Acknowledgement sent to Javier Fernández-Sanguino Peña <jfs@computer.org>:
New Bug report received and forwarded. Copy sent to Alexis Sukrieh <sukria@sukria.net>.
Package: bugzilla
Version: 2.16.7-7sarge1
Priority: critical
Tags: patch sarge woody
I sent this mail to the security team a while back and forwarded it upstream
too. Since this bug is now public
(https://bugzilla.mozilla.org/show_bug.cgi?id=305353), I'm opening up a
ticket in the BTS for easier tracking of this issue. Notice that a DSA fixing
this should also fix #321567.
-------------------------------------------------------------------------
Hi there,
Bugzilla (bugzilla_2.14.2-0woody4 and bugzilla_2.16.7-7sarge1) contains
a script which is used to synchronise the bugzilla user database with
the shadow password database called syncshadowdb. This script is intended
to be run by the Bug Tracking System.
The script uses temporary files in an unsafe way since it selects a
name for the file based on PID and does not make any effort to determine
if the file exists and if it is a symlink. A local user could use this
to direct symlink attacks and overwrite files that the Bug Tracking System
has access to.
The attached (untested) patch, which uses File::Temp, should fix this issue
and prevent any symlink attacks.
Regards
Javier
--- bugzilla-2.16.7/syncshadowdb.orig 2005-08-06 10:49:27.000000000 +0200
+++ bugzilla-2.16.7/syncshadowdb 2005-08-06 11:04:22.000000000 +0200
@@ -23,6 +23,7 @@
use diagnostics;
use strict;
+use File::Temp qw/tempfile/;
use lib '/usr/share/bugzilla/lib';
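Review bot: the second hunk calls `File::Spec->tmpdir`, but this hunk only adds `use File::Temp qw/tempfile/;` and no `use File::Spec;`; that works solely because File::Temp loads File::Spec internally, so add an explicit `use File::Spec;` next to the File::Temp import rather than relying on that side effect.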
@@ -238,7 +239,7 @@
}
Verbose("Locking entire database");
SendSQL($query);
- my $tempfile = "$tempdir/tmpsyncshadow.$$";
+ my ($tfh, $tempfile) = tempfile("syncshadowdb.XXXXX", DIR => File::Spec->tmpdir, UNLINK => 1);
Verbose("Dumping database to a temp file ($tempfile).");
my @ARGS = ("-u", $::db_user);
if ($::db_pass) { push @ARGS, "-p$::db_pass" }
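Review bot: `$tfh` is assigned on the `+` line but never used in this hunk, while the following lines keep referring to the dump file only by `$tempfile`; if the dump is later produced by reopening that path by name (upstream's reply in this thread says that is what happens), the window between `tempfile()` and that reopen is still a symlink race, so the fix needs to write through `$tfh` (or dup it onto the dump command's stdout) and never touch the name again. Two smaller points: dropping `$tempdir` for `File::Spec->tmpdir` silently moves the dump to `$TMPDIR`/`/tmp`, which deserves a changelog line, and a five-`X` template gives a small name space, so use a longer template.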
----- End forwarded message -----
To: Alexis Sukrieh <sukria@sukria.net>, 329387@bugs.debian.org
Cc: team@security.debian.org, frankie@debian.org
Subject: Re: Bug#329387: bugzilla security update for sarge (2.16.7-7sarge2)
Date: Fri, 23 Dec 2005 15:21:58 +0100
* Alexis Sukrieh (sukria@sukria.net) disait :
> I'm the maintainer of the backup manager package.
^^^^^^^^^^^^^^
Of course I was speaking about bugzilla, not backup-manager, sorry!
(Hopefully I'm on holidays this evening ;)
--
Alexis Sukrieh <sukria@sukria.net>
0x1EE5DD34
Debian http://www.debian.org
Backup Manager http://www.backup-manager.org
Information forwarded to debian-bugs-dist@lists.debian.org, Alexis Sukrieh <sukria@sukria.net>: Bug#329387; Package bugzilla.
Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Alexis Sukrieh <sukria@sukria.net>.
Subject: Re: bugzilla security update for sarge (2.16.7-7sarge2)
Date: Fri, 23 Dec 2005 19:22:25 +0100
Alexis Sukrieh wrote:
> Hi,
>
> I'm the maintainer of the backup manager package.
> There are currently one security issue in our sarge package (0.5.7-7sarge1).
>
> I made a package with the patch submitted against the bug #329387 which
> closes the issue.
Umh... I don't have a CVE name to share anymore. Will provide one
when I got a new bunch.
Do you happen to know about the package in woody?
> Can we plan to upload that package to security updates?
Yes. I've copied it into the private security archive.
Next steps:
a) what about woody
b) what about sid
c) release advisory
Regards,
Joey
--
The MS-DOS filesystem is nice for removable media. -- H. Peter Anvin
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#329387; Package bugzilla.
Acknowledgement sent to Alexis Sukrieh <sukria@sukria.net>:
Extra info received and forwarded to list.
Subject: Re: bugzilla security update for sarge (2.16.7-7sarge2)
Date: Sat, 24 Dec 2005 14:05:21 +0100
* Martin Schulze (joey@infodrom.org) disait :
> Do you happen to know about the package in woody?
Well, I don't know. Where can I grab woody's source packages?
> a) what about woody
As soon as I know where to fetch woody's sources, I will tell you.
> b) what about sid
Sid is not affected, the vulnerable script does not exist in the sid
version.
--
Alexis Sukrieh <sukria@sukria.net>
0x1EE5DD34
Debian http://www.debian.org
Backup Manager http://www.backup-manager.org
Information forwarded to debian-bugs-dist@lists.debian.org, Alexis Sukrieh <sukria@sukria.net>: Bug#329387; Package bugzilla.
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Alexis Sukrieh <sukria@sukria.net>.
Subject: Re: bugzilla security update for sarge (2.16.7-7sarge2)
Date: Sat, 24 Dec 2005 14:30:37 +0100
Martin Schulze wrote:
> Yes. I've copied it into the private security archive.
>
> Next steps:
>
> a) what about woody
Woody is vulnerable as well, the vulnerable code is present in
syncshadowdb:164
Alexis, you can download the Woody sources through packages.debian.org.
Cheers,
Moritz
Tags added: security
Request was from Moritz Muehlenhoff <jmm@inutil.org>
to control@bugs.debian.org.
Information forwarded to debian-bugs-dist@lists.debian.org, Alexis Sukrieh <sukria@sukria.net>: Bug#329387; Package bugzilla.
Acknowledgement sent to David Miller <justdave@bugzilla.org>:
Extra info received and forwarded to list. Copy sent to Alexis Sukrieh <sukria@sukria.net>.
Subject: Bugzilla: Unsafe use of temporary files in the syncshadowdb script
Date: Mon, 26 Dec 2005 18:10:52 -0500
FYI, the reporter was mistaken, the upstream bug was NOT public. He
could see it because he reported it. It might as well be now. (I just
removed the security flag from it, so it is indeed public now).
The patch he supplied (while a good start) was stated to be untested,
and we also determined that it did not, in fact, solve the problem
(because it re-opened the file from scratch after creating the secure
temp file, rather than using the handle passed back from File::Temp).
We have an upstream patch ready to go, which was awaiting the 2.16.11
release expected in the next couple weeks. No point in waiting now.
--
Dave Miller http://www.justdave.net/
System Administrator, Mozilla Corporation http://www.mozilla.com/
Project Leader, Bugzilla Bug Tracking System http://www.bugzilla.org/
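The three temp-file patterns this thread discusses, side by side, as an added Perl example that is neither Bugzilla's code nor any patch from this thread: the PID-derived name the original report describes, the first patch's tempfile()-then-reopen pattern that upstream says left the race open, and a version that only ever writes through the handle File::Temp returns (dup'ed onto a child's stdout, as a stand-in for the mysqldump call in the real script). The function names dump_unsafe/dump_reopen/dump_safe, the $tempdir variable, and the dump payload are constructed for the example.

```perl
#!/usr/bin/perl
# Added example, not Bugzilla's code: the temp-file patterns from this thread.
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempfile);

my $tempdir = File::Spec->tmpdir;           # stand-in for the script's $tempdir
my $payload = "-- constructed dump line\n"; # stand-in for mysqldump output

# 1. Vulnerable pattern from the report: name derived from the PID and no
#    exclusive-create check, so open() follows a symlink planted at that name
#    and the payload lands wherever the symlink points.
sub dump_unsafe {
    my $tempfile = "$tempdir/tmpsyncshadow.$$";
    open(my $fh, '>', $tempfile) or die "open $tempfile: $!";
    print {$fh} $payload;
    close $fh;
    return $tempfile;
}

# 2. The first patch's pattern: tempfile() creates the file with O_EXCL and
#    mode 0600, but the handle is dropped and the path is opened again by
#    name, so replacing $tempfile between the two calls wins the race.
sub dump_reopen {
    my ($tfh, $tempfile) =
        tempfile("syncshadowdb.XXXXXXXX", DIR => $tempdir, UNLINK => 1);
    close $tfh;                                                  # secure handle discarded
    open(my $fh, '>', $tempfile) or die "reopen $tempfile: $!";  # race window
    print {$fh} $payload;
    close $fh;
    return $tempfile;
}

# 3. Fixed pattern: every write goes through the handle File::Temp returned,
#    so the name is never trusted again. For an external dumper (mysqldump in
#    the real script) the handle is dup'ed onto the child's STDOUT; here the
#    child is printf, standing in for mysqldump.
sub dump_safe {
    my ($tfh, $tempfile) =
        tempfile("syncshadowdb.XXXXXXXX", DIR => $tempdir, UNLINK => 1);
    defined(my $pid = fork) or die "fork: $!";
    if ($pid == 0) {
        open(STDOUT, '>&', $tfh) or die "dup: $!";
        exec('printf', '%s', $payload) or die "exec: $!";
    }
    waitpid($pid, 0);
    die "dumper exited with status " . ($? >> 8) if $?;
    close $tfh or die "close: $!";
    return $tempfile;
}

# Read a dump back for the self-check below (reading by path is harmless here;
# it is the write side that must not reopen by name).
sub slurp {
    my ($path) = @_;
    open(my $fh, '<', $path) or die "read $path: $!";
    local $/;
    return <$fh>;
}

unless (caller) {
    for my $variant ([unsafe => \&dump_unsafe],
                     [reopen => \&dump_reopen],
                     [safe   => \&dump_safe]) {
        my ($name, $code) = @$variant;
        my $path = $code->();
        printf "%-6s wrote %d bytes to %s\n", $name, length(slurp($path)), $path;
        unlink $path if $name eq 'unsafe';   # the other two are UNLINK => 1
    }
}
```

The difference between dump_reopen and dump_safe is the whole point of upstream's objection: tempfile() guarantees that the file it hands back was created atomically and exclusively, but that guarantee covers only the returned handle, not the name, so any later open() by path must be treated as a fresh, unchecked open.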
Information forwarded to debian-bugs-dist@lists.debian.org, Alexis Sukrieh <sukria@sukria.net>: Bug#329387; Package bugzilla.
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Alexis Sukrieh <sukria@sukria.net>.
Dave,
this has been assigned CVE-2005-4534 by MITRE. Please refer to it
in the 2.16.11 release notes.
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org, Alexis Sukrieh <sukria@sukria.net>: Bug#329387; Package bugzilla.
Acknowledgement sent to David Miller <justdave@bugzilla.org>:
Extra info received and forwarded to list. Copy sent to Alexis Sukrieh <sukria@sukria.net>.
Subject: Re: CVE assignment for syncshadowdb issue
Date: Tue, 27 Dec 2005 21:22:37 -0500
Moritz Muehlenhoff wrote on 12/27/05 8:30 PM:
> this has been assigned CVE-2005-4534 by MITRE. Please refer to it
> in the 2.16.11 release notes.
Thanks! I'm not getting any traction on trying to push a full release
out for this. Seems nobody cares about the 2.16 branch anymore (it's
two stable releases back, and due for EOL on security support by us in a
couple weeks anyway). Or it could be that anyone who cares is still on
Christmas vacation. Anyhow, I'll have an advisory going out in a few
hours which just points at the patch. In reality there's probably very
few sites using this feature. There will be a 2.16.11 release, just not
tonight.
--
Dave Miller http://www.justdave.net/
System Administrator, Mozilla Corporation http://www.mozilla.com/
Project Leader, Bugzilla Bug Tracking System http://www.bugzilla.org/
Information forwarded to debian-bugs-dist@lists.debian.org, Alexis Sukrieh <sukria@sukria.net>: Bug#329387; Package bugzilla.
Acknowledgement sent to David Miller <justdave@bugzilla.org>:
Extra info received and forwarded to list. Copy sent to Alexis Sukrieh <sukria@sukria.net>.
Information forwarded to debian-bugs-dist@lists.debian.org, Alexis Sukrieh <sukria@sukria.net>: Bug#329387; Package bugzilla.
Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Alexis Sukrieh <sukria@sukria.net>.
Cc: Debian Security Team <team@security.debian.org>,
frankie@debian.org, 329387@bugs.debian.org
Subject: Re: bugzilla security update for sarge (2.16.7-7sarge2)
Date: Wed, 11 Jan 2006 19:58:08 +0100
Martin Schulze wrote:
> Alexis Sukrieh wrote:
> > * Martin Schulze (joey@infodrom.org) disait :
> > > Do you happen to know about the package in woody?
Btw. this issue has been assigned CVE-2005-4534, so please add it to the
changelog if you prepare a fixed package for woody as well.
Regards,
Joey
--
Never trust an operating system you don't have source for!
Please always Cc to me when replying to me on the lists.
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#329387; Package bugzilla.
Acknowledgement sent to Alexis Sukrieh <sukria@sukria.net>:
Extra info received and forwarded to list.
Information forwarded to debian-bugs-dist@lists.debian.org, Alexis Sukrieh <sukria@sukria.net>: Bug#329387; Package bugzilla.
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Alexis Sukrieh <sukria@sukria.net>.
Subject: Re: [bugzilla #329387] new sarge package that fixes CVE-2005-4534
Date: Thu, 10 Aug 2006 19:02:52 +0200
Alexis Sukrieh wrote:
> tags 329387 + pending
> thanks
>
> Hello,
>
> I've packaged a new version of bugzilla for closing a security issue
> reported on sarge:
>
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=329387
>
> This package is 2.16.7-7sarge2 and is available here:
>
> http://www.sukria.net/debian/source/bugzilla_2.16.7-7sarge2_i386.changes
> http://www.sukria.net/debian/source/bugzilla_2.16.7-7sarge2.diff.gz
> http://www.sukria.net/debian/source/bugzilla_2.16.7-7sarge2.dsc
> http://www.sukria.net/debian/source/bugzilla_2.16.7.orig.tar.gz
>
> It only provides the upstream patch (backported from 2.16.11) that
> closes that security issue : CVE-2005-4534
>
> If an upload is possible to the security archive, that would be great.
The distribution should be stable-security instead of
testing-proposed-updates. Please also remove all the i18n updates:
jmm@galadriel:~/chroots/sarge/home/jmm$ debdiff bugzilla_2.16.7-7sarge1.dsc bugzilla_2.16.7-7sarge2.dsc | diffstat
debian/changelog | 10 +++
debian/po/ca.po | 144 ++++++++++++++++++++++++----------------------
debian/po/cs.po | 140 ++++++++++++++++++++++++---------------------
debian/po/de.po | 144 ++++++++++++++++++++++++----------------------
debian/po/fr.po | 142 ++++++++++++++++++++++++----------------------
debian/po/ja.po | 142 ++++++++++++++++++++++++----------------------
debian/po/nl.po | 144 ++++++++++++++++++++++++----------------------
debian/po/pt_BR.po | 144 ++++++++++++++++++++++++----------------------
debian/po/templates.pot | 148 ++++++++++++++++++++++++------------------------
syncshadowdb | 12 ++-
The security fix itself is fine.
Cheers,
Moritz
Tags added: pending
Request was from Alexis Sukrieh <sukria@sukria.net>
to control@bugs.debian.org.
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#329387; Package bugzilla.
Acknowledgement sent to Alexis Sukrieh <sukria@sukria.net>:
Extra info received and forwarded to list.
Subject: Re: [bugzilla #329387] new sarge package that fixes CVE-2005-4534
Date: Fri, 11 Aug 2006 21:39:15 +0200
Moritz Muehlenhoff wrote:
> The distribution should be stable-security instead of
> testing-proposed-updates. Please also remove all the i18n updates:
Ok, I'll make a new package with the correct distribution.
The i18n updates are automatically made by the build process, it's only
timestamp updates, how can I safely disable this?
Regards,
Alexis
Information forwarded to debian-bugs-dist@lists.debian.org, Alexis Sukrieh <sukria@sukria.net>: Bug#329387; Package bugzilla.
Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Alexis Sukrieh <sukria@sukria.net>.
Cc: Moritz Muehlenhoff <jmm@inutil.org>, 329387@bugs.debian.org,
team@security.debian.org, frankie@debian.org
Subject: Re: [bugzilla #329387] new sarge package that fixes CVE-2005-4534
Date: Sat, 12 Aug 2006 01:14:45 +0200
Alexis Sukrieh wrote:
> Moritz Muehlenhoff wrote:
> >The distribution should be stable-security instead of
> >testing-proposed-updates. Please also remove all the i18n updates:
>
> Ok, I'll make a new package with the correct distribution.
>
> The i18n updates are automatically made by the build process, it's only
> timestamp updates, how can I safely disable this?
You simply build the source package before you are working on the
binary package and don't build the source package after you've built
the binary packages.
Regards,
Joey
--
Long noun chains don't automatically imply security. -- Bruce Schneier
Please always Cc to me when replying to me on the lists.
Reply sent to Neil McGovern <neilm@debian.org>:
You have taken responsibility.
Notification sent to Javier Fernández-Sanguino Peña <jfs@computer.org>:
Bug acknowledged by developer.