Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Nathan Scott <nathans@debian.org>: Bug#417894; Package xfsdump.
Acknowledgement sent to Paul Martin <pm@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Nathan Scott <nathans@debian.org>.
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: xfsdump: xfs_fsr makes world writeable temporary directories
Date: Thu, 05 Apr 2007 11:41:41 +0100
Package: xfsdump
Version: 2.2.38-1
Severity: grave
Tags: security
Whilst xfs_fsr is running, it creates a directory of known name, .fsr,
in the root of the filesystem it's working on. This directory and the
subdirectories it creates are world writeable.
$ ls -la /store/.fsr
total 8
drwxrwxrwx 18 root root 4096 2007-04-05 11:17 .
drwxr-xr-x 25 pm pm 4096 2007-04-05 11:17 ..
drwxrwxrwx 2 root root 6 2007-04-05 11:21 ag0
drwxrwxrwx 2 root root 6 2007-04-05 11:21 ag1
drwxrwxrwx 2 root root 6 2007-04-05 11:19 ag10
drwxrwxrwx 2 root root 6 2007-04-05 11:19 ag11
drwxrwxrwx 2 root root 6 2007-04-05 11:19 ag12
drwxrwxrwx 2 root root 6 2007-04-05 11:20 ag13
drwxrwxrwx 2 root root 6 2007-04-05 11:20 ag14
drwxrwxrwx 2 root root 6 2007-04-05 11:21 ag15
drwxrwxrwx 2 root root 6 2007-04-05 11:21 ag2
drwxrwxrwx 2 root root 6 2007-04-05 11:22 ag3
drwxrwxrwx 2 root root 6 2007-04-05 11:22 ag4
drwxrwxrwx 2 root root 6 2007-04-05 11:22 ag5
drwxrwxrwx 2 root root 6 2007-04-05 11:22 ag6
drwxrwxrwx 2 root root 6 2007-04-05 11:22 ag7
drwxrwxrwx 2 root root 6 2007-04-05 11:22 ag8
drwxrwxrwx 2 root root 6 2007-04-05 11:23 ag9
Looking at fsr/xfs_fsr.c, I find...
    static void
    tmp_init(char *mnt)
    {
        int i;
        static char buf[SMBUFSZ];
        mode_t mask;
        tmp_agi = 0;
        sprintf(buf, "%s/.fsr", mnt);
        mask = umask(0);
        if (mkdir(buf, 0777) < 0) {
            if (errno == EEXIST) {
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (99, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-686
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Versions of packages xfsdump depends on:
ii libattr1 1:2.4.32-1.1 Extended attribute shared library
ii libc6 2.3.6.ds1-13 GNU C Library: Shared libraries
ii libdm0 2.2.4-1 Data Management API runtime enviro
ii libncurs 5.5-5 Shared libraries for terminal hand
ii libuuid1 1.39+1.40-WIP-2006.11.14+dfsg-2 universally unique id library
ii xfsprogs 2.8.18-1 Utilities for managing the XFS fil
xfsdump recommends no packages.
-- no debconf information
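Added example, not part of the bug report and not upstream's fix (which this thread does not show): one way to create a directory such as .fsr so that it is owner-only, and to refuse an existing one that is a symlink, owned by another user, or group/world writable. The function names fsr_tmp_path and open_private_dir are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Build "<mnt>/.fsr" with a bounded write (the quoted excerpt uses sprintf). */
int fsr_tmp_path(char *buf, size_t len, const char *mnt)
{
	int n = snprintf(buf, len, "%s/.fsr", mnt);

	return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/*
 * Create path as an owner-only directory, or accept an existing one only
 * if it is a real directory (not a symlink), owned by the caller, and not
 * group- or world-writable. No umask(0) is needed because no permission
 * bits beyond the owner's are requested.
 * Returns a directory fd to use with openat(), or -1 on failure.
 */
int open_private_dir(const char *path)
{
	struct stat st;
	int fd;

	if (mkdir(path, 0700) < 0 && errno != EEXIST)
		return -1;

	/* O_NOFOLLOW rejects a symlink planted under the known name. */
	fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
	if (fd < 0)
		return -1;

	/* Check the object actually opened, not the path, to avoid a race. */
	if (fstat(fd, &st) < 0 || st.st_uid != geteuid() ||
	    (st.st_mode & (S_IWGRP | S_IWOTH))) {
		close(fd);
		errno = EPERM;
		return -1;
	}
	return fd;
}
```

Files inside the directory would then be created relative to the returned descriptor with openat(), so later path lookups cannot be redirected.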
Information forwarded to debian-bugs-dist@lists.debian.org, Nathan Scott <nathans@debian.org>: Bug#417894; Package xfsdump.
Acknowledgement sent to nscott@aconex.com:
Extra info received and forwarded to list. Copy sent to Nathan Scott <nathans@debian.org>.
To: Paul Martin <pm@debian.org>, 417894@bugs.debian.org
Subject: Re: Bug#417894: xfsdump: xfs_fsr makes world writeable temporary directories
Date: Tue, 10 Apr 2007 08:49:56 +1000
Thanks Paul, I've initiated a discussion with upstream, will get
back to you soon. Sorry about the delay, been away over Easter.
cheers.
--
Nathan
Information forwarded to debian-bugs-dist@lists.debian.org, Nathan Scott <nathans@debian.org>: Bug#417894; Package xfsdump.
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Nathan Scott <nathans@debian.org>.
Cc: Paul Martin <pm@debian.org>, 417894@bugs.debian.org
Subject: Re: Bug#417894: xfsdump: xfs_fsr makes world writeable temporary directories
Date: Sat, 5 May 2007 23:49:01 +0200
Nathan Scott wrote:
> Thanks Paul, I've initiated a discussion with upstream, will get
> back to you soon. Sorry about the delay, been away over Easter.
What's the outcome?
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org, Nathan Scott <nathans@debian.org>: Bug#417894; Package xfsdump.
Acknowledgement sent to nscott@aconex.com:
Extra info received and forwarded to list. Copy sent to Nathan Scott <nathans@debian.org>.
To: Moritz Muehlenhoff <jmm@inutil.org>, 417894@bugs.debian.org
Cc: Paul Martin <pm@debian.org>
Subject: Re: Bug#417894: xfsdump: xfs_fsr makes world writeable temporary directories
Date: Mon, 21 May 2007 09:47:10 +1000
On Sat, 2007-05-05 at 23:49 +0200, Moritz Muehlenhoff wrote:
> Nathan Scott wrote:
> > Thanks Paul, I've initiated a discussion with upstream, will get
> > back to you soon. Sorry about the delay, been away over Easter.
>
> What's the outcome?
My timing sucks; I'd just left for 2 weeks vacation on the 5th when
you asked this. Status is: discussed with upstream, they've merged
the fix, I'll upload an update soon (just want to look over their
change a bit more, after catching up on my mail from being away).
cheers.
--
Nathan
Reply sent to Nathan Scott <nathans@debian.org>:
You have taken responsibility.
Notification sent to Paul Martin <pm@debian.org>:
Bug acknowledged by developer.
Source: xfsdump
Source-Version: 2.2.45-1
We believe that the bug you reported is fixed in the latest version of
xfsdump, which is due to be installed in the Debian FTP archive:
xfsdump_2.2.45-1.dsc
to pool/main/x/xfsdump/xfsdump_2.2.45-1.dsc
xfsdump_2.2.45-1.tar.gz
to pool/main/x/xfsdump/xfsdump_2.2.45-1.tar.gz
xfsdump_2.2.45-1_i386.deb
to pool/main/x/xfsdump/xfsdump_2.2.45-1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 417894@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nathan Scott <nathans@debian.org> (supplier of updated xfsdump package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Mon, 28 May 2007 16:09:14 +1000
Source: xfsdump
Binary: xfsdump
Architecture: source i386
Version: 2.2.45-1
Distribution: unstable
Urgency: low
Maintainer: Nathan Scott <nathans@debian.org>
Changed-By: Nathan Scott <nathans@debian.org>
Description:
xfsdump - Administrative utilities for the XFS filesystem
Closes: 417894
Changes:
xfsdump (2.2.45-1) unstable; urgency=low
.
* New upstream release (closes: #417894).
Files:
9f90b4ffb1427acdb35747514a676a2d 597 admin optional xfsdump_2.2.45-1.dsc
f1b0db5d998e7ad949b6af65fa09d952 557005 admin optional xfsdump_2.2.45-1.tar.gz
4bc8e744223e29d225fa0ef3778e904a 303224 admin optional xfsdump_2.2.45-1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFGWnNSm8fl3HSIa2MRAuL4AJ9IEwuvQLqaCvo9SsAHWN6eCIkoGACgmbAj
pTYWkuhzBOwgcsn4wr0YVBo=
=AnJP
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 08 Jul 2007 08:07:51 GMT)