Report forwarded to debian-bugs-dist@lists.debian.org, Debian Citadel Team <pkg-citadel-devel@lists.alioth.debian.org>: Bug#496359; Package citadel-server.
Acknowledgement sent to "Dmitry E. Oboukhov" <dimka@uvw.ru>:
New Bug report received and forwarded. Copy sent to Debian Citadel Team <pkg-citadel-devel@lists.alioth.debian.org>.
Subject: The possibility of attack with the help of symlinks in some Debian packages
Date: Sun, 24 Aug 2008 22:05:28 +0400
Package: citadel-server
Severity: grave
Hi, maintainer!
This message about the error concerns a few packages at once. I've
tested all the packages (for Lenny) on my Debian mirror. All scripts
of packages (marked as executable) were tested.
In some packages I've discovered scripts with errors which may be used
by a user for damaging important system files or user's files.
For example, if a script uses in its work a temp file which is created
in the /tmp directory, then every user can create a symlink with the same
name in this directory in order to destroy or rewrite some system
or user file. A symlink attack may lead not only to data
destruction but to denial of service as well.
Even if you create files or directories with the help of the function 'RANDOM'
or pid(), your system is not protected. An attacker can create many
symlinks in order to destroy your data or create a 'denial of service'
for your package scripts.
Even if you make rm(dir) for files/directories, your system is
not protected. An attacker can permanently create symlinks.
This list was created with the help of a script. This list was sorted by
hand. However, in some cases a mistake is possible.
Please be understanding of possible mistakes. :)
I set the severity of this bug to grave. The table of discovered
problems is below.
Discussion of this bug can be seen in debian-devel@:
http://lists.debian.org/debian-devel/2008/08/msg00271.html
Binary-package: r-base-core-ra (1.1.1-1)
file: /usr/lib/Ra/lib/R/bin/javareconf
Binary-package: rccp (0.9-2)
file: /usr/lib/rccp/delqueueask
Binary-package: mafft (6.240-1)
file: /usr/bin/mafft-homologs
Binary-package: openoffice.org-common (1:2.4.1-6)
file: /usr/lib/openoffice/program/senddoc
Binary-package: crossfire-maps (1.11.0-1)
file: /usr/share/games/crossfire/maps/Info/combine.pl
Binary-package: sgml2x (1.0.0-11.1)
file: /usr/bin/rlatex
Binary-package: liguidsoap (0.3.6-4)
file: /var/lib/liguidsoap/liguidsoap.py
Binary-package: citadel-server (7.37-1)
file: /usr/lib/citadel-server/migrate_aliases.sh
Binary-package: ampache (3.4.1-1)
file: /usr/share/ampache/www/locale/base/gather-messages.sh
Binary-package: xen-utils-3.2-1 (3.2.1-2)
file: /usr/lib/xen-3.2-1/bin/qemu-dm.debug
Binary-package: dtc-common (0.29.6-1)
file: /usr/share/dtc/admin/accesslog.php
file: /usr/share/dtc/admin/sa-wrapper
Binary-package: honeyd-common (1.5c-3)
file: /usr/share/honeyd/scripts/test.sh
Binary-package: lustre-tests (1.6.5-1)
file: /usr/lib/lustre/tests/runiozone
Binary-package: linuxtrade (3.65-8+b4)
file: /usr/share/linuxtrade/bin/linuxtrade.bwkvol
file: /usr/share/linuxtrade/bin/linuxtrade.wn
file: /usr/share/linuxtrade/bin/moneyam.helper
Binary-package: freevo (1.8.1-0)
file: /usr/bin/freevo.real
Binary-package: fml (4.0.3.dfsg-2)
file: /usr/share/fml/libexec/mead.pl
Binary-package: rkhunter (1.3.2-3)
file: /usr/bin/rkhunter
Binary-package: openswan (1:2.4.12+dfsg-1.1)
file: /usr/lib/ipsec/livetest
Binary-package: linux-patch-openswan (1:2.4.12+dfsg-1.1)
file: /usr/src/kernel-patches/all/openswan/packaging/utils/maysnap
file: /usr/src/kernel-patches/all/openswan/packaging/utils/maytest
Binary-package: aptoncd (0.1-1.1)
file: /usr/share/aptoncd/xmlfile.py
Binary-package: cdcontrol (1.90-1.1)
file: /usr/lib/cdcontrol/writtercontrol
Binary-package: newsgate (1.6-23)
file: /usr/bin/mkmailpost
Binary-package: gpsdrive-scripts (2.10~pre4-3)
file: /usr/bin/geo-code
Binary-package: impose+ (0.2-11)
file: /usr/bin/impose
Binary-package: mgt (2.31-5)
file: /usr/games/mailgo
Binary-package: audiolink (0.05-1)
file: /usr/bin/audiolink
Binary-package: ibackup (2.27-4.1)
file: /usr/bin/ibackup
Binary-package: emacspeak (26.0-3)
file: /usr/share/emacs/site-lisp/emacspeak/etc/extract-table.pl
Binary-package: bk2site (1:1.1.9-3.1)
file: /usr/lib/cgi-bin/bk2site/redirect.pl
Binary-package: datafreedom-perl (0.1.7-1)
file: /usr/bin/dfxml-invoice
Binary-package: emacs-jabber (0.7.91-1)
file: /usr/lib/emacsen-common/packages/install/emacs-jabber
Binary-package: lmbench (3.0-a7-1)
file: /usr/lib/lmbench/scripts/rccs
file: /usr/lib/lmbench/scripts/STUFF
Binary-package: rancid-util (2.3.2~a8-1)
file: /var/lib/rancid/getipacctg
Binary-package: ogle (0.9.2-5.2)
file: /usr/lib/ogle/ogle_audio_debug
file: /usr/lib/ogle/ogle_cli_debug
file: /usr/lib/ogle/ogle_ctrl_debug
file: /usr/lib/ogle/ogle_gui_debug
file: /usr/lib/ogle/ogle_mpeg_ps_debug
file: /usr/lib/ogle/ogle_mpeg_vs_debug
file: /usr/lib/ogle/ogle_nav_debug
file: /usr/lib/ogle/ogle_vout_debug
Binary-package: firehol (1.256-4)
file: /sbin/firehol
Binary-package: aview (1.3.0rc1-8)
file: /usr/bin/asciiview
Binary-package: radiance (3R9+20080530-3)
file: /usr/bin/optics2rad
file: /usr/bin/pdelta
file: /usr/bin/dayfact
file: /usr/bin/raddepend
Binary-package: vdr-dbg (1.6.0-5)
file: /usr/bin/vdrleaktest
Binary-package: ogle-mmx (0.9.2-5.2)
file: /usr/lib/ogle/ogle_audio_debug
file: /usr/lib/ogle/ogle_cli_debug
file: /usr/lib/ogle/ogle_ctrl_debug
file: /usr/lib/ogle/ogle_gui_debug
file: /usr/lib/ogle/ogle_mpeg_ps_debug
file: /usr/lib/ogle/ogle_mpeg_vs_debug
file: /usr/lib/ogle/ogle_nav_debug
file: /usr/lib/ogle/ogle_vout_debug
Binary-package: convirt (0.8.2-3)
file: /usr/share/convirt/image_store/_template_/provision.sh
file: /usr/share/convirt/image_store/Linux_CD_Install/provision.sh
file: /usr/share/convirt/image_store/Fedora_PV_Install/provision.sh
file: /usr/share/convirt/image_store/CentOS_PV_Install/provision.sh
file: /usr/share/convirt/image_store/common/provision.sh
file: /usr/share/convirt/image_store/example/provision.sh
file: /usr/share/convirt/image_store/Windows_CD_Install/provision.sh
Binary-package: printfilters-ppd (2.13-9)
file: /usr/lib/printfilters/master-filter
Binary-package: r-base-core (2.7.1-1)
file: /usr/lib/R/bin/javareconf
file: /usr/lib/R/bin/javareconf.orig
Binary-package: xmcd (2.6-19.3)
file: /usr/share/xmcd/scripts/ncsarmt
file: /usr/share/xmcd/scripts/ncsawrap
Binary-package: tiger (1:3.2.2-3.1)
file: /usr/lib/tiger/util/genmsgidx
Binary-package: scilab-bin (4.1.2-5)
file: /usr/lib/scilab-4.1.2/bin/scilink
file: /usr/lib/scilab-4.1.2/util/scidoc
file: /usr/lib/scilab-4.1.2/util/scidem
Binary-package: dpkg-cross (2.3.0)
file: /usr/share/dpkg-cross/bin/gccross
Binary-package: ltp-network-test (20060918-2.1)
file: /usr/lib/debian-test/tests/linux/testcases/bin/ftp_setup_vsftp_conf
file: /usr/lib/debian-test/tests/linux/testcases/bin/nfs_fsstress.sh
Binary-package: cman (2.20080629-1)
file: /usr/sbin/fence_egenera
Binary-package: scratchbox2 (1.99.0.24-1)
file: /usr/share/scratchbox2/scripts/dpkg-checkbuilddeps
file: /usr/share/scratchbox2/scripts/sb2-check-pkg-mappings
Binary-package: sendmail-base (8.14.3-5)
file: /usr/sbin/checksendmail
file: /usr/bin/expn
Binary-package: fwbuilder (2.1.19-3)
file: /usr/bin/fwb_install
Binary-package: sng (1.0.2-5)
file: /usr/bin/sng_regress
Binary-package: dist (1:3.5-17-1)
file: /usr/bin/patcil
file: /usr/bin/patdiff
Binary-package: sympa (5.3.4-5)
file: /usr/lib/cgi-bin/sympa/wwsympa.fcgi
file: /usr/lib/sympa/bin/sympa.pl
Binary-package: postfix (2.5.2-2)
file: /usr/lib/postfix_groups.pl
Binary-package: caudium (3:1.4.12-11)
file: /usr/share/caudium/configvar
Binary-package: mgetty-fax (1.1.36-1.2)
file: /usr/bin/faxspool
Binary-package: aegis (4.24-3)
file: /usr/share/doc/aegis/examples/remind/bng_dvlpd.sh
file: /usr/share/doc/aegis/examples/remind/bng_rvwd.sh
file: /usr/share/doc/aegis/examples/remind/awt_dvlp.sh
file: /usr/share/doc/aegis/examples/remind/awt_intgrtn.sh
Binary-package: aegis-web (4.24-3)
file: /usr/lib/cgi-bin/aegis.cgi
Binary-package: digitaldj (0.7.5-6+b1)
file: /usr/share/digitaldj/fest.pl
Binary-package: mon (0.99.2-12)
file: /usr/lib/mon/alert.d/test.alert
Binary-package: feta (1.4.16)
file: /usr/share/feta/plugins/to-upgrade
Binary-package: arb-common (0.0.20071207.1-4)
file: /usr/lib/arb/SH/arb_fastdnaml
file: /usr/lib/arb/SH/dszmconnect.pl
Binary-package: qemu (0.9.1-5)
file: /usr/sbin/qemu-make-debian-root
Binary-package: apertium (3.0.7+1-1+b1)
file: /usr/bin/apertium-gen-deformat
file: /usr/bin/apertium-gen-reformat
file: /usr/bin/apertium
Binary-package: xcal (4.1-18.3)
file: /usr/bin/pscal
Binary-package: myspell-tools (1:3.1-20)
file: /usr/bin/i2myspell
Binary-package: gccxml (0.9.0+cvs20080525-1)
file: /usr/share/gccxml-0.9/MIPSpro/find_flags
Binary-package: freeradius-dialupadmin (2.0.4+dfsg-4)
file: /usr/share/freeradius-dialupadmin/bin/backup_radacct
file: /usr/share/freeradius-dialupadmin/bin/clean_radacct
file: /usr/share/freeradius-dialupadmin/bin/monthly_tot_stats
file: /usr/share/freeradius-dialupadmin/bin/tot_stats
file: /usr/share/freeradius-dialupadmin/bin/truncate_radacct
Binary-package: dhis-server (5.3-1)
file: /usr/lib/dhis-server/dhis-dummy-log-engine
Binary-package: wims (3.62-13)
file: /var/lib/wims/public_html/bin/coqweb
file: /var/lib/wims/bin/account.sh
Binary-package: initramfs-tools (0.92f)
file: /usr/share/initramfs-tools/init
Binary-package: realtimebattle-common (1.0.8-7)
file: /usr/lib/realtimebattle/Robots/perl.robot
Binary-package: netmrg (0.20-1)
file: /usr/bin/rrdedit
Binary-package: bulmages-servers (0.11.1-2)
file: /usr/share/bulmages/examples/scripts/actualizabulmacont
file: /usr/share/bulmages/examples/scripts/installbulmages-db
file: /usr/share/bulmages/examples/scripts/creabulmafact
file: /usr/share/bulmages/examples/scripts/creabulmacont
file: /usr/share/bulmages/examples/scripts/actualizabulmafact
Binary-package: xastir (1.9.2-1)
file: /usr/lib/xastir/get-maptools.sh
file: /usr/lib/xastir/get_shapelib.sh
Binary-package: plait (1.5.2-1)
file: /usr/bin/plaiter
file: /usr/bin/plait
Binary-package: cdrw-taper (0.4-2)
file: /usr/sbin/amlabel-cdrw
Binary-package: konwert-filters (1.8-11.1)
file: /usr/share/konwert/filters/any-UTF8
Binary-package: gdrae (0.1-1)
file: /usr/bin/gdrae
Binary-package: lazarus-src (0.9.24-0-9)
file: /usr/lib/lazarus/tools/install/create_lazarus_export_tgz.sh
Tags added:
Request was from "Dmitry E. Oboukhov" <dimka@uvw.ru>
to control@bugs.debian.org.
(Tue, 26 Aug 2008 08:45:05 GMT)
Tags added: security
Request was from "Dmitry E. Oboukhov" <dimka@uvw.ru>
to control@bugs.debian.org.
(Tue, 26 Aug 2008 08:57:04 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Citadel Team <pkg-citadel-devel@lists.alioth.debian.org>: Bug#496359; Package citadel-server.
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Citadel Team <pkg-citadel-devel@lists.alioth.debian.org>.
tags 496359 confirmed patch
thanks
Dmitry E. Oboukhov wrote:
> Package: citadel-server
> Severity: grave
>
> Hi, maintainer!
>
> In some packages I've discovered scripts with errors which may be used
> by a user for damaging important system files or user's files.
This can indeed be used for symlink attacks during postinst phase,
attached patch fixes it.
Cheers,
Moritz
Tags added: confirmed, patch
Request was from Moritz Muehlenhoff <jmm@inutil.org>
to control@bugs.debian.org.
(Tue, 26 Aug 2008 21:03:04 GMT)
Reply sent to Michael Meskes <meskes@debian.org>:
You have taken responsibility.
Notification sent to "Dmitry E. Oboukhov" <dimka@uvw.ru>:
Bug acknowledged by developer.
Source: citadel
Source-Version: 7.37-3
We believe that the bug you reported is fixed in the latest version of
citadel, which is due to be installed in the Debian FTP archive:
citadel-client_7.37-3_i386.deb
to pool/main/c/citadel/citadel-client_7.37-3_i386.deb
citadel-common_7.37-3_all.deb
to pool/main/c/citadel/citadel-common_7.37-3_all.deb
citadel-doc_7.37-3_all.deb
to pool/main/c/citadel/citadel-doc_7.37-3_all.deb
citadel-mta_7.37-3_i386.deb
to pool/main/c/citadel/citadel-mta_7.37-3_i386.deb
citadel-server_7.37-3_i386.deb
to pool/main/c/citadel/citadel-server_7.37-3_i386.deb
citadel-suite_7.37-3_all.deb
to pool/main/c/citadel/citadel-suite_7.37-3_all.deb
citadel_7.37-3.diff.gz
to pool/main/c/citadel/citadel_7.37-3.diff.gz
citadel_7.37-3.dsc
to pool/main/c/citadel/citadel_7.37-3.dsc
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 496359@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Michael Meskes <meskes@debian.org> (supplier of updated citadel package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Mon, 25 Aug 2008 10:51:15 +0200
Source: citadel
Binary: citadel-server citadel-suite citadel-common citadel-mta citadel-client citadel-doc
Architecture: source i386 all
Version: 7.37-3
Distribution: unstable
Urgency: low
Maintainer: Debian Citadel Team <pkg-citadel-devel@lists.alioth.debian.org>
Changed-By: Michael Meskes <meskes@debian.org>
Description:
citadel-client - complete and feature-rich groupware server (command line client)
citadel-common - complete and feature-rich groupware server
citadel-doc - complete and feature-rich groupware server (documentation)
citadel-mta - complete and feature-rich groupware server (mail transport agent)
citadel-server - complete and feature-rich groupware server
citadel-suite - complete and feature-rich groupware server; metapackage for full
Closes: 496359
Changes:
citadel (7.37-3) unstable; urgency=low
.
[ Wilfried Goesgens ]
* [r6544] add upstream prepatch; fix off by one in the QP encoder
* remove use of tempfiles from migrate_aliases.sh, closes: #496359
* [r6535] add upstream prepatch; stop the autopurger from messing with
system rooms
Checksums-Sha1:
ce92fb602e8741192df9cc99d50c28034cddda49 1382 citadel_7.37-3.dsc
528dadcd822182fbc020c010615822e5c3ff84fc 25717 citadel_7.37-3.diff.gz
5f357f2ecae677a37269721953b4ac52238e216d 551092 citadel-server_7.37-3_i386.deb
c1fb69372ff66fbdf5c71b69db57cafb6e9bf080 15042 citadel-mta_7.37-3_i386.deb
5c9056dbac80f1e2cc95926054113430bc735b8d 113692 citadel-client_7.37-3_i386.deb
32b2623c7a426984d9c9914312a9683e946df0ff 8082 citadel-suite_7.37-3_all.deb
5e7bb1e90116cf22364c0ba7df441a86a6acfa06 8226 citadel-common_7.37-3_all.deb
f887ee2125ba57bcf268c45c4a66a7cdc0cacb1f 96126 citadel-doc_7.37-3_all.deb
Checksums-Sha256:
bf77951f04d296074d4f3f9677a43a7b15dd39980faacb2628ee9569eda24cb7 1382 citadel_7.37-3.dsc
f9f03c46498b8e063b885d05d86adf6da2b722b5948005f6ccca93b51a59bbee 25717 citadel_7.37-3.diff.gz
e1f975a4c23f90d2cf76db5d7379c38ac3335b4747547111c7455f03f520de49 551092 citadel-server_7.37-3_i386.deb
fc09c931ee10356be2ce7523bce25420f142cdb2a2ae86a5507180a457aa25b4 15042 citadel-mta_7.37-3_i386.deb
599b1de54417a08acd645f75c95886b065dc59caa878101e9cfc52b4926a8886 113692 citadel-client_7.37-3_i386.deb
5b3cb40b80ab52cfc6cf0dd0b9de8a3aa919c7006d04fb8f63f745ecde38bca6 8082 citadel-suite_7.37-3_all.deb
fa22cd935436d5d9329b51436205745ae967b675b9368a2a67755f9d49481f53 8226 citadel-common_7.37-3_all.deb
a5b268272002923add66abc4a188174eb3d39a14d405bd5ff441698870dc26bd 96126 citadel-doc_7.37-3_all.deb
Files:
ae3b33753a29ea45cbabc6dfdf6fc8bf 1382 mail extra citadel_7.37-3.dsc
3cebc6432aca46e30974131e2b652815 25717 mail extra citadel_7.37-3.diff.gz
958ddf58dedd8e1140ea715db738f3b0 551092 mail extra citadel-server_7.37-3_i386.deb
382eaca96cdc8b1fa6e4efd72b91af8c 15042 mail extra citadel-mta_7.37-3_i386.deb
9eede5eb3c89a4f20a2b0b22a4c27d04 113692 mail extra citadel-client_7.37-3_i386.deb
65395cdf3134c7d7c79d862421de9d6d 8082 mail extra citadel-suite_7.37-3_all.deb
740d07fae025ec54feab0839e5adae4c 8226 mail extra citadel-common_7.37-3_all.deb
bc9bc9bf6cce7916d3426c1f33dca1ed 96126 doc extra citadel-doc_7.37-3_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFItqPBVkEm8inxm9ERAs2GAJsFT0eaBt2lcDdUBfBS4ZqMzYXTpgCePc4K
kHMupU5sTxBHsBOA4xK47SI=
=V7Bu
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Tue, 07 Oct 2008 07:30:36 GMT)