Debian Bug report logs - #449149
ircii-pana: CVE-2007-5839 insecure temporary file creation

Package: ircii-pana; Maintainer for ircii-pana is (unknown);

Reported by: Nico Golde <nion@debian.org>

Date: Sat, 3 Nov 2007 14:48:02 UTC

Severity: important

Tags: security

Found in version 1:1.1-1

Fixed in version 1:1.1-5+rm

Done: Lucas Nussbaum <lucas@lucas-nussbaum.net>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, William Vera <billy@billy.com.mx>:
Bug#449149; Package ircii-pana. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to William Vera <billy@billy.com.mx>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: insecure temporary file creation
Date: Sat, 3 Nov 2007 15:46:02 +0100
[Message part 1 (text/plain, inline)]
Package: ircii-pana
Version: 1:1.1-1
Severity: important
Tags: security

While looking into #443544 I stumbled upon another security issue in ircii-pana
in bitchx' hostname command.
The e_hostname function (commands.c) uses tmpnam to create a temporary file which is
known to be insecure.

From commands.c
2620 char filename[81];
2621 char comm[200];
2622 FILE *fptr;
2623 char *p = NULL, *q;
[...]
2635 tmpnam(filename);
2636 #if defined(_BSDI_VERSION) && _BSDI_VERSION < 199701
2637     if (!(p = path_search("netstat", "/sbin:/usr/sbin:/bin:/usr/bin")))
2638     {
2639         yell("No Netstat to be found");
2640         return;
2641     }
2642     sprintf(comm, "%s -in >%s", p, filename);
2643 #elif defined(__EMX__)
2644 sprintf(comm, "netstat -a > %s", filename);
2645 #else
2646     if (!(p = path_search("ifconfig", "/sbin:/usr/sbin:/bin:/usr/bin")))
2647     {
2648         yell("Can't find ifconfig");
2649         return;
2650     }
2651                 sprintf(comm, "%s -a >%s", p, filename);
2652 #endif
2653     system(comm);

This code creates a "unique" file name in line 2635 using the insecure tmpnam
function, copies a netstat command which redirects its output to filename into
the comm buffer and then executes comm with system in line 2653.

This would enable local users to overwrite arbitrary files of the user running
bitchx and invoking the hostname command via a symlink attack.

We really should remove bitchx, the code is really bad and it seems to be unmaintained
upstream.

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]
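
A hardened form of the pattern described in the report above, as an added example that is not BitchX or Debian code: the temporary file is created atomically with mkstemp() and the helper writes to the open descriptor, so no predictable name is ever opened through a shell redirect. The function name capture_output(), the /tmp template and the /bin/sh test command are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
/* Added example (not BitchX code). capture_output() is a hypothetical name. */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/wait.h>

/* Run argv[0] with stdout sent to a new temp file; tmpl must be writable
 * and end in "XXXXXX". Returns a rewound FILE*, or NULL on any failure. */
FILE *capture_output(char *tmpl, char *const argv[])
{
    /* mkstemp() picks the name and creates it with O_CREAT|O_EXCL, mode
     * 0600, in one step, so a pre-planted symlink is never followed. */
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return NULL;
    unlink(tmpl);              /* the open fd keeps the data; no name stays in /tmp */
    pid_t pid = fork();
    if (pid < 0) { close(fd); return NULL; }
    if (pid == 0) {            /* child: write through the fd, never reopen by name */
        dup2(fd, STDOUT_FILENO);
        close(fd);
        execv(argv[0], argv);  /* no shell, so no ">file" redirect by path */
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) ||
        WEXITSTATUS(status) != 0 || lseek(fd, 0, SEEK_SET) < 0) {
        close(fd);
        return NULL;
    }
    FILE *fp = fdopen(fd, "r");
    if (!fp)
        close(fd);
    return fp;
}

int main(void)
{
    char tmpl[] = "/tmp/hostname-XXXXXX";   /* constructed template */
    char *const argv[] = { "/bin/sh", "-c", "echo constructed-output", NULL };
    char line[128];
    FILE *fp = capture_output(tmpl, argv);
    if (!fp) return 1;
    while (fgets(line, sizeof line, fp))
        fputs(line, stdout);
    fclose(fp);
    return 0;
}
```

In e_hostname the argv would be built from the path_search() result plus "-a" (or "-in"), and the returned FILE* read in place of reopening filename.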

Changed Bug title to `ircii-pana: CVE-2007-5839 insecure temporary file creation' from `insecure temporary file creation'. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Tue, 06 Nov 2007 22:27:04 GMT) Full text and rfc822 format available.

Reply sent to Lucas Nussbaum <lucas@lucas-nussbaum.net>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #12 received at 449149-done@bugs.debian.org (full text, mbox):

From: Lucas Nussbaum <lucas@lucas-nussbaum.net>
To: 449149-done@bugs.debian.org
Subject: ircii-pana has been removed from Debian, closing #449149
Date: Sun, 13 Apr 2008 23:16:00 +0200
Version: 1:1.1-5+rm

The ircii-pana package has been removed from Debian testing, unstable and
experimental, so I am now closing the bugs that were still open
against it.

For more information about this package's removal, read
http://bugs.debian.org/451373 . That bug might give the reasons why
this package was removed, and suggestions of possible replacements.

Don't hesitate to reply to this mail if you have any questions.

Thank you for your contribution to Debian.
-- 
Lucas

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 11 Aug 2008 07:50:44 GMT) Full text and rfc822 format available.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 18:12:41 2014; Machine Name: buxtehude.debian.org
