Debian Bug report logs - #494969
sympa: Leftover debug code may lead to data loss


Package: sympa; Maintainer for sympa is Debian Sympa team <sympa@packages.debian.org>; Source for sympa is src:sympa (PTS, buildd, popcon).

Reported by: Olivier Berger <olivier.berger@it-sudparis.eu>

Date: Wed, 13 Aug 2008 14:00:07 UTC

Severity: critical

Tags: patch, security

Merged with 496405

Found in versions sympa/5.2.3-1.2+etch1, sympa/5.3.4-5

Fixed in version 5.3.4-5.1

Done: Nico Golde <nion@debian.org>

Bug is archived. No further changes may be made.

Forwarded to http://sourcesup.cru.fr/tracker/index.php?func=detail&aid=4430



Report forwarded to debian-bugs-dist@lists.debian.org, Stefan Hornburg (Racke) <racke@linuxia.de>:
Bug#494969; Package sympa. (full text, mbox, link).


Acknowledgement sent to Olivier Berger <olivier.berger@it-sudparis.eu>:
New Bug report received and forwarded. Copy sent to Stefan Hornburg (Racke) <racke@linuxia.de>. (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Olivier Berger <olivier.berger@it-sudparis.eu>
To: submit@bugs.debian.org
Cc: "Dmitry E. Oboukhov" <unera@debian.org>
Subject: sympa: Leftover debug code may lead to data loss
Date: Wed, 13 Aug 2008 15:55:46 +0200
Package: sympa
Version: 5.2.3-1.2+etch1
Severity: critical
Justification: causes serious data loss
Tags: security

Thanks to Dmitry E. Oboukhov, for spotting that the following code in Sympa leads to potential data loss due to symlink attacks (I think):

In wwsympa.fcgi :
     open TMP, ">/tmp/dump";
     $document->dump(\*TMP);
     close TMP;

     open TMP, ">/tmp/dump2";
     &tools::dump_var ($param, 0, \*TMP);
     close TMP;

I'm not completely sure whether or when this may be called, but if it may, then better not have /tmp/dump linked to something the CGI could write to.

In any case, such code seems like debug to me, so should be removed I guess (to be notified upstream, too).

Code in sympa.pl about --make_alias_file option may exhibit a similar vulnerability too, although that may not be invoked unless under admin control with a more or less changing filename... so may need more testing and analysis on that second one.

Source : http://uvw.ru/report.lenny.txt, http://lists.debian.org/debian-devel/2008/08/msg00312.html

Hope this helps,


-- System Information:
Debian Release: lenny/sid
  APT prefers testing-proposed-updates
  APT policy: (500, 'testing-proposed-updates'), (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.24-openvz-24-004.1d1-686 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages sympa depends on:
ii  adduser                      3.108       add and remove users and groups
ii  debconf [debconf-2.0]        1.5.22      Debian configuration management sy
ii  exim4-daemon-light [mail-tra 4.69-6      lightweight Exim MTA (v4) daemon
pn  libarchive-zip-perl          <none>      (no description available)
ii  libc6                        2.7-13      GNU C Library: Shared libraries
pn  libcgi-fast-perl             <none>      (no description available)
pn  libcrypt-ciphersaber-perl    <none>      (no description available)
pn  libdbd-mysql-perl | libdbd-p <none>      (no description available)
ii  libdbi-perl                  1.605-1     Perl5 database interface by Tim Bu
ii  libfcgi-perl                 0.67-2.1+b1 FastCGI Perl module
ii  libintl-perl                 1.16-4      Uniforum message translations syst
ii  libio-stringy-perl           2.110-4     Perl modules for IO from scalars a
ii  libmailtools-perl            2.03-1      Manipulate email in perl programs
pn  libmd5-perl                  <none>      (no description available)
ii  libmime-perl                 5.427-1     transitional dummy package
ii  libmime-tools-perl [libmime- 5.427-1     Perl5 modules for MIME-compliant m
pn  libmsgcat-perl               <none>      (no description available)
pn  libnet-ldap-perl             <none>      (no description available)
pn  libtemplate-perl             <none>      (no description available)
ii  libxml-libxml-perl           1.66-1+b1   Perl module for using the GNOME li
pn  mhonarc                      <none>      (no description available)
ii  perl [libmime-base64-perl]   5.10.0-11.1 Larry Wall's Practical Extraction 
pn  perl-suid                    <none>      (no description available)
ii  sysklogd [system-log-daemon] 1.5-5       System Logging Daemon

Versions of packages sympa recommends:
ii  doc-base                      0.8.16     utilities to manage online documen
ii  logrotate                     3.7.1-3    Log rotation utility

Versions of packages sympa suggests:
ii  apache2-mpm-prefork [httpd]   2.2.9-6    Apache HTTP Server - traditional n
pn  libapache-mod-fastcgi         <none>     (no description available)
pn  mysql-server | postgresql     <none>     (no description available)
ii  openssl                       0.9.8g-12  Secure Socket Layer (SSL) binary a

-- 
Olivier BERGER <olivier.berger@it-sudparis.eu>
http://www-public.it-sudparis.eu/~berger_o/ - OpenPGP-Id: 1024D/6B829EEC
Research Engineer - Dept INF
Institut TELECOM, SudParis (http://www.it-sudparis.eu/), Evry (France)
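The two patterns named in this report (a debug dump written to a fixed name under /tmp, and the --make_alias_file output that also lands in /tmp) are both instances of the same defect: a privileged-ish process opens a predictable path in a world-writable directory with ">" (create-or-truncate, following symlinks). The following is an added example, not code from Sympa or from the report, that puts that pattern next to two hardened replacements. The directory it writes to is a throwaway one created by File::Temp and stands in for a private, product-owned spool directory such as Sympa's tmpdir setting; the function names and the sample data are this example's own.

```perl
#!/usr/bin/perl
# Added example, not Sympa code. Shows the reported pattern (fixed name in
# the shared /tmp, opened with ">") beside two hardened replacements.
# The directory used in the demo is a throwaway one created by File::Temp,
# standing in for a private spool directory (assumption, see lead-in).
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Spec;
use File::Temp qw(tempfile tempdir);

# The reported pattern. ">" means O_CREAT|O_TRUNC without O_EXCL, so if
# another local user has already placed a symlink or a file at /tmp/dump,
# the write goes wherever that name points. Shown for contrast only; the
# demonstration below never calls it.
sub dump_insecure {
    my ($data) = @_;
    open my $tmp, '>', '/tmp/dump' or die "open /tmp/dump: $!";
    print {$tmp} $data;
    close $tmp;
    return '/tmp/dump';
}

# Hardened variant 1 (scratch files such as the debug dumps): random
# filename, created with O_EXCL and mode 0600 by File::Temp, inside a
# directory the service owns rather than the shared /tmp.
sub dump_private_tempfile {
    my ($data, $private_dir) = @_;
    my ($fh, $path) = tempfile('dump.XXXXXXXX', DIR => $private_dir);
    print {$fh} $data;
    close $fh or die "close $path: $!";
    return $path;
}

# Hardened variant 2 (a file that must have a known name, as the
# --make_alias_file output does): O_CREAT|O_EXCL makes sysopen fail if
# anything, a symlink included, already exists at that name, so the
# caller reports the collision instead of overwriting whatever the name
# points to.
sub write_exclusive {
    my ($path, $data) = @_;
    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL, 0600)
        or return 0;    # name already taken: refuse rather than follow it
    print {$fh} $data;
    close $fh or die "close $path: $!";
    return 1;
}

# Demonstration. $private_dir is constructed for this run (File::Temp
# creates it mode 0700) and plays the role of the configured spool tmpdir.
my $private_dir = tempdir(CLEANUP => 1);

my $dump = dump_private_tempfile("constructed parameter dump\n", $private_dir);
print "scratch file: $dump\n";

my $aliases = File::Spec->catfile($private_dir, 'aliases');
for my $attempt (1, 2) {
    my $ok = write_exclusive($aliases, "constructed alias content\n");
    print "attempt $attempt: ", ($ok ? 'created' : 'refused, name already exists'), "\n";
}
```

Run it with plain perl; the second write_exclusive call hits an existing name and returns 0, which is the behaviour that a fixed-name file in /tmp needs before an attacker-planted link can be followed. Moving the file into a mode-0700 directory the service owns is the stronger fix, because then no other local user can plant anything there in the first place; O_EXCL is the fallback when the location cannot be changed.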





Bug marked as found in version 5.3.4-5. Request was from Olivier Berger <olivier.berger@it-sudparis.eu> to control@bugs.debian.org. (Wed, 13 Aug 2008 14:15:04 GMT) (full text, mbox, link).


Noted your statement that Bug has been forwarded to http://sourcesup.cru.fr/tracker/index.php?func=detail&aid=4430. Request was from Olivier Berger <olivier.berger@it-sudparis.eu> to control@bugs.debian.org. (Wed, 13 Aug 2008 14:21:05 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Stefan Hornburg (Racke) <racke@linuxia.de>:
Bug#494969; Package sympa. (full text, mbox, link).


Acknowledgement sent to Olivier Berger <olivier.berger@it-sudparis.eu>:
Extra info received and forwarded to list. Copy sent to Stefan Hornburg (Racke) <racke@linuxia.de>. (full text, mbox, link).


Message #14 received at 494969@bugs.debian.org (full text, mbox, reply):

From: Olivier Berger <olivier.berger@it-sudparis.eu>
To: 494969@bugs.debian.org, control@bugs.debian.org
Subject: Re: Bug#494969: sympa: Leftover debug code may lead to data loss
Date: Thu, 14 Aug 2008 18:02:40 +0200
[Message part 1 (text/plain, inline)]
tags 494969 + patch
thanks

Here's a copy of upstream's response (http://sourcesup.cru.fr/tracker/?func=detail&atid=167&aid=4430&group_id=23) :

-----
Date: 14/08/2008 17:15
Sender: Olivier Salaün

Thanks for reporting your thoughts about potential attacks, however it does not seem to be a legitimate threat for the following reasons :

  1. new_d_read() in wwsympa.fcgi is a dead function (aimed at
     replacing wwsympa::do_d_read() ) and therefore this code cannot be run
  2. the make_alias_file code in sympa.pl does create a file in /tmp
     directory, however the data it writes are hard-coded, no
     possibility of data injection

On a more general perspective, I don't consider symlink attacks as significant threats on a mailing list server because these attacks require a user to log in and define a symlink. You would not have user accounts on a mailing list server.

However, we're going to make some cleanup in the code to a) remove the debug code you mentioned, b) use Sympa's own tmp/ directory instead of /tmp when needed. 

Patches have been applied on the trunk only :
  http://sourcesup.cru.fr/cgi/viewvc.cgi/trunk/src/sympa.pl?r1=5071&r2=5111
  http://sourcesup.cru.fr/cgi/viewvc.cgi/trunk/wwsympa/wwsympa.fcgi?r1=5106&r2=5110

-----

I guess both patches need to be applied to the package then.

See attached patch.

Anyway, a second opinion may be valuable.

Best regards,

On Wed, Aug 13, 2008 at 03:55:46PM +0200, Olivier Berger wrote:
> 
> Thanks to Dmitry E. Oboukhov, for spotting that the following code in Sympa leads to potential data loss due to symlink attacks (I think) :
> 
> In wwsympa.fcgi :
>      open TMP, ">/tmp/dump";
>      $document->dump(\*TMP);
>      close TMP;
> 
>      open TMP, ">/tmp/dump2";
>      &tools::dump_var ($param, 0, \*TMP);
>      close TMP;
> 
> I'm not completely sure this may be called nor when, but if it may, then better not have /tmp/dump linked to something the CGI could write to.
> 
> In any case, such code seems like debug to me, so should be removed I guess (to be notified upstream, too).
> 
> Code in sympa.pl about --make_alias_file option may exhibit a similar vulnerability too, although that may not be invoked unless under admin control with a more or less changing filename... so may need more testing and analysis on that second one.
> 
> Source : http://uvw.ru/report.lenny.txt, http://lists.debian.org/debian-devel/2008/08/msg00312.html
> 
> Hope this helps,
> 
[494969.patch (text/x-diff, attachment)]

Tags added: patch Request was from Olivier Berger <olivier.berger@it-sudparis.eu> to control@bugs.debian.org. (Thu, 14 Aug 2008 16:06:03 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Stefan Hornburg (Racke) <racke@linuxia.de>:
Bug#494969; Package sympa. (full text, mbox, link).


Acknowledgement sent to "Thijs Kinkhorst" <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Stefan Hornburg (Racke) <racke@linuxia.de>. (full text, mbox, link).


Message #21 received at 494969@bugs.debian.org (full text, mbox, reply):

From: "Thijs Kinkhorst" <thijs@debian.org>
To: 494969@bugs.debian.org
Cc: "Olivier Berger" <olivier.berger@it-sudparis.eu>, "Dmitry E. Oboukhov" <unera@debian.org>
Subject: Re: Bug#494969: sympa: Leftover debug code may lead to data loss
Date: Thu, 21 Aug 2008 16:14:23 +0200 (CEST)
Hi,

> Thanks for reporting your thoughts about potential attacks, however it does
> not seem to be a legitimate threat for the following reasons :
>
>  1. new_d_read() in wwsympa.fcgi is a dead function (aimed at
>     replacing wwsympa::do_d_read() ) and therefore this code cannot be run
>
>  2. the make_alias_file code in sympa.pl does create a file in /tmp
>     directory, however the data it writes are hard-coded, no
>     possibility of data injection
>

I verified that (1) holds so isn't a critical bug to fix, although it
would be good to remove it just in case someone enables that function
again or copies the code.

The explanation of the upstream author for (2) only means the attack is
more limited, but you can of course still trash the system with it.

As I understand it, sympa.pl does not run as root, am I correct? In any
case the code as in make_alias_file should not be in Lenny so the bug is
still RC.

When grepping the sympa source for "/tmp" I find quite some occurrences of
other files directly in tmp with insecure filenames. It should be checked
for each if that code is executed and whether or not they should be moved
to Sympa's private tempdir.

> On a more general perspective, I don't consider symlink attacks as
> significant threats on a mailing list server because these attacks
> require a user to log in and define a symlink. You would not have
> user accounts on a mailing list server.

He may consider that, for Debian that doesn't hold as we've never claimed
that these packages may only be used on systems with only fully trusted
users.


cheers,
Thijs





Reply sent to Christian Perrier <bubulle@debian.org>:
You have taken responsibility. (full text, mbox, link).


Notification sent to Olivier Berger <olivier.berger@it-sudparis.eu>:
Bug acknowledged by developer. (full text, mbox, link).


Message #26 received at 494969-close@bugs.debian.org (full text, mbox, reply):

From: Christian Perrier <bubulle@debian.org>
To: 494969-close@bugs.debian.org
Subject: Bug#494969: fixed in sympa 5.3.4-5.1
Date: Fri, 22 Aug 2008 21:33:45 +0000
Source: sympa
Source-Version: 5.3.4-5.1

We believe that the bug you reported is fixed in the latest version of
sympa, which is due to be installed in the Debian FTP archive:

sympa_5.3.4-5.1.diff.gz
  to pool/main/s/sympa/sympa_5.3.4-5.1.diff.gz
sympa_5.3.4-5.1.dsc
  to pool/main/s/sympa/sympa_5.3.4-5.1.dsc
sympa_5.3.4-5.1_i386.deb
  to pool/main/s/sympa/sympa_5.3.4-5.1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 494969@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Perrier <bubulle@debian.org> (supplier of updated sympa package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 21 Aug 2008 15:10:38 +0200
Source: sympa
Binary: sympa
Architecture: source i386
Version: 5.3.4-5.1
Distribution: unstable
Urgency: low
Maintainer: Stefan Hornburg (Racke) <racke@linuxia.de>
Changed-By: Christian Perrier <bubulle@debian.org>
Description: 
 sympa      - Modern mailing list manager
Closes: 411983 473655 480987 491959 494969 495087 495572 495588 495723
Changes: 
 sympa (5.3.4-5.1) unstable; urgency=low
 .
   * Non-maintainer upload.
   * Bug fix: "(re)configuring sympa won't define soap_url to non-fixed
     value", this time for good, hopefully (Closes: #411983).
   * Fix insecure files creation in /tmp, backporting upstream fix
     (Closes: #494969)
   * Remove extra space in debconf templates. Translations unfuzzied
     Closes: #473655
   * Fix pending l10n issues
   * Debconf translations:
     - Galician. Closes: #480987
     - Swedish. Closes: #491959
     - Czech. Closes: #495087
     - Russian. Closes: #495572
     - Basque. Closes: #495588
     - Brazilian Portuguese. Closes: #495723
   * [Lintian] Change Depends from obsolete libmime-perl to libmime-tools-perl
   * [Lintian] Change "can can handle" to "can handle" in package description
   * [Lintian] Set debhelper compatibility level through debian/compat
Checksums-Sha1: 
 8929161d91d762275667f023a39d973e8b841506 992 sympa_5.3.4-5.1.dsc
 ad4ce1634cdf724239779d30b3b9f20f2cd43d8c 111988 sympa_5.3.4-5.1.diff.gz
 feb7903256b59eba9a288c6fa347979a0feb4b24 3096090 sympa_5.3.4-5.1_i386.deb
Checksums-Sha256: 
 e3838ff4f8d26c6bd46c67480be6334378307724452312e3f288d29cd24c898e 992 sympa_5.3.4-5.1.dsc
 0a4bbf66a4534bb4ee06711aa4c07f8ef87fd9977e223aa789684628b669b98e 111988 sympa_5.3.4-5.1.diff.gz
 1d78ce6209cbd1ea5d5a85d0202fcc9994685a51d78e3386a5b2223a7862f593 3096090 sympa_5.3.4-5.1_i386.deb
Files: 
 ded2d701a669009dc3be1c986f5dd7f4 992 mail optional sympa_5.3.4-5.1.dsc
 227ee7719fc97d87086a161f729a8631 111988 mail optional sympa_5.3.4-5.1.diff.gz
 707a274a6d2ace5defa682474044e153 3096090 mail optional sympa_5.3.4-5.1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkitpeEACgkQ1OXtrMAUPS2zqwCgs+Bg5vFDS1aEBkwQSuOfnPbi
KDsAoIhnSOxZDI8Q20YoZH5f39iAUwTr
=aVtD
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, Stefan Hornburg (Racke) <racke@linuxia.de>:
Bug#494969; Package sympa. (full text, mbox, link).


Acknowledgement sent to Olivier Berger <olivier.berger@it-sudparis.eu>:
Extra info received and forwarded to list. Copy sent to Stefan Hornburg (Racke) <racke@linuxia.de>. (full text, mbox, link).


Message #31 received at 494969@bugs.debian.org (full text, mbox, reply):

From: Olivier Berger <olivier.berger@it-sudparis.eu>
To: Thijs Kinkhorst <thijs@debian.org>
Cc: 494969@bugs.debian.org, "Dmitry E. Oboukhov" <unera@debian.org>, 496405@bugs.debian.org
Subject: Re: Bug#494969: sympa: Leftover debug code may lead to data loss
Date: Mon, 25 Aug 2008 11:59:46 +0200
On Thursday 21 August 2008 at 16:14 +0200, Thijs Kinkhorst wrote:

> When grepping the sympa source for "/tmp" I find quite some occurrences
> of
> other files directly in tmp with insecure filenames. It should be
> checked
> for each if that code is executed and whether or not they should be
> moved
> to Sympa's private tempdir.
> 

Indeed, grepping through the contents of the binary package gives quite a few
occurrences:

./usr/share/doc/sympa/examples/config/sympa.conf:tmpdir /var/spool/sympa/tmp
./usr/lib/sympa/bin/Log.pm:    #open TMP, ">/tmp/logs.dump";
./usr/lib/sympa/bin/tt2.pl:     open my $fh, ">/tmp/tt2/$newname";
./usr/lib/sympa/bin/tools.pl:    ## first step is the msg signing OK ; /tmp/sympa-smime.$$ is created
./usr/lib/sympa/bin/tools.pl:    my $temporary_file = "/tmp/smime-sender.".$$ ;
./usr/lib/sympa/bin/List.pm:#   $parser->output_dir($Conf{'spool'} ."/tmp");    
./usr/lib/sympa/bin/List.pm:#    open TMP2, ">/tmp/digdump"; &tools::dump_var($param, 0, \*TMP2); close TMP2;
./usr/lib/sympa/bin/List.pm:#    open TMP2, ">/tmp/digdump"; &tools::dump_var($param, 0, \*TMP2); close TMP2;
./usr/lib/sympa/bin/sympasoap.pm:#    open TMP2, ">>/tmp/yy"; printf TMP2 "xxxxxxxxxx  parameters \n"; &tools::dump_var($proxy_vs, 0, \*TMP2);printf TMP2 "--------\n"; close TMP2;
./usr/lib/sympa/bin/CAS.pm:  $cas->proxyMode(pgtFile => '/tmp/pgt.txt',
./usr/lib/sympa/bin/sympa_wizard.pl:my $new_wwsympa_conf = '/tmp/wwsympa.conf';
./usr/lib/sympa/bin/sympa_wizard.pl:my $new_sympa_conf = '/tmp/sympa.conf';
./usr/lib/sympa/bin/Conf.pm:    $o{'tmpdir'}[0] = "$spool/tmp";
./usr/lib/sympa/bin/Conf.pm:    # open TMP, ">/tmp/dump1";&tools::dump_var(&load_generic_conf_file($config,\%trusted_applications);, 0,\*TMP);close TMP;
./usr/lib/sympa/bin/Conf.pm:#open TMP2, ">>/tmp/sss"; printf TMP2 "xxxxxxxxxxxxxxxxxxx--------structure admin\n"; &tools::dump_var(\%admin, 0, \*TMP2);printf TMP2 "xxxxxxxxxxxxxxxxxxx--------\n"; close TMP2;
./usr/lib/sympa/bin/sympa_soap_client.pl:#                                   file => '/tmp/my_cookies' );
./usr/lib/sympa/bin/sympa_soap_client.pl:                                    file => '/tmp/my_cookies' );
./usr/lib/sympa/bin/Family.pm: #   open TMP, ">/tmp/dump1";
./usr/lib/sympa/bin/Auth.pm:    # open TMP2, ">>/tmp/yy"; printf TMP2 "xxxxxxxxxxx\@ trusted_apps \n"; &tools::dump_var(\@trusted_apps, 0, \*TMP2);printf TMP2 "--------\n"; close TMP2;
./usr/lib/sympa/bin/sympa.pl:   --make_alias_file                     : create file in /tmp with all aliases (usefull when aliases.tpl is changed)
./usr/lib/cgi-bin/sympa/wwsympa.fcgi: #    open TMP, ">/tmp/dump1";
./usr/lib/cgi-bin/sympa/wwsympa.fcgi: #    open TMP, ">/tmp/dump2";
./usr/lib/cgi-bin/sympa/wwsympa.fcgi:     #open TMP, ">/tmp/dump1";
./usr/bin/sympa:   --make_alias_file                     : create file in /tmp with all aliases (usefull when aliases.tpl is changed)
./usr/bin/sympa_wizard:my $new_wwsympa_conf = '/tmp/wwsympa.conf';
./usr/bin/sympa_wizard:my $new_sympa_conf = '/tmp/sympa.conf';

I think that even though the first ones reported on /usr/lib/cgi-bin/sympa/wwsympa.fcgi and /usr/lib/sympa/bin/sympa.pl are now fixed by uploaded 5.3.4-5.1, there's some more need for analysis (checking with upstream too).

I think that opening a distinct bug would probably be better too.

Hope this helps.

-- 
Olivier BERGER <olivier.berger@it-sudparis.eu>
http://www-public.it-sudparis.eu/~berger_o/ - OpenPGP-Id: 1024D/6B829EEC
Research Engineer - Dept INF
Institut TELECOM, SudParis (http://www.it-sudparis.eu/), Evry (France)
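Thijs's suggestion to check each "/tmp" hit for whether the code is actually executed, and Olivier's grep listing with its later verdict that most hits were false positives, describe a triage step that is easy to get wrong by hand: paths that merely end in "/tmp" under the private spool, commented-out debug lines, and help text all match the same grep. The following is an added example, not Sympa's code, of a small classifier for grep records of the form "path:source-line". The sample records are a subset of the listing above with the directory prefixes dropped; the category names, the regexes and the heuristics (a line counts as a comment only when it starts with "#", so trailing comments are not recognised) are this example's own.

```perl
#!/usr/bin/perl
# Added example, not Sympa's code: triage helper for "path:source-line"
# grep records. Separates references to the shared /tmp from paths that
# merely end in "/tmp" under a private spool, sets aside commented-out
# lines, and labels live hits by how predictable the filename is.
use strict;
use warnings;

# Returns (path, category) for one record, or an empty list when the
# line does not mention /tmp at all.
sub classify_tmp_ref {
    my ($record) = @_;
    my ($path, $src) = $record =~ /^([^:]+):(.*)$/ or return ();
    return () unless $src =~ m{/tmp\b};

    # "/tmp" that continues a longer path ($spool/tmp, /var/spool/sympa/tmp,
    # $Conf{'spool'} ."/tmp") is the product's own directory, not /tmp.
    my $shared = $src =~ m{(?:^|["'\s>])/tmp(?:/|["'\s;]|$)}
              && $src !~ m{\.\s*["']/tmp};
    return ($path, 'private-tmpdir') unless $shared;

    # Heuristic: only full-line "#" comments are treated as dead code.
    return ($path, 'commented-out')     if $src =~ /^\s*#/;
    # $$ (the PID) is guessable, so such names are still predictable.
    return ($path, 'live-pid-suffix')   if $src =~ /\$\$/;
    # A variable inside the literal: the name is data-dependent.
    return ($path, 'live-interpolated') if $src =~ m{["']>{0,2}/tmp/[^"']*\$};
    # A fully fixed name in /tmp: the classic case.
    return ($path, 'live-fixed-name')   if $src =~ m{["']>{0,2}/tmp/[^"']+["']};
    return ($path, 'mention-only');     # help text or documentation
}

# Groups records by category; returns a hashref category => [paths].
sub triage {
    my @records = @_;
    my %by_cat;
    for my $record (@records) {
        my ($path, $cat) = classify_tmp_ref($record) or next;
        push @{ $by_cat{$cat} }, $path;
    }
    return \%by_cat;
}

# Records copied from the grep listing above (directory prefixes dropped).
my @sample = (
    'sympa.conf:tmpdir /var/spool/sympa/tmp',
    'Log.pm:    #open TMP, ">/tmp/logs.dump";',
    'tt2.pl:     open my $fh, ">/tmp/tt2/$newname";',
    'tools.pl:    my $temporary_file = "/tmp/smime-sender.".$$ ;',
    q{List.pm:#   $parser->output_dir($Conf{'spool'} ."/tmp");},
    q{CAS.pm:  $cas->proxyMode(pgtFile => '/tmp/pgt.txt',},
    q{sympa_wizard.pl:my $new_sympa_conf = '/tmp/sympa.conf';},
    q{Conf.pm:    $o{'tmpdir'}[0] = "$spool/tmp";},
    'sympa.pl:   --make_alias_file : create file in /tmp with all aliases',
);

my $result = triage(@sample);
for my $cat (sort keys %$result) {
    printf "%-17s %s\n", $cat, join(', ', @{ $result->{$cat} });
}
```

Feed it real output with something like `grep -rn /tmp usr/ | perl triage.pl` after replacing the inline sample with lines read from STDIN; the "live-*" buckets are the ones that need the tempdir analysis Thijs asked for, and "live-fixed-name" plus "live-pid-suffix" are the two that correspond to the bugs Olivier went on to file.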





Forcibly Merged 494969 496405. Request was from Olivier Berger <olivier.berger@it-sudparis.eu> to control@bugs.debian.org. (Mon, 25 Aug 2008 12:42:17 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Stefan Hornburg (Racke) <racke@linuxia.de>:
Bug#494969; Package sympa. (full text, mbox, link).


Acknowledgement sent to Olivier Berger <olivier.berger@it-sudparis.eu>:
Extra info received and forwarded to list. Copy sent to Stefan Hornburg (Racke) <racke@linuxia.de>. (full text, mbox, link).


Message #38 received at 494969@bugs.debian.org (full text, mbox, reply):

From: Olivier Berger <olivier.berger@it-sudparis.eu>
To: Thijs Kinkhorst <thijs@debian.org>
Cc: "Dmitry E. Oboukhov" <unera@debian.org>, 494969@bugs.debian.org
Subject: Re: Bug#494969: sympa: Leftover debug code may lead to data loss
Date: Mon, 25 Aug 2008 14:42:19 +0200
FYI, I have checked the code and filed 2 more bugs (the rest being false
positives, I think).

#496518 : Insecure use of /tmp in sympa_wizard may lead to system damage
#496520 : Insecure use of /tmp in sympa scripts

The first one is the most serious. The second one is minor.

Thanks for spotting this.

Best regards,

On Monday 25 August 2008 at 11:59 +0200, Olivier Berger wrote:
> On Thursday 21 August 2008 at 16:14 +0200, Thijs Kinkhorst wrote:
> 
> > When grepping the sympa source for "/tmp" I find quite some occurrences
> > of
> > other files directly in tmp with insecure filenames. It should be
> > checked
> > for each if that code is executed and whether or not they should be
> > moved
> > to Sympa's private tempdir.
> > 
> 
> Indeed, grepping through contents of binary package gives quite some
> occurrences :
> 
> ./usr/share/doc/sympa/examples/config/sympa.conf:tmpdir /var/spool/sympa/tmp
> ./usr/lib/sympa/bin/Log.pm:    #open TMP, ">/tmp/logs.dump";
> ./usr/lib/sympa/bin/tt2.pl:     open my $fh, ">/tmp/tt2/$newname";
> ./usr/lib/sympa/bin/tools.pl:    ## first step is the msg signing OK ; /tmp/sympa-smime.$$ is created
> ./usr/lib/sympa/bin/tools.pl:    my $temporary_file = "/tmp/smime-sender.".$$ ;
> ./usr/lib/sympa/bin/List.pm:#   $parser->output_dir($Conf{'spool'} ."/tmp");    
> ./usr/lib/sympa/bin/List.pm:#    open TMP2, ">/tmp/digdump"; &tools::dump_var($param, 0, \*TMP2); close TMP2;
> ./usr/lib/sympa/bin/List.pm:#    open TMP2, ">/tmp/digdump"; &tools::dump_var($param, 0, \*TMP2); close TMP2;
> ./usr/lib/sympa/bin/sympasoap.pm:#    open TMP2, ">>/tmp/yy"; printf TMP2 "xxxxxxxxxx  parameters \n"; &tools::dump_var($proxy_vs, 0, \*TMP2);printf TMP2 "--------\n"; close TMP2;
> ./usr/lib/sympa/bin/CAS.pm:  $cas->proxyMode(pgtFile => '/tmp/pgt.txt',
> ./usr/lib/sympa/bin/sympa_wizard.pl:my $new_wwsympa_conf = '/tmp/wwsympa.conf';
> ./usr/lib/sympa/bin/sympa_wizard.pl:my $new_sympa_conf = '/tmp/sympa.conf';
> ./usr/lib/sympa/bin/Conf.pm:    $o{'tmpdir'}[0] = "$spool/tmp";
> ./usr/lib/sympa/bin/Conf.pm:    # open TMP, ">/tmp/dump1";&tools::dump_var(&load_generic_conf_file($config,\%trusted_applications);, 0,\*TMP);close TMP;
> ./usr/lib/sympa/bin/Conf.pm:#open TMP2, ">>/tmp/sss"; printf TMP2 "xxxxxxxxxxxxxxxxxxx--------structure admin\n"; &tools::dump_var(\%admin, 0, \*TMP2);printf TMP2 "xxxxxxxxxxxxxxxxxxx--------\n"; close TMP2;
> ./usr/lib/sympa/bin/sympa_soap_client.pl:#                                   file => '/tmp/my_cookies' );
> ./usr/lib/sympa/bin/sympa_soap_client.pl:                                    file => '/tmp/my_cookies' );
> ./usr/lib/sympa/bin/Family.pm: #   open TMP, ">/tmp/dump1";
> ./usr/lib/sympa/bin/Auth.pm:    # open TMP2, ">>/tmp/yy"; printf TMP2 "xxxxxxxxxxx\@ trusted_apps \n"; &tools::dump_var(\@trusted_apps, 0, \*TMP2);printf TMP2 "--------\n"; close TMP2;
> ./usr/lib/sympa/bin/sympa.pl:   --make_alias_file                     : create file in /tmp with all aliases (usefull when aliases.tpl is changed)
> ./usr/lib/cgi-bin/sympa/wwsympa.fcgi: #    open TMP, ">/tmp/dump1";
> ./usr/lib/cgi-bin/sympa/wwsympa.fcgi: #    open TMP, ">/tmp/dump2";
> ./usr/lib/cgi-bin/sympa/wwsympa.fcgi:     #open TMP, ">/tmp/dump1";
> ./usr/bin/sympa:   --make_alias_file                     : create file in /tmp with all aliases (usefull when aliases.tpl is changed)
> ./usr/bin/sympa_wizard:my $new_wwsympa_conf = '/tmp/wwsympa.conf';
> ./usr/bin/sympa_wizard:my $new_sympa_conf = '/tmp/sympa.conf';
> 
> I think that even though the first ones reported on /usr/lib/cgi-bin/sympa/wwsympa.fcgi and /usr/lib/sympa/bin/sympa.pl are now fixed by uploaded 5.3.4-5.1, there's some more need for analysis (checking with upstream too).
> 
> I think that opening a distinct bug would probably be better too.
> 
> Hope this helps.
> 
-- 
Olivier BERGER <olivier.berger@it-sudparis.eu>
http://www-public.it-sudparis.eu/~berger_o/ - OpenPGP-Id: 1024D/6B829EEC
Research Engineer - Dept INF
Institut TELECOM, SudParis (http://www.it-sudparis.eu/), Evry (France)





Bug reopened, originator not changed. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Wed, 27 Aug 2008 15:27:03 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Stefan Hornburg (Racke) <racke@linuxia.de>:
Bug#494969; Package sympa. (full text, mbox, link).


Acknowledgement sent to Olivier Berger <olivier.berger@it-sudparis.eu>:
Extra info received and forwarded to list. Copy sent to Stefan Hornburg (Racke) <racke@linuxia.de>. (full text, mbox, link).


Message #45 received at 494969@bugs.debian.org (full text, mbox, reply):

From: Olivier Berger <olivier.berger@it-sudparis.eu>
To: Nico Golde <nion@debian.org>
Cc: 494969@bugs.debian.org
Subject: Re: reopening sympa tmp races
Date: Thu, 28 Aug 2008 11:29:26 +0200
On Wed, Aug 27, 2008 at 05:24:20PM +0200, Nico Golde wrote:
> reopen 494969
> thanks
> 
> Hi,
> I am reopening this bug as I can confirm that there are lots
> of other tmp races in the sympa source. See Oliver Berges
> mail.
> 

The other bug is #496518 ?

I'm not sure the current bug needed reopening though...

If it needs indeed reopening, why not (force)merging it with #496518 ?

Anyway... I guess we should prepare an improved version with patch http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=10;filename=sympa_wizard.patch;att=1;bug=496518 for lenny, then ?

Best regards,






Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility. (full text, mbox, link).


Notification sent to Olivier Berger <olivier.berger@it-sudparis.eu>:
Bug acknowledged by developer. (full text, mbox, link).


Message #50 received at 494969-done@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>
To: Olivier Berger <olivier.berger@it-sudparis.eu>
Cc: 494969-done@bugs.debian.org
Subject: Re: reopening sympa tmp races
Date: Thu, 28 Aug 2008 19:03:36 +0200
[Message part 1 (text/plain, inline)]
Version: 5.3.4-5.1

Hi Olivier,
* Olivier Berger <olivier.berger@it-sudparis.eu> [2008-08-28 11:48]:
> On Wed, Aug 27, 2008 at 05:24:20PM +0200, Nico Golde wrote:
[...] 
> The other bug is #496518 ?
> 
> I'm not sure the current bug needed reopening though...

Closed again, sorry I didn't see there was a new bug
opened for the other issues.

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility. (full text, mbox, link).


Notification sent to "Dmitry E. Oboukhov" <dimka@uvw.ru>:
Bug acknowledged by developer. (full text, mbox, link).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 16 Feb 2009 07:40:54 GMT) (full text, mbox, link).



