Debian Bug report logs - #488140
checkinstall: Unsafe temp dir creation

Package: checkinstall; Maintainer for checkinstall is Andreas Noteng <andreas@noteng.no>; Source for checkinstall is src:checkinstall.

Reported by: Felipe Sateler <fsateler@gmail.com>

Date: Thu, 26 Jun 2008 17:18:09 UTC

Severity: grave

Tags: patch, security

Found in version checkinstall/1.6.1-6

Fixed in version 1.6.1-7

Done: Felipe Sateler <fsateler@gmail.com>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>:
Bug#488140; Package checkinstall.

Acknowledgement sent to Felipe Sateler <fsateler@gmail.com>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Felipe Sateler <fsateler@gmail.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: checkinstall: Unsafe temp dir creation
Date: Thu, 26 Jun 2008 13:12:00 -0400
[Message part 1 (text/plain, inline)]
Package: checkinstall
Version: 1.6.1-6
Severity: grave
Tags: security patch
Justification: user security hole

*** Please type your report below this line ***
Checkinstall (and installwatch) create temporary directories manually
instead of using mktemp, which creates a race condition.

The attached patch changes these into calls to mktemp, which is secure.

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.25-preempt (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages checkinstall depends on:
ii  dpkg-dev                      1.15.0     Debian package development tools
ii  file                          4.24-2     Determines file type using "magic"
ii  findutils                     4.4.0-2    utilities for finding files--find,
ii  libc6                         2.7-12     GNU C Library: Shared libraries

Versions of packages checkinstall recommends:
ii  make                          3.81-5     The GNU version of the "make" util

-- no debconf information
[tempdir.patch (text/plain, attachment)]

Reply sent to Felipe Sateler <fsateler@gmail.com>:
You have taken responsibility.

Notification sent to Felipe Sateler <fsateler@gmail.com>:
Bug acknowledged by developer.

Message #10 received at 488140-done@bugs.debian.org (full text, mbox):

From: Felipe Sateler <fsateler@gmail.com>
To: 488140-done@bugs.debian.org
Subject: Re: checkinstall: Unsafe temp dir creation
Date: Thu, 26 Jun 2008 16:36:10 -0400
[Message part 1 (text/plain, inline)]
Version: 1.6.1-7

The patch was applied on version 1.6.1-7.


Saludos,
Felipe Sateler
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Felipe Sateler <fsateler@gmail.com>:
Bug#488140; Package checkinstall.

Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Extra info received and forwarded to list. Copy sent to Felipe Sateler <fsateler@gmail.com>.

Message #15 received at 488140@bugs.debian.org (full text, mbox):

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: 488140@bugs.debian.org
Subject: CVE id
Date: Wed, 2 Jul 2008 10:17:21 +0200
[Message part 1 (text/plain, inline)]
Hi

Just as a reference and to inform you, this issue got CVE-2008-2958 assigned.

======================================================
Name: CVE-2008-2958
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2958
Reference: MISC:http://lists.alioth.debian.org/pipermail/secure-testing-team/2008-June/001672.html
Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=488140
Reference: SECUNIA:30873
Reference: URL:http://secunia.com/advisories/30873
Reference: XF:checkinstall-multiple-symlink(43440)
Reference: URL:http://xforce.iss.net/xforce/xfdb/43440

Race condition in (1) checkinstall 1.6.1 and (2) installwatch allows
local users to overwrite arbitrary files and have other impacts via
symlink and possibly other attacks on temporary working directories.
[signature.asc (application/pgp-signature, inline)]
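
Added example (not part of the bug log, and not checkinstall's code or the attached patch, which this page does not show): a shell sketch of the pattern the report and the CVE text describe, comparing a manually created, predictably named working directory with `mktemp -d`. The function names, the `build.$$` naming scheme and the sandbox layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration, not checkinstall's code; all names are hypothetical.

# Manual creation: the name is guessable (PID only) and `mkdir -p` reports
# success when the path already exists, even as a symlink to a directory.
workdir_manual() {
    dir="$1/build.$$"
    mkdir -p "$dir" || return 1
    printf '%s\n' "$dir"
}

# mktemp -d: unpredictable name, created atomically with mode 0700;
# it never reuses an existing path.
workdir_mktemp() {
    mktemp -d "$1/build.XXXXXXXXXX"
}

# Fallback without mktemp: plain `mkdir` (no -p) is atomic and fails if
# anything, including a symlink, already occupies the name.
workdir_mkdir_strict() {
    dir="$1/build.$$"
    ( umask 077 && mkdir "$dir" ) 2>/dev/null || return 1
    printf '%s\n' "$dir"
}

# Constructed scenario in a private sandbox: the predictable name already
# exists as a symlink before the packaging script starts.
demo() {
    sandbox=$(mktemp -d) || return 1
    mkdir "$sandbox/tmp" "$sandbox/elsewhere"
    ln -s "$sandbox/elsewhere" "$sandbox/tmp/build.$$"

    # Manual variant accepts the pre-existing path; the write lands elsewhere.
    d=$(workdir_manual "$sandbox/tmp") && : > "$d/control"
    [ -e "$sandbox/elsewhere/control" ] && manual=redirected || manual=ok

    # Strict mkdir refuses the occupied name.
    workdir_mkdir_strict "$sandbox/tmp" >/dev/null \
        && strict=created || strict=refused

    # mktemp returns a new real directory, not the pre-existing link.
    s=$(workdir_mktemp "$sandbox/tmp") && [ -d "$s" ] && [ ! -L "$s" ] \
        && safe=fresh || safe=failed

    rm -rf "$sandbox"
    printf '%s %s %s\n' "$manual" "$strict" "$safe"
}

demo   # prints: redirected refused fresh
```

When auditing scripts for this class of bug, look for `mkdir -p` or an existence test followed by use on a path under a world-writable directory whose name is built from `$$`, a date or another guessable value.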

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 31 Jul 2008 07:32:07 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 11:39:47 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.