Debian Bug report logs - #449149
ircii-pana: CVE-2007-5839 insecure temporary file creation


Package: ircii-pana; Maintainer for ircii-pana is (unknown);

Reported by: Nico Golde <nion@debian.org>

Date: Sat, 3 Nov 2007 14:48:02 UTC

Severity: important

Tags: security

Found in version 1:1.1-1

Fixed in version 1:1.1-5+rm

Done: Lucas Nussbaum <lucas@lucas-nussbaum.net>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, William Vera <billy@billy.com.mx>:
Bug#449149; Package ircii-pana.


Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to William Vera <billy@billy.com.mx>.


Message #5 received at submit@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: insecure temporary file creation
Date: Sat, 3 Nov 2007 15:46:02 +0100
Package: ircii-pana
Version: 1:1.1-1
Severity: important
Tags: security

While looking into #443544 I stumbled upon another security issue in ircii-pana,
in bitchx's hostname command.
The e_hostname function (commands.c) uses tmpnam to create a temporary file which is
known to be insecure.

From commands.c
2620     char filename[81];
2621     char comm[200];
2622     FILE *fptr;
2623     char *p = NULL, *q;
[...]
2635     tmpnam(filename);
2636 #if defined(_BSDI_VERSION) && _BSDI_VERSION < 199701
2637     if (!(p = path_search("netstat", "/sbin:/usr/sbin:/bin:/usr/bin")))
2638     {
2639         yell("No Netstat to be found");
2640         return;
2641     }
2642     sprintf(comm, "%s -in >%s", p, filename);
2643 #elif defined(__EMX__)
2644     sprintf(comm, "netstat -a > %s", filename);
2645 #else
2646     if (!(p = path_search("ifconfig", "/sbin:/usr/sbin:/bin:/usr/bin")))
2647     {
2648         yell("Can't find ifconfig");
2649         return;
2650     }
2651     sprintf(comm, "%s -a >%s", p, filename);
2652 #endif
2653     system(comm);

This code creates a "unique" file name in line 2635 using the insecure tmpnam
function, copies a netstat command which redirects its output to filename into
the comm buffer and then executes comm with system in line 2653.

This would enable local users to overwrite arbitrary files of the user running
bitchx and invoking the hostname command via a symlink attack.

We really should remove bitchx; the code is really bad and it seems to be unmaintained
upstream.

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
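
A hardened form of the tmpnam()/system() pattern quoted in the report, as an added example (not BitchX code and not part of the original bug log). The helper name run_to_tempfile and the /tmp/hostname.XXXXXX template are hypothetical; the caller passes the absolute path of the program (e.g. the result of path_search) in argv[0].

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Hypothetical helper: runs argv[0] with stdout redirected into a freshly
 * created temporary file. Returns an fd positioned at offset 0 (the caller
 * closes it and unlinks path), or -1 on failure. */
int run_to_tempfile(char *const argv[], char *path, size_t pathlen)
{
    /* Assumption: fixed template under /tmp, chosen for this example. */
    int n = snprintf(path, pathlen, "%s", "/tmp/hostname.XXXXXX");
    if (n < 0 || (size_t)n >= pathlen)
        return -1;

    /* mkstemp() chooses the name and opens it with O_CREAT|O_EXCL in one
     * step, so a name that already exists (a symlink included) is never
     * opened or followed. tmpnam() only returns a name, leaving a window
     * before the shell redirection opens it. */
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;

    pid_t pid = fork();
    if (pid == 0) {
        /* Child: pass the already-open fd, not a file name, and exec
         * directly so no shell parses a command string. */
        if (dup2(fd, STDOUT_FILENO) < 0)
            _exit(127);
        if (fd != STDOUT_FILENO)
            close(fd);
        execv(argv[0], argv);
        _exit(127);
    }

    int status = 0;
    if (pid < 0 || waitpid(pid, &status, 0) < 0 ||
        !WIFEXITED(status) || WEXITSTATUS(status) != 0 ||
        lseek(fd, 0, SEEK_SET) < 0) {
        close(fd);
        unlink(path);   /* do not leave a partial file behind */
        return -1;
    }
    return fd;          /* parent reads the output through this fd */
}
```

Reading the command's output through a pipe instead would avoid the temporary file altogether.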

Changed Bug title to `ircii-pana: CVE-2007-5839 insecure temporary file creation' from `insecure temporary file creation'. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Tue, 06 Nov 2007 22:27:04 GMT)


Reply sent to Lucas Nussbaum <lucas@lucas-nussbaum.net>:
You have taken responsibility.


Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer.


Message #12 received at 449149-done@bugs.debian.org:

From: Lucas Nussbaum <lucas@lucas-nussbaum.net>
To: 449149-done@bugs.debian.org
Subject: ircii-pana has been removed from Debian, closing #449149
Date: Sun, 13 Apr 2008 23:16:00 +0200
Version: 1:1.1-5+rm

The ircii-pana package has been removed from Debian testing, unstable and
experimental, so I am now closing the bugs that were still open
against it.

For more information about this package's removal, read
http://bugs.debian.org/451373 . That bug might give the reasons why
this package was removed, and suggestions of possible replacements.

Don't hesitate to reply to this mail if you have any questions.

Thank you for your contribution to Debian.
-- 
Lucas




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 11 Aug 2008 07:50:44 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 12:22:35 2025; Machine Name: buxtehude
