Debian Bug report logs - #488140
checkinstall: Unsafe temp dir creation

version graph

Package: checkinstall; Maintainer for checkinstall is Stephen Gelman <ssgelm@debian.org>; Source for checkinstall is src:checkinstall (PTS, buildd, popcon).

Reported by: Felipe Sateler <fsateler@gmail.com>

Date: Thu, 26 Jun 2008 17:18:09 UTC

Severity: grave

Tags: patch, security

Found in version checkinstall/1.6.1-6

Fixed in version 1.6.1-7

Done: Felipe Sateler <fsateler@gmail.com>

Bug is archived. No further changes may be made.

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>:
Bug#488140; Package checkinstall. (full text, mbox, link).


Acknowledgement sent to Felipe Sateler <fsateler@gmail.com>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>. (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Felipe Sateler <fsateler@gmail.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: checkinstall: Unsafe temp dir creation
Date: Thu, 26 Jun 2008 13:12:00 -0400
[Message part 1 (text/plain, inline)]
Package: checkinstall
Version: 1.6.1-6
Severity: grave
Tags: security patch
Justification: user security hole

*** Please type ddyour report below this line ***
Checkinstall (and installwatch) create temporary directories manually
instead of using mktemp, which creates a race condition.

The attached patch changes these into calls to mktemp, which is secure.

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.25-preempt (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages checkinstall depends on:
ii  dpkg-dev                      1.15.0     Debian package development tools
ii  file                          4.24-2     Determines file type using "magic"
ii  findutils                     4.4.0-2    utilities for finding files--find,
ii  libc6                         2.7-12     GNU C Library: Shared libraries

Versions of packages checkinstall recommends:
ii  make                          3.81-5     The GNU version of the "make" util

-- no debconf information
[tempdir.patch (text/plain, attachment)]

Reply sent to Felipe Sateler <fsateler@gmail.com>:
You have taken responsibility. (full text, mbox, link).


Notification sent to Felipe Sateler <fsateler@gmail.com>:
Bug acknowledged by developer. (full text, mbox, link).


Message #10 received at 488140-done@bugs.debian.org (full text, mbox, reply):

From: Felipe Sateler <fsateler@gmail.com>
To: 488140-done@bugs.debian.org
Subject: Re: checkinstall: Unsafe temp dir creation
Date: Thu, 26 Jun 2008 16:36:10 -0400
[Message part 1 (text/plain, inline)]
Version: 1.6.1-7

The patch was applied on version 1.6.1-7.


Saludos,
Felipe Sateler
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Felipe Sateler <fsateler@gmail.com>:
Bug#488140; Package checkinstall. (full text, mbox, link).


Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Extra info received and forwarded to list. Copy sent to Felipe Sateler <fsateler@gmail.com>. (full text, mbox, link).


Message #15 received at 488140@bugs.debian.org (full text, mbox, reply):

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: 488140@bugs.debian.org
Subject: CVE id
Date: Wed, 2 Jul 2008 10:17:21 +0200
[Message part 1 (text/plain, inline)]
Hi

Just as a reference and to inform you, this issue got CVE-2008-2958 assigned.

======================================================
Name: CVE-2008-2958
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2958
Reference: 
MISC:http://lists.alioth.debian.org/pipermail/secure-testing-team/2008-June/001672.html
Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=488140
Reference: SECUNIA:30873
Reference: URL:http://secunia.com/advisories/30873
Reference: XF:checkinstall-multiple-symlink(43440)
Reference: URL:http://xforce.iss.net/xforce/xfdb/43440

Race condition in (1) checkinstall 1.6.1 and (2) installwatch allows
local users to overwrite arbitrary files and have other impacts via
symlink and possibly other attacks on temporary working directories.
[signature.asc (application/pgp-signature, inline)]

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 31 Jul 2008 07:32:07 GMT) (full text, mbox, link).


Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 02:26:12 2025; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU General Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.