Debian Bug report logs - #325468
polygen: ignores umask


Package: polygen; Maintainer for polygen is Debian OCaml Maintainers <debian-ocaml-maint@lists.debian.org>; Source for polygen is src:polygen.

Reported by: Justin B Rye <jbr@edlug.org.uk>

Date: Sun, 28 Aug 2005 21:48:02 UTC

Severity: critical

Tags: fixed, security

Found in version polygen/1.0.6-7

Fixed in version polygen/1.0.6-9

Done: Enrico Zini <enrico@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Enrico Zini <enrico@debian.org>:
Bug#325468; Package polygen. Full text and rfc822 format available.

Acknowledgement sent to Justin B Rye <jbr@edlug.org.uk>:
New Bug report received and forwarded. Copy sent to Enrico Zini <enrico@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Justin B Rye <jbr@edlug.org.uk>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: polygen: ignores umask
Date: Sun, 28 Aug 2005 22:41:52 +0100
Package: polygen
Version: 1.0.6-7
Severity: critical
Tags: security
Justification: root security hole

/var/lib/dpkg/info/polygen-data.postinst invokes /usr/bin/polygen on
all its /usr/share/polygen/*/*.grm data files to create corresponding
.grm.o files.  Unfortunately polygen ignores the umask and creates
all these output files with a mode of 0666.

On Sat, Aug 13, Enrico Zini wrote:
> Oh!  That's a bad bug, security-related, critical severity.  Could you
> please report it?

Sorry about the delay.  I can't see quite how the exploit would
work, even as a "grave" user-versus-user attack, but it smells
vaguely of buffer-overflow risk as well as being a violation of
policy 10.9 and generally bad behaviour.

-- System Information:
Debian Release: 3.1
Architecture: i386 (i586)
Kernel: Linux 2.6.11.hurakan
Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-1)

Versions of packages polygen depends on:
ii  ocaml-base-nox [ocaml-base-no 3.08.3-3   Runtime system for ocaml bytecode

-- no debconf information
-- 
JBR
Ankh kak! (Ancient Egyptian blessing)



Information forwarded to debian-bugs-dist@lists.debian.org, Enrico Zini <enrico@debian.org>:
Bug#325468; Package polygen. Full text and rfc822 format available.

Acknowledgement sent to Enrico Zini <enrico@enricozini.org>:
Extra info received and forwarded to list. Copy sent to Enrico Zini <enrico@debian.org>. Full text and rfc822 format available.

Message #10 received at 325468@bugs.debian.org (full text, mbox):

From: Enrico Zini <enrico@enricozini.org>
To: Justin B Rye <jbr@edlug.org.uk>, 325468@bugs.debian.org
Subject: Re: Bug#325468: polygen: ignores umask
Date: Mon, 29 Aug 2005 13:44:42 +0200
On Sun, Aug 28, 2005 at 10:41:52PM +0100, Justin B Rye wrote:

> On Sat, Aug 13, Enrico Zini wrote:
> > Oh!  That's a bad bug, security-related, critical severity.  Could you
> > please report it?
> 
> Sorry about the delay.  I can't see quite how the exploit would
> work, even as a "grave" user-versus-user attack, but it smells
> vaguely of buffer-overflow risk as well as being a violation of
> policy 10.9 and generally bad behaviour.

Thanks for reporting.  I pinged upstream pointing him at the report, I
hope he gets back to me quickly.

It can surely be used to fill up disk space in a DoS attack.  I don't
know anything about OCaml's serialisation methods so I can't say if
this could be exploited to cause a buffer overflow.

In the meantime, the problem seems to be in io.ml, line 65:

     Unix.chmod tmp 0o666;

I've asked upstream if he can see any problems in just removing that
line.


Ciao,

Enrico

--
GPG key: 1024D/797EBFAB 2000-12-05 Enrico Zini <enrico@debian.org>

Reply sent to Enrico Zini <enrico@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Justin B Rye <jbr@edlug.org.uk>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #15 received at 325468-close@bugs.debian.org (full text, mbox):

From: Enrico Zini <enrico@debian.org>
To: 325468-close@bugs.debian.org
Subject: Bug#325468: fixed in polygen 1.0.6-8
Date: Mon, 29 Aug 2005 08:02:05 -0700
Source: polygen
Source-Version: 1.0.6-8

We believe that the bug you reported is fixed in the latest version of
polygen, which is due to be installed in the Debian FTP archive:

polygen-data_1.0.6-8_all.deb
  to pool/main/p/polygen/polygen-data_1.0.6-8_all.deb
polygen_1.0.6-8.diff.gz
  to pool/main/p/polygen/polygen_1.0.6-8.diff.gz
polygen_1.0.6-8.dsc
  to pool/main/p/polygen/polygen_1.0.6-8.dsc
polygen_1.0.6-8_all.deb
  to pool/main/p/polygen/polygen_1.0.6-8_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 325468@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Enrico Zini <enrico@debian.org> (supplier of updated polygen package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.7
Date: Mon, 29 Aug 2005 16:51:08 +0200
Source: polygen
Binary: polygen-data polygen
Architecture: source all
Version: 1.0.6-8
Distribution: unstable
Urgency: high
Maintainer: Enrico Zini <enrico@debian.org>
Changed-By: Enrico Zini <enrico@debian.org>
Description: 
 polygen    - generator of random sentences from grammar definitions
 polygen-data - grammar definitions for PolyGen
Closes: 325468
Changes: 
 polygen (1.0.6-8) unstable; urgency=high
 .
   * Added a patch to honor umask when creating .grm.o files.
     Closes: #325468.
   * Urgency set to high since we close a security bug.
   * Bumped Standards-version.
Files: 
 9bd5069f81ecff42ae9195db4dd06080 612 games optional polygen_1.0.6-8.dsc
 c2f0b82496f89b156652b9626ae2a597 4013 games optional polygen_1.0.6-8.diff.gz
 afcb527f481b0c0f80eb640a031008bb 85850 games optional polygen_1.0.6-8_all.deb
 44a7b55065c16f1af1de64fe3f45395c 265456 games optional polygen-data_1.0.6-8_all.deb





Information forwarded to debian-bugs-dist@lists.debian.org, Enrico Zini <enrico@debian.org>:
Bug#325468; Package polygen. Full text and rfc822 format available.

Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Enrico Zini <enrico@debian.org>. Full text and rfc822 format available.

Message #20 received at 325468@bugs.debian.org (full text, mbox):

From: Steve Langasek <vorlon@debian.org>
To: Enrico Zini <enrico@enricozini.org>, 325468@bugs.debian.org
Cc: Justin B Rye <jbr@edlug.org.uk>
Subject: Re: Bug#325468: polygen: ignores umask
Date: Mon, 29 Aug 2005 12:26:09 -0700
On Mon, Aug 29, 2005 at 01:44:42PM +0200, Enrico Zini wrote:

> > On Sat, Aug 13, Enrico Zini wrote:
> > > Oh!  That's a bad bug, security-related, critical severity.  Could you
> > > please report it?

> > Sorry about the delay.  I can't see quite how the exploit would
> > work, even as a "grave" user-versus-user attack, but it smells
> > vaguely of buffer-overflow risk as well as being a violation of
> > policy 10.9 and generally bad behaviour.

> Thanks for reporting.  I pinged upstream pointing him at the report, I
> hope he gets back to me quickly.

> It can surely be used to fill up disk space in a DoS attack.  I don't
> know anything about OCaml's serialisation methods so I can't say if
> this could be exploited to cause a buffer overflow.

> In the meantime, the problem seems to be in io.ml, line 65:

>      Unix.chmod tmp 0o666;

> I've asked upstream if he can see any problems in just removing that
> line.

You probably want some way instead to ensure that such files are created
with 0644 mode if they're system-wide entries created by root; I see
that you've closed this bug with a changelog entry saying to set the
umask, but unless you're also setting the umask at some point there's no
guarantee that the root user's umask is sanely configured, either.

Cheers,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/

Information forwarded to debian-bugs-dist@lists.debian.org, Enrico Zini <enrico@debian.org>:
Bug#325468; Package polygen. Full text and rfc822 format available.

Acknowledgement sent to Enrico Zini <enrico@enricozini.org>:
Extra info received and forwarded to list. Copy sent to Enrico Zini <enrico@debian.org>. Full text and rfc822 format available.

Message #25 received at 325468@bugs.debian.org (full text, mbox):

From: Enrico Zini <enrico@enricozini.org>
To: Steve Langasek <vorlon@debian.org>
Cc: 325468@bugs.debian.org, Justin B Rye <jbr@edlug.org.uk>
Subject: Re: Bug#325468: polygen: ignores umask
Date: Tue, 30 Aug 2005 11:45:14 +0200
On Mon, Aug 29, 2005 at 12:26:09PM -0700, Steve Langasek wrote:

> You probably want some way instead to ensure that such files are created
> with 0644 mode if they're system-wide entries created by root; I see
> that you've closed this bug with a changelog entry saying to set the
> umask, but unless you're also setting the umask at some point there's no
> guarantee that the root user's umask is sanely configured, either.

Gosh, thanks, you are right: I have to set the umask in postinst when
generating the grammar objects.

Actually I've just learnt from upstream that the format of the grammar
objects should be arch-independent, so I intend to update the package to
build the .grm.o at package build time and get rid of the postinst
altogether.

In the meantime, I'm reopening this bug.


Ciao,

Enrico

--
GPG key: 1024D/797EBFAB 2000-12-05 Enrico Zini <enrico@debian.org>

Bug reopened, originator not changed. Request was from Enrico Zini <enrico@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.
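
The point raised in messages #20 and #25, as an added example that is not part of the original thread or of polygen's packaging: a forced chmod 0666 is world-writable under any umask, dropping the chmod only helps when the inherited umask is sane, and pinning the umask at generation time removes that dependency. All function and file names below are hypothetical, and the files are constructed in a scratch directory.

```shell
#!/bin/sh
# Added illustration; the function and file names are hypothetical and are
# not taken from polygen's io.ml or from its maintainer scripts.

# Emulates the reported behaviour: create, then force 0666 (umask ignored).
write_with_forced_0666() {
    : > "$1" && chmod 0666 "$1"
}

# Emulates "just remove the chmod": mode is 0666 & ~(inherited umask).
write_honouring_umask() {
    : > "$1"
}

# Pins the umask in a subshell so the result no longer depends on the caller.
write_with_pinned_umask() {
    ( umask 022 && : > "$1" )
}

# Audit: print every world-writable *.grm.o regular file below directory $1.
find_world_writable() {
    find "$1" -type f -name '*.grm.o' -perm -0002 -print
}

# run_case UMASK DIR: write one file per strategy under the given inherited
# umask and print the basenames the audit flags, sorted, space-separated.
run_case() {
    (
        umask "$1"
        mkdir -p "$2" || exit 1
        write_with_forced_0666 "$2/forced.grm.o"
        write_honouring_umask "$2/inherited.grm.o"
        write_with_pinned_umask "$2/pinned.grm.o"
        find_world_writable "$2" | sed 's|.*/||' | sort | paste -s -d ' ' -
    )
}

# Constructed scenarios in a scratch directory: a sane and a permissive umask.
scratch=$(mktemp -d) || exit 1
echo "inherited umask 022 -> flagged: $(run_case 022 "$scratch/sane")"
echo "inherited umask 000 -> flagged: $(run_case 000 "$scratch/open")"
rm -rf "$scratch"
```

The same `find ... -perm -0002` audit can be pointed at a real data directory to check for files left world-writable by an earlier install.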

Reply sent to Enrico Zini <enrico@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Justin B Rye <jbr@edlug.org.uk>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #32 received at 325468-close@bugs.debian.org (full text, mbox):

From: Enrico Zini <enrico@debian.org>
To: 325468-close@bugs.debian.org
Subject: Bug#325468: fixed in polygen 1.0.6-9
Date: Wed, 31 Aug 2005 05:32:08 -0700
Source: polygen
Source-Version: 1.0.6-9

We believe that the bug you reported is fixed in the latest version of
polygen, which is due to be installed in the Debian FTP archive:

polygen-data_1.0.6-9_all.deb
  to pool/main/p/polygen/polygen-data_1.0.6-9_all.deb
polygen_1.0.6-9.diff.gz
  to pool/main/p/polygen/polygen_1.0.6-9.diff.gz
polygen_1.0.6-9.dsc
  to pool/main/p/polygen/polygen_1.0.6-9.dsc
polygen_1.0.6-9_all.deb
  to pool/main/p/polygen/polygen_1.0.6-9_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 325468@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Enrico Zini <enrico@debian.org> (supplier of updated polygen package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.7
Date: Wed, 31 Aug 2005 13:34:20 +0200
Source: polygen
Binary: polygen-data polygen
Architecture: source all
Version: 1.0.6-9
Distribution: unstable
Urgency: high
Maintainer: Enrico Zini <enrico@debian.org>
Changed-By: Enrico Zini <enrico@debian.org>
Description: 
 polygen    - generator of random sentences from grammar definitions
 polygen-data - grammar definitions for PolyGen
Closes: 325468
Changes: 
 polygen (1.0.6-9) unstable; urgency=high
 .
   * Directly install the .grm.o files built at build time, and remove the need
     for postinst and postrm.  It removes the annoying delays at install time,
     and really closes: #325468.
   * Urgency set to high since we close a security bug (hopefully for real this
     time).
   * Need a postinst to compensate for previously existing broken postrm from
     previous polygens
Files: 
 0fac411f0057bb6e3162451461917bd0 612 games optional polygen_1.0.6-9.dsc
 2e19d5448d27431c92649d2a92df4ea9 4292 games optional polygen_1.0.6-9.diff.gz
 e4d20c44192d2ce6a72cb580a5e61432 86008 games optional polygen_1.0.6-9_all.deb
 3cc8bc7faef0ec100ff298ac2a42a481 1250868 games optional polygen-data_1.0.6-9_all.deb





Tags added: fixed Request was from Enrico Zini <enrico@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 08:30:11 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 12:51:07 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.