Report forwarded to debian-bugs-dist@lists.debian.org, William Vera <billy@billy.com.mx>: Bug#449149; Package ircii-pana.
Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to William Vera <billy@billy.com.mx>.
Package: ircii-pana
Version: 1:1.1-1
Severity: important
Tags: security
While looking into #443544 I stumbled upon another security issue in ircii-pana,
in bitchx's hostname command.
The e_hostname function (commands.c) uses tmpnam, which is known to be insecure,
to create a temporary file.
From commands.c:

2620         char filename[81];
2621         char comm[200];
2622         FILE *fptr;
2623         char *p = NULL, *q;
[...]
2635         tmpnam(filename);
2636 #if defined(_BSDI_VERSION) && _BSDI_VERSION < 199701
2637         if (!(p = path_search("netstat", "/sbin:/usr/sbin:/bin:/usr/bin")))
2638         {
2639                 yell("No Netstat to be found");
2640                 return;
2641         }
2642         sprintf(comm, "%s -in >%s", p, filename);
2643 #elif defined(__EMX__)
2644         sprintf(comm, "netstat -a > %s", filename);
2645 #else
2646         if (!(p = path_search("ifconfig", "/sbin:/usr/sbin:/bin:/usr/bin")))
2647         {
2648                 yell("Can't find ifconfig");
2649                 return;
2650         }
2651         sprintf(comm, "%s -a >%s", p, filename);
2652 #endif
2653         system(comm);

This code creates a "unique" file name in line 2635 using the insecure tmpnam
function, copies a netstat command which redirects its output to filename into
the comm buffer and then executes comm with system in line 2653.
This would enable local users to overwrite arbitrary files of the user running
bitchx and invoking the hostname command via a symlink attack.
We really should remove bitchx; the code is really bad and it seems to be unmaintained
upstream.
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
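
Added example, not part of the original report or of the BitchX source: one way to capture a helper command's output without tmpnam or a shell redirect to a named file. mkstemp creates and opens the file atomically (O_CREAT|O_EXCL, mode 0600) and the child writes through the inherited descriptor; the function name capture_output and the /tmp template are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Hypothetical helper, not BitchX code. Runs argv[0] with stdout sent to a
 * mkstemp() file and copies up to outlen-1 bytes of its output into out.
 * Returns the number of bytes captured, or -1 on any error. */
ssize_t capture_output(char *const argv[], char *out, size_t outlen)
{
    char path[] = "/tmp/hostname.XXXXXX";  /* template name is an assumption */
    int fd = outlen ? mkstemp(path) : -1;  /* fails if the name already exists */
    if (fd < 0)
        return -1;
    unlink(path);                          /* only the descriptor is used now */
    pid_t pid = fork();
    if (pid < 0) {
        close(fd);
        return -1;
    }
    if (pid == 0) {                        /* child: stdout -> temp file */
        if (dup2(fd, STDOUT_FILENO) < 0)
            _exit(127);
        close(fd);
        execvp(argv[0], argv);             /* no shell, no command string */
        _exit(127);
    }
    int status;
    ssize_t n = -1;
    if (waitpid(pid, &status, 0) == pid && WIFEXITED(status) &&
        WEXITSTATUS(status) == 0 && lseek(fd, 0, SEEK_SET) == 0)
        n = read(fd, out, outlen - 1);     /* offset is shared with the child */
    close(fd);
    if (n < 0)
        return -1;
    out[n] = '\0';
    return n;
}

int main(void)
{
    char buf[256];
    char *const cmd[] = { "echo", "constructed sample output", NULL };
    return capture_output(cmd, buf, sizeof buf) > 0 && fputs(buf, stdout) >= 0 ? 0 : 1;
}
```

In e_hostname the argument vector would be built from the path returned by path_search (p) and "-a" instead of the sprintf/system pair.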
Changed Bug title to `ircii-pana: CVE-2007-5839 insecure temporary file creation' from `insecure temporary file creation'.
Request was from Nico Golde <nion@debian.org>
to control@bugs.debian.org.
(Tue, 06 Nov 2007 22:27:04 GMT)
Reply sent to Lucas Nussbaum <lucas@lucas-nussbaum.net>:
You have taken responsibility.
Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer.
Subject: ircii-pana has been removed from Debian, closing #449149
Date: Sun, 13 Apr 2008 23:16:00 +0200
Version: 1:1.1-5+rm
The ircii-pana package has been removed from Debian testing, unstable and
experimental, so I am now closing the bugs that were still open
against it.
For more information about this package's removal, read
http://bugs.debian.org/451373 . That bug might give the reasons why
this package was removed, and suggestions of possible replacements.
Don't hesitate to reply to this mail if you have any questions.
Thank you for your contribution to Debian.
--
Lucas
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 11 Aug 2008 07:50:44 GMT)