To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: netserver can be locked by /tmp/netperf.debug
Date: Tue, 06 Mar 2007 13:56:40 +0100
Package: netperf
Version: 2.4.3-2
Severity: wishlist
Hello,
I've been confronted with this inconvenience,
so I guess it could help others too.
On launch netperf's server creates the file /tmp/netperf.debug
with the user's ownership (default root).
And this can cause trouble if several users start netserver
(on different ports of course).
Maybe this can be worked around by adding the port number to the debug filename.
Also when the daemon is stopped, the file is still there,
which may block users' usage of netserver.
Last wishes:
* '--version' option on client and server
* csv output is welcome too
Regards
-- System Information:
Debian Release: 4.0
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.20-k7-amiloa-rt
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Versions of packages netperf depends on:
ii libc6 2.3.6.ds1-13 GNU C Library: Shared libraries
netperf recommends no packages.
-- no debconf information
Information forwarded to debian-bugs-dist@lists.debian.org, Erik Wenzel <erik@debian.org>: Bug#413658; Package netperf.
Acknowledgement sent to Erik Wenzel <erik@code.de>:
Extra info received and forwarded to list. Copy sent to Erik Wenzel <erik@debian.org>.
To: rzr@users.sourceforge.net, 413658@bugs.debian.org
Subject: Re: Bug#413658: netserver can be locked by /tmp/netperf.debug
Date: Tue, 06 Mar 2007 18:53:17 +0100
Am Dienstag, den 06.03.2007, 13:56 +0100 schrieb Philippe Coval:
> Package: netperf
> Version: 2.4.3-2
> Severity: wishlist
>
> Hello,
> I've been confronted with this inconvenience,
> so I guess it could help others too.
>
> On launch netperf's server creates the file /tmp/netperf.debug
> with the user's ownership (default root).
>
> And this can cause trouble if several users start netserver
> (on different ports of course).
>
> Maybe this can be worked around by adding the port number to the debug filename.
>
> Also when the daemon is stopped, the file is still there,
> which may block users' usage of netserver.
>
> Last wishes:
> * '--version' option on client and server
> * csv output is welcome too
>
> Regards
>
>
> -- System Information:
> Debian Release: 4.0
> APT prefers testing
> APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
> Architecture: i386 (i686)
> Shell: /bin/sh linked to /bin/bash
> Kernel: Linux 2.6.20-k7-amiloa-rt
> Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
>
> Versions of packages netperf depends on:
> ii libc6 2.3.6.ds1-13 GNU C Library: Shared libraries
>
> netperf recommends no packages.
>
> -- no debconf information
>
These 3 bug reports are forwarded to upstream.
--
erik@debian.org
Information forwarded to debian-bugs-dist@lists.debian.org, Erik Wenzel <erik@debian.org>: Bug#413658; Package netperf.
Acknowledgement sent to Ben Hutchings <ben@decadent.org.uk>:
Extra info received and forwarded to list. Copy sent to Erik Wenzel <erik@debian.org>.
package netperf
severity 413658 serious
tags 413658 security
retitle 413658 netserver logs to insecure temporary file
thanks
Since /tmp/netperf.debug is opened without the O_EXCL mode, it's
possible to carry out a serious denial-of-service on another user by
creating it as a symbolic link to one of their files before they run
netperf.
It's also given mode 644 which means it can leak information, though
this is unlikely to be sensitive.
Finally, this is a violation of FHS: when netserver is run as a daemon
its log file should be under /var/log.
Ben.
--
Ben Hutchings
Any sufficiently advanced bug is indistinguishable from a feature.
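The two defects Ben names above (no O_EXCL, so a pre-planted symlink is followed; mode 644, so the log is world-readable) can be shown side by side with a small program. This is an added example, not netperf's code or the Debian patch: `open_log_unsafe` reproduces the pattern the report describes, `open_log_safe` is the hardened replacement (O_EXCL plus O_NOFOLLOW, mode 0600), and `demo_symlink_check` exercises both in a private scratch directory with a constructed "other user's file" and a symlink planted at the log path. All file names are constructed for the demonstration.

```c
/* Added example (not netperf's code): unsafe vs. hardened creation of a
 * debug log, exercised in a throwaway directory created with mkdtemp(). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern the report describes: create-if-missing, world-readable,
 * and it follows whatever already sits at the path (e.g. a symlink). */
static int open_log_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_APPEND, 0644);
}

/* Hardened: O_EXCL fails if anything already exists at the path (a planted
 * symlink included), O_NOFOLLOW refuses symlinks on its own, and mode 0600
 * keeps the log readable by its owner only. */
static int open_log_safe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_APPEND, 0600);
}

/* Returns 1 when: the unsafe opener follows a planted symlink to the other
 * file, the hardened opener refuses it, and the hardened opener creates a
 * fresh 0600 file once the symlink is gone. Returns 0 otherwise, -1 on
 * setup failure (e.g. scratch directory not writable). */
int demo_symlink_check(void)
{
    char dir[] = "/tmp/nplogdemoXXXXXX";          /* constructed scratch dir */
    if (mkdtemp(dir) == NULL) return -1;

    char victim[256], logpath[256];
    snprintf(victim, sizeof victim, "%s/other-users-file", dir);
    snprintf(logpath, sizeof logpath, "%s/netperf.debug", dir);

    /* Constructed stand-in for some unrelated file the user owns. */
    int vfd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (vfd < 0) return -1;
    struct stat vst;
    if (fstat(vfd, &vst) != 0) { close(vfd); return -1; }
    close(vfd);

    /* A symlink is already sitting where the log will be created. */
    if (symlink(victim, logpath) != 0) return -1;

    /* Unsafe opener: succeeds, and the descriptor refers to the other file. */
    int ufd = open_log_unsafe(logpath);
    struct stat ust;
    int followed = (ufd >= 0 && fstat(ufd, &ust) == 0 && ust.st_ino == vst.st_ino);
    if (ufd >= 0) close(ufd);

    /* Hardened opener: fails with EEXIST (O_EXCL) or ELOOP (O_NOFOLLOW). */
    int sfd = open_log_safe(logpath);
    int refused = (sfd < 0 && (errno == EEXIST || errno == ELOOP));
    if (sfd >= 0) close(sfd);

    /* With the symlink removed, the hardened opener creates a private file. */
    unlink(logpath);
    int fresh = open_log_safe(logpath);
    struct stat fst;
    int privmode = (fresh >= 0 && fstat(fresh, &fst) == 0 &&
                    (fst.st_mode & 0777) == 0600);
    if (fresh >= 0) close(fresh);

    unlink(logpath);
    unlink(victim);
    rmdir(dir);
    return (followed && refused && privmode) ? 1 : 0;
}

int main(void)
{
    int ok = demo_symlink_check();
    printf("unsafe opener follows symlink, hardened opener refuses: %s\n",
           ok == 1 ? "yes" : (ok == 0 ? "no" : "setup failed"));
    return ok == 1 ? 0 : 1;
}
```

For a daemon the same opener should be pointed at a file under /var/log rather than /tmp, which removes the shared-directory race entirely; O_EXCL and O_NOFOLLOW remain cheap insurance even there.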
Severity set to `serious' from `wishlist'
Request was from Ben Hutchings <ben@decadent.org.uk>
to control@bugs.debian.org.
Tags added: security
Request was from Ben Hutchings <ben@decadent.org.uk>
to control@bugs.debian.org.
Changed Bug title.
Request was from Ben Hutchings <ben@decadent.org.uk>
to control@bugs.debian.org.
Changed Bug title to `CVE-2007-1444 netserver logs to insecure temporary file' from `netserver logs to insecure temporary file'.
Request was from Nico Golde <nion@debian.org>
to control@bugs.debian.org.
(Sun, 14 Oct 2007 20:51:05 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Erik Wenzel <erik@debian.org>: Bug#413658; Package netperf.
Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Erik Wenzel <erik@debian.org>.
tags 413658 + patch
thanks
Hi,
attached is a patch (untested, please do so); it's not really nice because
of the global variables, but it won't work without them
without bigger code changes.
Kind regards
Nico
--
Nico Golde - http://ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Tags added: patch
Request was from Nico Golde <nion@debian.org>
to control@bugs.debian.org.
(Mon, 15 Oct 2007 07:09:03 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Erik Wenzel <erik@debian.org>: Bug#413658; Package netperf.
Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Erik Wenzel <erik@debian.org>.
Hi,
forgot to attach the patch.
Cheers
Nico
--
Nico Golde - http://ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Source: netperf
Source-Version: 2.4.3-7
We believe that the bug you reported is fixed in the latest version of
netperf, which is due to be installed in the Debian FTP archive:
netperf_2.4.3-7.diff.gz
to pool/non-free/n/netperf/netperf_2.4.3-7.diff.gz
netperf_2.4.3-7.dsc
to pool/non-free/n/netperf/netperf_2.4.3-7.dsc
netperf_2.4.3-7_i386.deb
to pool/non-free/n/netperf/netperf_2.4.3-7_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 413658@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Erik Wenzel <erik@debian.org> (supplier of updated netperf package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Wed, 17 Oct 2007 04:39:28 +0000
Source: netperf
Binary: netperf
Architecture: source i386
Version: 2.4.3-7
Distribution: unstable
Urgency: low
Maintainer: Erik Wenzel <erik@debian.org>
Changed-By: Erik Wenzel <erik@debian.org>
Description:
netperf - Network performance benchmark
Closes: 413658 438146
Changes:
netperf (2.4.3-7) unstable; urgency=low
.
* misleading changelog.gz (Closes: #438146)
* moved examples list from rules to examples
* CVE-2007-1444 netserver logs to insecure temporary file (Closes:
#413658) Thanks Nico Golde <nion@debian.org> for the hotfix
Files:
c5126df9f3ca88a4efb255c628af0817 603 non-free/net optional netperf_2.4.3-7.dsc
f28a5271da7ff0e268ff6e2462c27ede 7893 non-free/net optional netperf_2.4.3-7.diff.gz
2e83723284bd88961cbee04e3df43524 349164 non-free/net optional netperf_2.4.3-7_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFHFbyQmMmei9uJhBARAmDKAJ4h4xodjWs4paN6PwYQAeSe91WIdACg3UGG
DuUR5lR+qT/weblgSDk8Eg4=
=Qtbq
-----END PGP SIGNATURE-----
Reply sent to Erik Wenzel <erik@debian.org>:
You have taken responsibility.
Notification sent to rzr@users.sf.net:
Bug acknowledged by developer.
Source: netperf
Source-Version: 2.4.3-8
We believe that the bug you reported is fixed in the latest version of
netperf, which is due to be installed in the Debian FTP archive:
netperf_2.4.3-8.diff.gz
to pool/non-free/n/netperf/netperf_2.4.3-8.diff.gz
netperf_2.4.3-8.dsc
to pool/non-free/n/netperf/netperf_2.4.3-8.dsc
netperf_2.4.3-8_i386.deb
to pool/non-free/n/netperf/netperf_2.4.3-8_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 413658@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Erik Wenzel <erik@debian.org> (supplier of updated netperf package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Wed, 17 Oct 2007 08:55:57 +0000
Source: netperf
Binary: netperf
Architecture: source i386
Version: 2.4.3-8
Distribution: unstable
Urgency: low
Maintainer: Erik Wenzel <erik@debian.org>
Changed-By: Erik Wenzel <erik@debian.org>
Description:
netperf - Network performance benchmark
Closes: 413658
Changes:
netperf (2.4.3-8) unstable; urgency=low
.
* CVE-2007-1444 netserver logs to insecure temporary file
(Closes: #413658) Thanks to Nico Golde <nion@debian.org> for the
hotfix
Files:
177fb019431c5be89ac7474e04e52b94 603 non-free/net optional netperf_2.4.3-8.dsc
be439c4c9d48cd4a070567168f8e7745 7918 non-free/net optional netperf_2.4.3-8.diff.gz
7d92d07530bdb826a7b587c5dc3ab0ba 349162 non-free/net optional netperf_2.4.3-8_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFHFc60mMmei9uJhBARAoGQAJ9CUdtalI4AoNx0WxSpTaHEzbh0qQCg3fph
5DrfxawewQz3XiBknif/Tag=
=TRRI
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Thu, 15 Nov 2007 07:28:47 GMT)