sensors lm-sensors-2.4.27-2-686 lm-sensors-2.4.27-2-k6 lm-sensors-2.4.27-2-686-smp libsensors3
Architecture: all hppa i386 mips powerpc source sparc
Version: 1:2.9.1-7
Distribution: unstable
Urgency: high
Maintainer: Aurelien Jarno <aurel32@debian.org>
Changed-By: Aurelien Jarno <aurel32@debian.org>
Description:
libsensors-dev - lm-sensors development kit
libsensors3 - library to read temperature/voltage/fan sensors
lm-sensors - utilities to read temperature/voltage/fan sensors
sensord - hardware sensor information logging daemon
Closes: 324193
Changes:
lm-sensors (1:2.9.1-7) unstable; urgency=high
.
* Urgency set to high due to security fix.
* Fixed and insecure tempfile usage in pwmconfig. Thanks to Javier
Fernández-Sanguino Peña <jfs@computer.org> for the bug report and the
patch (closes: bug#324193).
Files:
0516aaf8e29df8c9649895b4172823ef 258084 utils extra lm-sensors-2.4.27-2-386_2.9.1-7_i386.deb
0585b3d2ac5e5606097833356767f1f7 941732 misc extra lm-sensors-source_2.9.1-7_all.deb
0aa708156bb116d038268c1968e54f00 1086 utils extra lm-sensors_2.9.1-7.dsc
1787514e5eb011bc4c20274fc963b5d5 107066 libdevel extra libsensors-dev_2.9.1-7_powerpc.deb
1e62f1a2097bee1ebf426d8f381af6fa 258026 utils extra lm-sensors-2.4.27-2-586tsc_2.9.1-7_i386.deb
210ffba71baecdf9813d250a4548a2b1 474082 utils extra lm-sensors_2.9.1-7_hppa.deb
36c2b2092c0a7aeb6993b3e4cb9bebff 100668 libdevel extra libsensors-dev_2.9.1-7_sparc.deb
493108678d39c69d36345a4825cfcd39 304740 devel extra kernel-patch-2.4-lm-sensors_2.9.1-7_all.deb
4fac1b4f1e79e9c4ccfa65f5478d67bd 33521 utils extra lm-sensors_2.9.1-7.diff.gz
6aa7e28a0349ae4c107c84aa08e11ffa 258104 utils extra lm-sensors-2.4.27-2-k6_2.9.1-7_i386.deb
72fe5179b837f867deb3c8bf2f86155c 469182 utils extra lm-sensors_2.9.1-7_i386.deb
748e4a1ada4ab6a3919d1b5eff45b9dd 471554 utils extra lm-sensors_2.9.1-7_powerpc.deb
798123a11b44866e257a2fcad8b898ca 258518 utils extra lm-sensors-2.4.27-2-686-smp_2.9.1-7_i386.deb
7a4b6e65ab67b821ca5126f4224cb4a2 59448 utils extra sensord_2.9.1-7_hppa.deb
840e4b15760ea78e1504a674c9eae9fd 258856 utils extra lm-sensors-2.4.27-2-k7-smp_2.9.1-7_i386.deb
9164834eca8b10bb84f5c63904fa4394 469068 utils extra lm-sensors_2.9.1-7_mips.deb
9c5bed74ce03f94e5ce7ae1908e15386 93186 libdevel extra libsensors-dev_2.9.1-7_i386.deb
a19218e71ef3fe21df879496fe84f29a 82132 libs optional libsensors3_2.9.1-7_mips.deb
ae355a7965b87190c50e7288bfce1398 77504 libs optional libsensors3_2.9.1-7_i386.deb
b46c41f23141c6f79a62977cce90fd60 467912 utils extra lm-sensors_2.9.1-7_sparc.deb
c678a0c2e5a21b8e245b0c9b0e91d2bc 59266 utils extra sensord_2.9.1-7_mips.deb
cab3debe919916b807439a65294d4173 258368 utils extra lm-sensors-2.4.27-2-k7_2.9.1-7_i386.deb
d04b1103cb3fb687cf1a5a962c3754e9 56180 utils extra sensord_2.9.1-7_i386.deb
da4616930c9a272b87d4660bb955c6c5 56872 utils extra sensord_2.9.1-7_sparc.deb
dbc952fa5d0e1a3320afa93e593f2a39 85302 libs optional libsensors3_2.9.1-7_powerpc.deb
dd2adf9e678fdab7e7f1dbaca3173b44 81968 libs optional libsensors3_2.9.1-7_sparc.deb
e260695ab74bd63805dc016441fed720 103650 libdevel extra libsensors-dev_2.9.1-7_mips.deb
e38912090e5083e8f2f320d9b66f1275 104894 libdevel extra libsensors-dev_2.9.1-7_hppa.deb
ec9414cc5fe31750d1ac6eb77bcf04a8 258078 utils extra lm-sensors-2.4.27-2-686_2.9.1-7_i386.deb
f4fdf9a4e6730892154e7dadcf668703 89014 libs optional libsensors3_2.9.1-7_hppa.deb
fe6f24f759921708b42d03e987a716d2 59310 utils extra sensord_2.9.1-7_powerpc.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iD8DBQFDB8Yww3ao2vG823MRAo0XAJ90DZfFg6t7eyXJcZ/MCdrO/OIUlwCfbkPS
mwy8X0LTERAkDvBFava7a3E=
=lk2F
-----END PGP SIGNATURE-----
Bug reopened, originator not changed.
Request was from Aurelien Jarno <aurelien@aurel32.net>
to control@bugs.debian.org.
(full text, mbox, link).
Tags added: sarge
Request was from Aurelien Jarno <aurelien@aurel32.net>
to control@bugs.debian.org.
(full text, mbox, link).
Tags added: etch
Request was from Aurelien Jarno <aurelien@aurel32.net>
to control@bugs.debian.org.
(full text, mbox, link).
Information forwarded to debian-bugs-dist@lists.debian.org, Aurelien Jarno <aurel32@debian.org>: Bug#324193; Package lm-sensors.
(full text, mbox, link).
Acknowledgement sent to Martin Pitt <mpitt@debian.org>:
Extra info received and forwarded to list. Copy sent to Aurelien Jarno <aurel32@debian.org>.
(full text, mbox, link).
Hi!
This got a CAN number assigned. Can you please mention it in the
changelog when you fix this?
Thanks,
Martin
----- Forwarded message from "Steven M. Christey" <coley@mitre.org> -----
Date: Tue, 23 Aug 2005 14:53:06 -0400 (EDT)
From: "Steven M. Christey" <coley@mitre.org>
To: joey@infodrom.org, martin.pitt@canonical.com
Cc: coley@mitre.org
Subject: CAN-2005-2672 assigned to pwmconfig symlink
X-Spam-Status: No, score=1.4 required=4.0 tests=AWL,BAYES_50 autolearn=no
version=3.0.3
FYI...
======================================================
Candidate: CAN-2005-2672
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2672
Reference: BID:14624
Reference: URL:http://www.securityfocus.com/bid/14624
Reference: UBUNTU:USN-172-1
Reference: URL:http://www.ubuntulinux.org/support/documentation/usn/usn-172-1
Reference: CONFIRM:http://secure.netroedge.com/~lm78/cvs/lm_sensors2/CHANGES
pwmconfig in LM_sensors before 2.9.1 creates temporary files
insecurely, which allows local users to overwrite arbitrary files via
a symlink attack on the fancontrol temporary file.
----- End forwarded message -----
--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntu.com
Debian Developer http://www.debian.org
Information forwarded to debian-bugs-dist@lists.debian.org, Aurelien Jarno <aurel32@debian.org>: Bug#324193; Package lm-sensors.
(full text, mbox, link).
Acknowledgement sent to Aurelien Jarno <aurelien@aurel32.net>:
Extra info received and forwarded to list. Copy sent to Aurelien Jarno <aurel32@debian.org>.
(full text, mbox, link).
To: Martin Pitt <mpitt@debian.org>, 324193@bugs.debian.org
Subject: Re: Bug#324193: Fwd: CAN-2005-2672 assigned to pwmconfig symlink
Date: Wed, 24 Aug 2005 11:10:53 +0200
On Wed, Aug 24, 2005 at 08:47:53AM +0200, Martin Pitt wrote:
> Hi!
>
> This got a CAN number assigned. Can you please mention it in the
> changelog when you fix this?
Well, the bug is now fixed for a few days. I have decided to fix it
without a CAN number because I was unable to get one (got no answer from
the security team, and it is still the case).
Should I upload a new version, just adding this CAN number.
Bye,
Aurelien
--
.''`. Aurelien Jarno | GPG: 1024D/F1BCDB73
: :' : Debian GNU/Linux developer | Electrical Engineer
`. `' aurel32@debian.org | aurelien@aurel32.net
`- people.debian.org/~aurel32 | www.aurel32.net
Information forwarded to debian-bugs-dist@lists.debian.org, Aurelien Jarno <aurel32@debian.org>: Bug#324193; Package lm-sensors.
(full text, mbox, link).
Acknowledgement sent to Martin Pitt <mpitt@debian.org>:
Extra info received and forwarded to list. Copy sent to Aurelien Jarno <aurel32@debian.org>.
(full text, mbox, link).
To: Aurelien Jarno <aurelien@aurel32.net>, 324193@bugs.debian.org
Subject: Re: Bug#324193: Fwd: CAN-2005-2672 assigned to pwmconfig symlink
Date: Wed, 24 Aug 2005 13:47:00 +0200
Hi Aurelien!
Aurelien Jarno [2005-08-24 11:10 +0200]:
> On Wed, Aug 24, 2005 at 08:47:53AM +0200, Martin Pitt wrote:
> > Hi!
> >
> > This got a CAN number assigned. Can you please mention it in the
> > changelog when you fix this?
>
> Well, the bug is now fixed for a few days. I have decided to fix it
> without a CAN number because I was unable to get one (got no answer from
> the security team, and it is still the case).
Ah, fine.
> Should I upload a new version, just adding this CAN number.
No, that's not worth the trouble. However, it would be nice if you
could add it at the next regular upload.
Thanks!
Martin
--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntu.com
Debian Developer http://www.debian.org
Tags added: fixed
Request was from Martin Schulze <joey@infodrom.org>
to control@bugs.debian.org.
(full text, mbox, link).
Tags removed: sarge
Request was from Aurelien Jarno <aurelien@aurel32.net>
to control@bugs.debian.org.
(full text, mbox, link).
Tags removed: fixed
Request was from Aurelien Jarno <aurelien@aurel32.net>
to control@bugs.debian.org.
(full text, mbox, link).
Reply sent to Aurelien Jarno <aurelien@aurel32.net>:
You have taken responsibility.
(full text, mbox, link).
Notification sent to Aurelien Jarno <aurel32@debian.org>:
Bug acknowledged by developer.
(full text, mbox, link).
lm-sensors has been moved to etch. Closing the bug.
--
.''`. Aurelien Jarno | GPG: 1024D/F1BCDB73
: :' : Debian developer | Electrical Engineer
`. `' aurel32@debian.org | aurelien@aurel32.net
`- people.debian.org/~aurel32 | www.aurel32.net
Bug reopened, originator not changed.
Request was from Steve Langasek <vorlon@debian.org>
to control@bugs.debian.org.
(full text, mbox, link).
Bug marked as found in version 1:2.9.1-1.
Request was from Steve Langasek <vorlon@debian.org>
to control@bugs.debian.org.
(full text, mbox, link).
Bug marked as fixed in version 1:2.9.1-7, send any further explanations to Aurelien Jarno <aurel32@debian.org>
Request was from Steve Langasek <vorlon@debian.org>
to control@bugs.debian.org.
(full text, mbox, link).
Bug marked as fixed in version 1:2.9.1-1sarge2, send any further explanations to Aurelien Jarno <aurel32@debian.org>
Request was from Steve Langasek <vorlon@debian.org>
to control@bugs.debian.org.
(full text, mbox, link).
Tags added: fixed
Request was from Martin Schulze <joey@infodrom.org>
to control@bugs.debian.org.
(full text, mbox, link).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Wed, 27 Jun 2007 04:32:09 GMT) (full text, mbox, link).
Debbugs is free software and licensed under the terms of the GNU General
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.