Debian Bug report logs - #396277
allows creating any file as root

Package: thttpd; Maintainer for thttpd is Debian QA Group <packages@qa.debian.org>;

Reported by: Marco d'Itri <md@linux.it>

Date: Mon, 30 Oct 2006 22:18:17 UTC

Severity: grave

Tags: security

Merged with 216554

Found in version 2.21b-11

Fixed in versions 2.23beta1-5, thttpd/2.23beta1-5

Done: Daniel Baumann <daniel@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, md@linux.it, Debian Security Team <team@security.debian.org>, Daniel Baumann <daniel.baumann@panthera-systems.net>:
Bug#396277; Package thttpd. Full text and rfc822 format available.

Acknowledgement sent to Marco d'Itri <md@linux.it>:
New Bug report received and forwarded. Copy sent to md@linux.it, Debian Security Team <team@security.debian.org>, Daniel Baumann <daniel.baumann@panthera-systems.net>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Marco d'Itri <md@linux.it>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: allows creating any file as root
Date: Mon, 30 Oct 2006 22:56:28 +0100
[Message part 1 (text/plain, inline)]
Package: thttpd
Severity: grave
Tags: security

Insecure use of /tmp in /etc/logrotate.d/thttpd:

        if pidof thttpd 2>&1 > /dev/null; then
            touch /tmp/start_thttpd
        fi

By creating a /tmp/start_thttpd symlink a local attacker will be able to
create/touch any file as root.

-- 
ciao,
Marco
[signature.asc (application/pgp-signature, inline)]
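
An audit check for the pattern reported above, as an added example that is not part of the original report or of the thttpd package: it flags lines inside logrotate script blocks that name a path under /tmp, /var/tmp or /dev/shm. The function names are hypothetical, and the sample input is constructed from the script bodies quoted in this report and in the patch later in the thread; the log path on its first line is a placeholder.

```shell
# scan_logrotate DIR: print "file:line: text" for every line inside a
# prerotate/postrotate/firstaction/lastaction block that names a path
# under /tmp, /var/tmp or /dev/shm.
scan_logrotate() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        awk -v file="$f" '
            BEGIN { pat = "(^|[^A-Za-z0-9_./-])/(tmp|var/tmp|dev/shm)/" }
            /^[ \t]*(prerotate|postrotate|firstaction|lastaction)[ \t]*$/ { s = 1; next }
            /^[ \t]*endscript[ \t]*$/ { s = 0; next }
            s && $0 ~ pat { sub(/^[ \t]+/, ""); print file ":" FNR ": " $0 }
        ' "$f"
    done
}

# write_samples DIR: constructed test input. The script bodies are the
# before/after stanzas from the patch in this report; the log path on
# the first line is a placeholder, since the page does not show it.
write_samples() {
    cat > "$1/thttpd.before" <<'EOF'
/var/log/thttpd.log {
    prerotate
       if pidof thttpd 2>&1 > /dev/null; then
           touch /tmp/start_thttpd
       fi
    endscript
    postrotate
       if [ -f /tmp/start_thttpd ]; then
           /etc/init.d/thttpd restart 2>&1 > /dev/null
           rm -f /tmp/start_thttpd
       fi
    endscript
}
EOF
    cat > "$1/thttpd.after" <<'EOF'
/var/log/thttpd.log {
    postrotate
        if [ -f /var/run/thttpd.pid ]; then
           /etc/init.d/thttpd restart 2>&1 > /dev/null
        fi
    endscript
}
EOF
}

# Stand-alone demo on the constructed samples.
demo_dir=$(mktemp -d) && write_samples "$demo_dir" && scan_logrotate "$demo_dir"
rm -rf "$demo_dir"
```

On a real system the directory to pass is /etc/logrotate.d; the redirections to /dev/null are not flagged because only the three world-writable directories are matched.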

Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Baumann <daniel.baumann@panthera-systems.net>:
Bug#396277; Package thttpd. Full text and rfc822 format available.

Acknowledgement sent to Steve Kemp <skx@debian.org>:
Extra info received and forwarded to list. Copy sent to Daniel Baumann <daniel.baumann@panthera-systems.net>. Full text and rfc822 format available.

Message #10 received at 396277@bugs.debian.org (full text, mbox):

From: Steve Kemp <skx@debian.org>
To: Marco d'Itri <md@linux.it>
Cc: 396277@bugs.debian.org, Daniel Baumann <daniel.baumann@panthera-systems.net>
Subject: Re: Bug#396277: allows creating any file as root
Date: Tue, 31 Oct 2006 09:22:16 +0000
On Mon, Oct 30, 2006 at 10:56:28PM +0100, Marco d'Itri wrote:

> By creating a /tmp/start_thttpd symlink a local attacker will be able to
> create/touch any file as root.

  Thanks for the report.  Once I get a CVE identifier allocated I'll
 handle an update for Sarge.

  Daniel if you have a preferred patch that would be appreciated,
 otherwise I'll come up with a solution and add it to this bug.

Steve
-- 



Reply sent to Daniel Baumann <daniel@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Marco d'Itri <md@linux.it>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #15 received at 396277-close@bugs.debian.org (full text, mbox):

From: Daniel Baumann <daniel@debian.org>
To: 396277-close@bugs.debian.org
Subject: Bug#396277: fixed in thttpd 2.23beta1-5
Date: Tue, 31 Oct 2006 11:34:05 -0800
Source: thttpd
Source-Version: 2.23beta1-5

We believe that the bug you reported is fixed in the latest version of
thttpd, which is due to be installed in the Debian FTP archive:

thttpd-util_2.23beta1-5_i386.deb
  to pool/main/t/thttpd/thttpd-util_2.23beta1-5_i386.deb
thttpd_2.23beta1-5.diff.gz
  to pool/main/t/thttpd/thttpd_2.23beta1-5.diff.gz
thttpd_2.23beta1-5.dsc
  to pool/main/t/thttpd/thttpd_2.23beta1-5.dsc
thttpd_2.23beta1-5_i386.deb
  to pool/main/t/thttpd/thttpd_2.23beta1-5_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 396277@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Baumann <daniel@debian.org> (supplier of updated thttpd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 31 Oct 2006 20:13:00 +0200
Source: thttpd
Binary: thttpd-util thttpd
Architecture: source i386
Version: 2.23beta1-5
Distribution: unstable
Urgency: high
Maintainer: Daniel Baumann <daniel.baumann@panthera-systems.net>
Changed-By: Daniel Baumann <daniel@debian.org>
Description: 
 thttpd     - tiny/turbo/throttling HTTP server
 thttpd-util - Support utilities for thttpd
Closes: 396277
Changes: 
 thttpd (2.23beta1-5) unstable; urgency=high
 .
   * Applied patch from Steve Kemp <skx@debian.org> on thttpd.logrotate to fix
     the insecure use of temporary files when invoked by logrotate
     [CVE-2006-4248] (Closes: #396277).
Files: 
 001713be9e39d2662b2b43b2bf80cda3 602 web optional thttpd_2.23beta1-5.dsc
 ac9085e9051e8d6d456bd3ebfd447dce 15102 web optional thttpd_2.23beta1-5.diff.gz
 18e7b8b8e80975a13b6ef3b9770cecb6 54482 web optional thttpd_2.23beta1-5_i386.deb
 afd66763ec36d12704919dd511b0eea4 26420 web optional thttpd-util_2.23beta1-5_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFR6EN+C5cwEsrK54RAiMXAKCyzgZ7Qk5IipkFwLlB2lGsqnIuhwCfQTo+
mNw7zT5nqs/2Eez4KsX40qc=
=Q8CZ
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Baumann <daniel.baumann@panthera-systems.net>:
Bug#396277; Package thttpd. Full text and rfc822 format available.

Acknowledgement sent to Steve Kemp <skx@debian.org>:
Extra info received and forwarded to list. Copy sent to Daniel Baumann <daniel.baumann@panthera-systems.net>. Full text and rfc822 format available.

Message #20 received at 396277@bugs.debian.org (full text, mbox):

From: Steve Kemp <skx@debian.org>
To: Marco d'Itri <md@linux.it>, 396277@bugs.debian.org
Cc: daniel.baumann@panthera-systems.net
Subject: Re: Bug#396277: allows creating any file as root
Date: Tue, 31 Oct 2006 17:53:52 +0000
[Message part 1 (text/plain, inline)]
Daniel

  Please find attached the patch I'm going to use for the security
 update.

  Could you please apply it, or a comparable patch to the version
 in unstable and let us know which version will fix the problem?

Steve
-- 
# The Debian Security Audit Project.
http://www.debian.org/security/audit

kx@desktop:/tmp$ interdiff thttpd_2.23beta1-3sarge1.diff  thttpd_2.23beta1-3sarge2.diff
diff -u thttpd-2.23beta1/debian/changelog thttpd-2.23beta1/debian/changelog
--- thttpd-2.23beta1/debian/changelog
+++ thttpd-2.23beta1/debian/changelog
@@ -1,3 +1,11 @@
+thttpd (2.23beta1-3sarge2) stable-security; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Fix the insecure use of temporary files when invoked by logrotate.
+    [CVE-2006-4248]
+
+ -- Steve Kemp <skx@debian.org>  Tue, 31 Oct 2006 17:49:34 +0000
+
 thttpd (2.23beta1-3sarge1) stable-security; urgency=high

   * Non-maintainer upload by the Security Team
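
Review bot: The new changelog entry cites CVE-2006-4248 but not the Debian bug it resolves, so nothing in the entry ties the upload back to the report. Consider adding the bug number next to the CVE reference, and naming the changed file (debian/thttpd.logrotate) so a reader of the changelog alone can find the fix.
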
diff -u thttpd-2.23beta1/debian/thttpd.logrotate thttpd-2.23beta1/debian/thttpd.logrotate
--- thttpd-2.23beta1/debian/thttpd.logrotate
+++ thttpd-2.23beta1/debian/thttpd.logrotate
@@ -4,15 +4,9 @@
     compress
     missingok
     delaycompress
-    prerotate
-       if pidof thttpd 2>&1 > /dev/null; then
-           touch /tmp/start_thttpd
-       fi
-    endscript
     postrotate
-       if [ -f /tmp/start_thttpd ]; then
+        if [ -f /var/run/thttpd.pid ]; then
            /etc/init.d/thttpd restart 2>&1 > /dev/null
-           rm -f /tmp/start_thttpd
        fi
     endscript
 }
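
Review bot: The new postrotate test "[ -f /var/run/thttpd.pid ]" only checks that the pidfile exists, not that the process it names is alive, so a stale pidfile left after a crash would restart a server that was not running before rotation, which the removed prerotate "pidof thttpd" check guarded against. Consider running the "pidof thttpd" test directly in postrotate, or validating the PID read from the file, and confirm that the init script actually writes /var/run/thttpd.pid, which this hunk does not show. Two smaller points: the added "if" line is indented one space deeper than the "fi" that closes it, and the kept "2>&1 > /dev/null" still sends stderr to the original stdout rather than to /dev/null; "> /dev/null 2>&1" discards both.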

[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Baumann <daniel.baumann@panthera-systems.net>:
Bug#396277; Package thttpd. Full text and rfc822 format available.

Acknowledgement sent to Kees Cook <kees@outflux.net>:
Extra info received and forwarded to list. Copy sent to Daniel Baumann <daniel.baumann@panthera-systems.net>. Full text and rfc822 format available.

Message #25 received at 396277@bugs.debian.org (full text, mbox):

From: Kees Cook <kees@outflux.net>
To: 396277@bugs.debian.org
Subject: possible fix?
Date: Tue, 31 Oct 2006 10:55:13 -0800
[Message part 1 (text/plain, inline)]
Tags: patch

Seems like the tmp file isn't needed at all?  Possible patch attached.

-- 
Kees Cook                                            @outflux.net
[thttpd.patch (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Baumann <daniel.baumann@panthera-systems.net>:
Bug#396277; Package thttpd. Full text and rfc822 format available.

Acknowledgement sent to daniel@debian.org:
Extra info received and forwarded to list. Copy sent to Daniel Baumann <daniel.baumann@panthera-systems.net>. Full text and rfc822 format available.

Message #30 received at 396277@bugs.debian.org (full text, mbox):

From: Daniel Baumann <daniel@debian.org>
To: Steve Kemp <skx@debian.org>
Cc: Marco d'Itri <md@linux.it>, 396277@bugs.debian.org
Subject: Re: Bug#396277: allows creating any file as root
Date: Tue, 31 Oct 2006 20:08:59 +0100
Steve Kemp wrote:
> Daniel
> 
>   Please find attached the patch I'm going to use for the security
>  update.

Thanks.

>   Could you please apply it, or a comparable patch to the version
>  in unstable and let us know which version will fix the problem?

I'll apply your patch, and upload in about 10 minutes.

(JFTR: thttpd is one of the last packages which contains the old
email-address which I'm not reading during the day, therefore you didn't
get an answer earlier.)

-- 
Address:        Daniel Baumann, Burgunderstrasse 3, CH-4562 Biberist
Email:          daniel.baumann@panthera-systems.net
Internet:       http://people.panthera-systems.net/~daniel-baumann/



Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Baumann <daniel.baumann@panthera-systems.net>:
Bug#396277; Package thttpd. Full text and rfc822 format available.

Acknowledgement sent to Sebastian Kiesel <sebi@cip.ei.uni-stuttgart.de>:
Extra info received and forwarded to list. Copy sent to Daniel Baumann <daniel.baumann@panthera-systems.net>. Full text and rfc822 format available.

Message #35 received at 396277@bugs.debian.org (full text, mbox):

From: Sebastian Kiesel <sebi@cip.ei.uni-stuttgart.de>
To: 216554@bugs.debian.org
Cc: 396277@bugs.debian.org
Subject: Bug 216554 (thttpd) resolved by DSA 1205-1
Date: Wed, 8 Nov 2006 09:43:07 +0100
Hi,

Debian Bug #216554 has been resolved with Debian Security Advisory
DSA 1205-1 (Debian Bug #396277) - seems that I discovered and reported
the problem already 3 years ago but did not realize all security
implications.

regards,
Sebastian



Merged 216554 396277. Request was from "era eriksson" <era@iki.fi> to control@bugs.debian.org. Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Jun 2007 21:55:24 GMT) Full text and rfc822 format available.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 19:39:21 2014; Machine Name: buxtehude.debian.org
