Debian Bug report logs - #476588
possible symlink attack and arbitrary code execution


Package: aptlinex; Maintainer for aptlinex is José L. Redrejo Rodríguez <jredrejo@debian.org>;

Reported by: Nico Golde <nion@debian.org>

Date: Thu, 17 Apr 2008 19:27:01 UTC

Severity: grave

Tags: security

Fixed in version aptlinex/0.91-1

Done: jredrejo@debian.org (José L. Redrejo Rodríguez)

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, jredrejo@debian.org (José L. Redrejo Rodríguez):
Bug#476588; Package aptlinex. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to jredrejo@debian.org (José L. Redrejo Rodríguez). Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: [aptlinex] aptlinex
Date: Thu, 17 Apr 2008 21:23:24 +0200
[Message part 1 (text/plain, inline)]
Package: aptlinex
Severity: normal
Tags: security

Hi,
looking at the code of aptlinex because of #476572 I 
stumbled over another security issue:

Insecure temporary file usage in ModMain.module:
 90   IF User.Name <> "root" THEN
 91     'EXEC [graphicalSu(), "gambas-apt.gambas", User.Name, Buf] WAIT
 92     PRINT graphicalSu() & " gambas-apt.gambas " & user.Name & " " & Buf
 93     SHELL graphicalSu() & " gambas-apt.gambas " & user.Name & " " & Buf WAIT
 94     IF Exist("/tmp/gambas-apt-exec") THEN sExec = File.Load("/tmp/gambas-apt-exec")
 95     TRY EXEC [sExec] WAIT
 96     RETURN
 97   END IF
 98 
 99   TRY File.Save("/tmp/gambas-apt.lock", Application.Id)

Adding a symlink /tmp/gambas-apt.lock -> some important file, an attacker could
overwrite any file on the system with the process id of aptlinex since this process
runs as root.

The code before that looks like this would load gambas code from a file called /tmp/gambas-apt-exec
and then execute it, but I am not sure because I have no real idea about gambas.

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Changed Bug title to `aptlinex: insecure tmp file usage' from `[aptlinex] aptlinex'. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Thu, 17 Apr 2008 19:30:04 GMT) Full text and rfc822 format available.

Severity set to `grave' from `normal' Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Thu, 17 Apr 2008 19:30:05 GMT) Full text and rfc822 format available.

Reply sent to jredrejo@debian.org (José L. Redrejo Rodríguez):
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #14 received at 476588-close@bugs.debian.org (full text, mbox):

From: jredrejo@debian.org (José L. Redrejo Rodríguez)
To: 476588-close@bugs.debian.org
Subject: Bug#476588: fixed in aptlinex 0.91-1
Date: Sat, 19 Apr 2008 12:47:02 +0000
Source: aptlinex
Source-Version: 0.91-1

We believe that the bug you reported is fixed in the latest version of
aptlinex, which is due to be installed in the Debian FTP archive:

aptlinex_0.91-1.diff.gz
  to pool/main/a/aptlinex/aptlinex_0.91-1.diff.gz
aptlinex_0.91-1.dsc
  to pool/main/a/aptlinex/aptlinex_0.91-1.dsc
aptlinex_0.91-1_all.deb
  to pool/main/a/aptlinex/aptlinex_0.91-1_all.deb
aptlinex_0.91.orig.tar.gz
  to pool/main/a/aptlinex/aptlinex_0.91.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 476588@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
José L. Redrejo Rodríguez <jredrejo@debian.org> (supplier of updated aptlinex package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 19 Apr 2008 14:27:58 +0200
Source: aptlinex
Binary: aptlinex
Architecture: source all
Version: 0.91-1
Distribution: unstable
Urgency: high
Maintainer: José L. Redrejo Rodríguez <jredrejo@debian.org>
Changed-By: José L. Redrejo Rodríguez <jredrejo@debian.org>
Description: 
 aptlinex   - Web browser addon to install Debian packages with a click
Closes: 476572 476588 476590
Changes: 
 aptlinex (0.91-1) unstable; urgency=high
 .
   * New upstream release to fix several security bugs:
   * Check if the package really exists before acting (Closes: #476572)
   * Always uses Temp$() when creating temp files (Closes: #476588)
   * It does not use lock files anymore
   * Now apt:foo uris are also accepted (Closes: #476590)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFICedqmqVR2WapDeIRAqpiAJ4wrq4VVVzgQaj6MpEs3gdi8qWkPgCfXZ8U
rSSgBgLQpVceqiF41bvsCcw=
=hWQx
-----END PGP SIGNATURE-----
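
The two file-handling patterns at issue in this report, as an added example in Python (not aptlinex's Gambas code): a write to a fixed, predictable name follows a pre-planted symlink, while an exclusive create or a uniquely named temp file does not. `mkstemp` stands in for the `Temp$()` call named in the changelog; the sandbox directory and file names are constructed so that nothing outside it is touched.

```python
import os
import stat
import tempfile

def save_fixed_name(path, data):
    # Pattern from the report: plain write to a predictable name, symlinks followed.
    with open(path, "w") as fh:
        fh.write(data)

def save_exclusive(path, data):
    # O_EXCL fails if anything (even a dangling symlink) already has this name;
    # O_NOFOLLOW states the intent explicitly. 0o600 keeps other users out.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)

def save_private_temp(data, directory):
    # mkstemp picks an unpredictable name and creates it with O_EXCL, mode 0600.
    fd, path = tempfile.mkstemp(prefix="gambas-apt-", dir=directory)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return path

def _read(path):
    with open(path) as fh:
        return fh.read()

def demo():
    out = {}
    with tempfile.TemporaryDirectory() as sandbox:        # private stand-in for /tmp
        target = os.path.join(sandbox, "important.conf")  # constructed victim file
        lock = os.path.join(sandbox, "gambas-apt.lock")   # fixed name, pre-planted
        save_fixed_name(target, "original\n")
        os.symlink(target, lock)

        save_fixed_name(lock, "12345")                    # write lands in the target
        out["fixed_name_clobbered"] = _read(target) == "12345"

        save_fixed_name(target, "original\n")             # reset the victim file
        try:
            save_exclusive(lock, "12345")
            out["exclusive_refused"] = False
        except FileExistsError:
            out["exclusive_refused"] = True
        out["target_intact"] = _read(target) == "original\n"

        st = os.lstat(save_private_temp("12345", sandbox))
        out["temp_regular_0600"] = (stat.S_ISREG(st.st_mode)
                                    and stat.S_IMODE(st.st_mode) == 0o600)
    return out
```

Calling `demo()` returns a dict of four booleans; the exclusive create raises `FileExistsError` rather than writing through the link.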





Information forwarded to debian-bugs-dist@lists.debian.org, jredrejo@debian.org (José L. Redrejo Rodríguez):
Bug#476588; Package aptlinex. Full text and rfc822 format available.

Acknowledgement sent to José "L. Redrejo" Rodríguez <jredrejo@edu.juntaextremadura.net>:
Extra info received and forwarded to list. Copy sent to jredrejo@debian.org (José L. Redrejo Rodríguez). Full text and rfc822 format available.

Message #19 received at submit@bugs.debian.org (full text, mbox):

From: José "L. Redrejo" Rodríguez <jredrejo@edu.juntaextremadura.net>
To: Nico Golde <nion@debian.org>, 476588@bugs.debian.org
Cc: submit@bugs.debian.org
Subject: Re: Bug#476588: [aptlinex] aptlinex
Date: Sat, 19 Apr 2008 15:17:18 +0200
[Message part 1 (text/plain, inline)]
This mail is just to confirm the second bug that Nico discovered,
executing code from a file called /tmp/gambas-apt-exec.

There was not a bug number on Debian for this issue, but it has also
been fixed in the same upload that fixed #476588.

Regards.
José L.

On Thu, 17-04-2008 at 21:23 +0200, Nico Golde wrote:
> Package: aptlinex
> Severity: normal
> Tags: security
> 
> Hi,
> looking at the code of aptlinex because of #476572 I 
> stumbled over another security issue:
> 
> Insecure temporary file usage in ModMain.module:
>  90   IF User.Name <> "root" THEN
>  91     'EXEC [graphicalSu(), "gambas-apt.gambas", User.Name, Buf] WAIT
>  92     PRINT graphicalSu() & " gambas-apt.gambas " & user.Name & " " & Buf
>  93     SHELL graphicalSu() & " gambas-apt.gambas " & user.Name & " " & Buf WAIT
>  94     IF Exist("/tmp/gambas-apt-exec") THEN sExec = File.Load("/tmp/gambas-apt-exec")
>  95     TRY EXEC [sExec] WAIT
>  96     RETURN
>  97   END IF
>  98 
>  99   TRY File.Save("/tmp/gambas-apt.lock", Application.Id)
> 
> Adding a symlink /tmp/gambas-apt.lock -> some important file, an attacker could
> overwrite any file on the system with the process id of aptlinex since this process
> runs as root.
> 
> The code before that looks like this would load gambas code from a file called /tmp/gambas-apt-exec
> and then execute it, but I am not sure because I have no real idea about gambas.
> 
> Kind regards
> Nico
> 
[signature.asc (application/pgp-signature, inline)]

Changed Bug title to `possible symlink attack and arbitrary code execution' from `aptlinex: insecure tmp file usage'. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Sat, 19 Apr 2008 14:21:05 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, jredrejo@debian.org (José L. Redrejo Rodríguez):
Bug#476588; Package aptlinex. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to jredrejo@debian.org (José L. Redrejo Rodríguez). Full text and rfc822 format available.

Message #31 received at 476588@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 476588@bugs.debian.org
Subject: CVE id assigned
Date: Tue, 22 Apr 2008 13:18:50 +0200
[Message part 1 (text/plain, inline)]
Hi,
CVE-2008-1901 was assigned to this.

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 21 May 2008 07:43:39 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 19:26:04 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.