Debian Bug report logs - #463907
Creates tempfiles in a unsafe way


Package: wml; Maintainer for wml is Debian WML Packaging Team <pkg-wml-maintainers@lists.alioth.debian.org>; Source for wml is src:wml.

Reported by: Frank Lichtenheld <djpig@debian.org>

Date: Mon, 4 Feb 2008 04:54:01 UTC

Severity: grave

Tags: confirmed, patch, security

Found in version wml/2.0.11-1

Fixed in versions wml/2.0.11-3.1, wml/2.0.11-1etch1

Done: Frank Lichtenheld <djpig@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Felipe Augusto van de Wiel (faw) <faw@debian.org>:
Bug#463907; Package wml. Full text and rfc822 format available.

Acknowledgement sent to Frank Lichtenheld <djpig@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Felipe Augusto van de Wiel (faw) <faw@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Frank Lichtenheld <djpig@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Creates tempfiles in a unsafe way
Date: Mon, 04 Feb 2008 05:53:47 +0100
Package: wml
Version: 2.0.11-1
Severity: serious
Tags: security

The following code in wml_backend/p1_ipp/ipp.src is obviously unsafe
(and actually causing practical problems during the Debian website
build):

$tmpdir = $ENV{'TMPDIR'} || '/tmp';
$tmpfile = $tmpdir . "/ipp.$$.tmp";
unlink($tmpfile);
$tmp = new IO::File;
$tmp->open(">$tmpfile") || error("cannot write into $tmpfile: $!");

Sadly enough this was fixed by the former maintainer for sarge but
apparently got lost when the new upstream was packaged for etch. See
the following code in sarge's version:

my $tmpldir = ($ENV{'TMPDIR'} || '/tmp') . '/ipp.XXXXXX';
$tmpdir = mkdtemp($tmpldir) or die "Unable to create temporary directory: $!\n";
$tmpfile = $tmpdir . "/ipp.$$.tmp";
unlink($tmpfile);
$tmp = new IO::File;
$tmp->open(">$tmpfile") || error("cannot write into $tmpfile: $!");

You could probably just use that again.

Gruesse,
	Frank Lichtenheld

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (900, 'unstable'), (900, 'testing'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.23-1-686 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages wml depends on:
ii  eperl                     2.2.14-15      Embedded Perl 5 Language
ii  iselect                   1.3.1-3        An interactive line selection tool
ii  libbit-vector-perl        6.4-7          Perl and C library for bit vectors
ii  libc6                     2.7-6          GNU C Library: Shared libraries
ii  libimage-size-perl        3.1-3          determine the size of images in se
ii  libpng12-0                1.2.15~beta5-3 PNG library - runtime
ii  libterm-readkey-perl      2.30-3         A perl module for simple terminal 
ii  m4                        1.4.10-1       a macro processing language
ii  mp4h                      1.3.1-4        Macro processor for HTML documents
ii  perl                      5.8.8-12       Larry Wall's Practical Extraction 
ii  perl-base [perlapi-5.8.8] 5.8.8-12       The Pathologically Eclectic Rubbis
ii  slice                     1.3.8-9        Extract out pre-defined slices of 

Versions of packages wml recommends:
ii  libhtml-clean-perl         0.8-10        Cleans up HTML code for web browse
ii  linklint                   2.3.5-5       A fast link checker and web site m
ii  tidy                       20080116cvs-2 HTML syntax checker and reformatte
ii  txt2html                   2.50-2        Text to HTML converter

-- no debconf information




Information forwarded to debian-bugs-dist@lists.debian.org, Felipe Augusto van de Wiel (faw) <faw@debian.org>:
Bug#463907; Package wml. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Felipe Augusto van de Wiel (faw) <faw@debian.org>. Full text and rfc822 format available.

Message #10 received at 463907@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 463907@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#463907: Creates tempfiles in a unsafe way
Date: Mon, 4 Feb 2008 13:16:11 +0100
[Message part 1 (text/plain, inline)]
severity 463907 grave
thanks

Hi,
* Frank Lichtenheld <djpig@debian.org> [2008-02-04 12:56]:
> Package: wml
> Version: 2.0.11-1
> Severity: serious
> Tags: security
> 
> The following code in wml_backend/p1_ipp/ipp.src is obviously unsafe
> (and actually causing practical problems during the Debian website
> build):
> 
> $tmpdir = $ENV{'TMPDIR'} || '/tmp';
> $tmpfile = $tmpdir . "/ipp.$$.tmp";
> unlink($tmpfile);
> $tmp = new IO::File;
> $tmp->open(">$tmpfile") || error("cannot write into $tmpfile: $!");
[...] 

Thanks I confirmed this, a CVE id is pending.
Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Severity set to `grave' from `serious' Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Mon, 04 Feb 2008 12:21:04 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Felipe Augusto van de Wiel (faw) <faw@debian.org>:
Bug#463907; Package wml. Full text and rfc822 format available.

Acknowledgement sent to "Felipe Augusto van de Wiel (faw)" <faw@debian.org>:
Extra info received and forwarded to list. Copy sent to Felipe Augusto van de Wiel (faw) <faw@debian.org>. Full text and rfc822 format available.

Message #17 received at 463907@bugs.debian.org (full text, mbox):

From: "Felipe Augusto van de Wiel (faw)" <faw@debian.org>
To: Nico Golde <nion@debian.org>, 463907@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#463907: Creates tempfiles in a unsafe way
Date: Wed, 06 Feb 2008 15:17:35 -0200
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

tags 463907 + confirmed
thanks

On 04-02-2008 10:16, Nico Golde wrote:
> * Frank Lichtenheld <djpig@debian.org> [2008-02-04 12:56]:
>> Package: wml
>> Version: 2.0.11-1
>> Severity: serious
>> Tags: security
>>
>> The following code in wml_backend/p1_ipp/ipp.src is obviously unsafe
>> (and actually causing practical problems during the Debian website
>> build):
>>
>> $tmpdir = $ENV{'TMPDIR'} || '/tmp';
>> $tmpfile = $tmpdir . "/ipp.$$.tmp";
>> unlink($tmpfile);
>> $tmp = new IO::File;
>> $tmp->open(">$tmpfile") || error("cannot write into $tmpfile: $!");
> [...] 
> 
> Thanks I confirmed this, a CVE id is pending.
> Kind regards
> Nico

	Just for the record, there is a new version of wml that
should be packaged, I will take care to properly keep this fix
if it is not present upstream. Would you like me to prepare a
package to fix this? Or should I wait for Debian Security Team?
I'm OK with a NMU.

	As soon as possible, I will work on the new package and
also to clean up the BTS for wml. Sorry for the delay.

Kind regards,
- --
Felipe Augusto van de Wiel (faw)
"Debian. Freedom to code. Code to freedom!"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHqeuvCjAO0JDlykYRAu8dAJsHOipcdRwmkEZrSEWbwCUa8sIufACeMHXT
jbRk9HEtScmQCp7Ucru89TM=
=ScIt
-----END PGP SIGNATURE-----




Tags added: confirmed Request was from "Felipe Augusto van de Wiel (faw)" <faw@debian.org> to control@bugs.debian.org. (Wed, 06 Feb 2008 17:15:03 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Felipe Augusto van de Wiel (faw) <faw@debian.org>:
Bug#463907; Package wml. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Felipe Augusto van de Wiel (faw) <faw@debian.org>. Full text and rfc822 format available.

Message #24 received at 463907@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: "Felipe Augusto van de Wiel (faw)" <faw@debian.org>, 463907@bugs.debian.org
Subject: Re: Bug#463907: Creates tempfiles in a unsafe way
Date: Wed, 6 Feb 2008 21:29:18 +0100
[Message part 1 (text/plain, inline)]
Hi Felipe,
* Felipe Augusto van de Wiel (faw) <faw@debian.org> [2008-02-06 18:26]:
> On 04-02-2008 10:16, Nico Golde wrote:
> > * Frank Lichtenheld <djpig@debian.org> [2008-02-04 12:56]:
[...] 
> >> $tmpdir = $ENV{'TMPDIR'} || '/tmp';
> >> $tmpfile = $tmpdir . "/ipp.$$.tmp";
> >> unlink($tmpfile);
> >> $tmp = new IO::File;
> >> $tmp->open(">$tmpfile") || error("cannot write into $tmpfile: $!");
> > [...] 
> > 
> > Thanks I confirmed this, a CVE id is pending.

I tried to catch you up in #debian-security but you didn't 
join for some days :)

> 	Just for the record, there is a new version of wml that
> should be packaged, I will take care to properly keep this fix
> if it is not present upstream. Would you like me to prepare a
> package to fix this? Or should I wait for Debian Security Team?
> I'm OK with a NMU.

If you can upload a fix before tomorrow do it, otherwise 
I'll take care of this tomorrow.

> 	As soon as possible, I will work on the new package and
> also to clean up the BTS for wml. Sorry for the delay.

No problem :)
Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Felipe Augusto van de Wiel (faw) <faw@debian.org>:
Bug#463907; Package wml. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Felipe Augusto van de Wiel (faw) <faw@debian.org>. Full text and rfc822 format available.

Message #29 received at 463907@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 463907@bugs.debian.org
Subject: Re: Creates tempfiles in a unsafe way
Date: Thu, 7 Feb 2008 12:00:54 +0100
[Message part 1 (text/plain, inline)]
Hi,
I found a similar issue in wml_contrib/wmg.cgi which we also install in our
package:

$tmpfile = "/tmp/pe.tmp.$$";
unlink($tmpfile);
open(TMP, ">$tmpfile");
print TMP $contents;
close(TMP);
open(TMP, "<$tmpfile");
$tmpimg = newFromGif GD::Image(TMP);
close(TMP);
unlink($tmpfile);

And one in wml_backend/p3_eperl/eperl_sys.c:
char *mytmpfile(char *id)
{
    char ca[1024];
    char *cp, *tmpdir;
    int i;

    tmpdir = getenv ("TMPDIR");
    if (tmpdir == (char *) NULL)
        tmpdir="/tmp";

    snprintf(ca, sizeof(ca), "%s/%s.%d.tmp%d", tmpdir, id, (int)getpid(), mytmpfilecnt++);
    ca[sizeof(ca)-1] = NUL;
    cp = strdup(ca);
    for (i = 0; mytmpfiles[i] != NULL; i++)
        ;
    mytmpfiles[i++] = cp;
    mytmpfiles[i] = NULL;
    return cp;
}

I am going to fix this using mkstemp, however the fix won't
be race free because ideally you also have to open the
file via the file descriptor returned by mkstemp to ensure
that the file did not change. For this I would need to completely
change the function and I don't want to do such an intrusive change.
However this is not a big issue and more theoretical but should be
fixed by upstream later.

I am going to fix this as well.

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]
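
The mkstemp point from the message above, as an added example that is not part of the thread or of the wml patch: it writes a scratch file by predictable name, by predictable name with O_EXCL, and through the descriptor mkstemp returns, then reports what happened to a file that a pre-existing symlink pointed at. The function names, the `ipp` id and the sandbox directory under /tmp are assumptions made for the example.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* mkstemp(), mkdtemp(), symlink() */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum { BY_NAME, BY_NAME_EXCL, BY_MKSTEMP };

/* Naming scheme of ipp.src in the report: directory, id and PID. */
static void predictable_name(char *buf, size_t len, const char *dir, const char *id)
{
    snprintf(buf, len, "%s/%s.%d.tmp", dir, id, (int)getpid());
}

/* Create a scratch file in `dir` and write `data` to it. Stores the path
 * that was used in `path`; returns 0 on success, -1 on error. */
int write_scratch(int how, const char *dir, const char *id,
                  const char *data, char *path, size_t len)
{
    size_t want = strlen(data);
    ssize_t got;
    int fd;

    if (how == BY_MKSTEMP) {
        /* mkstemp() picks the name and creates the file in one step
         * (O_CREAT|O_EXCL, mode 0600). The data goes through the returned
         * descriptor, so the name is never opened a second time. */
        if ((size_t)snprintf(path, len, "%s/%s.XXXXXX", dir, id) >= len)
            return -1;
        fd = mkstemp(path);
    } else {
        predictable_name(path, len, dir, id);
        /* Without O_EXCL, open() follows whatever already sits at the path,
         * symbolic links included. With O_EXCL it fails with EEXIST. */
        fd = open(path, how == BY_NAME_EXCL ? O_WRONLY | O_CREAT | O_EXCL
                                            : O_WRONLY | O_CREAT | O_TRUNC, 0600);
    }
    if (fd < 0)
        return -1;
    got = write(fd, data, want);
    close(fd);
    return got == (ssize_t)want ? 0 : -1;
}

/* Constructed scenario, confined to a private directory from mkdtemp(): a
 * symlink to `victim` (4 bytes) already occupies the predictable name.
 * Returns the size of `victim` after write_scratch(), -1 on setup error. */
long victim_size_after(int how)
{
    char box[] = "/tmp/scratchdemo.XXXXXX";
    char victim[128], planted[128], path[128] = "";
    struct stat st;
    long size = -1;
    int fd;

    if (mkdtemp(box) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", box);
    predictable_name(planted, sizeof planted, box, "ipp");
    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd >= 0) {
        int ready = write(fd, "keep", 4) == 4 && symlink(victim, planted) == 0;
        close(fd);
        if (ready) {
            write_scratch(how, box, "ipp", "scratch data", path, sizeof path);
            if (stat(victim, &st) == 0)
                size = (long)st.st_size;
        }
    }
    unlink(path);      /* file made by mkstemp(), or the planted link */
    unlink(planted);
    unlink(victim);
    rmdir(box);
    return size;
}

int main(void)
{
    printf("victim size: by name %ld, O_EXCL %ld, mkstemp %ld\n",
           victim_size_after(BY_NAME), victim_size_after(BY_NAME_EXCL),
           victim_size_after(BY_MKSTEMP));
    return 0;
}
```

A size other than 4 means the write went through the link into the other file; code that gets a name back from mkstemp and opens it again later is back in the by-name case for that second open.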

Information forwarded to debian-bugs-dist@lists.debian.org, Felipe Augusto van de Wiel (faw) <faw@debian.org>:
Bug#463907; Package wml. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Felipe Augusto van de Wiel (faw) <faw@debian.org>. Full text and rfc822 format available.

Message #34 received at 463907@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 463907@bugs.debian.org
Subject: intent to NMU
Date: Thu, 7 Feb 2008 14:41:43 +0100
[Message part 1 (text/plain, inline)]
Hi,
attached is a patch that fixes the mentioned issues.

It will be also archived on:
http://people.debian.org/~nion/nmu-diff/wml-2.0.11-3_2.0.11-3.1.patch

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[wml-2.0.11-3_2.0.11-3.1.patch (text/x-diff, attachment)]
[Message part 3 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Felipe Augusto van de Wiel (faw) <faw@debian.org>:
Bug#463907; Package wml. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Felipe Augusto van de Wiel (faw) <faw@debian.org>. Full text and rfc822 format available.

Message #39 received at 463907@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 463907@bugs.debian.org
Subject: Re: Creates tempfiles in a unsafe way
Date: Thu, 7 Feb 2008 19:26:33 +0100
[Message part 1 (text/plain, inline)]
Hi,
attached is an updated patch which I will upload as a 0-day 
NMU with permission of the maintainer.
Many thanks to Frank for his input!

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[wml-2.0.11-3_2.0.11-3.1.patch (text/x-diff, attachment)]
[Message part 3 (application/pgp-signature, inline)]

Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Frank Lichtenheld <djpig@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #44 received at 463907-close@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 463907-close@bugs.debian.org
Subject: Bug#463907: fixed in wml 2.0.11-3.1
Date: Thu, 07 Feb 2008 19:17:05 +0000
Source: wml
Source-Version: 2.0.11-3.1

We believe that the bug you reported is fixed in the latest version of
wml, which is due to be installed in the Debian FTP archive:

wml_2.0.11-3.1.diff.gz
  to pool/main/w/wml/wml_2.0.11-3.1.diff.gz
wml_2.0.11-3.1.dsc
  to pool/main/w/wml/wml_2.0.11-3.1.dsc
wml_2.0.11-3.1_i386.deb
  to pool/main/w/wml/wml_2.0.11-3.1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 463907@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated wml package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 07 Feb 2008 12:01:43 +0100
Source: wml
Binary: wml
Architecture: source i386
Version: 2.0.11-3.1
Distribution: unstable
Urgency: high
Maintainer: Felipe Augusto van de Wiel (faw) <faw@debian.org>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 wml        - off-line HTML generation toolkit
Closes: 463907
Changes: 
 wml (2.0.11-3.1) unstable; urgency=high
 .
   * Non-maintainer upload by security team.
   * Fix insecure temporary file creations in eperl and ipp
     backends and a similar issue in the wmg.cgi contrib file
     leading to possible symlink attacks.
     If you already use wmg.cgi please update your copy (Closes: #463907).
Files: 
 0001104f9f320183a90ac97b61754797 623 web optional wml_2.0.11-3.1.dsc
 ddde9afc6b85dd4a2c6320bc851a77af 63122 web optional wml_2.0.11-3.1.diff.gz
 4aa71d0ea89861e2ab0c03e4ef3a96ee 449164 web optional wml_2.0.11-3.1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHq033HYflSXNkfP8RAoKuAJ4r2/jJsn+kV81N6CVpagEFlVjQ3QCcDhSj
P1HxwVxC8mEvOqweOyHlexo=
=nRfv
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, Felipe Augusto van de Wiel (faw) <faw@debian.org>:
Bug#463907; Package wml. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Felipe Augusto van de Wiel (faw) <faw@debian.org>. Full text and rfc822 format available.

Message #49 received at 463907@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 463907@bugs.debian.org
Cc: control@bugs.debian.org
Subject: intent to NMU
Date: Thu, 7 Feb 2008 22:19:03 +0100
[Message part 1 (text/plain, inline)]
tags 463907 + patch
thanks

Hi,
attached is an NMU that fixes the mentioned security issue.
It will be also archived on:
http://people.debian.org/~nion/nmu-diff/netpbm-free-10.0-11_10.0-11.1.patch

I am going to upload this as 0-day NMU with the maintainer's 
permission.

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[netpbm-free-10.0-11_10.0-11.1.patch (text/x-diff, attachment)]
[Message part 3 (application/pgp-signature, inline)]

Tags added: patch Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Thu, 07 Feb 2008 21:21:41 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Felipe Augusto van de Wiel (faw) <faw@debian.org>:
Bug#463907; Package wml. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Felipe Augusto van de Wiel (faw) <faw@debian.org>. Full text and rfc822 format available.

Message #56 received at 463907@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 463907@bugs.debian.org
Subject: Re: Creates tempfiles in a unsafe way
Date: Fri, 8 Feb 2008 09:31:33 +0100
[Message part 1 (text/plain, inline)]
Hi,
the first issue got CVE id CVE-2008-0665 and the other 
issues got CVE-2008-0666.

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Felipe Augusto van de Wiel (faw) <faw@debian.org>:
Bug#463907; Package wml. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Felipe Augusto van de Wiel (faw) <faw@debian.org>. Full text and rfc822 format available.

Message #61 received at 463907@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 463907@bugs.debian.org
Subject: Re: intent to NMU
Date: Fri, 8 Feb 2008 13:19:39 +0100
[Message part 1 (text/plain, inline)]
Args,
ignore the second NMU patch, using bug numbers out of your 
shell history is considered to be a bad idea ;-P

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Reply sent to Frank Lichtenheld <djpig@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Frank Lichtenheld <djpig@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #66 received at 463907-close@bugs.debian.org (full text, mbox):

From: Frank Lichtenheld <djpig@debian.org>
To: 463907-close@bugs.debian.org
Subject: Bug#463907: fixed in wml 2.0.11-1etch1
Date: Fri, 15 Feb 2008 19:52:33 +0000
Source: wml
Source-Version: 2.0.11-1etch1

We believe that the bug you reported is fixed in the latest version of
wml, which is due to be installed in the Debian FTP archive:

wml_2.0.11-1etch1.diff.gz
  to pool/main/w/wml/wml_2.0.11-1etch1.diff.gz
wml_2.0.11-1etch1.dsc
  to pool/main/w/wml/wml_2.0.11-1etch1.dsc
wml_2.0.11-1etch1_i386.deb
  to pool/main/w/wml/wml_2.0.11-1etch1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 463907@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Frank Lichtenheld <djpig@debian.org> (supplier of updated wml package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 08 Feb 2008 23:11:21 +0100
Source: wml
Binary: wml
Architecture: source i386
Version: 2.0.11-1etch1
Distribution: stable-security
Urgency: high
Maintainer: Frank Lichtenheld <djpig@debian.org>
Changed-By: Frank Lichtenheld <djpig@debian.org>
Description: 
 wml        - off-line HTML generation toolkit
Closes: 463907
Changes: 
 wml (2.0.11-1etch1) stable-security; urgency=high
 .
   * Non-maintainer upload by security team.
   * CVE-2008-0665, CVE-2008-0666:
     Fix insecure temporary file creations in eperl and ipp
     backends and a similar issue in the wmg.cgi contrib file
     leading to possible symlink attacks.
     If you already use wmg.cgi please update your copy (Closes: #463907).
     Patch by Nico Golde and Frank Lichtenheld.
   * Add libpng-dev to build-depends since apparently it was previously
     compiled against it.
Files: 
 3c12d2b00552d3db815957c01c73b2cf 656 web optional wml_2.0.11-1etch1.dsc
 3242a88ced8598120cf6aba2bf9f69c4 24577 web optional wml_2.0.11-1etch1.diff.gz
 be10fe25928ce83aadf119d98eb5cd43 451672 web optional wml_2.0.11-1etch1_i386.deb
 a26feebf4e59e9a6940f54c69dde05b5 3115230 web optional wml_2.0.11.orig.tar.gz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHrOyoXm3vHE4uyloRAvQ8AKDnPciCI2DenvjBYj6/LKI+FdovdgCfe4/9
szTGceCOPTAd1rzn6M9VE1E=
=lOZi
-----END PGP SIGNATURE-----





Reply sent to Frank Lichtenheld <djpig@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Frank Lichtenheld <djpig@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #71 received at 463907-close@bugs.debian.org (full text, mbox):

From: Frank Lichtenheld <djpig@debian.org>
To: 463907-close@bugs.debian.org
Subject: Bug#463907: fixed in wml 2.0.11-1etch1
Date: Sat, 16 Feb 2008 12:17:33 +0000
Source: wml
Source-Version: 2.0.11-1etch1


Information forwarded to debian-bugs-dist@lists.debian.org, Felipe Augusto van de Wiel (faw) <faw@debian.org>:
Bug#463907; Package wml. Full text and rfc822 format available.

Acknowledgement sent to Jochen Sprickerhof <jochen@sprickerhof.de>:
Extra info received and forwarded to list. Copy sent to Felipe Augusto van de Wiel (faw) <faw@debian.org>. Full text and rfc822 format available.

Message #76 received at 463907@bugs.debian.org (full text, mbox):

From: Jochen Sprickerhof <jochen@sprickerhof.de>
To: 463907@bugs.debian.org
Cc: Nico Golde <nion@debian.org>
Subject: uncomplete patch of wml-2.0.11/wml_backend/p1_ipp/ipp.src
Date: Thu, 21 Feb 2008 20:33:51 +0100
[Message part 1 (text/plain, inline)]
Hi,

Nico's patch of ipp.src is not complete. It doesn't delete the created
tempdir. The attached one corrects two minor things as well (adapted
from the sarge package). I haven't looked at the changes in eperl_sys.c
but I think there exists a similar problem.

regards,

Jochen

-- 
diesen tag / begehen / wie einen grund / oder wie ein fest
ohne grund zu einem fest / ohne festen grund
     -- Ernst Jandl
[ipp.src.patch (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Felipe Augusto van de Wiel (faw) <faw@debian.org>:
Bug#463907; Package wml. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Felipe Augusto van de Wiel (faw) <faw@debian.org>. Full text and rfc822 format available.

Message #81 received at 463907@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: Jochen Sprickerhof <jochen@sprickerhof.de>, 463907@bugs.debian.org
Subject: Re: Bug#463907: uncomplete patch of wml-2.0.11/wml_backend/p1_ipp/ipp.src
Date: Thu, 21 Feb 2008 20:57:43 +0100
[Message part 1 (text/plain, inline)]
Hi Jochen,
* Jochen Sprickerhof <jochen@sprickerhof.de> [2008-02-21 20:42]:
> Nico's patch of ipp.src is not complete. It doesn't delete the created
> tempdir.

True but calling this an incomplete patch goes a bit too far 
as the security issue itself is fixed. This is a minor bug 
not having any security impact.

> The attached one corrects two minor things as well (adapted
> from the sarge package). I haven't looked at the changes in eperl_sys.c
> but I think there exists a similar problem.

I politely disagree cause all I did was changing the name of 
the tmpfile, nothing more.
Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]
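
The private-directory approach from the sarge code in the first message, together with the cleanup discussed in the two messages above, as an added C example that is not the wml or sarge code: mkdtemp creates a mode-0700 directory, the PID-named file is created inside it, and both are removed afterwards. `struct scratch` and the function names are assumptions made for the example.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* mkdtemp() */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

struct scratch {
    char dir[256];   /* private directory created by mkdtemp() */
    char file[300];  /* file inside it; its name may be predictable */
    int  fd;
};

/* Remove the file, then the directory (rmdir() only succeeds once it is
 * empty). Returns 0 when nothing is left behind. */
int scratch_close(struct scratch *s)
{
    int rc = 0;

    if (s->fd >= 0) { close(s->fd); s->fd = -1; }
    if (s->file[0] != '\0' && unlink(s->file) != 0) rc = -1;
    if (s->dir[0] != '\0' && rmdir(s->dir) != 0) rc = -1;
    return rc;
}

/* Create <TMPDIR or /tmp>/ipp.XXXXXX and a file named after the PID in it. */
int scratch_open(struct scratch *s)
{
    const char *base = getenv("TMPDIR");
    struct stat st;

    s->fd = -1;
    s->file[0] = '\0';
    if (base == NULL || *base == '\0')
        base = "/tmp";
    if ((size_t)snprintf(s->dir, sizeof s->dir, "%s/ipp.XXXXXX", base) >= sizeof s->dir
        || mkdtemp(s->dir) == NULL) {
        s->dir[0] = '\0';
        return -1;
    }
    /* Only the owner can create entries in this directory, so no other
     * user can place a link at the predictable name used below. */
    if (stat(s->dir, &st) == 0 && st.st_uid == geteuid() && (st.st_mode & 077) == 0) {
        snprintf(s->file, sizeof s->file, "%s/ipp.%d.tmp", s->dir, (int)getpid());
        s->fd = open(s->file, O_RDWR | O_CREAT | O_EXCL, 0600);
        if (s->fd >= 0)
            return 0;
    }
    scratch_close(s);
    return -1;
}

/* Self-check: returns 1 when the directory was private while in use and
 * neither the file nor the directory exists after scratch_close(). */
int scratch_roundtrip(void)
{
    struct scratch s;
    struct stat st;
    int private_dir, wrote, removed;

    if (scratch_open(&s) != 0)
        return 0;
    private_dir = stat(s.dir, &st) == 0 && S_ISDIR(st.st_mode)
                  && (st.st_mode & 0777) == 0700;
    wrote = write(s.fd, "data", 4) == 4;
    removed = scratch_close(&s) == 0 && stat(s.dir, &st) != 0;
    return private_dir && wrote && removed;
}

int main(void)
{
    printf("roundtrip ok: %d\n", scratch_roundtrip());
    return 0;
}
```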

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 21 Mar 2008 07:26:43 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 15:21:29 2014; Machine Name: beach.debian.org
