Report forwarded to debian-bugs-dist@lists.debian.org, md@linux.it, Debian Security Team <team@security.debian.org>, Daniel Baumann <daniel.baumann@panthera-systems.net>: Bug#396277; Package thttpd.
Acknowledgement sent to Marco d'Itri <md@linux.it>:
New Bug report received and forwarded. Copy sent to md@linux.it, Debian Security Team <team@security.debian.org>, Daniel Baumann <daniel.baumann@panthera-systems.net>.
Package: thttpd
Severity: grave
Tags: security
Insecure use of /tmp in /etc/logrotate.d/thttpd:
if pidof thttpd 2>&1 > /dev/null; then
touch /tmp/start_thttpd
fi
By creating a /tmp/start_thttpd symlink a local attacker will be able to
create/touch any file as root.
--
ciao,
Marco
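The report above boils down to a logrotate script that uses a fixed, predictable name under /tmp. As an added example (not part of the bug report or the thttpd package), this POSIX shell script scans logrotate fragments for exactly that pattern: any literal /tmp or /var/tmp path inside a prerotate/postrotate block. The two fragments it scans are constructed inline; the first mirrors the vulnerable script quoted in the report, the second uses a pid file the way the eventual fix does.

```shell
#!/bin/sh
# Added example: flag logrotate scripts that name a fixed path under
# /tmp, the pattern behind Debian bug #396277. Not project code.

# Constructed sample fragments, written to a scratch directory so the
# check can run offline; the first reproduces the reported script.
SAMPLE_DIR="${TMPDIR:-/tmp}/logrotate-audit.$$"
mkdir -p "$SAMPLE_DIR"
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/thttpd" <<'EOF'
/var/log/thttpd.log {
    prerotate
        if pidof thttpd 2>&1 > /dev/null; then
            touch /tmp/start_thttpd
        fi
    endscript
    postrotate
        if [ -f /tmp/start_thttpd ]; then
            /etc/init.d/thttpd restart 2>&1 > /dev/null
            rm -f /tmp/start_thttpd
        fi
    endscript
}
EOF
cat > "$SAMPLE_DIR/clean" <<'EOF'
/var/log/clean.log {
    postrotate
        if [ -f /var/run/clean.pid ]; then
            /etc/init.d/clean restart > /dev/null 2>&1
        fi
    endscript
}
EOF

# find_fixed_tmp_paths FILE: print every line inside a rotate script
# block that names a literal /tmp or /var/tmp path; exit 1 if any found.
find_fixed_tmp_paths() {
    awk '
        /^[ \t]*(prerotate|postrotate|firstaction|lastaction)[ \t]*$/ { in_script = 1; next }
        /^[ \t]*endscript[ \t]*$/ { in_script = 0; next }
        in_script && /\/(var\/)?tmp\/[A-Za-z0-9._-]+/ { found = 1; print FILENAME ":" NR ": " $0 }
        END { exit found ? 1 : 0 }
    ' "$1"
}

find_fixed_tmp_paths "$SAMPLE_DIR/thttpd" || echo "thttpd: FLAGGED, use a pid file or mktemp instead"
find_fixed_tmp_paths "$SAMPLE_DIR/clean" && echo "clean: ok"
```

Run it against a real /etc/logrotate.d directory by looping over its files; anything flagged should be reworked to use a root-owned state file (as the fix here does) or mktemp.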
Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Baumann <daniel.baumann@panthera-systems.net>: Bug#396277; Package thttpd.
Acknowledgement sent to Steve Kemp <skx@debian.org>:
Extra info received and forwarded to list. Copy sent to Daniel Baumann <daniel.baumann@panthera-systems.net>.
Cc: 396277@bugs.debian.org,
Daniel Baumann <daniel.baumann@panthera-systems.net>
Subject: Re: Bug#396277: allows creating any file as root
Date: Tue, 31 Oct 2006 09:22:16 +0000
On Mon, Oct 30, 2006 at 10:56:28PM +0100, Marco d'Itri wrote:
> By creating a /tmp/start_thttpd symlink a local attacker will be able to
> create/touch any file as root.
Thanks for the report. Once I get a CVE identifier allocated I'll
handle an update for Sarge.
Daniel if you have a preferred patch that would be appreciated,
otherwise I'll come up with a solution and add it to this bug.
Steve
--
Reply sent to Daniel Baumann <daniel@debian.org>:
You have taken responsibility.
Notification sent to Marco d'Itri <md@linux.it>:
Bug acknowledged by developer.
Source: thttpd
Source-Version: 2.23beta1-5
We believe that the bug you reported is fixed in the latest version of
thttpd, which is due to be installed in the Debian FTP archive:
thttpd-util_2.23beta1-5_i386.deb
to pool/main/t/thttpd/thttpd-util_2.23beta1-5_i386.deb
thttpd_2.23beta1-5.diff.gz
to pool/main/t/thttpd/thttpd_2.23beta1-5.diff.gz
thttpd_2.23beta1-5.dsc
to pool/main/t/thttpd/thttpd_2.23beta1-5.dsc
thttpd_2.23beta1-5_i386.deb
to pool/main/t/thttpd/thttpd_2.23beta1-5_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 396277@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Daniel Baumann <daniel@debian.org> (supplier of updated thttpd package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Tue, 31 Oct 2006 20:13:00 +0200
Source: thttpd
Binary: thttpd-util thttpd
Architecture: source i386
Version: 2.23beta1-5
Distribution: unstable
Urgency: high
Maintainer: Daniel Baumann <daniel.baumann@panthera-systems.net>
Changed-By: Daniel Baumann <daniel@debian.org>
Description:
thttpd - tiny/turbo/throttling HTTP server
thttpd-util - Support utilities for thttpd
Closes: 396277
Changes:
thttpd (2.23beta1-5) unstable; urgency=high
.
* Applied patch from Steve Kemp <skx@debian.org> on thttpd.logrotate to fix
the insecure use of temporary files when invoked by logrotate
[CVE-2006-4248] (Closes: #396277).
Files:
001713be9e39d2662b2b43b2bf80cda3 602 web optional thttpd_2.23beta1-5.dsc
ac9085e9051e8d6d456bd3ebfd447dce 15102 web optional thttpd_2.23beta1-5.diff.gz
18e7b8b8e80975a13b6ef3b9770cecb6 54482 web optional thttpd_2.23beta1-5_i386.deb
afd66763ec36d12704919dd511b0eea4 26420 web optional thttpd-util_2.23beta1-5_i386.deb
Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Baumann <daniel.baumann@panthera-systems.net>: Bug#396277; Package thttpd.
Acknowledgement sent to Steve Kemp <skx@debian.org>:
Extra info received and forwarded to list. Copy sent to Daniel Baumann <daniel.baumann@panthera-systems.net>.
Daniel
Please find attached the patch I'm going to use for the security
update.
Could you please apply it, or a comparable patch, to the version
in unstable and let us know which version will fix the problem?
Steve
--
# The Debian Security Audit Project.
http://www.debian.org/security/audit
kx@desktop:/tmp$ interdiff thttpd_2.23beta1-3sarge1.diff thttpd_2.23beta1-3sarge2.diff
diff -u thttpd-2.23beta1/debian/changelog thttpd-2.23beta1/debian/changelog
--- thttpd-2.23beta1/debian/changelog
+++ thttpd-2.23beta1/debian/changelog
@@ -1,3 +1,11 @@
+thttpd (2.23beta1-3sarge2) stable-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Fix the insecure use of temporary files when invoked by logrotate.
+ [CVE-2006-4248]
+
+ -- Steve Kemp <skx@debian.org> Tue, 31 Oct 2006 17:49:34 +0000
+
thttpd (2.23beta1-3sarge1) stable-security; urgency=high
* Non-maintainer upload by the Security Team
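Review bot: the new changelog entry at the top of this hunk cites CVE-2006-4248 but never references the bug itself; appending `(Closes: #396277)` to the `Fix the insecure use of temporary files when invoked by logrotate.` line, as the unstable changelog for 2.23beta1-5 does, lets the BTS tie the stable-security upload to this report.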
diff -u thttpd-2.23beta1/debian/thttpd.logrotate thttpd-2.23beta1/debian/thttpd.logrotate
--- thttpd-2.23beta1/debian/thttpd.logrotate
+++ thttpd-2.23beta1/debian/thttpd.logrotate
@@ -4,15 +4,9 @@
compress
missingok
delaycompress
- prerotate
- if pidof thttpd 2>&1 > /dev/null; then
- touch /tmp/start_thttpd
- fi
- endscript
postrotate
- if [ -f /tmp/start_thttpd ]; then
+ if [ -f /var/run/thttpd.pid ]; then
/etc/init.d/thttpd restart 2>&1 > /dev/null
- rm -f /tmp/start_thttpd
fi
endscript
}
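Review bot: the surviving restart line `/etc/init.d/thttpd restart 2>&1 > /dev/null` has its redirections in the wrong order: `2>&1` is applied first, so stderr still goes to the original stdout and only stdout reaches /dev/null; `> /dev/null 2>&1` is the intended form. Replacing the /tmp marker with a test on `/var/run/thttpd.pid` does remove the symlink problem, since that directory is not writable by unprivileged users, but it silently couples the postrotate script to whatever pid-file path the init script writes, so a comment naming that dependency would help the next maintainer; a stale pid file after an unclean shutdown only costs an extra restart.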
Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Baumann <daniel.baumann@panthera-systems.net>: Bug#396277; Package thttpd.
Acknowledgement sent to Kees Cook <kees@outflux.net>:
Extra info received and forwarded to list. Copy sent to Daniel Baumann <daniel.baumann@panthera-systems.net>.
Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Baumann <daniel.baumann@panthera-systems.net>: Bug#396277; Package thttpd.
Acknowledgement sent to daniel@debian.org:
Extra info received and forwarded to list. Copy sent to Daniel Baumann <daniel.baumann@panthera-systems.net>.
Cc: Marco d'Itri <md@linux.it>, 396277@bugs.debian.org
Subject: Re: Bug#396277: allows creating any file as root
Date: Tue, 31 Oct 2006 20:08:59 +0100
Steve Kemp wrote:
> Daniel
>
> Please find attached the patch I'm going to use for the security
> update.
Thanks.
> Could you please apply it, or a comparable patch to the version
> in unstable and let us know which version will fix the problem?
I'll apply your patch, and upload in about 10 minutes.
(JFTR: thttpd is one of the last packages which still contains the old
email address, which I'm not reading during the day, so you didn't
get an answer earlier.)
--
Address: Daniel Baumann, Burgunderstrasse 3, CH-4562 Biberist
Email: daniel.baumann@panthera-systems.net
Internet: http://people.panthera-systems.net/~daniel-baumann/
Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Baumann <daniel.baumann@panthera-systems.net>: Bug#396277; Package thttpd.
Acknowledgement sent to Sebastian Kiesel <sebi@cip.ei.uni-stuttgart.de>:
Extra info received and forwarded to list. Copy sent to Daniel Baumann <daniel.baumann@panthera-systems.net>.
From: Sebastian Kiesel <sebi@cip.ei.uni-stuttgart.de>
To: 216554@bugs.debian.org
Cc: 396277@bugs.debian.org
Subject: Bug 216554 (thttpd) resolved by DSA 1205-1
Date: Wed, 8 Nov 2006 09:43:07 +0100
Hi,
Debian Bug #216554 has been resolved with Debian Security Advisory
DSA 1205-1 (Debian Bug #396277) - seems that I discovered and reported
the problem already 3 years ago but did not realize all security
implications.
regards,
Sebastian
Merged 216554 396277.
Request was from "era eriksson" <era@iki.fi>
to control@bugs.debian.org.
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 25 Jun 2007 21:55:24 GMT)