Debian Bug report logs - #496362
The possibility of attack with the help of symlinks in some Debian packages


Package: dtc-common; Maintainer for dtc-common is Thomas Goirand <zigo@debian.org>; Source for dtc-common is src:dtc.

Reported by: "Dmitry E. Oboukhov" <dimka@uvw.ru>

Date: Sun, 24 Aug 2008 18:09:04 UTC

Severity: grave

Tags: confirmed, security

Fixed in version dtc/0.29.10-1

Done: Thomas Goirand <thomas@goirand.fr>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Thomas Goirand <thomas@goirand.fr>:
Bug#496362; Package dtc-common. Full text and rfc822 format available.

Acknowledgement sent to "Dmitry E. Oboukhov" <dimka@uvw.ru>:
New Bug report received and forwarded. Copy sent to Thomas Goirand <thomas@goirand.fr>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: "Dmitry E. Oboukhov" <dimka@uvw.ru>
To: submit@bugs.debian.org
Cc: dimka@uvw.ru
Subject: The possibility of attack with the help of symlinks in some Debian packages
Date: Sun, 24 Aug 2008 22:05:28 +0400
Package: dtc-common
Severity: grave

Hi, maintainer!

This message about the error concerns a few packages at once. I've
tested all the packages (for Lenny) on my Debian mirror. All scripts
of packages (marked as executable) were tested.

In some packages I've discovered scripts with errors which may be used
by a user for damaging important system files or user's files.

For example, if a script uses in its work a temp file which is created
in the /tmp directory, then every user can create a symlink with the same
name in this directory in order to destroy or rewrite some system
or user file. A symlink attack may also lead not only to data
destruction but to denial of service as well.

Even if you create files or directories with the help of the function
'RANDOM' or pid(), then your system is not protected. An attacker can
create many symlinks in order to destroy your data or create a 'denial
of service' for your package scripts.

Even if you make rm(dir) for files/directories, then your system is
not protected. An attacker can permanently create symlinks.

This list was created with the help of a script. The list was sorted by
hand. However, in some cases a mistake is possible.

Please be understanding of possible mistakes. :)

I set the severity to grave for this bug. The table of discovered
problems is below.

Discussion of this bug can be seen on debian-devel@:
    http://lists.debian.org/debian-devel/2008/08/msg00271.html

Binary-package: r-base-core-ra (1.1.1-1)
    file: /usr/lib/Ra/lib/R/bin/javareconf
Binary-package: rccp (0.9-2)
    file: /usr/lib/rccp/delqueueask
Binary-package: mafft (6.240-1)
    file: /usr/bin/mafft-homologs
Binary-package: openoffice.org-common (1:2.4.1-6)
    file: /usr/lib/openoffice/program/senddoc
Binary-package: crossfire-maps (1.11.0-1)
    file: /usr/share/games/crossfire/maps/Info/combine.pl
Binary-package: sgml2x (1.0.0-11.1)
    file: /usr/bin/rlatex
Binary-package: liguidsoap (0.3.6-4)
    file: /var/lib/liguidsoap/liguidsoap.py
Binary-package: citadel-server (7.37-1)
    file: /usr/lib/citadel-server/migrate_aliases.sh
Binary-package: ampache (3.4.1-1)
    file: /usr/share/ampache/www/locale/base/gather-messages.sh
Binary-package: xen-utils-3.2-1 (3.2.1-2)
    file: /usr/lib/xen-3.2-1/bin/qemu-dm.debug
Binary-package: dtc-common (0.29.6-1)
    file: /usr/share/dtc/admin/accesslog.php
    file: /usr/share/dtc/admin/sa-wrapper
Binary-package: honeyd-common (1.5c-3)
    file: /usr/share/honeyd/scripts/test.sh
Binary-package: lustre-tests (1.6.5-1)
    file: /usr/lib/lustre/tests/runiozone
Binary-package: linuxtrade (3.65-8+b4)
    file: /usr/share/linuxtrade/bin/linuxtrade.bwkvol
    file: /usr/share/linuxtrade/bin/linuxtrade.wn
    file: /usr/share/linuxtrade/bin/moneyam.helper
Binary-package: freevo (1.8.1-0)
    file: /usr/bin/freevo.real
Binary-package: fml (4.0.3.dfsg-2)
    file: /usr/share/fml/libexec/mead.pl
Binary-package: rkhunter (1.3.2-3)
    file: /usr/bin/rkhunter
Binary-package: openswan (1:2.4.12+dfsg-1.1)
    file: /usr/lib/ipsec/livetest
Binary-package: linux-patch-openswan (1:2.4.12+dfsg-1.1)
    file: /usr/src/kernel-patches/all/openswan/packaging/utils/maysnap
    file: /usr/src/kernel-patches/all/openswan/packaging/utils/maytest
Binary-package: aptoncd (0.1-1.1)
    file: /usr/share/aptoncd/xmlfile.py
Binary-package: cdcontrol (1.90-1.1)
    file: /usr/lib/cdcontrol/writtercontrol
Binary-package: newsgate (1.6-23)
    file: /usr/bin/mkmailpost
Binary-package: gpsdrive-scripts (2.10~pre4-3)
    file: /usr/bin/geo-code
Binary-package: impose+ (0.2-11)
    file: /usr/bin/impose
Binary-package: mgt (2.31-5)
    file: /usr/games/mailgo
Binary-package: audiolink (0.05-1)
    file: /usr/bin/audiolink
Binary-package: ibackup (2.27-4.1)
    file: /usr/bin/ibackup
Binary-package: emacspeak (26.0-3)
    file: /usr/share/emacs/site-lisp/emacspeak/etc/extract-table.pl
Binary-package: bk2site (1:1.1.9-3.1)
    file: /usr/lib/cgi-bin/bk2site/redirect.pl
Binary-package: datafreedom-perl (0.1.7-1)
    file: /usr/bin/dfxml-invoice
Binary-package: emacs-jabber (0.7.91-1)
    file: /usr/lib/emacsen-common/packages/install/emacs-jabber
Binary-package: lmbench (3.0-a7-1)
    file: /usr/lib/lmbench/scripts/rccs
    file: /usr/lib/lmbench/scripts/STUFF
Binary-package: rancid-util (2.3.2~a8-1)
    file: /var/lib/rancid/getipacctg
Binary-package: ogle (0.9.2-5.2)
    file: /usr/lib/ogle/ogle_audio_debug
    file: /usr/lib/ogle/ogle_cli_debug
    file: /usr/lib/ogle/ogle_ctrl_debug
    file: /usr/lib/ogle/ogle_gui_debug
    file: /usr/lib/ogle/ogle_mpeg_ps_debug
    file: /usr/lib/ogle/ogle_mpeg_vs_debug
    file: /usr/lib/ogle/ogle_nav_debug
    file: /usr/lib/ogle/ogle_vout_debug
Binary-package: firehol (1.256-4)
    file: /sbin/firehol
Binary-package: aview (1.3.0rc1-8)
    file: /usr/bin/asciiview
Binary-package: radiance (3R9+20080530-3)
    file: /usr/bin/optics2rad
    file: /usr/bin/pdelta
    file: /usr/bin/dayfact
    file: /usr/bin/raddepend
Binary-package: vdr-dbg (1.6.0-5)
    file: /usr/bin/vdrleaktest
Binary-package: ogle-mmx (0.9.2-5.2)
    file: /usr/lib/ogle/ogle_audio_debug
    file: /usr/lib/ogle/ogle_cli_debug
    file: /usr/lib/ogle/ogle_ctrl_debug
    file: /usr/lib/ogle/ogle_gui_debug
    file: /usr/lib/ogle/ogle_mpeg_ps_debug
    file: /usr/lib/ogle/ogle_mpeg_vs_debug
    file: /usr/lib/ogle/ogle_nav_debug
    file: /usr/lib/ogle/ogle_vout_debug
Binary-package: convirt (0.8.2-3)
    file: /usr/share/convirt/image_store/_template_/provision.sh
    file: /usr/share/convirt/image_store/Linux_CD_Install/provision.sh
    file: /usr/share/convirt/image_store/Fedora_PV_Install/provision.sh
    file: /usr/share/convirt/image_store/CentOS_PV_Install/provision.sh
    file: /usr/share/convirt/image_store/common/provision.sh
    file: /usr/share/convirt/image_store/example/provision.sh
    file: /usr/share/convirt/image_store/Windows_CD_Install/provision.sh
Binary-package: printfilters-ppd (2.13-9)
    file: /usr/lib/printfilters/master-filter
Binary-package: r-base-core (2.7.1-1)
    file: /usr/lib/R/bin/javareconf
    file: /usr/lib/R/bin/javareconf.orig
Binary-package: xmcd (2.6-19.3)
    file: /usr/share/xmcd/scripts/ncsarmt
    file: /usr/share/xmcd/scripts/ncsawrap
Binary-package: tiger (1:3.2.2-3.1)
    file: /usr/lib/tiger/util/genmsgidx
Binary-package: scilab-bin (4.1.2-5)
    file: /usr/lib/scilab-4.1.2/bin/scilink
    file: /usr/lib/scilab-4.1.2/util/scidoc
    file: /usr/lib/scilab-4.1.2/util/scidem
Binary-package: dpkg-cross (2.3.0)
    file: /usr/share/dpkg-cross/bin/gccross
Binary-package: ltp-network-test (20060918-2.1)
    file: /usr/lib/debian-test/tests/linux/testcases/bin/ftp_setup_vsftp_conf
    file: /usr/lib/debian-test/tests/linux/testcases/bin/nfs_fsstress.sh
Binary-package: cman (2.20080629-1)
    file: /usr/sbin/fence_egenera
Binary-package: scratchbox2 (1.99.0.24-1)
    file: /usr/share/scratchbox2/scripts/dpkg-checkbuilddeps
    file: /usr/share/scratchbox2/scripts/sb2-check-pkg-mappings
Binary-package: sendmail-base (8.14.3-5)
    file: /usr/sbin/checksendmail
    file: /usr/bin/expn
Binary-package: fwbuilder (2.1.19-3)
    file: /usr/bin/fwb_install
Binary-package: sng (1.0.2-5)
    file: /usr/bin/sng_regress
Binary-package: dist (1:3.5-17-1)
    file: /usr/bin/patcil
    file: /usr/bin/patdiff
Binary-package: sympa (5.3.4-5)
    file: /usr/lib/cgi-bin/sympa/wwsympa.fcgi
    file: /usr/lib/sympa/bin/sympa.pl
Binary-package: postfix (2.5.2-2)
    file: /usr/lib/postfix_groups.pl
Binary-package: caudium (3:1.4.12-11)
    file: /usr/share/caudium/configvar
Binary-package: mgetty-fax (1.1.36-1.2)
    file: /usr/bin/faxspool
Binary-package: aegis (4.24-3)
    file: /usr/share/doc/aegis/examples/remind/bng_dvlpd.sh
    file: /usr/share/doc/aegis/examples/remind/bng_rvwd.sh
    file: /usr/share/doc/aegis/examples/remind/awt_dvlp.sh
    file: /usr/share/doc/aegis/examples/remind/awt_intgrtn.sh
Binary-package: aegis-web (4.24-3)
    file: /usr/lib/cgi-bin/aegis.cgi
Binary-package: digitaldj (0.7.5-6+b1)
    file: /usr/share/digitaldj/fest.pl
Binary-package: mon (0.99.2-12)
    file: /usr/lib/mon/alert.d/test.alert
Binary-package: feta (1.4.16)
    file: /usr/share/feta/plugins/to-upgrade
Binary-package: arb-common (0.0.20071207.1-4)
    file: /usr/lib/arb/SH/arb_fastdnaml
    file: /usr/lib/arb/SH/dszmconnect.pl
Binary-package: qemu (0.9.1-5)
    file: /usr/sbin/qemu-make-debian-root
Binary-package: apertium (3.0.7+1-1+b1)
    file: /usr/bin/apertium-gen-deformat
    file: /usr/bin/apertium-gen-reformat
    file: /usr/bin/apertium
Binary-package: xcal (4.1-18.3)
    file: /usr/bin/pscal
Binary-package: myspell-tools (1:3.1-20)
    file: /usr/bin/i2myspell
Binary-package: gccxml (0.9.0+cvs20080525-1)
    file: /usr/share/gccxml-0.9/MIPSpro/find_flags
Binary-package: freeradius-dialupadmin (2.0.4+dfsg-4)
    file: /usr/share/freeradius-dialupadmin/bin/backup_radacct
    file: /usr/share/freeradius-dialupadmin/bin/clean_radacct
    file: /usr/share/freeradius-dialupadmin/bin/monthly_tot_stats
    file: /usr/share/freeradius-dialupadmin/bin/tot_stats
    file: /usr/share/freeradius-dialupadmin/bin/truncate_radacct
Binary-package: dhis-server (5.3-1)
    file: /usr/lib/dhis-server/dhis-dummy-log-engine
Binary-package: wims (3.62-13)
    file: /var/lib/wims/public_html/bin/coqweb
    file: /var/lib/wims/bin/account.sh
Binary-package: initramfs-tools (0.92f)
    file: /usr/share/initramfs-tools/init
Binary-package: realtimebattle-common (1.0.8-7)
    file: /usr/lib/realtimebattle/Robots/perl.robot
Binary-package: netmrg (0.20-1)
    file: /usr/bin/rrdedit
Binary-package: bulmages-servers (0.11.1-2)
    file: /usr/share/bulmages/examples/scripts/actualizabulmacont
    file: /usr/share/bulmages/examples/scripts/installbulmages-db
    file: /usr/share/bulmages/examples/scripts/creabulmafact
    file: /usr/share/bulmages/examples/scripts/creabulmacont
    file: /usr/share/bulmages/examples/scripts/actualizabulmafact
Binary-package: xastir (1.9.2-1)
    file: /usr/lib/xastir/get-maptools.sh
    file: /usr/lib/xastir/get_shapelib.sh
Binary-package: plait (1.5.2-1)
    file: /usr/bin/plaiter
    file: /usr/bin/plait
Binary-package: cdrw-taper (0.4-2)
    file: /usr/sbin/amlabel-cdrw
Binary-package: konwert-filters (1.8-11.1)
    file: /usr/share/konwert/filters/any-UTF8
Binary-package: gdrae (0.1-1)
    file: /usr/bin/gdrae
Binary-package: lazarus-src (0.9.24-0-9)
    file: /usr/lib/lazarus/tools/install/create_lazarus_export_tgz.sh




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#496362; Package dtc-common. Full text and rfc822 format available.

Acknowledgement sent to Thomas Goirand <thomas@goirand.fr>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #10 received at 496362@bugs.debian.org (full text, mbox):

From: Thomas Goirand <thomas@goirand.fr>
To: "Dmitry E. Oboukhov" <dimka@uvw.ru>, 496362@bugs.debian.org
Subject: Re: Bug#496362: The possibility of attack with the help of symlinks in some Debian packages
Date: Mon, 25 Aug 2008 09:52:23 +0800
Dmitry E. Oboukhov wrote:
> Package: dtc-common
> Severity: grave
> 
> Hi, maintainer!
> 
> This message about the error concerns a few packages at once. I've
> tested all the packages (for Lenny) on my Debian mirror. All scripts
> of packages (marked as executable) were tested.
> 
> In some packages I've discovered scripts with errors which may be used
> by a user for damaging important system files or user's files.
> 
> For example, if a script uses in its work a temp file which is created
> in the /tmp directory, then every user can create a symlink with the same
> name in this directory in order to destroy or rewrite some system
> or user file. A symlink attack may also lead not only to data
> destruction but to denial of service as well.
> 
> Even if you create files or directories with the help of the function
> 'RANDOM' or pid(), then your system is not protected. An attacker can
> create many symlinks in order to destroy your data or create a 'denial
> of service' for your package scripts.
> 
> Even if you make rm(dir) for files/directories, then your system is
> not protected. An attacker can permanently create symlinks.
> 
> This list was created with the help of a script. The list was sorted by
> hand. However, in some cases a mistake is possible.
> 
> Please be understanding of possible mistakes. :)
> 
> I set the severity to grave for this bug. The table of discovered
> problems is below.
> 
> Discussion of this bug can be seen on debian-devel@:
>     http://lists.debian.org/debian-devel/2008/08/msg00271.html
> 
> Binary-package: dtc-common (0.29.6-1)
>     file: /usr/share/dtc/admin/accesslog.php
>     file: /usr/share/dtc/admin/sa-wrapper

Hi,

Clearly, you have been using a SCRIPT to detect the use of /tmp, and
your script was wrong in my case. I really don't think that using a
script to just detect the use of /tmp/ is enough, as it can even be in a
comment and your script will not see it. Let me show you an example:

--- Quick example ---
#!/bin/sh

# create a temp file for later use in /tmp/
MY_TMP_FILE=`mktemp APP_TMP_FILE_XXXXXX`
--- /Quick example ---

Your script would detect the COMMENT, and mark the script as problematic.

--- accesslog.php ---
Either it detected this:

$fullpath =
$a["path"]."/".$a["name"]."/subdomains/".$a["subdomain_name"]."/tmp";

which is in fact later used to DELETE files (like php sessions):

$cmd = "find $fullpath -atime +6 -exec rm {} \;";

or it detected this:

echo \"\$AWSTATS_LOG_FILE \$AWSTATS_FULL_DOMAIN \$AWSTATS_DIR_DATA\" >>
/tmp/awstats.log

which is in fact commented out.

--- sa-wrapper ---
It seems to me that it detected the use of /tmp/spam_err.log which is in
fact used only if sa-wrapper is in debug mode, which is not the case by
default. I'm not 100% sure as this sa-wrapper is coming from
spamassassin, and there is more than one instance of the use of /tmp,
but I think I'm right saying that it should be safe.

I'm closing this bug. If you find that it still needs to be fixed, let
me know and reopen the bug.

Thomas Goirand




Reply sent to Thomas Goirand <thomas@goirand.fr>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to "Dmitry E. Oboukhov" <dimka@uvw.ru>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #15 received at 496362-done@bugs.debian.org (full text, mbox):

From: Thomas Goirand <thomas@goirand.fr>
To: 496362-done@bugs.debian.org
Subject: Re: Bug#496362: The possibility of attack with the help of symlinks in some Debian packages
Date: Mon, 25 Aug 2008 09:53:10 +0800
Done as the mass-opening of symlink attack in /tmp was wrong in this case.

Thomas





Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Goirand <thomas@goirand.fr>:
Bug#496362; Package dtc-common. Full text and rfc822 format available.

Acknowledgement sent to "Dmitry E. Oboukhov" <dimka@uvw.ru>:
Extra info received and forwarded to list. Copy sent to Thomas Goirand <thomas@goirand.fr>. Full text and rfc822 format available.

Message #20 received at 496362@bugs.debian.org (full text, mbox):

From: "Dmitry E. Oboukhov" <dimka@uvw.ru>
To: 496362@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#496362 closed by Thomas Goirand <thomas@goirand.fr> (Re: Bug#496362: The possibility of attack with the help of symlinks in some Debian packages)
Date: Mon, 25 Aug 2008 11:02:18 +0400
[Message part 1 (text/plain, inline)]
reopen 496362
thanks

DBTS> Done as the mass-opening of symlink attack in /tmp was wrong in this case.

Why wrong?
    {
        my $ent = shift;
    
        if ($ent->head->mime_type eq 'message/rfc822') {
            if ($DEBUG) {
                unlink "/tmp/spam.log.$$" if -e "/tmp/spam.log.$$";
                open(OUT, "|$SA_LEARN -D --$spamham --single >>/tmp/spam.log.$$ 2>&1") or die "Cannot pipe $SA_LEARN: $!";
            } else {
                open(OUT, "|$SA_LEARN --$spamham --single") or die "Cannot pipe $SA_LEARN: $!";
            }
    
            $ent->bodyhandle->print(\*OUT);
    --
        die "$sender, I don't recognize your domain ($domain)!";
    }
    
    if ($DEBUG) {
        MIME::Tools->debugging(1);
        open(STDERR, ">/tmp/spam_err.log");
    }
    my $parser = new MIME::Parser;
    $parser->extract_nested_messages(0);
    $parser->output_under($UNPACK_DIR);

Unlinking the tempfile before using it is no guarantee against attack.

Re-read the bug report, please:

DBTS> Even if you make rm(dir) for files/directories, then your system is
DBTS> not protected. An attacker can permanently create symlinks.

An attacker can write a script such as:

#!perl

$file_for_attack='/path/to/file';

while(1)
{
    exit unless fork;
    symlink $file_for_attack, "/tmp/spam.log.$_" for ($$ .. $$+10000);
}
--

. ''`. Dmitry E. Oboukhov
: :’  : unera@debian.org
`. `~’ GPGKey: 1024D / F8E26537 2006-11-21
  `- 1B23 D4F8 8EC0 D902 0555  E438 AB8C 00CF F8E2 6537
[signature.asc (application/pgp-signature, inline)]

Bug reopened, originator not changed. Request was from "Dmitry E. Oboukhov" <dimka@uvw.ru> to control@bugs.debian.org. (Mon, 25 Aug 2008 07:03:08 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Goirand <thomas@goirand.fr>:
Bug#496362; Package dtc-common. Full text and rfc822 format available.

Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Thomas Goirand <thomas@goirand.fr>. Full text and rfc822 format available.

Message #27 received at 496362@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: 496362@bugs.debian.org
Subject: Re: Bug#496362: The possibility of attack with the help of symlinks in some Debian packages
Date: Mon, 25 Aug 2008 09:30:41 +0200
[Message part 1 (text/plain, inline)]
Hi,

> Done as the mass-opening of symlink attack in /tmp was wrong in this case.

I don't think closing this is the appropriate action. Sure, debug code is not
top priority. But still, the fix is straightforward and puts extra protection
on those running in debug mode. Besides, people tend to copy-paste stuff all
the time so eliminating it may prevent introducing a more pertinent bug.

I therefore encourage you strongly to just address the issue for lenny, even 
if it's only debug code.


Thijs
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Goirand <thomas@goirand.fr>:
Bug#496362; Package dtc-common. Full text and rfc822 format available.

Acknowledgement sent to Christian Perrier <bubulle@debian.org>:
Extra info received and forwarded to list. Copy sent to Thomas Goirand <thomas@goirand.fr>. Full text and rfc822 format available.

Message #32 received at 496362@bugs.debian.org (full text, mbox):

From: Christian Perrier <bubulle@debian.org>
To: 496362@bugs.debian.org
Subject: Re: Bug#496362: The possibility of attack with the help of symlinks in some Debian packages
Date: Mon, 25 Aug 2008 07:30:34 +0200
[Message part 1 (text/plain, inline)]
Quoting Thomas Goirand (thomas@goirand.fr):

> I'm closing this bug. If you find that it still needs to be fixed, let
> me know and reopen the bug.

But then set it to wishlist....

This MBF is one of the worst I've ever seen.


[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#496362; Package dtc-common. Full text and rfc822 format available.

Acknowledgement sent to Thomas Goirand <thomas@goirand.fr>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #37 received at 496362@bugs.debian.org (full text, mbox):

From: Thomas Goirand <thomas@goirand.fr>
To: Thijs Kinkhorst <thijs@debian.org>, 496362@bugs.debian.org
Subject: Re: Bug#496362: The possibility of attack with the help of symlinks in some Debian packages
Date: Mon, 25 Aug 2008 16:28:23 +0800
Thijs Kinkhorst wrote:
> Hi,
> 
>> Done as the mass-opening of symlink attack in /tmp was wrong in this case.
> 
> I don't think closing this is the appropriate action. Sure, debug code is not
> top priority. But still, the fix is straightforward and puts extra protection
> on those running in debug mode. Besides, people tend to copy-paste stuff all
> the time so eliminating it may prevent introducing a more pertinent bug.
> 
> I therefore encourage you strongly to just address the issue for lenny, even 
> if it's only debug code.
> 
> 
> Thijs

Ok, I'll be working on it, and it will be fixed asap with a new release.

Thomas




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#496362; Package dtc-common. Full text and rfc822 format available.

Acknowledgement sent to Thomas Goirand <thomas@goirand.fr>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #42 received at 496362@bugs.debian.org (full text, mbox):

From: Thomas Goirand <thomas@goirand.fr>
To: Christian Perrier <bubulle@debian.org>, 496362@bugs.debian.org
Subject: Re: Bug#496362: The possibility of attack with the help of symlinks in some Debian packages
Date: Mon, 25 Aug 2008 16:31:26 +0800
Christian Perrier wrote:
> Quoting Thomas Goirand (thomas@goirand.fr):
> 
>> I'm closing this bug. If you find that it still needs to be fixed, let
>> me know and reopen the bug.
> 
> But then set it to wishlist....
> 
> This MBF is one of the worst I've ever seen.

I'm reopening the issue, as there is a real one behind it. See the
"unlink" at the beginning, as pointed out by the person that opened the issue
in the first place? That really has to be fixed. I'll work on it and
come back with a fix no later than tomorrow (got other things to do today).

Thomas





Tags added: confirmed Request was from Thijs Kinkhorst <thijs@debian.org> to control@bugs.debian.org. (Mon, 25 Aug 2008 11:03:04 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#496362; Package dtc-common. Full text and rfc822 format available.

Acknowledgement sent to Thomas Goirand <thomas@goirand.fr>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #49 received at 496362@bugs.debian.org (full text, mbox):

From: Thomas Goirand <thomas@goirand.fr>
To: Thijs Kinkhorst <thijs@debian.org>, 496362@bugs.debian.org, "Dmitry E. Oboukhov" <dimka@uvw.ru>, Christian Perrier <bubulle@debian.org>
Subject: Re: Bug#496362: The possibility of attack with the help of symlinks in some Debian packages
Date: Mon, 25 Aug 2008 23:28:45 +0800
Thijs Kinkhorst wrote:
> Hi,
> 
>> Done as the mass-opening of symlink attack in /tmp was wrong in this case.
> 
> I don't think closing this is the appropriate action. Sure, debug code is not
> top priority. But still, the fix is straightforward and puts extra protection
> on those running in debug mode. Besides, people tend to copy-paste stuff all
> the time so eliminating it may prevent introducing a more pertinent bug.
> 
> I therefore encourage you strongly to just address the issue for lenny, even 
> if it's only debug code.
> 
> 
> Thijs

Hi,

First of all, I didn't realise that this script was in DEBUG mode by
default. So apologies for it; next time, I'll read the reports more
carefully and take more care when importing code from others (in
fact, my colleague Damien did import the file, so I'll let him know he
should take more care).

Second, do you guys think that setting the variable to DEBUG=0 by
default, then writing a BIG BIG BIG warning next to it in the code is
enough? Like: "WARNING: high security risk here if you set to DEBUG=1,
high risk of symlink attack" then explaining how it works to hack?
That's what I would do, as I don't want to rewrite the entire file that
by the way works pretty well.

Please let me know so I can fix asap.

Thomas




Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Goirand <thomas@goirand.fr>:
Bug#496362; Package dtc-common. Full text and rfc822 format available.

Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Thomas Goirand <thomas@goirand.fr>. Full text and rfc822 format available.

Message #54 received at 496362@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: Thomas Goirand <thomas@goirand.fr>
Cc: 496362@bugs.debian.org, "Dmitry E. Oboukhov" <dimka@uvw.ru>, Christian Perrier <bubulle@debian.org>
Subject: Re: Bug#496362: The possibility of attack with the help of symlinks in some Debian packages
Date: Mon, 25 Aug 2008 17:37:32 +0200
[Message part 1 (text/plain, inline)]
On Monday 25 August 2008 17:28, Thomas Goirand wrote:
> Second, do you guys think that setting the variable to DEBUG=0 by
> default, then writing a BIG BIG BIG warning next to it in the code is
> enough? Like: "WARNING: high security risk here if you set to DEBUG=1,
> high risk of symlink attack" then explaining how it works to hack?
> That's what I would do, as I don't want to rewrite the entire file that
> by the way works pretty well.

First, I think it's always a good idea not to enable DEBUG by default.

Second, I don't think that it requires a "rewrite of the entire file" to fix 
it. Using PHP's tempnam() function to get the filenames instead of the 
hardcoded path names with PID is a change of just a few lines.

So I propose to do both.


cheers,
Thijs
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#496362; Package dtc-common. Full text and rfc822 format available.

Acknowledgement sent to Thomas Goirand <thomas@goirand.fr>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #59 received at 496362@bugs.debian.org (full text, mbox):

From: Thomas Goirand <thomas@goirand.fr>
To: Thijs Kinkhorst <thijs@debian.org>
Cc: 496362@bugs.debian.org, "Dmitry E. Oboukhov" <dimka@uvw.ru>, Christian Perrier <bubulle@debian.org>
Subject: Re: Bug#496362: The possibility of attack with the help of symlinks in some Debian packages
Date: Tue, 26 Aug 2008 14:17:09 +0800
[Message part 1 (text/plain, inline)]
Thijs Kinkhorst wrote:
> First, I think it's always a good idea not to enable DEBUG by default.

Sure, it's a mistake, I perfectly understand this.

> Second, I don't think that it requires a "rewrite of the entire file" to fix 
> it. Using PHP's tempnam() function to get the filenames instead of the 
> hardcoded path names with PID is a change of just a few lines.

Did you mean Perl mktemp()? It's not a PHP script!!! :) That makes me
think that I might have missed some Perl dependencies. The script uses
the following:

use strict;
use MIME::Tools;
use MIME::Parser;
use File::MkTemp;

does any of you know what that corresponds to in terms of Debian deps?

Last, would a patch like the attached one do? I'm all but good in
Perl, so I might need help on that one.

Thank you all for your time on this issue,
Cheers,

Thomas

[sa-wrapper.patch (text/x-diff, inline)]
diff --git a/admin/sa-wrapper b/admin/sa-wrapper
index 76a2ddd..67ee4dc 100755
--- a/admin/sa-wrapper
+++ b/admin/sa-wrapper
@@ -15,8 +15,9 @@
 use strict;
 use MIME::Tools;
 use MIME::Parser;
+use File::MkTemp;
 
-my $DEBUG = 1;
+my $DEBUG = 0;
 my $UNPACK_DIR = '/var/lib/amavis/tmp';
 my $SA_LEARN = '/usr/bin/sa-learn';
 # my @DOMAINS = qw/example.com example.org/;
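Review bot: `use File::MkTemp;` at the top of this hunk pulls in a module that is not packaged in Debian (as Thijs points out further down the thread), so on a stock install the script would stop compiling at this line; the core module File::Temp provides both `mktemp` and `tempfile` and needs no new dependency. The `my $DEBUG = 0;` default is right, but whichever module is kept, the package's Depends must name the Debian package that provides it.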
@@ -47,8 +48,8 @@ sub recurs
 
 	if ($ent->head->mime_type eq 'message/rfc822') {
 		if ($DEBUG) {
-			unlink "/tmp/spam.log.$$" if -e "/tmp/spam.log.$$";
-			open(OUT, "|$SA_LEARN -D --$spamham --single >>/tmp/spam.log.$$ 2>&1") or die "Cannot pipe $SA_LEARN: $!";
+			$debug_file = mktemp("/tmp/sa-wrapper.XXXXXX.log");
+			open(OUT, "|$SA_LEARN -D --$spamham --single >>$debug_file 2>&1") or die "Cannot pipe $SA_LEARN: $!";
 		} else {
 			open(OUT, "|$SA_LEARN --$spamham --single") or die "Cannot pipe $SA_LEARN: $!";
 		}
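Review bot: `$debug_file = mktemp(...)` assigns to a variable that is never declared, and `use strict` is in effect (previous hunk), so this line will not compile; it needs `my $debug_file`. More importantly, mktemp() only returns an unused name: the file is still created by the shell's `>>$debug_file` redirection, which follows a symlink placed at that name between the two steps, so the race the report describes is narrowed (the name is now random) rather than removed. File::Temp's tempfile() opens the file itself with O_EXCL and returns the handle; passing that handle to the child instead of a path closes the gap. If File::Temp is used, the X characters must be at the end of the template: `/tmp/sa-wrapper.XXXXXX.log` would be rejected, so move the `.log` into the SUFFIX option.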
@@ -73,7 +74,8 @@ unless (grep { $_ eq $domain } @DOMAINS) {
 
 if ($DEBUG) {
 	MIME::Tools->debugging(1);
-	open(STDERR, ">/tmp/spam_err.log");
+	$debug_file2 = mktemp("/tmp/sa-wrapper.XXXXXX");
+	open(STDERR, ">$debug_file2");
 }
 my $parser = new MIME::Parser;
 $parser->extract_nested_messages(0);
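Review bot: same undeclared variable problem for `$debug_file2` (needs `my`), and `open(STDERR, ">$debug_file2")` has the same name-then-open gap as the previous hunk: the two-argument open follows a symlink sitting at the chosen path. Create the log with tempfile() and attach it with `open(STDERR, '>&', $fh)` so only an exclusively created, mode 0600 file receives the debug output. Also, this template has no `.log` suffix while the one in the previous hunk does; pick one naming scheme for both debug files.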

Tags added: Request was from "Dmitry E. Oboukhov" <dimka@uvw.ru> to control@bugs.debian.org. (Tue, 26 Aug 2008 08:45:07 GMT) Full text and rfc822 format available.

Tags added: security Request was from "Dmitry E. Oboukhov" <dimka@uvw.ru> to control@bugs.debian.org. (Tue, 26 Aug 2008 08:57:05 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Goirand <thomas@goirand.fr>:
Bug#496362; Package dtc-common. Full text and rfc822 format available.

Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Thomas Goirand <thomas@goirand.fr>. Full text and rfc822 format available.

Message #68 received at 496362@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: Thomas Goirand <thomas@goirand.fr>
Cc: 496362@bugs.debian.org, "Dmitry E. Oboukhov" <dimka@uvw.ru>, Christian Perrier <bubulle@debian.org>
Subject: Re: Bug#496362: The possibility of attack with the help of symlinks in some Debian packages
Date: Tue, 26 Aug 2008 12:32:11 +0200
[Message part 1 (text/plain, inline)]
Hi Thomas,

On Tuesday 26 August 2008 08:17, Thomas Goirand wrote:
> Thijs Kinkhorst wrote:
> > First, I think it's always a good idea not to enable DEBUG by default.
>
> Sure, it's a mistake, I perfectly understand this.
>
> > Second, I don't think that it requires a "rewrite of the entire file" to
> > fix it. Using PHP's tempnam() function to get the filenames instead of
> > the hardcoded path names with PID is a change of just a few lines.
>
> Did you mean Perl mktemp()? It's not a PHP script!!! :)

Sorry, I confused this bug with another one, there's so many of them all of a 
sudden :-)

> That makes me 
> think that I might have missed some Perl dependencies. The script uses
> the following:
>
> use strict;
> use MIME::Tools;
> use MIME::Parser;
> use File::MkTemp;
>
> does any of you know what that corresponds to in terms of Debian deps?

The file search on packages.debian.org is very helpful for this (search e.g. 
for "Tools.pm" or "Parser.pm").

With respect to the File::MkTemp, I think you need to use File::Temp as the 
MkTemp one is not available in Debian. This module also provides a mktemp 
function.

> Last, would a patch like the attached one do? I'm all but good in
> Perl, so I might need help on that one.

That would work indeed if you change the included module (and verify that that 
indeed also works, of course).


cheers,
Thijs
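
As an added illustration of the change Thijs describes above (this is not code from dtc, from its sa-wrapper script, or from anyone in this thread): the predictable PID-based path in a shared directory, next to a File::Temp replacement. The template names, the `.eml` suffix, the constructed sample message, and the use of MIME::Parser's `output_under` are assumptions; the page only says the script uses MIME::Parser and needs a temp-file module. `tempfile()` is preferable to name-only helpers such as `mktemp()` because it picks the name and opens the file with O_CREAT|O_EXCL in one step, so there is no window in which a pre-placed symlink at that name would be followed.

```perl
#!/usr/bin/perl
# Added example, not code from dtc or the sa-wrapper script.
# Shows the pattern the report warns about beside the File::Temp
# replacement suggested in the thread. Names and the sample are hypothetical.
use strict;
use warnings;
use File::Temp qw(tempfile tempdir);
use MIME::Parser;

# Vulnerable pattern: a fixed name in a world-writable directory, varied
# only by the PID. A local user can place a symlink at that name ahead of
# time; a plain open(">") then follows it and truncates or overwrites the
# link target with the script's own privileges.
sub predictable_path {
    return "/tmp/sa-wrapper.$$";    # do not use: guessable, opened without O_EXCL
}

# Safe replacement: File::Temp chooses a random name and opens it with
# O_CREAT|O_EXCL, so an existing file or symlink at that path makes the
# open fail instead of being followed. UNLINK => 1 removes it at exit.
sub open_private_tempfile {
    my ($fh, $name) = tempfile('sa-wrapper-XXXXXXXX',
                               TMPDIR => 1, SUFFIX => '.eml', UNLINK => 1);
    return ($fh, $name);
}

# MIME::Parser writes decoded parts to disk; give it a fresh directory
# created mode 0700 instead of /tmp itself, cleaned up when the script ends.
sub make_private_parser {
    my $dir = tempdir('sa-wrapper-XXXXXXXX', TMPDIR => 1, CLEANUP => 1);
    my $parser = MIME::Parser->new;
    $parser->output_under($dir);
    return ($parser, $dir);
}

# Constructed sample message (not a real one) to drive the demonstration.
my $sample = join "\n",
    'From: sender@example.invalid',
    'To: recipient@example.invalid',
    'Subject: constructed test message',
    '',
    'body line 1',
    '';

my ($fh, $name) = open_private_tempfile();
print {$fh} $sample;
close $fh or die "close $name: $!";

my ($parser, $dir) = make_private_parser();
my $entity  = $parser->parse_open($name);
my $subject = $entity->head->get('Subject');
chomp $subject;
printf "parsed subject: %s\n", $subject;
printf "work dir %s mode: %04o\n", $dir, (stat $dir)[2] & 07777;
```

Running this as an unprivileged user is enough to see the difference: the private file and directory are created under the system temp directory with unpredictable names and restrictive modes, and both disappear at exit. The DEBUG toggle Thijs mentions is independent of this: a debug dump that writes to a fixed path would reintroduce the same problem, so debug output should go through the same `tempfile()` path or be disabled by default.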

Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Goirand <thomas@goirand.fr>:
Bug#496362; Package dtc-common. Full text and rfc822 format available.

Acknowledgement sent to Stephen Gran <sgran@debian.org>:
Extra info received and forwarded to list. Copy sent to Thomas Goirand <thomas@goirand.fr>. Full text and rfc822 format available.

Message #73 received at 496362@bugs.debian.org (full text, mbox):

From: Stephen Gran <sgran@debian.org>
To: Thijs Kinkhorst <thijs@debian.org>, 496362@bugs.debian.org
Cc: Thomas Goirand <thomas@goirand.fr>, "Dmitry E. Oboukhov" <dimka@uvw.ru>, Christian Perrier <bubulle@debian.org>
Subject: Re: Bug#496362: The possibility of attack with the help of symlinks in some Debian packages
Date: Tue, 26 Aug 2008 12:18:33 +0100
This one time, at band camp, Thijs Kinkhorst said:
> > Last, would a patch like the attached one do? I'm all but good in
> > Perl, so I might need help on that one.
> 
> That would work indeed if you change the included module (and verify that that 
> indeed also works, of course).

http://git.debian.org/?p=collab-maint/freeradius.git;a=commitdiff;h=e741df7ca28c2d139d30573ca5e7e80b9cdc59c3

is the fix for a very similar bug in freeradius.  It should at least get
you started on the way to fixing your bug.

Cheers,
-- 
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        sgran@debian.org |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------

Reply sent to Thomas Goirand <thomas@goirand.fr>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to "Dmitry E. Oboukhov" <dimka@uvw.ru>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #78 received at 496362-close@bugs.debian.org (full text, mbox):

From: Thomas Goirand <thomas@goirand.fr>
To: 496362-close@bugs.debian.org
Subject: Bug#496362: fixed in dtc 0.29.10-1
Date: Tue, 26 Aug 2008 21:02:13 +0000
Source: dtc
Source-Version: 0.29.10-1

We believe that the bug you reported is fixed in the latest version of
dtc, which is due to be installed in the Debian FTP archive:

dtc-common_0.29.10-1_all.deb
  to pool/main/d/dtc/dtc-common_0.29.10-1_all.deb
dtc-core_0.29.10-1_all.deb
  to pool/main/d/dtc/dtc-core_0.29.10-1_all.deb
dtc-cyrus_0.29.10-1_all.deb
  to pool/main/d/dtc/dtc-cyrus_0.29.10-1_all.deb
dtc-postfix-courier_0.29.10-1_all.deb
  to pool/main/d/dtc/dtc-postfix-courier_0.29.10-1_all.deb
dtc-stats-daemon_0.29.10-1_all.deb
  to pool/main/d/dtc/dtc-stats-daemon_0.29.10-1_all.deb
dtc-toaster_0.29.10-1_all.deb
  to pool/main/d/dtc/dtc-toaster_0.29.10-1_all.deb
dtc_0.29.10-1.diff.gz
  to pool/main/d/dtc/dtc_0.29.10-1.diff.gz
dtc_0.29.10-1.dsc
  to pool/main/d/dtc/dtc_0.29.10-1.dsc
dtc_0.29.10.orig.tar.gz
  to pool/main/d/dtc/dtc_0.29.10.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 496362@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <thomas@goirand.fr> (supplier of updated dtc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 26 Aug 2008 05:07:11 +0800
Source: dtc
Binary: dtc-common dtc-core dtc-cyrus dtc-postfix-courier dtc-stats-daemon dtc-toaster
Architecture: source all
Version: 0.29.10-1
Distribution: unstable
Urgency: low
Maintainer: Thomas Goirand <thomas@goirand.fr>
Changed-By: Thomas Goirand <thomas@goirand.fr>
Description: 
 dtc-common - web control panel for admin and accounting hosting services (comm
 dtc-core   - web control panel for admin and accounting hosting services (fewe
 dtc-cyrus  - web control panel for admin and accounting hosting services (cyru
 dtc-postfix-courier - web control panel for admin and accounting hosting services (more
 dtc-stats-daemon - dtc-xen VM statistics for the dtc web control panel
 dtc-toaster - web control panel for admin and accounting hosting services (meta
Closes: 496362
Changes: 
 dtc (0.29.10-1) unstable; urgency=low
 .
   * New upstream release with corrections for Lenny, backported from the master
     branch of the Git, to add corrections and not features as follow:
     - Big problem with the pending payment thing that was setting things as
     validated when they were in fact just pending.
     - the CPU rrd data collection (the rrd call was commented out)
     - the setup of the default index.php & 404 subdomain files
     - sa-wrapper symlink attack vulnerability fix (Closes: #496362)
     - removed the paylog.txt logging
     - [v0.29.8] phpmyadmin blowfish_secret owner change
     - [v0.29.8] Cleaning the spam folder with -mtime instead of -atime
     - [v0.29.8] Added a full Simplified Chinese translation by Wei Cao
     <caowei@gplhost.com>, including debconf and the software itself
     - [v0.29.8] Removed the "limit 1" when setting the id_client to zero
     when deleting an admin.
     - [v0.29.8] Solved the mysql users & db deletion bug when deleting an
     admin, removed the old mysql manager code that was remaining.
     - [v0.29.8] Needed a global $pro_mysql_pop_table in the spam folder
     cleanup
     - [v0.29.8] Removed a bug when there is no install log at all that was
     preventing the VPS install tab to be displayed
     - [v0.29.8] Some global variables for the vps table names where missing
     in deleteVPS()
     - [v0.29.8] The cron job needed to be modified for gen_named='yes',
     reload_named='yes' when modifying the wildcard DNS thing.
     - [v0.29.8] A Tags: was still there in debian/control, it's now removed.
Checksums-Sha1: 
 d23c5773f8d120bbbbd504199692c6ea6b66937e 1214 dtc_0.29.10-1.dsc
 f3038648a34d7d0be036bdf6d9db3ad7aaea5a03 11045527 dtc_0.29.10.orig.tar.gz
 248837e5c146fb5841a2983d15e83d9889c0cc3d 75665 dtc_0.29.10-1.diff.gz
 ede51edbaf2007e8ea18d7a2b60025916e765df0 5035238 dtc-common_0.29.10-1_all.deb
 dcc1eef1f3ce3dc3a8d5348646d7a34a36dc4df6 68440 dtc-core_0.29.10-1_all.deb
 e4dcff497046cf0e594beee53b2a13d9a9395b03 68524 dtc-cyrus_0.29.10-1_all.deb
 84e5065a7de4f9ab6aa3f043308f4ab6cadb7066 69896 dtc-postfix-courier_0.29.10-1_all.deb
 a9107ba009a9a5e75e8afe2eff8dedd415d0f523 30160 dtc-stats-daemon_0.29.10-1_all.deb
 c26d1361240766fdf0ee44d895bf6667a5704262 24308 dtc-toaster_0.29.10-1_all.deb
Checksums-Sha256: 
 2dc647f30ee6e96dc5587c054633000e0cdde3359aaa01e87a8255364f2eb68a 1214 dtc_0.29.10-1.dsc
 856b72ed9ecedf368534a972951edbce43e91481679602ca77cbfeb9ab15d32e 11045527 dtc_0.29.10.orig.tar.gz
 6150e3d95dff0d7d01409cfeae3ff0aae7557efa35edc6df43629cfde9150083 75665 dtc_0.29.10-1.diff.gz
 b366407fa8d4045f56dfd194872a1c54395aae351325a1d952473362fc3ea3f9 5035238 dtc-common_0.29.10-1_all.deb
 72efe7229e94caaa5f239e60145357ffdbc647d5552a262caf2a7952c5fa4f5e 68440 dtc-core_0.29.10-1_all.deb
 785c623a27aed24ffb2c89ca820b55c4d3246d13cdf7952df78cbf9f2edd1290 68524 dtc-cyrus_0.29.10-1_all.deb
 e5ddfaff33280dbb581226382fb50fea362f69c5720a9e539fd66540574ee796 69896 dtc-postfix-courier_0.29.10-1_all.deb
 e507595ff209aabb8e0eb09ad0ad89bc33f85d3c1887543c1f61fed9bc719bff 30160 dtc-stats-daemon_0.29.10-1_all.deb
 9fbeb9645e9fa596039f63fb51687a43218163d475055a64204b73dded247451 24308 dtc-toaster_0.29.10-1_all.deb
Files: 
 a9bb154e4631d26c86ef0b773c376459 1214 admin extra dtc_0.29.10-1.dsc
 c3231b30bfe3473a9e2d140851fb463b 11045527 admin extra dtc_0.29.10.orig.tar.gz
 32b6698363c1f8f82408d18831814274 75665 admin extra dtc_0.29.10-1.diff.gz
 d90395a448f54f4a4fc9928d92879df0 5035238 admin extra dtc-common_0.29.10-1_all.deb
 08eab02caa37a80f7393e9d1c61c094f 68440 admin extra dtc-core_0.29.10-1_all.deb
 817d47cf465463a26186b178e5d89e61 68524 admin extra dtc-cyrus_0.29.10-1_all.deb
 9bc6147920aa7204bcfcd86ebf57f998 69896 admin extra dtc-postfix-courier_0.29.10-1_all.deb
 95cb01709837cd7546258fda4fd807cf 30160 admin extra dtc-stats-daemon_0.29.10-1_all.deb
 d81eaae99a816bcde70762579fc56eb0 24308 admin extra dtc-toaster_0.29.10-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFItGkV5SXWIKfIlGQRAg5nAKDE4tDZvIPwGqDce73yL3IWrLC0QQCgokFX
B++vckTraAyoEhLnf1zFllM=
=YFdp
-----END PGP SIGNATURE-----
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 05 Oct 2008 07:29:29 GMT) Full text and rfc822 format available.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 07:12:12 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.