Debian Bug report logs - #332434
storebackup: Several security problems (already fixed in sid/testing)

Package: storebackup; Maintainer for storebackup is Debian QA Group <packages@qa.debian.org>; Source for storebackup is src:storebackup.

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Thu, 6 Oct 2005 13:18:07 UTC

Severity: grave

Tags: security

Found in version storebackup/1.18.4-2

Fixed in versions 0.1.19-1, 1.19-1

Done: "Steinar H. Gunderson" <sgunderson@bigfoot.com>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Arthur Korn <arthur@debian.org>:
Bug#332434; Package storebackup.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Arthur Korn <arthur@debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: storebackup: Several security problems (already fixed in sid/testing)
Date: Thu, 06 Oct 2005 14:37:30 +0200
Package: storebackup
Version: 1.18.4-2
Severity: grave
Tags: security
Justification: user security hole

Although it's not really mentioned in the changelog storebackup 1.19 fixed
several security problems, which are still present in Sarge, they've been
assigned CAN-2005-3150, CAN-2005-3149 and CAN-2005-3148:

Quoting upstream's changelog:
- uid and gid were not set correctly for symbolic links in the
  backups (in the files, not the description of the files)
- check for symbolic links before opening temporary files
- set permissions of backup root directory to 0755
  (independent of umask)
- uid and gid were not set correctly for symbolic links when
  restoring, instead they were changed in the file where the
  symlink pointed to

Cheers,
        Moritz

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14-rc1
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)



Information forwarded to debian-bugs-dist@lists.debian.org, Arthur Korn <arthur@debian.org>:
Bug#332434; Package storebackup.

Acknowledgement sent to arthur@korn.ch (Arthur Korn):
Extra info received and forwarded to list. Copy sent to Arthur Korn <arthur@debian.org>.

Message #10 received at 332434@bugs.debian.org:

From: arthur@korn.ch (Arthur Korn)
To: Moritz Muehlenhoff <jmm@inutil.org>, 332434@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#332434: storebackup: Several security problems (already fixed in sid/testing)
Date: Thu, 6 Oct 2005 17:17:48 +0200
Hi

1.19-1 source and binary packages work on stable, and the
differences to 1.18.4-2 are all local bugfixes, so I figure it
doesn't make any sense to separate bugfixes from bugfixes for a
special security fix for stable. Well, we could split out
storeBackupSync, though that new script is explicitly marked as
experimental.

I don't know the details of the security issues, but might have
some time over the weekend to look at it if needed.

Moritz Muehlenhoff schrieb:
> Package: storebackup
> Version: 1.18.4-2
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> Although it's not really mentioned in the changelog storebackup 1.19 fixed
> several security problems, which are still present in Sarge, they've been
> assigned CAN-2005-3150, CAN-2005-3149 and CAN-2005-3148:
> 
> Quoting upstream's changelog:
> - uid and gid were not set correctly for symbolic links in the
>   backups (in the files, not the description of the files)
> - check for symbolic links before opening temporary files
> - set permissions of backup root directory to 0755
>   (independent of umask)
> - uid and gid were not set correctly for symbolic links when
>   restoring, instead they were changed in the file where the
>   symlink pointed to

ciao, 2ri
-- 

Information forwarded to debian-bugs-dist@lists.debian.org, Arthur Korn <arthur@debian.org>:
Bug#332434; Package storebackup.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Arthur Korn <arthur@debian.org>.

Message #15 received at 332434@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Arthur Korn <arthur@korn.ch>
Cc: 332434@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#332434: storebackup: Several security problems (already fixed in sid/testing)
Date: Thu, 6 Oct 2005 18:05:44 +0200
Arthur Korn wrote:

BTW, I made an error in my initial bug report, it's CAN-2005-314[876].

> 1.19-1 source and binary packages work on stable, and the
> differences to 1.18.4-2 are all local bugfixes, so I figure it
> doesn't make any sense to separate bugfixes from bugfixes for a
> special security fix for stable. Well, we could split out
> storeBackupSync, though that new script is explicitly marked as
> experimental.

Security fixes for stable are typically minimal.
 
> I don't know the details of the security issues, but might have
> some time over the weekend to look at it if needed.

A quick view at the interdiff between 18.4-2 and 19-1 shows
that http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3147
seems fixed by this hunk:

--- storebackup-1.18.4/bin/storeBackup.pl       2004-07-23 05:58:47.000000000 +0200
+++ storebackup-1.19/bin/storeBackup.pl 2005-08-12 21:11:18.000000000 +0200
@@ -3164,6 +3183,7 @@
                  ["cannot create <$aktDir>, exiting"],
                  '-exit' => 1)
        unless (mkdir $aktDir);
+    chmod 0755, $aktDir;
     my $chmodDir = $chmodMD5File;
     $chmodDir |= 0100 if $chmodDir & 0400;
     $chmodDir |= 0010 if $chmodDir & 0040;
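Review bot: the added `chmod 0755, $aktDir;` never checks its return value, while the `mkdir` immediately above it exits on failure; if the chmod fails the backup root silently keeps whatever mode the umask produced, which is exactly what the fix is meant to override. Suggest `chmod(0755, $aktDir) == 1 or ...` with the same `-exit` error path as the mkdir. Note also that the directory is created with the umask-derived mode first and only tightened afterwards, so under a permissive umask it is briefly wider than 0755; since mkdir(2) masks the requested mode with the umask as well, the way to avoid that window is to set umask locally around the mkdir rather than to chmod afterwards.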

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3146
seems fixed by the newly introduced checkDelSymlink() function,
which was added to ten different places in the code (not all of which
might be security sensitive, but at least two operate directly
on temporary files).
 
I'm not sure about http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3148,
which would require some more studying of the code.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Arthur Korn <arthur@debian.org>:
Bug#332434; Package storebackup.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Arthur Korn <arthur@debian.org>.

Message #20 received at 332434@bugs.debian.org:

From: Martin Schulze <joey@infodrom.org>
To: Arthur Korn <arthur@korn.ch>
Cc: Moritz Muehlenhoff <jmm@inutil.org>, 332434@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#332434: storebackup: Several security problems (already fixed in sid/testing)
Date: Fri, 7 Oct 2005 08:49:59 +0200
Arthur Korn wrote:
> Hi
> 
> 1.19-1 source and binary packages work on stable, and the
> differences to 1.18.4-2 are all local bugfixes, so I figure it
> doesn't make any sense to separate bugfixes from bugfixes for a
> special security fix for stable. Well, we could split out

Since the diff between 1.18 and 1.19 is some 1385 lines large, I
have some doubts that it only contains security corrections.  Hence,
using the new upstream version does not look like the way to go.

Regards,

	Joey

-- 
Everybody talks about it, but nobody does anything about it!  -- Mark Twain



Information forwarded to debian-bugs-dist@lists.debian.org, Arthur Korn <arthur@debian.org>:
Bug#332434; Package storebackup.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Arthur Korn <arthur@debian.org>.

Message #25 received at 332434@bugs.debian.org:

From: Martin Schulze <joey@infodrom.org>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: Arthur Korn <arthur@korn.ch>, 332434@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#332434: storebackup: Several security problems (already fixed in sid/testing)
Date: Fri, 7 Oct 2005 10:01:05 +0200
Moritz Muehlenhoff wrote:
> > 1.19-1 source and binary packages work on stable, and the
> > differences to 1.18.4-2 are all local bugfixes, so I figure it
> > doesn't make any sense to separate bugfixes from bugfixes for a
> > special security fix for stable. Well, we could split out
> > storeBackupSync, though that new script is explicitly marked as
> > experimental.
> 
> Security fixes for stable are typically minimal.

I've extracted the patches from the new upstream version.

> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3146
> seems fixed by the newly introduced checkDelSymlink() function,
> which was added to ten different places in the code (not all of which
> might be security sensitive, but at least two operate directly
> on temporary files).

This does not eliminate the vulnerability but only shortens the vulnerable
window.  An attacker can still re-create the link between the unlink()
and the open() calls.  The proper action would be to use File::Temp
or something similar.

> I'm not sure about http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3148,
> which would require some more studying of the code.

It's the chown call.

It seems that the old version executed "chown uid gid link" which doesn't
work.  The new version executes "chown -h uid:gid link".  My manpage doesn't
document -h though.

Regards,

	Joey

-- 
Everybody talks about it, but nobody does anything about it!  -- Mark Twain

Please always Cc to me when replying to me on the lists.
[patch.CAN-2005-3146.storebackup (text/plain, attachment)]
[patch.CAN-2005-3147.storebackup (text/plain, attachment)]
[patch.CAN-2005-3148.storebackup (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Arthur Korn <arthur@debian.org>:
Bug#332434; Package storebackup.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Arthur Korn <arthur@debian.org>.

Message #30 received at 332434@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Martin Schulze <joey@infodrom.org>
Cc: Arthur Korn <arthur@korn.ch>, 332434@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#332434: storebackup: Several security problems (already fixed in sid/testing)
Date: Fri, 7 Oct 2005 10:48:02 +0200
Martin Schulze wrote:
> > I'm not sure about http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3148,
> > which would require some more studying of the code.
> 
> It's the chown call.
> 
> It seems that the old version executed "chown uid gid link" which doesn't
> work.  The new version executes "chown -h uid:gid link".  My manpage doesn't
> document -h though.

Sounds correct, my manpage says:
-h, --no-dereference
    affect each symbolic link instead of any referenced file (useful only on
    systems that can change the ownership of a symlink)

However, I think that this hunk is missing for CAN-2005-3148:

diff -Naur storebackup-1.18.4/bin/storeBackupRecover.pl storebackup-1.19/bin/storeBackupRecover.pl
--- storebackup-1.18.4/bin/storeBackupRecover.pl        2005-10-06 17:37:09.000000000 +0200
+++ storebackup-1.19/bin/storeBackupRecover.pl  2005-10-06 17:36:32.000000000 +0200
@@ -364,7 +371,7 @@
                # geaendert, sondern die Datei, auf die er verweist.
                # (dann muss lchown genommen werden -> Inkompatibilitaeten!?)
                my $chown = forkProc->new('-exec' => 'chown',
-                                         '-param' => [$uid, $gid,
+                                         '-param' => ['-h', "$uid:$gid",
                                                       "$targetFile"],
                                          '-outRandom' => "$tmpdir/chown-",
                                          '-prLog' => $prLog);
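Review bot: the `-h` on the line `'-param' => ['-h', "$uid:$gid",` is a GNU coreutils extension (the thread itself notes that one manpage does not document it), and the German comment two lines above records that lchown would be the direct fix but was avoided over portability worries; `-h` carries the same portability caveat, so the dependency on a chown(1) that supports it should be documented or probed once at start-up with a clear error, rather than failing per file during a restore. Passing `'--'` before `"$targetFile"` would also keep a restored name that begins with `-` from being parsed as an option.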

Otherwise permissions might be incorrectly restored. 

Cheers,
        Moritz
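The chown behaviour discussed above, as an added example in Perl that is not code from storeBackupRecover.pl: Perl's builtin chown() calls chown(2), which follows symlinks, so a restore routine needs a different path for symlink entries, and the ownership it verifies afterwards must come from lstat rather than stat. The example assumes a GNU coreutils chown that supports -h; the function names and the constructed file and symlink are mine. Without root it can only set ownership to the caller's own uid and gid, but the calls and the check are the ones a real restore would make.

```perl
#!/usr/bin/perl
# Added example, not storeBackup code: restore owner/group of a backup entry
# and verify it on the entry itself, not on whatever a symlink points to.
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);

# Perl's chown() follows symlinks (it is chown(2)), which is the behaviour
# behind CAN-2005-3148. For symlinks we run chown(1) with -h, a GNU coreutils
# option (assumption: a chown that supports it is installed). The list form
# of system() means the path is never interpreted by a shell, and '--' stops
# a restored name beginning with '-' from being read as an option.
sub restore_owner {
    my ($path, $uid, $gid) = @_;
    if (-l $path) {
        return system('chown', '-h', "$uid:$gid", '--', $path) == 0;
    }
    return chown($uid, $gid, $path) == 1;
}

# Ownership as recorded on the entry itself. stat() would report the target.
sub owner_of {
    my ($path) = @_;
    my @st = lstat($path) or return;
    return ($st[4], $st[5]);
}

# True if the entry (not its target) now carries the expected owner/group.
sub verify_owner {
    my ($path, $uid, $gid) = @_;
    my ($u, $g) = owner_of($path);
    return defined $u && $u == $uid && $g == $gid;
}

# Constructed demo in a private directory: a regular file and a symlink to it.
my $dir    = tempdir(CLEANUP => 1);
my $target = File::Spec->catfile($dir, 'data');
my $link   = File::Spec->catfile($dir, 'data-link');
open(my $fh, '>', $target) or die "$target: $!";
close $fh;
symlink($target, $link) or die "symlink: $!";

# Unprivileged run: "restore" to our own real uid and primary gid.
my $uid = $<;
my $gid = (getpwuid($uid))[3];

for my $p ($target, $link) {
    my $ok   = restore_owner($p, $uid, $gid);
    my $good = verify_owner($p, $uid, $gid);
    my ($u, $g) = owner_of($p);
    printf "%-10s symlink=%-3s restore=%-6s lstat owner=%d:%d verified=%s\n",
        (File::Spec->splitpath($p))[2], (-l $p ? 'yes' : 'no'),
        ($ok ? 'ok' : 'failed'), $u, $g, ($good ? 'yes' : 'no');
}
```

The split in restore_owner is the important part: every call site that restores an entry has to know whether it is a symlink, because the same uid and gid applied through chown() would land on the link target instead, which for a restore run as root means changing ownership of an arbitrary existing file.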



Information forwarded to debian-bugs-dist@lists.debian.org, Arthur Korn <arthur@debian.org>:
Bug#332434; Package storebackup.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Arthur Korn <arthur@debian.org>.

Message #35 received at 332434@bugs.debian.org:

From: Martin Schulze <joey@infodrom.org>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: Arthur Korn <arthur@korn.ch>, 332434@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#332434: storebackup: Several security problems (already fixed in sid/testing)
Date: Fri, 7 Oct 2005 11:48:04 +0200
Moritz Muehlenhoff wrote:
> Sounds correct, my manpage says:
> -h, --no-dereference
>     affect each symbolic link instead of any referenced file (useful only on
>     systems that can change the ownership of a symlink)
> 
> However, I think that this hunk is missing for CAN-2005-3148:
> 
> diff -Naur storebackup-1.18.4/bin/storeBackupRecover.pl storebackup-1.19/bin/storeBackupRecover.pl
> --- storebackup-1.18.4/bin/storeBackupRecover.pl        2005-10-06 17:37:09.000000000 +0200
> +++ storebackup-1.19/bin/storeBackupRecover.pl  2005-10-06 17:36:32.000000000 +0200
> @@ -364,7 +371,7 @@
>                 # geaendert, sondern die Datei, auf die er verweist.
>                 # (dann muss lchown genommen werden -> Inkompatibilitaeten!?)
>                 my $chown = forkProc->new('-exec' => 'chown',
> -                                         '-param' => [$uid, $gid,
> +                                         '-param' => ['-h', "$uid:$gid",
>                                                        "$targetFile"],
>                                           '-outRandom' => "$tmpdir/chown-",
>                                           '-prLog' => $prLog);
> 
> Otherwise permissions might be incorrectly restored. 

Oops, indeed.  Thanks.

Regards,

	Joey

-- 
Everybody talks about it, but nobody does anything about it!  -- Mark Twain



Information forwarded to debian-bugs-dist@lists.debian.org, Arthur Korn <arthur@debian.org>:
Bug#332434; Package storebackup.

Acknowledgement sent to "Arthur Korn" <arthur@korn.ch>:
Extra info received and forwarded to list. Copy sent to Arthur Korn <arthur@debian.org>.

Message #40 received at 332434@bugs.debian.org:

From: "Arthur Korn" <arthur@korn.ch>
To: Martin Schulze <joey@infodrom.org>
Cc: Moritz Muehlenhoff <jmm@inutil.org>, 332434@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#332434: storebackup: Several security problems (already fixed in sid/testing)
Date: Sat, 29 Oct 2005 17:01:42 +0200
Hi

Martin Schulze schrieb:
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3146
> > seems fixed by the newly introduced checkDelSymlink() function,
> > which was added to ten different places in the code (not all of which
> > might be security sensitive, but at least two operate directly
> > on temporary files).
> 
> This does not eliminate the vulnerability but only shortens the vulnerable
> window.  An attacker can still re-create the link between the unlink()
> and the open() calls.  The proper action would be to use File::Temp
> or something similar.

Though the whole passing around temporary file names and
reopening them in another function seems broken to me, see
-outRandom and others. Searching for uses of $tmpdir in
StoreBackup.pl reveals a dozen or so places where filenames
in /tmp are passed to functions which then open them writable
without any checks (though with randomized suffixes). Some of
these files are then opened again later. I'm not competent on
this whole tempfile race issue but I don't like this.

I'm now building a 1.18 package for stable with your fixes, one
day I have to replace the filename passing stuff by filehandle
passing, but this will happen in a current version.

Shall I build a deb with your patches for you?

regards, 2ri
-- 
Secure email, spread GPG, clearsign all mail. http://www.gnupg.org
.
Reality is that which, when you stop believing in it, doesn't go away.
 -- Philip K. Dick
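The temporary-file race Joey describes in message #25 and the filename-versus-filehandle passing Arthur raises in message #40, as an added Perl example that is not part of storeBackup: the check-then-open pattern the thread attributes to checkDelSymlink() is shown as a hypothetical stand-in (racy_open, my name, not the project's function), beside two ways of removing the window, an O_CREAT|O_EXCL|O_NOFOLLOW open on a fixed name and File::Temp, which both picks an unpredictable name and opens it atomically. The tmpdir comes from File::Spec and the symlink in the demo is constructed.

```perl
#!/usr/bin/perl
# Added example, not code from storeBackup: the check-then-open pattern
# described in the thread beside two alternatives that close the window.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL O_NOFOLLOW);
use File::Temp qw(tempfile);
use File::Spec;

# Hypothetical stand-in for the checkDelSymlink() approach: look, unlink if it
# is a symlink, then open. Nothing stops the name from being re-linked between
# the unlink() and the open(), and open(">") follows symlinks. Shown only for
# contrast; it is not called below.
sub racy_open {
    my ($path) = @_;
    unlink $path or die "cannot unlink $path: $!" if -l $path;
    open(my $fh, '>', $path) or die "cannot open $path: $!";
    return $fh;
}

# Fixed name, but atomic: O_EXCL makes open(2) fail if anything, a symlink
# included, already exists at $path, and O_NOFOLLOW refuses to follow one.
# Returns a handle, or undef with $! set.
sub exclusive_open {
    my ($path) = @_;
    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600)
        or return undef;
    return $fh;
}

# What the thread recommends: let File::Temp choose an unpredictable name and
# create the file with O_CREAT|O_EXCL itself. Callers receive the handle, so
# there is no later second open() by name (the "filehandle passing" idea).
sub safe_tempfile {
    my ($tmpdir, $prefix) = @_;
    my ($fh, $name) = tempfile("${prefix}XXXXXXXX", DIR => $tmpdir, UNLINK => 1);
    return ($fh, $name);
}

my $tmpdir = File::Spec->tmpdir();

my ($fh, $name) = safe_tempfile($tmpdir, 'chown-');
print {$fh} "command output would be written here\n";
close $fh or die "close: $!";
print "File::Temp created $name atomically\n";

# Constructed scenario: a symlink already sits where a predictable temp file
# name would be created. exclusive_open() must refuse it rather than write
# through it.
my $link = File::Spec->catfile($tmpdir, "predictable-$$.tmp");
symlink(File::Spec->catfile($tmpdir, "elsewhere-$$"), $link)
    or die "symlink: $!";
if (my $h = exclusive_open($link)) {
    close $h;
    print "unexpected: opened through the symlink\n";
} else {
    print "exclusive_open refused $link: $!\n";
}
unlink $link;
```

The difference between the three routines is where the decision is made: racy_open decides in user space and then asks the kernel to open, leaving a gap; exclusive_open and File::Temp make the kernel decide in the single open(2) call, so there is no state to race against. Handing the handle to the consumer, as safe_tempfile does, also removes the pattern Arthur describes of a second function re-opening the name with no checks at all.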

Reply sent to arthur@korn.ch (Arthur Korn):
You have taken responsibility.

Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer.

Message #45 received at 332434-done@bugs.debian.org:

From: arthur@korn.ch (Arthur Korn)
To: 332434-done@bugs.debian.org
Subject: been fixed in 0.1.19-1
Date: Mon, 9 Jan 2006 19:08:24 +0100
Version: 0.1.19-1


-- 
Secure email, spread GPG, clearsign all mail. http://www.gnupg.org
.
Education is what remains after one has forgotten everything he 
learned in school.
 -- A. Einstein



Reply sent to "Steinar H. Gunderson" <sgunderson@bigfoot.com>:
You have taken responsibility.

Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer.

Message #50 received at 332434-done@bugs.debian.org:

From: "Steinar H. Gunderson" <sgunderson@bigfoot.com>
To: Arthur Korn <arthur@korn.ch>
Cc: 332434-done@bugs.debian.org
Subject: Re: been fixed in 0.1.19-1
Date: Mon, 19 Jun 2006 01:49:34 +0200
Version: 1.19-1

On Mon, Jan 09, 2006 at 07:08:24PM +0100, Arthur Korn wrote:
> Version: 0.1.19-1

I assume you meant 1.19-1. Closing, so it doesn't show up for etch/sid.

/* Steinar */
-- 
Homepage: http://www.sesse.net/



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Jun 2007 04:24:33 GMT)

