Debian Bug report logs - #334350
flexbackup: CVE-2005-4802: default config insecure temporary file creation

version graph

Package: flexbackup; Maintainer for flexbackup is Kurt B. Kaiser <kbk@shore.net>; Source for flexbackup is src:flexbackup.

Reported by: Anibal Monsalve Salazar <anibal@debian.org>

Date: Mon, 17 Oct 2005 12:18:06 UTC

Severity: grave

Tags: patch, sarge, security

Found in version 1.2.1-2

Fixed in versions 1.2.1-3, flexbackup/1.2.1-2sarge1

Done: kbk@shore.net (Kurt B. Kaiser)

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Brian Bassett <brianb@debian.org>:
Bug#334350; Package flexbackup. Full text and rfc822 format available.

Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
New Bug report received and forwarded. Copy sent to Brian Bassett <brianb@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Florian Weimer <fw@deneb.enyo.de>
To: submit@bugs.debian.org
Subject: flexbackup default config insecure temporary file creation
Date: Mon, 17 Oct 2005 14:06:30 +0200
Package: flexbackup
Severity: grave
Tags: security

"ZATAZ Audits" has published an advisory concerning flexbackup.  Based
on a cursory investigation of the source package, Debian is affected
as well.

From: ZATAZ Audits <exploits@zataz.net>
Subject: [Full-disclosure] flexbackup default config insecure temporary file
	creation
Date: Mon, 17 Oct 2005 10:06:06 +0200
Organization: ZATAZ Audits
Message-ID: <43535B6E.2050005@zataz.net>

#########################################################

flexbackup default config insecure temporary file creation

Vendor: http://flexbackup.sourceforge.net/
Advisory: http://www.zataz.net/adviso/flexbackup-09192005.txt
Vendor informed: yes
Exploit available: yes
Impact : low
Exploitation : low

#########################################################

The vulnerabilities ared due to insecure temporary files creations due 
to a default config.

[...]



Information forwarded to debian-bugs-dist@lists.debian.org, security@debian.org, secure-testing-team@lists.alioth.debian.org, Brian Bassett <brianb@debian.org>:
Bug#334350; Package flexbackup. Full text and rfc822 format available.

Acknowledgement sent to Alec Berryman <alec@thened.net>:
Extra info received and forwarded to list. Copy sent to security@debian.org, secure-testing-team@lists.alioth.debian.org, Brian Bassett <brianb@debian.org>. Full text and rfc822 format available.

Message #10 received at 334350@bugs.debian.org (full text, mbox):

From: Alec Berryman <alec@thened.net>
To: Debian Bug Tracking System <334350@bugs.debian.org>
Subject: fix from Gentoo for "flexbackup default config insecure temporary file creation"
Date: Mon, 15 May 2006 16:01:24 +0100
[Message part 1 (text/plain, inline)]
Package: flexbackup
Followup-For: Bug #334350

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Gentoo has two patches for this issue.  The first [1], attached to bug
#105000 [2], is supposedly from Debian, but was apparently never
uploaded.  The patch reportedly breaks remote backups [3], though, and
bug #116510 [4] has a patch [5] that fixes both the original
vulnerability and the subsequent issues with remote backup.  The second
patch applies cleanly to Debian's version, but I have not tested it.

The second patch is attached unmodified.

[1] http://bugs.gentoo.org/attachment.cgi?id=69694&action=view
[2] http://bugs.gentoo.org/show_bug.cgi?id=105000
[3] http://bugs.gentoo.org/show_bug.cgi?id=105000#c15
[4] http://bugs.gentoo.org/show_bug.cgi?id=116510
[5] http://bugs.gentoo.org/attachment.cgi?id=86773&action=view


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEaJfEAud/2YgchcQRAgvBAJ94NMAlnvYNvVNykdoTB8ftmcfmbACdHBsg
8TsMQ1YhxSSi5H+TAcSSYXQ=
=M/2d
-----END PGP SIGNATURE-----
[334350.diff (text/plain, attachment)]

Tags added: patch Request was from Alec Berryman <alec@thened.net> to control@bugs.debian.org. Full text and rfc822 format available.

Changed Bug title. Request was from Alec Berryman <alec@thened.net> to control@bugs.debian.org. Full text and rfc822 format available.

Reply sent to Anibal Monsalve Salazar <anibal@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Florian Weimer <fw@deneb.enyo.de>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #19 received at 334350-close@bugs.debian.org (full text, mbox):

From: Anibal Monsalve Salazar <anibal@debian.org>
To: 334350-close@bugs.debian.org
Subject: Bug#334350: fixed in flexbackup 1.2.1-3
Date: Sat, 09 Sep 2006 19:32:12 -0700
Source: flexbackup
Source-Version: 1.2.1-3

We believe that the bug you reported is fixed in the latest version of
flexbackup, which is due to be installed in the Debian FTP archive:

flexbackup_1.2.1-3.diff.gz
  to pool/main/f/flexbackup/flexbackup_1.2.1-3.diff.gz
flexbackup_1.2.1-3.dsc
  to pool/main/f/flexbackup/flexbackup_1.2.1-3.dsc
flexbackup_1.2.1-3_all.deb
  to pool/main/f/flexbackup/flexbackup_1.2.1-3_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 334350@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Anibal Monsalve Salazar <anibal@debian.org> (supplier of updated flexbackup package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 10 Sep 2006 11:23:47 +1000
Source: flexbackup
Binary: flexbackup
Architecture: source all
Version: 1.2.1-3
Distribution: unstable
Urgency: high
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Anibal Monsalve Salazar <anibal@debian.org>
Description: 
 flexbackup - Flexible backup tool for small to medium sized installations
Closes: 250615 273750 293884 312259 334350
Changes: 
 flexbackup (1.2.1-3) unstable; urgency=high
 .
   * QA upload.
   * Fixed "CVE-2005-4802: default config insecure temporary file creation".
     Patch by Alec Berryman <alec@thened.net>. Closes: #334350.
   * Fixed "sub backup_dump does not use %path hash for dump". Patch by
     Artem Chuprina <ran@ran.pp.ru>. Closes: #293884.
   * Fixed "flexbackup unable to complete a backup". Patch by
     Jose Luis Fernandez Barros <jlinform@worldonline.es>. Closes: #273750.
   * Fixed man page errors. Closes: #250615, #312259.
   * Fixed the following lintian messages:
     W: out-of-date-standards-version 3.6.1 (current is 3.7.2)
     E: build-depends-indep-should-be-build-depends debhelper
     W: old-fsf-address-in-copyright-file
     E: depends-on-essential-package-without-using-version recommends: tar
Files: 
 fbb3fd9c7ad9a5c33f0080d69aaea4df 575 admin optional flexbackup_1.2.1-3.dsc
 0a99efeb959de0f051dbc2ba51ce29a6 4305 admin optional flexbackup_1.2.1-3.diff.gz
 24034de62ec29936d4e08ef6d9e49563 76160 admin optional flexbackup_1.2.1-3_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFFA3WVipBneRiAKDwRAnTPAJ44m33eVNgaXTP65joXd8uW9BqswgCeNQhR
xoZqtXr2WZ8KbjMOjfljiFc=
=od3E
-----END PGP SIGNATURE-----




Bug reopened, originator set to Anibal Monsalve Salazar <anibal@debian.org>. Request was from Aníbal Monsalve Salazar <anibal@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: sarge Request was from Aníbal Monsalve Salazar <anibal@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#334350; Package flexbackup. Full text and rfc822 format available.

Acknowledgement sent to "Steinar H. Gunderson" <sgunderson@bigfoot.com>:
Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>. Full text and rfc822 format available.

Message #28 received at 334350@bugs.debian.org (full text, mbox):

From: "Steinar H. Gunderson" <sgunderson@bigfoot.com>
To: Aníbal Monsalve Salazar <anibal@debian.org>
Cc: 334350@bugs.debian.org, control@bugs.debian.org
Subject: Re: flexbackup: CVE-2005-4802: default config insecure temporary file creation
Date: Fri, 22 Sep 2006 13:26:05 +0200
found 334350 1.2.1-2
close 334350 1.2.1-3
thanks

On Sun, Sep 10, 2006 at 01:26:21PM +1000, Aníbal Monsalve Salazar wrote:
> reopen 334350 Anibal Monsalve Salazar <anibal@debian.org>
> tags 334350 sarge
> thanks

I'm sorry, but this won't work anymore; if you reopen a bug, you remove all
its version tracking information, and it shows up as applicable to etch and
sid. I'm setting it as found in the stable version and fixed in
testing/unstable; this will mark it as “closed” with the old-style statuses,
but it's still marked as open in stable with the version tracking:

  http://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=flexbackup;dist=stable

HTH :-)

/* Steinar */
-- 
Homepage: http://www.sesse.net/



Bug marked as found in version 1.2.1-2. Request was from "Steinar H. Gunderson" <sgunderson@bigfoot.com> to control@bugs.debian.org. Full text and rfc822 format available.

Bug marked as fixed in version 1.2.1-3, send any further explanations to Anibal Monsalve Salazar <anibal@debian.org> Request was from "Steinar H. Gunderson" <sgunderson@bigfoot.com> to control@bugs.debian.org. Full text and rfc822 format available.

Reply sent to kbk@shore.net (Kurt B. Kaiser):
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Anibal Monsalve Salazar <anibal@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #37 received at 334350-close@bugs.debian.org (full text, mbox):

From: kbk@shore.net (Kurt B. Kaiser)
To: 334350-close@bugs.debian.org
Subject: Bug#334350: fixed in flexbackup 1.2.1-2sarge1
Date: Sat, 17 Feb 2007 12:10:01 +0000
Source: flexbackup
Source-Version: 1.2.1-2sarge1

We believe that the bug you reported is fixed in the latest version of
flexbackup, which is due to be installed in the Debian FTP archive:

flexbackup_1.2.1-2sarge1.diff.gz
  to pool/main/f/flexbackup/flexbackup_1.2.1-2sarge1.diff.gz
flexbackup_1.2.1-2sarge1.dsc
  to pool/main/f/flexbackup/flexbackup_1.2.1-2sarge1.dsc
flexbackup_1.2.1-2sarge1_all.deb
  to pool/main/f/flexbackup/flexbackup_1.2.1-2sarge1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 334350@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Kurt B. Kaiser <kbk@shore.net> (supplier of updated flexbackup package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat,  7 Oct 2006 16:27:37 -0700
Source: flexbackup
Binary: flexbackup
Architecture: source all
Version: 1.2.1-2sarge1
Distribution: stable-security
Urgency: high
Maintainer: Kurt B. Kaiser <kbk@shore.net>
Changed-By: Kurt B. Kaiser <kbk@shore.net>
Description: 
 flexbackup - Flexible backup tool for small to medium sized installations
Closes: 334350
Changes: 
 flexbackup (1.2.1-2sarge1) stable-security; urgency=high
 .
   * Fix RC bug: unsafe use of temp file, CVE-2005-4802.  (Closes: #334350)
     http://bugs.gentoo.org/show_bug.cgi?id=105000
     http://bugs.gentoo.org/show_bug.cgi?id=116510
Files: 
 06539319d0534272e216306562677723 587 admin optional flexbackup_1.2.1-2sarge1.dsc
 4955c89dbee354248f354a9bf0a480dd 80158 admin optional flexbackup_1.2.1.orig.tar.gz
 3365f545bd49464f4e58bacc503f8b28 3546 admin optional flexbackup_1.2.1-2sarge1.diff.gz
 240f8792a65a0d80b8ef85d4343a4827 75836 admin optional flexbackup_1.2.1-2sarge1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFFYNAyXm3vHE4uyloRAvx+AJ9bbMoejBdIRB3IHA191ljBs7OmTwCeI43b
7CQ/3ZMVtoDDZHUhjjTGDQQ=
=dZMt
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Jun 2007 13:46:21 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 08:12:29 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.