Debian Bug report logs - #496359
The possibility of attack with the help of symlinks in some Debian packages


Package: citadel-server; Maintainer for citadel-server is Debian Citadel Team <pkg-citadel-devel@lists.alioth.debian.org>; Source for citadel-server is src:citadel.

Reported by: "Dmitry E. Oboukhov" <dimka@uvw.ru>

Date: Sun, 24 Aug 2008 18:06:10 UTC

Severity: grave

Tags: confirmed, patch, security

Fixed in version citadel/7.37-3

Done: Michael Meskes <meskes@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Debian Citadel Team <pkg-citadel-devel@lists.alioth.debian.org>:
Bug#496359; Package citadel-server.

Acknowledgement sent to "Dmitry E. Oboukhov" <dimka@uvw.ru>:
New Bug report received and forwarded. Copy sent to Debian Citadel Team <pkg-citadel-devel@lists.alioth.debian.org>.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: "Dmitry E. Oboukhov" <dimka@uvw.ru>
To: submit@bugs.debian.org
Cc: dimka@uvw.ru
Subject: The possibility of attack with the help of symlinks in some Debian packages
Date: Sun, 24 Aug 2008 22:05:28 +0400
Package: citadel-server
Severity: grave

Hi, maintainer!

This message about the error concerns a few packages at once. I've
tested all the packages (for Lenny) on my Debian mirror. All scripts
of packages (marked as executable) were tested.

In some packages I've discovered scripts with errors which may be used
by a user for damaging important system files or user's files.

For example, if a script uses in its work a temp file which is created
in the /tmp directory, then every user can create a symlink with the same
name in this directory in order to destroy or rewrite some system
or user file. A symlink attack may also lead not only to data
destruction but to denial of service as well.

Even if you create files or directories with the help of the function 'RANDOM'
or pid(), then your system is not protected. An attacker can create many
symlinks in order to destroy your data or create a 'denial of service'
for your package scripts.

Even if you make rm(dir) for files/directories, then your system is
not protected. An attacker can permanently create symlinks.

This list is created with the help of a script. This list is sorted by
hand. However, in some cases a mistake is possible.

Please be understanding of possible mistakes. :)

I set Severity to grave for this bug. The table of discovered
problems is below.

Discussion of this bug you can see in debian-devel@:
    http://lists.debian.org/debian-devel/2008/08/msg00271.html

Binary-package: r-base-core-ra (1.1.1-1)
    file: /usr/lib/Ra/lib/R/bin/javareconf
Binary-package: rccp (0.9-2)
    file: /usr/lib/rccp/delqueueask
Binary-package: mafft (6.240-1)
    file: /usr/bin/mafft-homologs
Binary-package: openoffice.org-common (1:2.4.1-6)
    file: /usr/lib/openoffice/program/senddoc
Binary-package: crossfire-maps (1.11.0-1)
    file: /usr/share/games/crossfire/maps/Info/combine.pl
Binary-package: sgml2x (1.0.0-11.1)
    file: /usr/bin/rlatex
Binary-package: liguidsoap (0.3.6-4)
    file: /var/lib/liguidsoap/liguidsoap.py
Binary-package: citadel-server (7.37-1)
    file: /usr/lib/citadel-server/migrate_aliases.sh
Binary-package: ampache (3.4.1-1)
    file: /usr/share/ampache/www/locale/base/gather-messages.sh
Binary-package: xen-utils-3.2-1 (3.2.1-2)
    file: /usr/lib/xen-3.2-1/bin/qemu-dm.debug
Binary-package: dtc-common (0.29.6-1)
    file: /usr/share/dtc/admin/accesslog.php
    file: /usr/share/dtc/admin/sa-wrapper
Binary-package: honeyd-common (1.5c-3)
    file: /usr/share/honeyd/scripts/test.sh
Binary-package: lustre-tests (1.6.5-1)
    file: /usr/lib/lustre/tests/runiozone
Binary-package: linuxtrade (3.65-8+b4)
    file: /usr/share/linuxtrade/bin/linuxtrade.bwkvol
    file: /usr/share/linuxtrade/bin/linuxtrade.wn
    file: /usr/share/linuxtrade/bin/moneyam.helper
Binary-package: freevo (1.8.1-0)
    file: /usr/bin/freevo.real
Binary-package: fml (4.0.3.dfsg-2)
    file: /usr/share/fml/libexec/mead.pl
Binary-package: rkhunter (1.3.2-3)
    file: /usr/bin/rkhunter
Binary-package: openswan (1:2.4.12+dfsg-1.1)
    file: /usr/lib/ipsec/livetest
Binary-package: linux-patch-openswan (1:2.4.12+dfsg-1.1)
    file: /usr/src/kernel-patches/all/openswan/packaging/utils/maysnap
    file: /usr/src/kernel-patches/all/openswan/packaging/utils/maytest
Binary-package: aptoncd (0.1-1.1)
    file: /usr/share/aptoncd/xmlfile.py
Binary-package: cdcontrol (1.90-1.1)
    file: /usr/lib/cdcontrol/writtercontrol
Binary-package: newsgate (1.6-23)
    file: /usr/bin/mkmailpost
Binary-package: gpsdrive-scripts (2.10~pre4-3)
    file: /usr/bin/geo-code
Binary-package: impose+ (0.2-11)
    file: /usr/bin/impose
Binary-package: mgt (2.31-5)
    file: /usr/games/mailgo
Binary-package: audiolink (0.05-1)
    file: /usr/bin/audiolink
Binary-package: ibackup (2.27-4.1)
    file: /usr/bin/ibackup
Binary-package: emacspeak (26.0-3)
    file: /usr/share/emacs/site-lisp/emacspeak/etc/extract-table.pl
Binary-package: bk2site (1:1.1.9-3.1)
    file: /usr/lib/cgi-bin/bk2site/redirect.pl
Binary-package: datafreedom-perl (0.1.7-1)
    file: /usr/bin/dfxml-invoice
Binary-package: emacs-jabber (0.7.91-1)
    file: /usr/lib/emacsen-common/packages/install/emacs-jabber
Binary-package: lmbench (3.0-a7-1)
    file: /usr/lib/lmbench/scripts/rccs
    file: /usr/lib/lmbench/scripts/STUFF
Binary-package: rancid-util (2.3.2~a8-1)
    file: /var/lib/rancid/getipacctg
Binary-package: ogle (0.9.2-5.2)
    file: /usr/lib/ogle/ogle_audio_debug
    file: /usr/lib/ogle/ogle_cli_debug
    file: /usr/lib/ogle/ogle_ctrl_debug
    file: /usr/lib/ogle/ogle_gui_debug
    file: /usr/lib/ogle/ogle_mpeg_ps_debug
    file: /usr/lib/ogle/ogle_mpeg_vs_debug
    file: /usr/lib/ogle/ogle_nav_debug
    file: /usr/lib/ogle/ogle_vout_debug
Binary-package: firehol (1.256-4)
    file: /sbin/firehol
Binary-package: aview (1.3.0rc1-8)
    file: /usr/bin/asciiview
Binary-package: radiance (3R9+20080530-3)
    file: /usr/bin/optics2rad
    file: /usr/bin/pdelta
    file: /usr/bin/dayfact
    file: /usr/bin/raddepend
Binary-package: vdr-dbg (1.6.0-5)
    file: /usr/bin/vdrleaktest
Binary-package: ogle-mmx (0.9.2-5.2)
    file: /usr/lib/ogle/ogle_audio_debug
    file: /usr/lib/ogle/ogle_cli_debug
    file: /usr/lib/ogle/ogle_ctrl_debug
    file: /usr/lib/ogle/ogle_gui_debug
    file: /usr/lib/ogle/ogle_mpeg_ps_debug
    file: /usr/lib/ogle/ogle_mpeg_vs_debug
    file: /usr/lib/ogle/ogle_nav_debug
    file: /usr/lib/ogle/ogle_vout_debug
Binary-package: convirt (0.8.2-3)
    file: /usr/share/convirt/image_store/_template_/provision.sh
    file: /usr/share/convirt/image_store/Linux_CD_Install/provision.sh
    file: /usr/share/convirt/image_store/Fedora_PV_Install/provision.sh
    file: /usr/share/convirt/image_store/CentOS_PV_Install/provision.sh
    file: /usr/share/convirt/image_store/common/provision.sh
    file: /usr/share/convirt/image_store/example/provision.sh
    file: /usr/share/convirt/image_store/Windows_CD_Install/provision.sh
Binary-package: printfilters-ppd (2.13-9)
    file: /usr/lib/printfilters/master-filter
Binary-package: r-base-core (2.7.1-1)
    file: /usr/lib/R/bin/javareconf
    file: /usr/lib/R/bin/javareconf.orig
Binary-package: xmcd (2.6-19.3)
    file: /usr/share/xmcd/scripts/ncsarmt
    file: /usr/share/xmcd/scripts/ncsawrap
Binary-package: tiger (1:3.2.2-3.1)
    file: /usr/lib/tiger/util/genmsgidx
Binary-package: scilab-bin (4.1.2-5)
    file: /usr/lib/scilab-4.1.2/bin/scilink
    file: /usr/lib/scilab-4.1.2/util/scidoc
    file: /usr/lib/scilab-4.1.2/util/scidem
Binary-package: dpkg-cross (2.3.0)
    file: /usr/share/dpkg-cross/bin/gccross
Binary-package: ltp-network-test (20060918-2.1)
    file: /usr/lib/debian-test/tests/linux/testcases/bin/ftp_setup_vsftp_conf
    file: /usr/lib/debian-test/tests/linux/testcases/bin/nfs_fsstress.sh
Binary-package: cman (2.20080629-1)
    file: /usr/sbin/fence_egenera
Binary-package: scratchbox2 (1.99.0.24-1)
    file: /usr/share/scratchbox2/scripts/dpkg-checkbuilddeps
    file: /usr/share/scratchbox2/scripts/sb2-check-pkg-mappings
Binary-package: sendmail-base (8.14.3-5)
    file: /usr/sbin/checksendmail
    file: /usr/bin/expn
Binary-package: fwbuilder (2.1.19-3)
    file: /usr/bin/fwb_install
Binary-package: sng (1.0.2-5)
    file: /usr/bin/sng_regress
Binary-package: dist (1:3.5-17-1)
    file: /usr/bin/patcil
    file: /usr/bin/patdiff
Binary-package: sympa (5.3.4-5)
    file: /usr/lib/cgi-bin/sympa/wwsympa.fcgi
    file: /usr/lib/sympa/bin/sympa.pl
Binary-package: postfix (2.5.2-2)
    file: /usr/lib/postfix_groups.pl
Binary-package: caudium (3:1.4.12-11)
    file: /usr/share/caudium/configvar
Binary-package: mgetty-fax (1.1.36-1.2)
    file: /usr/bin/faxspool
Binary-package: aegis (4.24-3)
    file: /usr/share/doc/aegis/examples/remind/bng_dvlpd.sh
    file: /usr/share/doc/aegis/examples/remind/bng_rvwd.sh
    file: /usr/share/doc/aegis/examples/remind/awt_dvlp.sh
    file: /usr/share/doc/aegis/examples/remind/awt_intgrtn.sh
Binary-package: aegis-web (4.24-3)
    file: /usr/lib/cgi-bin/aegis.cgi
Binary-package: digitaldj (0.7.5-6+b1)
    file: /usr/share/digitaldj/fest.pl
Binary-package: mon (0.99.2-12)
    file: /usr/lib/mon/alert.d/test.alert
Binary-package: feta (1.4.16)
    file: /usr/share/feta/plugins/to-upgrade
Binary-package: arb-common (0.0.20071207.1-4)
    file: /usr/lib/arb/SH/arb_fastdnaml
    file: /usr/lib/arb/SH/dszmconnect.pl
Binary-package: qemu (0.9.1-5)
    file: /usr/sbin/qemu-make-debian-root
Binary-package: apertium (3.0.7+1-1+b1)
    file: /usr/bin/apertium-gen-deformat
    file: /usr/bin/apertium-gen-reformat
    file: /usr/bin/apertium
Binary-package: xcal (4.1-18.3)
    file: /usr/bin/pscal
Binary-package: myspell-tools (1:3.1-20)
    file: /usr/bin/i2myspell
Binary-package: gccxml (0.9.0+cvs20080525-1)
    file: /usr/share/gccxml-0.9/MIPSpro/find_flags
Binary-package: freeradius-dialupadmin (2.0.4+dfsg-4)
    file: /usr/share/freeradius-dialupadmin/bin/backup_radacct
    file: /usr/share/freeradius-dialupadmin/bin/clean_radacct
    file: /usr/share/freeradius-dialupadmin/bin/monthly_tot_stats
    file: /usr/share/freeradius-dialupadmin/bin/tot_stats
    file: /usr/share/freeradius-dialupadmin/bin/truncate_radacct
Binary-package: dhis-server (5.3-1)
    file: /usr/lib/dhis-server/dhis-dummy-log-engine
Binary-package: wims (3.62-13)
    file: /var/lib/wims/public_html/bin/coqweb
    file: /var/lib/wims/bin/account.sh
Binary-package: initramfs-tools (0.92f)
    file: /usr/share/initramfs-tools/init
Binary-package: realtimebattle-common (1.0.8-7)
    file: /usr/lib/realtimebattle/Robots/perl.robot
Binary-package: netmrg (0.20-1)
    file: /usr/bin/rrdedit
Binary-package: bulmages-servers (0.11.1-2)
    file: /usr/share/bulmages/examples/scripts/actualizabulmacont
    file: /usr/share/bulmages/examples/scripts/installbulmages-db
    file: /usr/share/bulmages/examples/scripts/creabulmafact
    file: /usr/share/bulmages/examples/scripts/creabulmacont
    file: /usr/share/bulmages/examples/scripts/actualizabulmafact
Binary-package: xastir (1.9.2-1)
    file: /usr/lib/xastir/get-maptools.sh
    file: /usr/lib/xastir/get_shapelib.sh
Binary-package: plait (1.5.2-1)
    file: /usr/bin/plaiter
    file: /usr/bin/plait
Binary-package: cdrw-taper (0.4-2)
    file: /usr/sbin/amlabel-cdrw
Binary-package: konwert-filters (1.8-11.1)
    file: /usr/share/konwert/filters/any-UTF8
Binary-package: gdrae (0.1-1)
    file: /usr/bin/gdrae
Binary-package: lazarus-src (0.9.24-0-9)
    file: /usr/lib/lazarus/tools/install/create_lazarus_export_tgz.sh
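As an added example (not from the bug report, the attached patch, or the citadel package), a small shell audit for the predictable temp-file idiom the report describes, beside the mktemp-based pattern that replaces it. The script it scans is constructed for the demo; the function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the bug report or from the citadel package.
# (1) an audit that flags the idiom the report describes: writes under /tmp
#     or /var/tmp to a fixed name or one built from $$ / $RANDOM;
# (2) the replacement: a private, randomly named directory created
#     atomically by mktemp, which a symlink planted in advance cannot hijack.

# (1) Count lines that mention a path under /tmp or /var/tmp and do not go
# through mktemp. Heuristic, like the reporter's own script: a line that
# both names /tmp/foo and calls mktemp is skipped.
count_predictable_tmp() {
    grep -E '(^|[^[:alnum:]_])/(var/)?tmp/[^[:space:]]+' "$@" | grep -vc mktemp
}

# (2) Create a private scratch directory. mktemp -d picks an unpredictable
# name and creates it with O_EXCL semantics and mode 0700, so neither a
# guessed name nor a pre-placed symlink can redirect what is written there.
make_private_tmpdir() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/example.XXXXXX") || return 1
    # Defence in depth: refuse anything that is not a plain directory we own
    # (e.g. a hostile TMPDIR that points at a symlink).
    if [ -L "$d" ] || [ ! -d "$d" ] || [ ! -O "$d" ]; then
        rm -rf "$d"
        return 1
    fi
    printf '%s\n' "$d"
}

# Demo: write a constructed script with three unsafe lines and one safe
# line into a private directory, then run the audit over it. Prints 3.
demo() {
    work=$(make_private_tmpdir) || return 1
    trap 'rm -rf "$work"' EXIT HUP INT TERM
    cat > "$work/sample.sh" <<'EOF'
#!/bin/sh
# constructed sample: fixed name, pid suffix, RANDOM suffix, then mktemp
sort aliases > /tmp/aliases.sorted
grep -v '^#' aliases > /tmp/aliases.$$
rm -f /tmp/aliases.$RANDOM; touch /tmp/aliases.$RANDOM
T=$(mktemp) && cp aliases "$T"
EOF
    count_predictable_tmp "$work/sample.sh"
}
```

The rm-then-touch line is counted as unsafe on purpose: as the report says, removing the path first does not close the race.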




Tags added: Request was from "Dmitry E. Oboukhov" <dimka@uvw.ru> to control@bugs.debian.org. (Tue, 26 Aug 2008 08:45:05 GMT)

Tags added: security Request was from "Dmitry E. Oboukhov" <dimka@uvw.ru> to control@bugs.debian.org. (Tue, 26 Aug 2008 08:57:04 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Citadel Team <pkg-citadel-devel@lists.alioth.debian.org>:
Bug#496359; Package citadel-server.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Citadel Team <pkg-citadel-devel@lists.alioth.debian.org>.

Message #14 received at 496359@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: 496359@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: The possibility of attack with the help of symlinks in some Debian packages
Date: Tue, 26 Aug 2008 22:59:28 +0200
[Message part 1 (text/plain, inline)]
tags 496359 confirmed patch
thanks

Dmitry E. Oboukhov wrote:
> Package: citadel-server
> Severity: grave
> 
> Hi, maintainer!
> 
> In some packages I've discovered scripts with errors which may be used
> by a user for damaging important system files or user's files.

This can indeed be used for symlink attacks during the postinst phase;
the attached patch fixes it.

Cheers,
        Moritz
[citadel-tmp.diff (text/x-diff, attachment)]

Tags added: confirmed, patch Request was from Moritz Muehlenhoff <jmm@inutil.org> to control@bugs.debian.org. (Tue, 26 Aug 2008 21:03:04 GMT)

Reply sent to Michael Meskes <meskes@debian.org>:
You have taken responsibility.

Notification sent to "Dmitry E. Oboukhov" <dimka@uvw.ru>:
Bug acknowledged by developer.

Message #21 received at 496359-close@bugs.debian.org (full text, mbox):

From: Michael Meskes <meskes@debian.org>
To: 496359-close@bugs.debian.org
Subject: Bug#496359: fixed in citadel 7.37-3
Date: Thu, 28 Aug 2008 14:02:04 +0000
Source: citadel
Source-Version: 7.37-3

We believe that the bug you reported is fixed in the latest version of
citadel, which is due to be installed in the Debian FTP archive:

citadel-client_7.37-3_i386.deb
  to pool/main/c/citadel/citadel-client_7.37-3_i386.deb
citadel-common_7.37-3_all.deb
  to pool/main/c/citadel/citadel-common_7.37-3_all.deb
citadel-doc_7.37-3_all.deb
  to pool/main/c/citadel/citadel-doc_7.37-3_all.deb
citadel-mta_7.37-3_i386.deb
  to pool/main/c/citadel/citadel-mta_7.37-3_i386.deb
citadel-server_7.37-3_i386.deb
  to pool/main/c/citadel/citadel-server_7.37-3_i386.deb
citadel-suite_7.37-3_all.deb
  to pool/main/c/citadel/citadel-suite_7.37-3_all.deb
citadel_7.37-3.diff.gz
  to pool/main/c/citadel/citadel_7.37-3.diff.gz
citadel_7.37-3.dsc
  to pool/main/c/citadel/citadel_7.37-3.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 496359@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Meskes <meskes@debian.org> (supplier of updated citadel package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Mon, 25 Aug 2008 10:51:15 +0200
Source: citadel
Binary: citadel-server citadel-suite citadel-common citadel-mta citadel-client citadel-doc
Architecture: source i386 all
Version: 7.37-3
Distribution: unstable
Urgency: low
Maintainer: Debian Citadel Team <pkg-citadel-devel@lists.alioth.debian.org>
Changed-By: Michael Meskes <meskes@debian.org>
Description: 
 citadel-client - complete and feature-rich groupware server (command line client)
 citadel-common - complete and feature-rich groupware server
 citadel-doc - complete and feature-rich groupware server (documentation)
 citadel-mta - complete and feature-rich groupware server (mail transport agent)
 citadel-server - complete and feature-rich groupware server
 citadel-suite - complete and feature-rich groupware server; metapackage for full 
Closes: 496359
Changes: 
 citadel (7.37-3) unstable; urgency=low
 .
   [ Wilfried Goesgens ]
   * [r6544] add upstream prepatch; fix off by one in the QP encoder
   * remove use of tempfiles from migrate_aliases.sh, closes: #496359
   * [r6535] add upstream prepatch; stop the autopurger from messing with
     system rooms
Checksums-Sha1: 
Checksums-Sha256: 
Files: 






Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 07 Oct 2008 07:30:36 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 10:43:02 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.