Report forwarded to debian-bugs-dist@lists.debian.org, Debian Xen Team <pkg-xen-devel@lists.alioth.debian.org>: Bug#496367; Package xen-utils-3.2-1.
(full text, mbox, link).
Acknowledgement sent to "Dmitry E. Oboukhov" <dimka@uvw.ru>:
New Bug report received and forwarded. Copy sent to Debian Xen Team <pkg-xen-devel@lists.alioth.debian.org>.
(full text, mbox, link).
Subject: The possibility of attack with the help of symlinks in some Debian packages
Date: Sun, 24 Aug 2008 22:05:28 +0400
Package: xen-utils-3.2-1
Severity: grave
Hi, maintainer!
This message about the error concerns a few packages at once. I've
tested all the packages (for Lenny) on my Debian mirror. All scripts
of packages (marked as executable) were tested.
In some packages I've discovered scripts with errors which may be used
by a user for damaging important system files or user's files.
For example if a script uses in its work a temp file which is created
in /tmp directory, then every user can create symlink with the same
name in this directory in order to destroy or rewrite some system
or user file. Symlink attack may also lead not only to the data
desctruction but to denial of service as well.
Even if you create files or directories with help of function 'RANDOM'
or pid(), then your system is not protected. Attacker can create many
symlinks in order to destroy your data or create 'denial of service'
for your package scripts.
Even if you make rm(dir) for files/directories, then your system is
not protected. Attacker can permanently create symlinks.
This list is created with the help of script. This list is sorted by
hand. Howewer in some cases mistake is possible.
Please, Be understanding to possible mistakes. :)
I set Severity into grave for this bug. The table of discovered
problems is below.
Discussion of this bug you can see in debian-devel@:
http://lists.debian.org/debian-devel/2008/08/msg00271.html
Binary-package: r-base-core-ra (1.1.1-1)
file: /usr/lib/Ra/lib/R/bin/javareconf
Binary-package: rccp (0.9-2)
file: /usr/lib/rccp/delqueueask
Binary-package: mafft (6.240-1)
file: /usr/bin/mafft-homologs
Binary-package: openoffice.org-common (1:2.4.1-6)
file: /usr/lib/openoffice/program/senddoc
Binary-package: crossfire-maps (1.11.0-1)
file: /usr/share/games/crossfire/maps/Info/combine.pl
Binary-package: sgml2x (1.0.0-11.1)
file: /usr/bin/rlatex
Binary-package: liguidsoap (0.3.6-4)
file: /var/lib/liguidsoap/liguidsoap.py
Binary-package: citadel-server (7.37-1)
file: /usr/lib/citadel-server/migrate_aliases.sh
Binary-package: ampache (3.4.1-1)
file: /usr/share/ampache/www/locale/base/gather-messages.sh
Binary-package: xen-utils-3.2-1 (3.2.1-2)
file: /usr/lib/xen-3.2-1/bin/qemu-dm.debug
Binary-package: dtc-common (0.29.6-1)
file: /usr/share/dtc/admin/accesslog.php
file: /usr/share/dtc/admin/sa-wrapper
Binary-package: honeyd-common (1.5c-3)
file: /usr/share/honeyd/scripts/test.sh
Binary-package: lustre-tests (1.6.5-1)
file: /usr/lib/lustre/tests/runiozone
Binary-package: linuxtrade (3.65-8+b4)
file: /usr/share/linuxtrade/bin/linuxtrade.bwkvol
file: /usr/share/linuxtrade/bin/linuxtrade.wn
file: /usr/share/linuxtrade/bin/moneyam.helper
Binary-package: freevo (1.8.1-0)
file: /usr/bin/freevo.real
Binary-package: fml (4.0.3.dfsg-2)
file: /usr/share/fml/libexec/mead.pl
Binary-package: rkhunter (1.3.2-3)
file: /usr/bin/rkhunter
Binary-package: openswan (1:2.4.12+dfsg-1.1)
file: /usr/lib/ipsec/livetest
Binary-package: linux-patch-openswan (1:2.4.12+dfsg-1.1)
file: /usr/src/kernel-patches/all/openswan/packaging/utils/maysnap
file: /usr/src/kernel-patches/all/openswan/packaging/utils/maytest
Binary-package: aptoncd (0.1-1.1)
file: /usr/share/aptoncd/xmlfile.py
Binary-package: cdcontrol (1.90-1.1)
file: /usr/lib/cdcontrol/writtercontrol
Binary-package: newsgate (1.6-23)
file: /usr/bin/mkmailpost
Binary-package: gpsdrive-scripts (2.10~pre4-3)
file: /usr/bin/geo-code
Binary-package: impose+ (0.2-11)
file: /usr/bin/impose
Binary-package: mgt (2.31-5)
file: /usr/games/mailgo
Binary-package: audiolink (0.05-1)
file: /usr/bin/audiolink
Binary-package: ibackup (2.27-4.1)
file: /usr/bin/ibackup
Binary-package: emacspeak (26.0-3)
file: /usr/share/emacs/site-lisp/emacspeak/etc/extract-table.pl
Binary-package: bk2site (1:1.1.9-3.1)
file: /usr/lib/cgi-bin/bk2site/redirect.pl
Binary-package: datafreedom-perl (0.1.7-1)
file: /usr/bin/dfxml-invoice
Binary-package: emacs-jabber (0.7.91-1)
file: /usr/lib/emacsen-common/packages/install/emacs-jabber
Binary-package: lmbench (3.0-a7-1)
file: /usr/lib/lmbench/scripts/rccs
file: /usr/lib/lmbench/scripts/STUFF
Binary-package: rancid-util (2.3.2~a8-1)
file: /var/lib/rancid/getipacctg
Binary-package: ogle (0.9.2-5.2)
file: /usr/lib/ogle/ogle_audio_debug
file: /usr/lib/ogle/ogle_cli_debug
file: /usr/lib/ogle/ogle_ctrl_debug
file: /usr/lib/ogle/ogle_gui_debug
file: /usr/lib/ogle/ogle_mpeg_ps_debug
file: /usr/lib/ogle/ogle_mpeg_vs_debug
file: /usr/lib/ogle/ogle_nav_debug
file: /usr/lib/ogle/ogle_vout_debug
Binary-package: firehol (1.256-4)
file: /sbin/firehol
Binary-package: aview (1.3.0rc1-8)
file: /usr/bin/asciiview
Binary-package: radiance (3R9+20080530-3)
file: /usr/bin/optics2rad
file: /usr/bin/pdelta
file: /usr/bin/dayfact
file: /usr/bin/raddepend
Binary-package: vdr-dbg (1.6.0-5)
file: /usr/bin/vdrleaktest
Binary-package: ogle-mmx (0.9.2-5.2)
file: /usr/lib/ogle/ogle_audio_debug
file: /usr/lib/ogle/ogle_cli_debug
file: /usr/lib/ogle/ogle_ctrl_debug
file: /usr/lib/ogle/ogle_gui_debug
file: /usr/lib/ogle/ogle_mpeg_ps_debug
file: /usr/lib/ogle/ogle_mpeg_vs_debug
file: /usr/lib/ogle/ogle_nav_debug
file: /usr/lib/ogle/ogle_vout_debug
Binary-package: convirt (0.8.2-3)
file: /usr/share/convirt/image_store/_template_/provision.sh
file: /usr/share/convirt/image_store/Linux_CD_Install/provision.sh
file: /usr/share/convirt/image_store/Fedora_PV_Install/provision.sh
file: /usr/share/convirt/image_store/CentOS_PV_Install/provision.sh
file: /usr/share/convirt/image_store/common/provision.sh
file: /usr/share/convirt/image_store/example/provision.sh
file: /usr/share/convirt/image_store/Windows_CD_Install/provision.sh
Binary-package: printfilters-ppd (2.13-9)
file: /usr/lib/printfilters/master-filter
Binary-package: r-base-core (2.7.1-1)
file: /usr/lib/R/bin/javareconf
file: /usr/lib/R/bin/javareconf.orig
Binary-package: xmcd (2.6-19.3)
file: /usr/share/xmcd/scripts/ncsarmt
file: /usr/share/xmcd/scripts/ncsawrap
Binary-package: tiger (1:3.2.2-3.1)
file: /usr/lib/tiger/util/genmsgidx
Binary-package: scilab-bin (4.1.2-5)
file: /usr/lib/scilab-4.1.2/bin/scilink
file: /usr/lib/scilab-4.1.2/util/scidoc
file: /usr/lib/scilab-4.1.2/util/scidem
Binary-package: dpkg-cross (2.3.0)
file: /usr/share/dpkg-cross/bin/gccross
Binary-package: ltp-network-test (20060918-2.1)
file: /usr/lib/debian-test/tests/linux/testcases/bin/ftp_setup_vsftp_conf
file: /usr/lib/debian-test/tests/linux/testcases/bin/nfs_fsstress.sh
Binary-package: cman (2.20080629-1)
file: /usr/sbin/fence_egenera
Binary-package: scratchbox2 (1.99.0.24-1)
file: /usr/share/scratchbox2/scripts/dpkg-checkbuilddeps
file: /usr/share/scratchbox2/scripts/sb2-check-pkg-mappings
Binary-package: sendmail-base (8.14.3-5)
file: /usr/sbin/checksendmail
file: /usr/bin/expn
Binary-package: fwbuilder (2.1.19-3)
file: /usr/bin/fwb_install
Binary-package: sng (1.0.2-5)
file: /usr/bin/sng_regress
Binary-package: dist (1:3.5-17-1)
file: /usr/bin/patcil
file: /usr/bin/patdiff
Binary-package: sympa (5.3.4-5)
file: /usr/lib/cgi-bin/sympa/wwsympa.fcgi
file: /usr/lib/sympa/bin/sympa.pl
Binary-package: postfix (2.5.2-2)
file: /usr/lib/postfix_groups.pl
Binary-package: caudium (3:1.4.12-11)
file: /usr/share/caudium/configvar
Binary-package: mgetty-fax (1.1.36-1.2)
file: /usr/bin/faxspool
Binary-package: aegis (4.24-3)
file: /usr/share/doc/aegis/examples/remind/bng_dvlpd.sh
file: /usr/share/doc/aegis/examples/remind/bng_rvwd.sh
file: /usr/share/doc/aegis/examples/remind/awt_dvlp.sh
file: /usr/share/doc/aegis/examples/remind/awt_intgrtn.sh
Binary-package: aegis-web (4.24-3)
file: /usr/lib/cgi-bin/aegis.cgi
Binary-package: digitaldj (0.7.5-6+b1)
file: /usr/share/digitaldj/fest.pl
Binary-package: mon (0.99.2-12)
file: /usr/lib/mon/alert.d/test.alert
Binary-package: feta (1.4.16)
file: /usr/share/feta/plugins/to-upgrade
Binary-package: arb-common (0.0.20071207.1-4)
file: /usr/lib/arb/SH/arb_fastdnaml
file: /usr/lib/arb/SH/dszmconnect.pl
Binary-package: qemu (0.9.1-5)
file: /usr/sbin/qemu-make-debian-root
Binary-package: apertium (3.0.7+1-1+b1)
file: /usr/bin/apertium-gen-deformat
file: /usr/bin/apertium-gen-reformat
file: /usr/bin/apertium
Binary-package: xcal (4.1-18.3)
file: /usr/bin/pscal
Binary-package: myspell-tools (1:3.1-20)
file: /usr/bin/i2myspell
Binary-package: gccxml (0.9.0+cvs20080525-1)
file: /usr/share/gccxml-0.9/MIPSpro/find_flags
Binary-package: freeradius-dialupadmin (2.0.4+dfsg-4)
file: /usr/share/freeradius-dialupadmin/bin/backup_radacct
file: /usr/share/freeradius-dialupadmin/bin/clean_radacct
file: /usr/share/freeradius-dialupadmin/bin/monthly_tot_stats
file: /usr/share/freeradius-dialupadmin/bin/tot_stats
file: /usr/share/freeradius-dialupadmin/bin/truncate_radacct
Binary-package: dhis-server (5.3-1)
file: /usr/lib/dhis-server/dhis-dummy-log-engine
Binary-package: wims (3.62-13)
file: /var/lib/wims/public_html/bin/coqweb
file: /var/lib/wims/bin/account.sh
Binary-package: initramfs-tools (0.92f)
file: /usr/share/initramfs-tools/init
Binary-package: realtimebattle-common (1.0.8-7)
file: /usr/lib/realtimebattle/Robots/perl.robot
Binary-package: netmrg (0.20-1)
file: /usr/bin/rrdedit
Binary-package: bulmages-servers (0.11.1-2)
file: /usr/share/bulmages/examples/scripts/actualizabulmacont
file: /usr/share/bulmages/examples/scripts/installbulmages-db
file: /usr/share/bulmages/examples/scripts/creabulmafact
file: /usr/share/bulmages/examples/scripts/creabulmacont
file: /usr/share/bulmages/examples/scripts/actualizabulmafact
Binary-package: xastir (1.9.2-1)
file: /usr/lib/xastir/get-maptools.sh
file: /usr/lib/xastir/get_shapelib.sh
Binary-package: plait (1.5.2-1)
file: /usr/bin/plaiter
file: /usr/bin/plait
Binary-package: cdrw-taper (0.4-2)
file: /usr/sbin/amlabel-cdrw
Binary-package: konwert-filters (1.8-11.1)
file: /usr/share/konwert/filters/any-UTF8
Binary-package: gdrae (0.1-1)
file: /usr/bin/gdrae
Binary-package: lazarus-src (0.9.24-0-9)
file: /usr/lib/lazarus/tools/install/create_lazarus_export_tgz.sh
Tags added: pending
Request was from Julien Danjou <acid@debian.org>
to control@bugs.debian.org.
(Mon, 25 Aug 2008 08:42:02 GMT) (full text, mbox, link).
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Xen Team <pkg-xen-devel@lists.alioth.debian.org>: Bug#496367; Package xen-utils-3.2-1.
(full text, mbox, link).
Acknowledgement sent to Julien Danjou <acid@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Xen Team <pkg-xen-devel@lists.alioth.debian.org>.
(full text, mbox, link).
severity 496367 normal
thanks
At 1219601128 time_t, Dmitry E. Oboukhov wrote:
> Binary-package: xen-utils-3.2-1 (3.2.1-2)
> file: /usr/lib/xen-3.2-1/bin/qemu-dm.debug
Since this is a poor buggy debug-script, I'm setting the severity to
normal. It won't affect anyone sane.
I've also pushed a fix in the svn repository which fix it.
Cheers,
--
Julien Danjou
.''`. Debian Developer
: :' : http://julien.danjou.info
`. `' http://people.debian.org/~acid
`- 9A0D 5FD9 EB42 22F6 8974 C95C A462 B51E C2FE E5CD
Severity set to `normal' from `grave'
Request was from Julien Danjou <acid@debian.org>
to control@bugs.debian.org.
(Mon, 25 Aug 2008 11:54:10 GMT) (full text, mbox, link).
Tags added:
Request was from "Dmitry E. Oboukhov" <dimka@uvw.ru>
to control@bugs.debian.org.
(Tue, 26 Aug 2008 08:45:12 GMT) (full text, mbox, link).
Tags added: security
Request was from "Dmitry E. Oboukhov" <dimka@uvw.ru>
to control@bugs.debian.org.
(Tue, 26 Aug 2008 08:57:09 GMT) (full text, mbox, link).
Reply sent
to Bastian Blank <waldi@debian.org>:
You have taken responsibility.
(Wed, 01 Jul 2009 17:51:08 GMT) (full text, mbox, link).
Notification sent
to "Dmitry E. Oboukhov" <dimka@uvw.ru>:
Bug acknowledged by developer.
(Wed, 01 Jul 2009 17:51:08 GMT) (full text, mbox, link).
Source: xen-3
Source-Version: 3.4.0-1
We believe that the bug you reported is fixed in the latest version of
xen-3, which is due to be installed in the Debian FTP archive:
libxen-dev_3.4.0-1_amd64.deb
to pool/main/x/xen-3/libxen-dev_3.4.0-1_amd64.deb
libxenstore3.0_3.4.0-1_amd64.deb
to pool/main/x/xen-3/libxenstore3.0_3.4.0-1_amd64.deb
xen-3_3.4.0-1.diff.gz
to pool/main/x/xen-3/xen-3_3.4.0-1.diff.gz
xen-3_3.4.0-1.dsc
to pool/main/x/xen-3/xen-3_3.4.0-1.dsc
xen-3_3.4.0.orig.tar.gz
to pool/main/x/xen-3/xen-3_3.4.0.orig.tar.gz
xen-docs-3.4_3.4.0-1_all.deb
to pool/main/x/xen-3/xen-docs-3.4_3.4.0-1_all.deb
xen-hypervisor-3.4-amd64_3.4.0-1_amd64.deb
to pool/main/x/xen-3/xen-hypervisor-3.4-amd64_3.4.0-1_amd64.deb
xen-utils-3.4_3.4.0-1_amd64.deb
to pool/main/x/xen-3/xen-utils-3.4_3.4.0-1_amd64.deb
xenstore-utils_3.4.0-1_amd64.deb
to pool/main/x/xen-3/xenstore-utils_3.4.0-1_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 496367@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Bastian Blank <waldi@debian.org> (supplier of updated xen-3 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Tue, 30 Jun 2009 22:33:22 +0200
Source: xen-3
Binary: xen-docs-3.4 libxenstore3.0 libxen-dev xenstore-utils xen-utils-3.4 xen-hypervisor-3.4-amd64 xen-hypervisor-3.4-i386
Architecture: source all amd64
Version: 3.4.0-1
Distribution: unstable
Urgency: low
Maintainer: Debian Xen Team <pkg-xen-devel@lists.alioth.debian.org>
Changed-By: Bastian Blank <waldi@debian.org>
Description:
libxen-dev - Public headers and libs for Xen
libxenstore3.0 - Xenstore communications library for Xen
xen-docs-3.4 - Documentation for Xen
xen-hypervisor-3.4-amd64 - The Xen Hypervisor on AMD64
xen-hypervisor-3.4-i386 - The Xen Hypervisor on i386
xen-utils-3.4 - XEN administrative tools
xenstore-utils - Xenstore utilities for Xen
Closes: 490409496367
Changes:
xen-3 (3.4.0-1) unstable; urgency=low
.
[ Bastian Blank ]
* New upstream version.
* Remove ioemu for now. (closes: #490409, #496367)
* Remove non-pae hypervisor.
* Use debhelper compat level 7.
* Make the init script start all daemons.
Checksums-Sha1:
3dff5ca6400e0d1089f7603921005e4ccdd22bfc 1552 xen-3_3.4.0-1.dsc
b046be446866205f8c0700edd98cf0b90f7c5d18 8402789 xen-3_3.4.0.orig.tar.gz
1b8026af405e51cd04ce897ddb98f7d760af60cb 30169 xen-3_3.4.0-1.diff.gz
d5e21dc1d1b858cdf585c0022313657e7dc13607 1289060 xen-docs-3.4_3.4.0-1_all.deb
65cfb53a5d82d588ac3ea759cae1a3f8a17872a9 562648 xen-hypervisor-3.4-amd64_3.4.0-1_amd64.deb
2f48025ec24827be86f07d68bb0ebc2a44e1adf9 226046 libxen-dev_3.4.0-1_amd64.deb
4ab2983bcc67900df89fe4b67cbf726f44896f0a 20028 libxenstore3.0_3.4.0-1_amd64.deb
55c00e7852a57ea627e7e11ae2b884b4d4bf513c 996470 xen-utils-3.4_3.4.0-1_amd64.deb
a2e646fe3a741d5be280e00fdafbcc075b8d0e0c 17902 xenstore-utils_3.4.0-1_amd64.deb
Checksums-Sha256:
0ed4306440dc27157fa2a21e7cd3b98d1a4503151ec2c1641a8e39c1104c65e5 1552 xen-3_3.4.0-1.dsc
9f0a04d8ca35de2af469ae7c4f63043c237d733a263a13290c360d454c6fe37a 8402789 xen-3_3.4.0.orig.tar.gz
777be9450582074415806903a0c2ded323b1d49e5ba4ba768e92b1bd82be2c61 30169 xen-3_3.4.0-1.diff.gz
8d3f1078aecf23dfafade1f51ff7b866f684dd5896ef80758afd0ce56aaa9b80 1289060 xen-docs-3.4_3.4.0-1_all.deb
c750cf0b51419c08fd0744dda82b4e49fa29ff99a0f280a064d04315b66d26e9 562648 xen-hypervisor-3.4-amd64_3.4.0-1_amd64.deb
f2ebb41795553b49f123525f13a987ad6b787e91583e18e4bc5b0da57fd11085 226046 libxen-dev_3.4.0-1_amd64.deb
6fe2dfbaa84400c238d39b5a62be0fc46414ad88c3d5ede187b573cf9ac347ea 20028 libxenstore3.0_3.4.0-1_amd64.deb
1c72bcf8bc07599aa09a924a8cf5985e7417342faf9ce7633dc6fc0ca439ab34 996470 xen-utils-3.4_3.4.0-1_amd64.deb
dbce32be16577221460487d9d1b339cb30b0639536f6150e6a9bc6dea9e3432a 17902 xenstore-utils_3.4.0-1_amd64.deb
Files:
69cda48499c4e239f9decf1f1fb47737 1552 misc extra xen-3_3.4.0-1.dsc
e3951ca3ab531036944871f37a05ce11 8402789 misc extra xen-3_3.4.0.orig.tar.gz
036ffc1452ea0dc29fb00f8c88f15004 30169 misc extra xen-3_3.4.0-1.diff.gz
fa8ac6d49279e4715a9be8c8b96ae20d 1289060 doc extra xen-docs-3.4_3.4.0-1_all.deb
c3b7dca46afd7d764bfeff96040a403c 562648 misc extra xen-hypervisor-3.4-amd64_3.4.0-1_amd64.deb
5d1921d4052d47e3747006b537f00c80 226046 libdevel extra libxen-dev_3.4.0-1_amd64.deb
91bb611521f5a9968a16093897bfe4f0 20028 libs extra libxenstore3.0_3.4.0-1_amd64.deb
d1f17533793c140cc1a49e1ab960daa1 996470 misc extra xen-utils-3.4_3.4.0-1_amd64.deb
0d0eb2385df1a6f1a17923181ced6ee3 17902 admin extra xenstore-utils_3.4.0-1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkpKeSQACgkQLkAIIn9ODhFcTQCfYuKBeRk+Ts9WZzxJT/TAqLgf
hykAoKgXxbzf/cmtYdftYRSB+/TUnita
=PCBS
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sat, 15 Aug 2009 07:38:18 GMT) (full text, mbox, link).
Debbugs is free software and licensed under the terms of the GNU General
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.