Debian Bug report logs - #410548
jailer: Insecure temporary handling in updatejail

version graph

Package: jailer; Maintainer for jailer is Javier Fernandez-Sanguino Pen~a <jfs@debian.org>; Source for jailer is src:jailer.

Reported by: Javier Fernández-Sanguino Peña <jfs@computer.org>

Date: Sun, 11 Feb 2007 17:33:01 UTC

Severity: important

Tags: security

Found in version jailer/0.4-9

Fixed in version jailer/0.4-10

Done: Javier Fernandez-Sanguino Pen~a <jfs@computer.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Javier Fernandez-Sanguino Pen~a <jfs@computer.org>:
Bug#410548; Package jailer. Full text and rfc822 format available.

Acknowledgement sent to Javier Fernández-Sanguino Peña <jfs@computer.org>:
New Bug report received and forwarded. Copy sent to Javier Fernandez-Sanguino Pen~a <jfs@computer.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Javier Fernández-Sanguino Peña <jfs@computer.org>
To: submit@bugs.debian.org
Subject: jailer: Insecure temporary handling in updatejail
Date: Sun, 11 Feb 2007 18:18:54 +0100
[Message part 1 (text/plain, inline)]
Package: jailer
Version: 0.4-9
Severity: important
Tags: security pending

The 'updatejailer' script in jailer uses an unsafe way to create temporary file
to store output:

                find $JAIL -type b > /tmp/$$.updatejail
                find $JAIL -type c >> /tmp/$$.updatejail
                find $JAIL -type p >> /tmp/$$.updatejail
                find $JAIL -type f >> /tmp/$$.updatejail
                find $JAIL -type l >> /tmp/$$.updatejail
                find $JAIL -type s >> /tmp/$$.updatejail

The script does not check wether the /tmp/$$.updatejail file it uses exists
or not, which can result in race conditions and symlink attacks. If an
ordinary user were to create symlinks in /tmp/ following that scheme and in
sufficient numbers (so the chance of the program's PID being one of them is
fairly high), he could have any file in the system overwritten (for example,
/etc/passwd) potentially breaking the system.

The script should use a safe mechanism to create temporary files and should
exit if an error ocurred in order to avoid this attacks.

This bug will be fixed in the next upload to sid.

Javier
[signature.asc (application/pgp-signature, inline)]

Reply sent to Javier Fernandez-Sanguino Pen~a <jfs@computer.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Javier Fernández-Sanguino Peña <jfs@computer.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #10 received at 410548-close@bugs.debian.org (full text, mbox):

From: Javier Fernandez-Sanguino Pen~a <jfs@computer.org>
To: 410548-close@bugs.debian.org
Subject: Bug#410548: fixed in jailer 0.4-10
Date: Fri, 22 Jun 2007 00:47:08 +0000
Source: jailer
Source-Version: 0.4-10

We believe that the bug you reported is fixed in the latest version of
jailer, which is due to be installed in the Debian FTP archive:

jailer_0.4-10.diff.gz
  to pool/main/j/jailer/jailer_0.4-10.diff.gz
jailer_0.4-10.dsc
  to pool/main/j/jailer/jailer_0.4-10.dsc
jailer_0.4-10_all.deb
  to pool/main/j/jailer/jailer_0.4-10_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 410548@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Javier Fernandez-Sanguino Pen~a <jfs@computer.org> (supplier of updated jailer package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 11 Feb 2007 18:13:21 +0100
Source: jailer
Binary: jailer
Architecture: source all
Version: 0.4-10
Distribution: unstable
Urgency: high
Maintainer: Javier Fernandez-Sanguino Pen~a <jfs@computer.org>
Changed-By: Javier Fernandez-Sanguino Pen~a <jfs@computer.org>
Description: 
 jailer     - Builds and maintains chrooted environments
Closes: 382318 410548
Changes: 
 jailer (0.4-10) unstable; urgency=high
 .
   * Have updatejail use tempfile instead of the unsafe /tmp/$$.updatejail
     construct which makes it vulnerable to symlink attacks in /tmp/.
     Since this tool is run as root this is a severe bug and thus
     the urgency. (Closes: #410548)
   [ Minor program improvements ]
   * Fix updatejail so that the identifier matches exactly the name of the jail
     and does not match jails containing its name (Closes: #382318)
   * Fix a typo in the updatejail program output
   * Do not dump stderr to /dev/null when running cpio. This will make it
     print out a lot of cruft when creating makejails, but at least errors
     will be easy to spot.
   * Improve error messages in updatejail, check that the jail identifier
     is not empty and that the root directory exists.
   [ Documentation improvements ]
   * Rewrite some places of the manpages to fix grammar and typos.
   * Note in updatejail's manpage that the Root: location has to match the
     identifier being used.
   [ Debian package changes ]
   * Use debhelper compatibility version 4
   * Use dh_installman instead of dh_installmanpages
   * Add a space to the Homepage line in debian/control
Files: 
 026ba8e80e9c7fa3e4ea9ffd93abc112 589 admin optional jailer_0.4-10.dsc
 c208c88f9b2a414c5b01dbc29d3a7d65 30498 admin optional jailer_0.4-10.diff.gz
 fc191a9d0f6843de1bb1b525213d68cf 12232 admin optional jailer_0.4-10_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGewYWsandgtyBSwkRAob5AJ4gjG2yNw4fPR6kBKcDZQod/Es2XQCdG1o/
4mhOVCtKf2OrxPa5mIEUtzw=
=aadm
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 24 Jul 2007 07:32:46 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 16:51:52 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.