Debian Bug report logs - #413658
CVE-2007-1444 netserver logs to insecure temporary file

version graph

Package: netperf; Maintainer for netperf is netperf Debian Maintainers <netperf@packages.debian.org>; Source for netperf is src:netperf (PTS, buildd, popcon).

Reported by: rzr@users.sf.net

Date: Tue, 6 Mar 2007 13:03:04 UTC

Severity: serious

Tags: patch, security

Found in version netperf/2.4.3-2

Fixed in versions netperf/2.4.3-7, netperf/2.4.3-8

Done: Erik Wenzel <erik@debian.org>

Bug is archived. No further changes may be made.

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Erik Wenzel <erik@debian.org>:
Bug#413658; Package netperf. (full text, mbox, link).


Acknowledgement sent to rzr@users.sf.net:
New Bug report received and forwarded. Copy sent to Erik Wenzel <erik@debian.org>. (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Philippe Coval <rzr@users.sf.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: netserver can be locked by /tmp/netperf.debug
Date: Tue, 06 Mar 2007 13:56:40 +0100
Package: netperf
Version: 2.4.3-2
Severity: wishlist

Hello,
I've been confronted to this inconvenience, 
so I guess it could help others too

On lunch netperf's server creates the file /tmp/netperf.debug
with  user's ownership (default root)

And this can cause trouble if serveral users start netserver 
(on different port of course).

Maybe this can be workarounded by adding port number in debug filename

Also when deamon is stopped, the file is still here, 
which may lock users uage of netserver

Last Wishes :
* '--version' option on client and server 
* csv output  is welcome too

Regards


-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.20-k7-amiloa-rt
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages netperf depends on:
ii  libc6                       2.3.6.ds1-13 GNU C Library: Shared libraries

netperf recommends no packages.

-- no debconf information



Information forwarded to debian-bugs-dist@lists.debian.org, Erik Wenzel <erik@debian.org>:
Bug#413658; Package netperf. (full text, mbox, link).


Acknowledgement sent to Erik Wenzel <erik@code.de>:
Extra info received and forwarded to list. Copy sent to Erik Wenzel <erik@debian.org>. (full text, mbox, link).


Message #10 received at 413658@bugs.debian.org (full text, mbox, reply):

From: Erik Wenzel <erik@code.de>
To: rzr@users.sourceforge.net, 413658@bugs.debian.org
Subject: Re: Bug#413658: netserver can be locked by /tmp/netperf.debug
Date: Tue, 06 Mar 2007 18:53:17 +0100
Am Dienstag, den 06.03.2007, 13:56 +0100 schrieb Philippe Coval:
> Package: netperf
> Version: 2.4.3-2
> Severity: wishlist
> 
> Hello,
> I've been confronted to this inconvenience, 
> so I guess it could help others too
> 
> On lunch netperf's server creates the file /tmp/netperf.debug
> with  user's ownership (default root)
> 
> And this can cause trouble if serveral users start netserver 
> (on different port of course).
> 
> Maybe this can be workarounded by adding port number in debug filename
> 
> Also when deamon is stopped, the file is still here, 
> which may lock users uage of netserver
> 
> Last Wishes :
> * '--version' option on client and server 
> * csv output  is welcome too
> 
> Regards
> 
> 
> -- System Information:
> Debian Release: 4.0
>   APT prefers testing
>   APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
> Architecture: i386 (i686)
> Shell:  /bin/sh linked to /bin/bash
> Kernel: Linux 2.6.20-k7-amiloa-rt
> Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
> 
> Versions of packages netperf depends on:
> ii  libc6                       2.3.6.ds1-13 GNU C Library: Shared libraries
> 
> netperf recommends no packages.
> 
> -- no debconf information
> 

This 3 bug reports are forwarded to upstream.

-- 
erik@debian.org




Information forwarded to debian-bugs-dist@lists.debian.org, Erik Wenzel <erik@debian.org>:
Bug#413658; Package netperf. (full text, mbox, link).


Acknowledgement sent to Ben Hutchings <ben@decadent.org.uk>:
Extra info received and forwarded to list. Copy sent to Erik Wenzel <erik@debian.org>. (full text, mbox, link).


Message #15 received at 413658@bugs.debian.org (full text, mbox, reply):

From: Ben Hutchings <ben@decadent.org.uk>
To: control@bugs.debian.org, 413658@bugs.debian.org
Subject: Re: netserver can be locked by /tmp/netperf.debug
Date: Sat, 10 Mar 2007 22:50:03 +0000
[Message part 1 (text/plain, inline)]
package netperf
severity 413658 serious
tags 413658 security
retitle 413658 netserver logs to insecure temporary file
thanks

Since /tmp/netperf.debug is opened without the O_EXCL mode, it's
possible to carry out a serious denial-of-service on another user by
creating it as a symbolic link to one of their files before they run
netperf.

It's also given mode 644 which means it can leak information, though
this is unlikely to be sensitive.

Finally, this is a violation of FHS: when netserver is run as a daemon
its log file should be under /var/log.

Ben.

-- 
Ben Hutchings
Any sufficiently advanced bug is indistinguishable from a feature.
[signature.asc (application/pgp-signature, inline)]

Severity set to `serious' from `wishlist' Request was from Ben Hutchings <ben@decadent.org.uk> to control@bugs.debian.org. (full text, mbox, link).


Tags added: security Request was from Ben Hutchings <ben@decadent.org.uk> to control@bugs.debian.org. (full text, mbox, link).


Changed Bug title. Request was from Ben Hutchings <ben@decadent.org.uk> to control@bugs.debian.org. (full text, mbox, link).


Changed Bug title to `CVE-2007-1444 netserver logs to insecure temporary file' from `netserver logs to insecure temporary file'. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Sun, 14 Oct 2007 20:51:05 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Erik Wenzel <erik@debian.org>:
Bug#413658; Package netperf. (full text, mbox, link).


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Erik Wenzel <erik@debian.org>. (full text, mbox, link).


Message #28 received at 413658@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>
To: 413658@bugs.debian.org
Subject: Re: CVE-2007-1444 netserver logs to insecure temporary file
Date: Mon, 15 Oct 2007 09:09:01 +0200
[Message part 1 (text/plain, inline)]
tags 413658 + patch
thanks

Hi,
attached is a patch (untested, please do so), it's not really nice because 
of the global variables but it won't work without them 
without bigger code changes.
Kind regards
Nico

-- 
Nico Golde - http://ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Tags added: patch Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Mon, 15 Oct 2007 07:09:03 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Erik Wenzel <erik@debian.org>:
Bug#413658; Package netperf. (full text, mbox, link).


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Erik Wenzel <erik@debian.org>. (full text, mbox, link).


Message #35 received at 413658@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>
To: 413658@bugs.debian.org
Subject: Re: CVE-2007-1444 netserver logs to insecure temporary file
Date: Mon, 15 Oct 2007 11:10:36 +0200
[Message part 1 (text/plain, inline)]
Hi,
forgot to attach the patch.
Cheers
Nico

-- 
Nico Golde - http://ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[CVE-2007-1444.patch (text/x-diff, attachment)]
[Message part 3 (application/pgp-signature, inline)]

Reply sent to Erik Wenzel <erik@debian.org>:
You have taken responsibility. (full text, mbox, link).


Notification sent to rzr@users.sf.net:
Bug acknowledged by developer. (full text, mbox, link).


Message #40 received at 413658-close@bugs.debian.org (full text, mbox, reply):

From: Erik Wenzel <erik@debian.org>
To: 413658-close@bugs.debian.org
Subject: Bug#413658: fixed in netperf 2.4.3-7
Date: Wed, 17 Oct 2007 07:47:03 +0000
Source: netperf
Source-Version: 2.4.3-7

We believe that the bug you reported is fixed in the latest version of
netperf, which is due to be installed in the Debian FTP archive:

netperf_2.4.3-7.diff.gz
  to pool/non-free/n/netperf/netperf_2.4.3-7.diff.gz
netperf_2.4.3-7.dsc
  to pool/non-free/n/netperf/netperf_2.4.3-7.dsc
netperf_2.4.3-7_i386.deb
  to pool/non-free/n/netperf/netperf_2.4.3-7_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 413658@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Erik Wenzel <erik@debian.org> (supplier of updated netperf package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 17 Oct 2007 04:39:28 +0000
Source: netperf
Binary: netperf
Architecture: source i386
Version: 2.4.3-7
Distribution: unstable
Urgency: low
Maintainer: Erik Wenzel <erik@debian.org>
Changed-By: Erik Wenzel <erik@debian.org>
Description: 
 netperf    - Network performance benchmark
Closes: 413658 438146
Changes: 
 netperf (2.4.3-7) unstable; urgency=low
 .
   * misleading changelog.gz (Closes: #438146)
   * moved examples list from rules to examples
   * CVE-2007-1444 netserver logs to insecure temporary file (Closes:
     #413658) Thanks Nico Golde <nion@debian.org> for the hotfix
Files: 
 c5126df9f3ca88a4efb255c628af0817 603 non-free/net optional netperf_2.4.3-7.dsc
 f28a5271da7ff0e268ff6e2462c27ede 7893 non-free/net optional netperf_2.4.3-7.diff.gz
 2e83723284bd88961cbee04e3df43524 349164 non-free/net optional netperf_2.4.3-7_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHFbyQmMmei9uJhBARAmDKAJ4h4xodjWs4paN6PwYQAeSe91WIdACg3UGG
DuUR5lR+qT/weblgSDk8Eg4=
=Qtbq
-----END PGP SIGNATURE-----





Reply sent to Erik Wenzel <erik@debian.org>:
You have taken responsibility. (full text, mbox, link).


Notification sent to rzr@users.sf.net:
Bug acknowledged by developer. (full text, mbox, link).


Message #45 received at 413658-close@bugs.debian.org (full text, mbox, reply):

From: Erik Wenzel <erik@debian.org>
To: 413658-close@bugs.debian.org
Subject: Bug#413658: fixed in netperf 2.4.3-8
Date: Wed, 17 Oct 2007 09:17:08 +0000
Source: netperf
Source-Version: 2.4.3-8

We believe that the bug you reported is fixed in the latest version of
netperf, which is due to be installed in the Debian FTP archive:

netperf_2.4.3-8.diff.gz
  to pool/non-free/n/netperf/netperf_2.4.3-8.diff.gz
netperf_2.4.3-8.dsc
  to pool/non-free/n/netperf/netperf_2.4.3-8.dsc
netperf_2.4.3-8_i386.deb
  to pool/non-free/n/netperf/netperf_2.4.3-8_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 413658@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Erik Wenzel <erik@debian.org> (supplier of updated netperf package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 17 Oct 2007 08:55:57 +0000
Source: netperf
Binary: netperf
Architecture: source i386
Version: 2.4.3-8
Distribution: unstable
Urgency: low
Maintainer: Erik Wenzel <erik@debian.org>
Changed-By: Erik Wenzel <erik@debian.org>
Description: 
 netperf    - Network performance benchmark
Closes: 413658
Changes: 
 netperf (2.4.3-8) unstable; urgency=low
 .
   * CVE-2007-1444 netserver logs to insecure temporary file
     (Closes: #413658) Thanks to Nico Golde <nion@debian.org> for the
     hotfix
Files: 
 177fb019431c5be89ac7474e04e52b94 603 non-free/net optional netperf_2.4.3-8.dsc
 be439c4c9d48cd4a070567168f8e7745 7918 non-free/net optional netperf_2.4.3-8.diff.gz
 7d92d07530bdb826a7b587c5dc3ab0ba 349162 non-free/net optional netperf_2.4.3-8_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHFc60mMmei9uJhBARAoGQAJ9CUdtalI4AoNx0WxSpTaHEzbh0qQCg3fph
5DrfxawewQz3XiBknif/Tag=
=TRRI
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 15 Nov 2007 07:28:47 GMT) (full text, mbox, link).


Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 07:54:07 2025; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU General Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.