Acknowledgement sent to "Dmitry E. Oboukhov" <dimka@uvw.ru>:
New Bug report received and forwarded. Copy sent to Dirk Eddelbuettel <edd@debian.org>.
(full text, mbox, link).
To: "Dmitry E. Oboukhov" <dimka@uvw.ru>,
496363@bugs.debian.org
Subject: Re: Bug#496363: The possibility of attack with the help of symlinks in some Debian packages
Date: Sun, 24 Aug 2008 19:13:29 -0500
I think it is a false positive:
# test functionality of the compiler
javac_works='not present'
if test -n "$JAVAC"; then
javac_works='not functional'
rm -rf /tmp/A.java /tmp/A.class ## <- note the rm -rf
echo "public class A { }" > /tmp/A.java
if test -e /tmp/A.java; then
if "${JAVAC}" /tmp/A.java >/dev/null; then
if test -e /tmp/A.class; then
javac_works=yes
fi
fi
fi
rm -rf /tmp/A.java /tmp/A.class
fi
Right before /tmp/A.* are being used, they are being wiped. No symlink
attack.
Unless I hear objections, I plan to close this one.
Dirk
--
Three out of two people have difficulties with fractions.
Information forwarded to debian-bugs-dist@lists.debian.org, Dirk Eddelbuettel <edd@debian.org>: Bug#496363; Package r-base-core-ra.
(full text, mbox, link).
Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Dirk Eddelbuettel <edd@debian.org>.
(full text, mbox, link).
Hi Dirk,
* Dirk Eddelbuettel <edd@debian.org> [2008-08-25 03:07]:
> I think it is a false positive:
>
> # test functionality of the compiler
> javac_works='not present'
> if test -n "$JAVAC"; then
> javac_works='not functional'
> rm -rf /tmp/A.java /tmp/A.class ## <- note the rm -rf
> echo "public class A { }" > /tmp/A.java
> if test -e /tmp/A.java; then
> if "${JAVAC}" /tmp/A.java >/dev/null; then
> if test -e /tmp/A.class; then
> javac_works=yes
> fi
> fi
> fi
> rm -rf /tmp/A.java /tmp/A.class
> fi
>
> Right before /tmp/A.* are being used, they are being wiped. No symlink
> attack.
>
> Unless I hear objections, I plan to close this one.
Please don't. There is still a race condition here. The
chance is not that high but it's still possible in theory to
create the symlink after the unlink. Using mktemp shouldn't
be a big effort but solve this problem.
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
To: Nico Golde <nion@debian.org>,
496363@bugs.debian.org
Cc: Stephen Gran <sgran@debian.org>,
"Dmitry E. Oboukhov" <dimka@uvw.ru>
Subject: Re: Bug#496363: The possibility of attack with the help of symlinks in some Debian packages
Date: Sun, 24 Aug 2008 21:38:23 -0500
On 25 August 2008 at 04:11, Nico Golde wrote:
| Hi Dirk,
| * Dirk Eddelbuettel <edd@debian.org> [2008-08-25 03:07]:
| > I think it is a false positive:
| >
| > # test functionality of the compiler
| > javac_works='not present'
| > if test -n "$JAVAC"; then
| > javac_works='not functional'
| > rm -rf /tmp/A.java /tmp/A.class ## <- note the rm -rf
| > echo "public class A { }" > /tmp/A.java
| > if test -e /tmp/A.java; then
| > if "${JAVAC}" /tmp/A.java >/dev/null; then
| > if test -e /tmp/A.class; then
| > javac_works=yes
| > fi
| > fi
| > fi
| > rm -rf /tmp/A.java /tmp/A.class
| > fi
| >
| > Right before /tmp/A.* are being used, they are being wiped. No symlink
| > attack.
| >
| > Unless I hear objections, I plan to close this one.
|
| Please don't. There is still a race condition here. The
| chance is not that high but it's still possible in theory to
| create the symlink after the unlink. Using mktemp shouldn't
| be a big effort but solve this problem.
Right. Stephen said so too. Trouble is that we then accumulate yet another
Debian-only patch... Oh well.
So something like
# test functionality of the compiler
javac_works='not present'
if test -n "$JAVAC"; then
javac_works='not functional'
#rm -rf /tmp/A.java /tmp/A.class
tempdir=`mktemp -d`
echo "public class A { }" > ${tempdir}/A.java
if test -e ${tempdir}/A.java; then
if "${JAVAC}" ${tempdir}/A.java >/dev/null; then
if test -e ${tempdir}/A.class; then
javac_works=yes
fi
fi
fi
#rm -rf /tmp/A.java /tmp/A.class
rm -rf ${tempdir}
fi
should do, right?
Dirk
--
Three out of two people have difficulties with fractions.
Information forwarded to debian-bugs-dist@lists.debian.org, Dirk Eddelbuettel <edd@debian.org>: Bug#496363; Package r-base-core-ra.
(full text, mbox, link).
Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Dirk Eddelbuettel <edd@debian.org>.
(full text, mbox, link).
Hi Dirk,
* Dirk Eddelbuettel <edd@debian.org> [2008-08-25 13:06]:
> On 25 August 2008 at 04:11, Nico Golde wrote:
> | * Dirk Eddelbuettel <edd@debian.org> [2008-08-25 03:07]:
[...]
> | > Right before /tmp/A.* are being used, they are being wiped. No symlink
> | > attack.
> | >
> | > Unless I hear objections, I plan to close this one.
> |
> | Please don't. There is still a race condition here. The
> | chance is not that high but it's still possible in theory to
> | create the symlink after the unlink. Using mktemp shouldn't
> | be a big effort but solve this problem.
>
> Right. Stephen said so too. Trouble is that we then accumulate yet another
> Debian-only patch... Oh well.
That shouldn't be really a problem.
> So something like
>
> # test functionality of the compiler
> javac_works='not present'
> if test -n "$JAVAC"; then
> javac_works='not functional'
> #rm -rf /tmp/A.java /tmp/A.class
> tempdir=`mktemp -d`
> echo "public class A { }" > ${tempdir}/A.java
> if test -e ${tempdir}/A.java; then
> if "${JAVAC}" ${tempdir}/A.java >/dev/null; then
> if test -e ${tempdir}/A.class; then
> javac_works=yes
> fi
> fi
> fi
> #rm -rf /tmp/A.java /tmp/A.class
> rm -rf ${tempdir}
> fi
>
> should do, right?
Looks correct to me!
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Tags added: confirmed
Request was from Thijs Kinkhorst <thijs@debian.org>
to control@bugs.debian.org.
(Mon, 25 Aug 2008 11:18:13 GMT) (full text, mbox, link).
Information forwarded to debian-bugs-dist@lists.debian.org, Dirk Eddelbuettel <edd@debian.org>: Bug#496363; Package r-base-core-ra.
(full text, mbox, link).
Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Dirk Eddelbuettel <edd@debian.org>.
(full text, mbox, link).
>Trouble is that we then accumulate yet another Debian-only patch... Oh well.
Why wouldn't it be acceptable to upstream?
> So something like
>
> # test functionality of the compiler
> javac_works='not present'
> if test -n "$JAVAC"; then
> javac_works='not functional'
> #rm -rf /tmp/A.java /tmp/A.class
> tempdir=`mktemp -d`
> echo "public class A { }" > ${tempdir}/A.java
> if test -e ${tempdir}/A.java; then
> if "${JAVAC}" ${tempdir}/A.java >/dev/null; then
> if test -e ${tempdir}/A.class; then
> javac_works=yes
> fi
> fi
> fi
> #rm -rf /tmp/A.java /tmp/A.class
> rm -rf ${tempdir}
> fi
>
> should do, right?
Yes, that looks good. Thanks for working on this!
Thijs
To: Thijs Kinkhorst <thijs@debian.org>,
496363@bugs.debian.org
Subject: Re: Bug#496363: The possibility of attack with the help of symlinks in some Debian packages
Date: Mon, 25 Aug 2008 06:36:54 -0500
On 25 August 2008 at 13:19, Thijs Kinkhorst wrote:
| >Trouble is that we then accumulate yet another Debian-only patch... Oh well.
|
| Why wouldn't it be acceptable to upstream?
I'll talk to them but mktemp is not universal, is it?
| > So something like
| >
| > # test functionality of the compiler
| > javac_works='not present'
| > if test -n "$JAVAC"; then
| > javac_works='not functional'
| > #rm -rf /tmp/A.java /tmp/A.class
| > tempdir=`mktemp -d`
| > echo "public class A { }" > ${tempdir}/A.java
| > if test -e ${tempdir}/A.java; then
| > if "${JAVAC}" ${tempdir}/A.java >/dev/null; then
| > if test -e ${tempdir}/A.class; then
| > javac_works=yes
| > fi
| > fi
| > fi
| > #rm -rf /tmp/A.java /tmp/A.class
| > rm -rf ${tempdir}
| > fi
| >
| > should do, right?
|
| Yes, that looks good. Thanks for working on this!
Pleasure.
A new release happens to have come out this morning (as per a timeline
announced a few weeks ago).
Dirk
--
Three out of two people have difficulties with fractions.
Information forwarded to debian-bugs-dist@lists.debian.org, Dirk Eddelbuettel <edd@debian.org>: Bug#496363; Package r-base-core-ra.
(full text, mbox, link).
Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Dirk Eddelbuettel <edd@debian.org>.
(full text, mbox, link).
On Monday 25 August 2008 13:36, Dirk Eddelbuettel wrote:
> On 25 August 2008 at 13:19, Thijs Kinkhorst wrote:
> | >Trouble is that we then accumulate yet another Debian-only patch... Oh
> | > well.
> |
> | Why wouldn't it be acceptable to upstream?
>
> I'll talk to them but mktemp is not universal, is it?
It's in coreutils since last year, and before that several distros provided
versions of it.
cheers,
Thijs
Subject: Re: Bug#496363: The possibility of attack with the help of symlinks in some Debian packages
Date: Mon, 25 Aug 2008 06:57:13 -0500
On 25 August 2008 at 13:44, Thijs Kinkhorst wrote:
| On Monday 25 August 2008 13:36, Dirk Eddelbuettel wrote:
| > On 25 August 2008 at 13:19, Thijs Kinkhorst wrote:
| > | >Trouble is that we then accumulate yet another Debian-only patch... Oh
| > | > well.
| > |
| > | Why wouldn't it be acceptable to upstream?
| >
| > I'll talk to them but mktemp is not universal, is it?
|
| It's in coreutils since last year, and before that several distros provided
| versions of it.
Upstream covers more than just Linux distros: Aix, Solaris, OS X, HP-UX,
... and even Windoze (though the javareconf script may not matter there).
But I just emailed the point person for javareconf. Maybe we can move
creation of the temp.dir into a helper function which use mktemp if present
and default to what it currently does.
New version with patched javareconf now uploaded.
Dirk
--
Three out of two people have difficulties with fractions.
Tags added:
Request was from "Dmitry E. Oboukhov" <dimka@uvw.ru>
to control@bugs.debian.org.
(Tue, 26 Aug 2008 08:45:07 GMT) (full text, mbox, link).
Tags added: security
Request was from "Dmitry E. Oboukhov" <dimka@uvw.ru>
to control@bugs.debian.org.
(Tue, 26 Aug 2008 08:57:06 GMT) (full text, mbox, link).
Information forwarded to debian-bugs-dist@lists.debian.org, Dirk Eddelbuettel <edd@debian.org>: Bug#496363; Package r-base-core-ra.
(full text, mbox, link).
Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Dirk Eddelbuettel <edd@debian.org>.
(full text, mbox, link).
Hi Dirk,
On Monday 25 August 2008 13:57, Dirk Eddelbuettel wrote:
> Upstream covers more than just Linux distros: Aix, Solaris, OS X, HP-UX,
> ... and even Windoze (though the javareconf script may not matter there).
>
> But I just emailed the point person for javareconf. Maybe we can move
> creation of the temp.dir into a helper function which use mktemp if present
> and default to what it currently does.
>
> New version with patched javareconf now uploaded.
I see an upload of r-base-core but not (yet) of r-base-core-ra, is that
intentional?
cheers,
Thijs
Subject: Re: Bug#496363: The possibility of attack with the help of symlinks in some Debian packages
Date: Wed, 27 Aug 2008 07:12:33 -0500
Hi Thijs,
On 27 August 2008 at 13:57, Thijs Kinkhorst wrote:
| Hi Dirk,
|
| On Monday 25 August 2008 13:57, Dirk Eddelbuettel wrote:
| > Upstream covers more than just Linux distros: Aix, Solaris, OS X, HP-UX,
| > ... and even Windoze (though the javareconf script may not matter there).
| >
| > But I just emailed the point person for javareconf. Maybe we can move
| > creation of the temp.dir into a helper function which use mktemp if present
| > and default to what it currently does.
| >
| > New version with patched javareconf now uploaded.
|
| I see an upload of r-base-core but not (yet) of r-base-core-ra, is that
| intentional?
It was. R 2.7.2 came out on Monday, so r-base-core was a natural candidate.
Yesterday I worked on the RC bug requiring GSL docs to go to non-free for
dfsg / gfdl reasons. So for r-base-core-ra, a build will follow shortly.
There will be a new release too (corresponding to R 2.7.2), but as we don't
know when I'll just preempt it with a new build with a patched javareconf.
Hth, Dirk
--
Three out of two people have difficulties with fractions.
Reply sent to Dirk Eddelbuettel <edd@debian.org>:
You have taken responsibility.
(full text, mbox, link).
Notification sent to "Dmitry E. Oboukhov" <dimka@uvw.ru>:
Bug acknowledged by developer.
(full text, mbox, link).
Subject: Bug#496363: fixed in r-base-core-ra 1.1.1-2
Date: Wed, 27 Aug 2008 13:02:13 +0000
Source: r-base-core-ra
Source-Version: 1.1.1-2
We believe that the bug you reported is fixed in the latest version of
r-base-core-ra, which is due to be installed in the Debian FTP archive:
r-base-core-ra_1.1.1-2.diff.gz
to pool/main/r/r-base-core-ra/r-base-core-ra_1.1.1-2.diff.gz
r-base-core-ra_1.1.1-2.dsc
to pool/main/r/r-base-core-ra/r-base-core-ra_1.1.1-2.dsc
r-base-core-ra_1.1.1-2_i386.deb
to pool/main/r/r-base-core-ra/r-base-core-ra_1.1.1-2_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 496363@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Dirk Eddelbuettel <edd@debian.org> (supplier of updated r-base-core-ra package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Wed, 27 Aug 2008 07:13:09 -0500
Source: r-base-core-ra
Binary: r-base-core-ra
Architecture: source i386
Version: 1.1.1-2
Distribution: unstable
Urgency: low
Maintainer: Dirk Eddelbuettel <edd@debian.org>
Changed-By: Dirk Eddelbuettel <edd@debian.org>
Description:
r-base-core-ra - 'ra' variant of GNU R core of statistical computing language and
Closes: 496363
Changes:
r-base-core-ra (1.1.1-2) unstable; urgency=low
.
* debian/rules: Patch javareconf as we do for r-base-core
* src/scripts/javareconf: Replace use of /tmp with result of
`mktemp -t -d` to avoid symlink attacks (Closes: #496363)
Checksums-Sha1:
c26079906c51844f46ce6c345b442a011c3ab8a0 1486 r-base-core-ra_1.1.1-2.dsc
25a811c46a6835ae24f6a3b12f4d5825f126a693 42782 r-base-core-ra_1.1.1-2.diff.gz
c7a5708bd8e1c298ed6403affcf479aeb9811356 8605134 r-base-core-ra_1.1.1-2_i386.deb
Checksums-Sha256:
77c936313d7b2d6079599c8e350d53a87aac682366158f1899913ec420d575f4 1486 r-base-core-ra_1.1.1-2.dsc
cbd752a76530f5ffd00abe8a5e260698be53e5204bc6545f7c24984dd49dd6c5 42782 r-base-core-ra_1.1.1-2.diff.gz
1b72bcdac730199c027d876d05616bfc7106b5792865f11157e4e49b4cb595cc 8605134 r-base-core-ra_1.1.1-2_i386.deb
Files:
39fb8f7cc808abe26dcf9e3eac9c3a3c 1486 math optional r-base-core-ra_1.1.1-2.dsc
7d682d404b04577f3373736cc5252096 42782 math optional r-base-core-ra_1.1.1-2.diff.gz
d7d3675e2dff4de2392e5d103a5bd24e 8605134 math optional r-base-core-ra_1.1.1-2_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFItU5JCZSR95Gw07cRAix9AJ0QC9ASSHj4CEJrWX6E60Afn/f5SACfbzQN
+9i0ZrIM4FDuzl6EK02Yzzk=
=XX55
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sat, 25 Oct 2008 07:28:46 GMT) (full text, mbox, link).
Debbugs is free software and licensed under the terms of the GNU General
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.