Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Arthur Korn <arthur@debian.org>: Bug#332434; Package storebackup.
(full text, mbox, link).
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Arthur Korn <arthur@debian.org>.
(full text, mbox, link).
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: storebackup: Several security problems (already fixed in sid/testing)
Date: Thu, 06 Oct 2005 14:37:30 +0200
Package: storebackup
Version: 1.18.4-2
Severity: grave
Tags: security
Justification: user security hole
Although it's not really mentioned in the changelog storebackup 1.19 fixed
several security problems, which are still present in Sarge, they've been
assigned CAN-2005-3150, CAN-2005-3149 and CAN-2005-3148:
Quoting upstream's changelog:
- uid and gid were not set correctly for symbolic links in the
backups (in the files, not the description of the files)
- check for symbolic links before opening temporary files
- set permissions of backup root directory to 0755
(independent of umask)
- uid and gid were not set correctly for symbolic links when
restoring, instead they were changed in the file where the
symlink pointed to
Cheers,
Moritz
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14-rc1
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
Information forwarded to debian-bugs-dist@lists.debian.org, Arthur Korn <arthur@debian.org>: Bug#332434; Package storebackup.
(full text, mbox, link).
Acknowledgement sent to arthur@korn.ch (Arthur Korn):
Extra info received and forwarded to list. Copy sent to Arthur Korn <arthur@debian.org>.
(full text, mbox, link).
Hi
1.19-1 source and binary packages work on stable, and the
differences to 1.18.4-2 are all local bugfixes, so I figure it
doesn't make any sense to separate bugfixes from bugfixes for a
special security fix for stable. Well, we could split out
storeBackupSync, though that new script is explicitely marked as
experimental.
I don't know the details of the security issues, but might have
some time over the weekend to look at it if needed.
Moritz Muehlenhoff schrieb:
> Package: storebackup
> Version: 1.18.4-2
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Although it's not really mentioned in the changelog storebackup 1.19 fixed
> several security problems, which are still present in Sarge, they've been
> assigned CAN-2005-3150, CAN-2005-3149 and CAN-2005-3148:
>
> Quoting upstream's changelog:
> - uid and gid were not set correctly for symbolic links in the
> backups (in the files, not the description of the files)
> - check for symbolic links before opening temporary files
> - set permissions of backup root directory to 0755
> (independent of umask)
> - uid and gid were not set correctly for symbolic links when
> restoring, instead they were changed in the file where the
> symlink pointed to
ciao, 2ri
--
Information forwarded to debian-bugs-dist@lists.debian.org, Arthur Korn <arthur@debian.org>: Bug#332434; Package storebackup.
(full text, mbox, link).
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Arthur Korn <arthur@debian.org>.
(full text, mbox, link).
Subject: Re: Bug#332434: storebackup: Several security problems (already fixed in sid/testing)
Date: Thu, 6 Oct 2005 18:05:44 +0200
Arthur Korn wrote:
BTW, I made an error in my initial bug report, it's CAN-2005-314[876].
> 1.19-1 source and binary packages work on stable, and the
> differences to 1.18.4-2 are all local bugfixes, so I figure it
> doesn't make any sense to separate bugfixes from bugfixes for a
> special security fix for stable. Well, we could split out
> storeBackupSync, though that new script is explicitely marked as
> experimental.
Security fixes for stable are typically minimal.
> I don't know the details of the security issues, but might have
> some time over the weekend to look at it if needed.
A quick view at the interdiff between 18.4-2 and 19-1 shows
that http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3147
seems fixed by this hunk:
--- storebackup-1.18.4/bin/storeBackup.pl 2004-07-23 05:58:47.000000000 +0200
+++ storebackup-1.19/bin/storeBackup.pl 2005-08-12 21:11:18.000000000 +0200
@@ -3164,6 +3183,7 @@
["cannot create <$aktDir>, exiting"],
'-exit' => 1)
unless (mkdir $aktDir);
+ chmod 0755, $aktDir;
my $chmodDir = $chmodMD5File;
$chmodDir |= 0100 if $chmodDir & 0400;
$chmodDir |= 0010 if $chmodDir & 0040;
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3146
seems fixed by the newly introduced checkDelSymlink() function,
which was added to ten different places in the code (not all of which
might be security sensitive, but at least two operate directly
on temporary files).
I'm not sure about http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3148,
which would require some more studying of the code.
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org, Arthur Korn <arthur@debian.org>: Bug#332434; Package storebackup.
(full text, mbox, link).
Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Arthur Korn <arthur@debian.org>.
(full text, mbox, link).
Cc: Moritz Muehlenhoff <jmm@inutil.org>, 332434@bugs.debian.org,
team@security.debian.org
Subject: Re: Bug#332434: storebackup: Several security problems (already fixed in sid/testing)
Date: Fri, 7 Oct 2005 08:49:59 +0200
Arthur Korn wrote:
> Hi
>
> 1.19-1 source and binary packages work on stable, and the
> differences to 1.18.4-2 are all local bugfixes, so I figure it
> doesn't make any sense to separate bugfixes from bugfixes for a
> special security fix for stable. Well, we could split out
Since the diff between 1.18 and 1.19 is some 1385 lines large, I
have some doubts that it only contains security corrections. Hence,
using the new upstream version does not look like the way to go.
Regards,
Joey
--
Everybody talks about it, but nobody does anything about it! -- Mark Twain
Information forwarded to debian-bugs-dist@lists.debian.org, Arthur Korn <arthur@debian.org>: Bug#332434; Package storebackup.
(full text, mbox, link).
Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Arthur Korn <arthur@debian.org>.
(full text, mbox, link).
Moritz Muehlenhoff wrote:
> > 1.19-1 source and binary packages work on stable, and the
> > differences to 1.18.4-2 are all local bugfixes, so I figure it
> > doesn't make any sense to separate bugfixes from bugfixes for a
> > special security fix for stable. Well, we could split out
> > storeBackupSync, though that new script is explicitely marked as
> > experimental.
>
> Security fixes for stable are typically minimal.
I've extracted the patches from the new upstream version.
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3146
> seems fixed by the newly introduced checkDelSymlink() function,
> which was added to ten different places in the code (not all of which
> might be security sensitive, but at least two operate directly
> on temporary files).
This does not eliminate the vulnerability but only shortens the vulnerable
window. An attacker can still re-create the link between the unlink()
and the open() calls. The proper action would be to use File::Temp
or something similar.
> I'm not sure about http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3148,
> which would require some more studying of the code.
It's the chown call.
It seems that the old version executed "chown uid gid link" which doesn't
work. The new version executes "chown -h uid:gid link". My manpage doesn't
document -h though.
Regards,
Joey
--
Everybody talks about it, but nobody does anything about it! -- Mark Twain
Please always Cc to me when replying to me on the lists.
Information forwarded to debian-bugs-dist@lists.debian.org, Arthur Korn <arthur@debian.org>: Bug#332434; Package storebackup.
(full text, mbox, link).
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Arthur Korn <arthur@debian.org>.
(full text, mbox, link).
Cc: Arthur Korn <arthur@korn.ch>, 332434@bugs.debian.org,
team@security.debian.org
Subject: Re: Bug#332434: storebackup: Several security problems (already fixed in sid/testing)
Date: Fri, 7 Oct 2005 10:48:02 +0200
Martin Schulze wrote:
> > I'm not sure about http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3148,
> > which would require some more studying of the code.
>
> It's the chown call.
>
> It seems that the old version executed "chown uid gid link" which doesn't
> work. The new version executes "chown -h uid:gid link". My manpage doesn't
> document -h though.
Sounds correct, my manpage says:
-h, --no-dereference
affect each symbolic link instead of any referenced file (useful only on
systems that can change the ownership of a symlink)
However, I think that this hunk is missing for CAN-2005-3148:
diff -Naur storebackup-1.18.4/bin/storeBackupRecover.pl storebackup-1.19/bin/storeBackupRecover.pl
--- storebackup-1.18.4/bin/storeBackupRecover.pl 2005-10-06 17:37:09.000000000 +0200
+++ storebackup-1.19/bin/storeBackupRecover.pl 2005-10-06 17:36:32.000000000 +0200
@@ -364,7 +371,7 @@
# geaendert, sondern die Datei, auf die er verweist.
# (dann muss lchown genommen werden -> Inkompatibilitaeten!?)
my $chown = forkProc->new('-exec' => 'chown',
- '-param' => [$uid, $gid,
+ '-param' => ['-h', "$uid:$gid",
"$targetFile"],
'-outRandom' => "$tmpdir/chown-",
'-prLog' => $prLog);
Otherwise permissions might be incorrectly restored.
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org, Arthur Korn <arthur@debian.org>: Bug#332434; Package storebackup.
(full text, mbox, link).
Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Arthur Korn <arthur@debian.org>.
(full text, mbox, link).
Cc: Arthur Korn <arthur@korn.ch>, 332434@bugs.debian.org,
team@security.debian.org
Subject: Re: Bug#332434: storebackup: Several security problems (already fixed in sid/testing)
Date: Fri, 7 Oct 2005 11:48:04 +0200
Moritz Muehlenhoff wrote:
> Sounds correct, my manpage says:
> -h, --no-dereference
> affect each symbolic link instead of any referenced file (useful only on
> systems that can change the ownership of a symlink)
>
> However, I think that this hunk is missing for CAN-2005-3148:
>
> diff -Naur storebackup-1.18.4/bin/storeBackupRecover.pl storebackup-1.19/bin/storeBackupRecover.pl
> --- storebackup-1.18.4/bin/storeBackupRecover.pl 2005-10-06 17:37:09.000000000 +0200
> +++ storebackup-1.19/bin/storeBackupRecover.pl 2005-10-06 17:36:32.000000000 +0200
> @@ -364,7 +371,7 @@
> # geaendert, sondern die Datei, auf die er verweist.
> # (dann muss lchown genommen werden -> Inkompatibilitaeten!?)
> my $chown = forkProc->new('-exec' => 'chown',
> - '-param' => [$uid, $gid,
> + '-param' => ['-h', "$uid:$gid",
> "$targetFile"],
> '-outRandom' => "$tmpdir/chown-",
> '-prLog' => $prLog);
>
> Otherwise permissions might be incorrectly restored.
Oops, indeed. Thanks.
Regards,
Joey
--
Everybody talks about it, but nobody does anything about it! -- Mark Twain
Information forwarded to debian-bugs-dist@lists.debian.org, Arthur Korn <arthur@debian.org>: Bug#332434; Package storebackup.
(full text, mbox, link).
Acknowledgement sent to "Arthur Korn" <arthur@korn.ch>:
Extra info received and forwarded to list. Copy sent to Arthur Korn <arthur@debian.org>.
(full text, mbox, link).
Hi
Martin Schulze schrieb:
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3146
> > seems fixed by the newly introduced checkDelSymlink() function,
> > which was added to ten different places in the code (not all of which
> > might be security sensitive, but at least two operate directly
> > on temporary files).
>
> This does not eliminate the vulnerability but only shortens the vulnerable
> window. An attacker can still re-create the link between the unlink()
> and the open() calls. The proper action would be to use File::Temp
> or something similar.
Though the whole passing around temporary file names and
reopening them in another function seems broken to me, see
-outRandom and others. Searching for uses of $tmpdir in
StoreBackup.pl and reveals a dozend or so places where filenames
in /tmp are passed to functions which then open them writable
without any checks (though with randomized suffixes). Some of
these files are then opened again later. I'm not competent on
this whole tempfile race issue but I don't like this.
I'm now building a 1.18 package for stable with your fixes, one
day I have to replace the filename passing stuff by filehandle
passing, but this will happen in a current version.
Shall I build a deb with your patches for you?
regards, 2ri
--
Secure email, spread GPG, clearsign all mail. http://www.gnupg.org
.
Reality is that which, when you stop believing in it, doesn't go away.
-- Philip K. Dick
Version: 0.1.19-1
--
Secure email, spread GPG, clearsign all mail. http://www.gnupg.org
.
Education is what remains after one has forgotten everything he
learned in school.
-- A. Einstein
Reply sent to "Steinar H. Gunderson" <sgunderson@bigfoot.com>:
You have taken responsibility.
(full text, mbox, link).
Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer.
(full text, mbox, link).
From: "Steinar H. Gunderson" <sgunderson@bigfoot.com>
To: Arthur Korn <arthur@korn.ch>
Cc: 332434-done@bugs.debian.org
Subject: Re: been fixed in 0.1.19-1
Date: Mon, 19 Jun 2006 01:49:34 +0200
Version: 1.19-1
On Mon, Jan 09, 2006 at 07:08:24PM +0100, Arthur Korn wrote:
> Version: 0.1.19-1
I assume you meant 1.19-1. Closing, so it doesn't show up for etch/sid.
/* Steinar */
--
Homepage: http://www.sesse.net/
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 25 Jun 2007 04:24:33 GMT) (full text, mbox, link).
Debbugs is free software and licensed under the terms of the GNU General
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.