Debian Bug report logs - #496367
The possibility of attack with the help of symlinks in some Debian packages


Package: xen-utils-3.2-1; Maintainer for xen-utils-3.2-1 is (unknown);

Reported by: "Dmitry E. Oboukhov" <>

Date: Sun, 24 Aug 2008 18:09:19 UTC

Severity: normal

Tags: security

Fixed in version xen-3/3.4.0-1

Done: Bastian Blank <>

Bug is archived. No further changes may be made.


Report forwarded to Debian Xen Team <>:
Bug#496367; Package xen-utils-3.2-1.

Acknowledgement sent to "Dmitry E. Oboukhov" <>:
New Bug report received and forwarded. Copy sent to Debian Xen Team <>.

Message #5 received at (full text, mbox):

From: "Dmitry E. Oboukhov" <>
Subject: The possibility of attack with the help of symlinks in some Debian packages
Date: Sun, 24 Aug 2008 22:05:28 +0400
Package: xen-utils-3.2-1
Severity: grave

Hi, maintainer!

This bug report concerns a few packages at once. I've tested all the
packages (for Lenny) on my Debian mirror. All package scripts (marked
as executable) were tested.

In some packages I've discovered scripts with errors which may be used
by a user for damaging important system files or user's files.

For example, if a script uses in its work a temp file which is created
in the /tmp directory, then every user can create a symlink with the
same name in this directory in order to destroy or rewrite some system
or user file. A symlink attack may also lead not only to data
destruction but to denial of service as well.

Even if you create files or directories with the help of the 'RANDOM'
function or pid(), your system is not protected. An attacker can create
many symlinks in order to destroy your data or create a 'denial of
service' for your package scripts.

Even if you rm(dir) files/directories, your system is not protected.
An attacker can permanently create symlinks.

This list was created with the help of a script and sorted by hand.
However, in some cases a mistake is possible.

Please be understanding of possible mistakes. :)

I set the severity of this bug to grave. The table of discovered
problems is below.

You can see the discussion of this bug on debian-devel@:

Binary-package: r-base-core-ra (1.1.1-1)
    file: /usr/lib/Ra/lib/R/bin/javareconf
Binary-package: rccp (0.9-2)
    file: /usr/lib/rccp/delqueueask
Binary-package: mafft (6.240-1)
    file: /usr/bin/mafft-homologs
Binary-package: (1:2.4.1-6)
    file: /usr/lib/openoffice/program/senddoc
Binary-package: crossfire-maps (1.11.0-1)
    file: /usr/share/games/crossfire/maps/Info/
Binary-package: sgml2x (1.0.0-11.1)
    file: /usr/bin/rlatex
Binary-package: liguidsoap (0.3.6-4)
    file: /var/lib/liguidsoap/
Binary-package: citadel-server (7.37-1)
    file: /usr/lib/citadel-server/
Binary-package: ampache (3.4.1-1)
    file: /usr/share/ampache/www/locale/base/
Binary-package: xen-utils-3.2-1 (3.2.1-2)
    file: /usr/lib/xen-3.2-1/bin/qemu-dm.debug
Binary-package: dtc-common (0.29.6-1)
    file: /usr/share/dtc/admin/accesslog.php
    file: /usr/share/dtc/admin/sa-wrapper
Binary-package: honeyd-common (1.5c-3)
    file: /usr/share/honeyd/scripts/
Binary-package: lustre-tests (1.6.5-1)
    file: /usr/lib/lustre/tests/runiozone
Binary-package: linuxtrade (3.65-8+b4)
    file: /usr/share/linuxtrade/bin/linuxtrade.bwkvol
    file: /usr/share/linuxtrade/bin/linuxtrade.wn
    file: /usr/share/linuxtrade/bin/moneyam.helper
Binary-package: freevo (1.8.1-0)
    file: /usr/bin/freevo.real
Binary-package: fml (4.0.3.dfsg-2)
    file: /usr/share/fml/libexec/
Binary-package: rkhunter (1.3.2-3)
    file: /usr/bin/rkhunter
Binary-package: openswan (1:2.4.12+dfsg-1.1)
    file: /usr/lib/ipsec/livetest
Binary-package: linux-patch-openswan (1:2.4.12+dfsg-1.1)
    file: /usr/src/kernel-patches/all/openswan/packaging/utils/maysnap
    file: /usr/src/kernel-patches/all/openswan/packaging/utils/maytest
Binary-package: aptoncd (0.1-1.1)
    file: /usr/share/aptoncd/
Binary-package: cdcontrol (1.90-1.1)
    file: /usr/lib/cdcontrol/writtercontrol
Binary-package: newsgate (1.6-23)
    file: /usr/bin/mkmailpost
Binary-package: gpsdrive-scripts (2.10~pre4-3)
    file: /usr/bin/geo-code
Binary-package: impose+ (0.2-11)
    file: /usr/bin/impose
Binary-package: mgt (2.31-5)
    file: /usr/games/mailgo
Binary-package: audiolink (0.05-1)
    file: /usr/bin/audiolink
Binary-package: ibackup (2.27-4.1)
    file: /usr/bin/ibackup
Binary-package: emacspeak (26.0-3)
    file: /usr/share/emacs/site-lisp/emacspeak/etc/
Binary-package: bk2site (1:1.1.9-3.1)
    file: /usr/lib/cgi-bin/bk2site/
Binary-package: datafreedom-perl (0.1.7-1)
    file: /usr/bin/dfxml-invoice
Binary-package: emacs-jabber (0.7.91-1)
    file: /usr/lib/emacsen-common/packages/install/emacs-jabber
Binary-package: lmbench (3.0-a7-1)
    file: /usr/lib/lmbench/scripts/rccs
    file: /usr/lib/lmbench/scripts/STUFF
Binary-package: rancid-util (2.3.2~a8-1)
    file: /var/lib/rancid/getipacctg
Binary-package: ogle (0.9.2-5.2)
    file: /usr/lib/ogle/ogle_audio_debug
    file: /usr/lib/ogle/ogle_cli_debug
    file: /usr/lib/ogle/ogle_ctrl_debug
    file: /usr/lib/ogle/ogle_gui_debug
    file: /usr/lib/ogle/ogle_mpeg_ps_debug
    file: /usr/lib/ogle/ogle_mpeg_vs_debug
    file: /usr/lib/ogle/ogle_nav_debug
    file: /usr/lib/ogle/ogle_vout_debug
Binary-package: firehol (1.256-4)
    file: /sbin/firehol
Binary-package: aview (1.3.0rc1-8)
    file: /usr/bin/asciiview
Binary-package: radiance (3R9+20080530-3)
    file: /usr/bin/optics2rad
    file: /usr/bin/pdelta
    file: /usr/bin/dayfact
    file: /usr/bin/raddepend
Binary-package: vdr-dbg (1.6.0-5)
    file: /usr/bin/vdrleaktest
Binary-package: ogle-mmx (0.9.2-5.2)
    file: /usr/lib/ogle/ogle_audio_debug
    file: /usr/lib/ogle/ogle_cli_debug
    file: /usr/lib/ogle/ogle_ctrl_debug
    file: /usr/lib/ogle/ogle_gui_debug
    file: /usr/lib/ogle/ogle_mpeg_ps_debug
    file: /usr/lib/ogle/ogle_mpeg_vs_debug
    file: /usr/lib/ogle/ogle_nav_debug
    file: /usr/lib/ogle/ogle_vout_debug
Binary-package: convirt (0.8.2-3)
    file: /usr/share/convirt/image_store/_template_/
    file: /usr/share/convirt/image_store/Linux_CD_Install/
    file: /usr/share/convirt/image_store/Fedora_PV_Install/
    file: /usr/share/convirt/image_store/CentOS_PV_Install/
    file: /usr/share/convirt/image_store/common/
    file: /usr/share/convirt/image_store/example/
    file: /usr/share/convirt/image_store/Windows_CD_Install/
Binary-package: printfilters-ppd (2.13-9)
    file: /usr/lib/printfilters/master-filter
Binary-package: r-base-core (2.7.1-1)
    file: /usr/lib/R/bin/javareconf
    file: /usr/lib/R/bin/javareconf.orig
Binary-package: xmcd (2.6-19.3)
    file: /usr/share/xmcd/scripts/ncsarmt
    file: /usr/share/xmcd/scripts/ncsawrap
Binary-package: tiger (1:3.2.2-3.1)
    file: /usr/lib/tiger/util/genmsgidx
Binary-package: scilab-bin (4.1.2-5)
    file: /usr/lib/scilab-4.1.2/bin/scilink
    file: /usr/lib/scilab-4.1.2/util/scidoc
    file: /usr/lib/scilab-4.1.2/util/scidem
Binary-package: dpkg-cross (2.3.0)
    file: /usr/share/dpkg-cross/bin/gccross
Binary-package: ltp-network-test (20060918-2.1)
    file: /usr/lib/debian-test/tests/linux/testcases/bin/ftp_setup_vsftp_conf
    file: /usr/lib/debian-test/tests/linux/testcases/bin/
Binary-package: cman (2.20080629-1)
    file: /usr/sbin/fence_egenera
Binary-package: scratchbox2 (
    file: /usr/share/scratchbox2/scripts/dpkg-checkbuilddeps
    file: /usr/share/scratchbox2/scripts/sb2-check-pkg-mappings
Binary-package: sendmail-base (8.14.3-5)
    file: /usr/sbin/checksendmail
    file: /usr/bin/expn
Binary-package: fwbuilder (2.1.19-3)
    file: /usr/bin/fwb_install
Binary-package: sng (1.0.2-5)
    file: /usr/bin/sng_regress
Binary-package: dist (1:3.5-17-1)
    file: /usr/bin/patcil
    file: /usr/bin/patdiff
Binary-package: sympa (5.3.4-5)
    file: /usr/lib/cgi-bin/sympa/wwsympa.fcgi
    file: /usr/lib/sympa/bin/
Binary-package: postfix (2.5.2-2)
    file: /usr/lib/
Binary-package: caudium (3:1.4.12-11)
    file: /usr/share/caudium/configvar
Binary-package: mgetty-fax (1.1.36-1.2)
    file: /usr/bin/faxspool
Binary-package: aegis (4.24-3)
    file: /usr/share/doc/aegis/examples/remind/
    file: /usr/share/doc/aegis/examples/remind/
    file: /usr/share/doc/aegis/examples/remind/
    file: /usr/share/doc/aegis/examples/remind/
Binary-package: aegis-web (4.24-3)
    file: /usr/lib/cgi-bin/aegis.cgi
Binary-package: digitaldj (0.7.5-6+b1)
    file: /usr/share/digitaldj/
Binary-package: mon (0.99.2-12)
    file: /usr/lib/mon/alert.d/test.alert
Binary-package: feta (1.4.16)
    file: /usr/share/feta/plugins/to-upgrade
Binary-package: arb-common (0.0.20071207.1-4)
    file: /usr/lib/arb/SH/arb_fastdnaml
    file: /usr/lib/arb/SH/
Binary-package: qemu (0.9.1-5)
    file: /usr/sbin/qemu-make-debian-root
Binary-package: apertium (3.0.7+1-1+b1)
    file: /usr/bin/apertium-gen-deformat
    file: /usr/bin/apertium-gen-reformat
    file: /usr/bin/apertium
Binary-package: xcal (4.1-18.3)
    file: /usr/bin/pscal
Binary-package: myspell-tools (1:3.1-20)
    file: /usr/bin/i2myspell
Binary-package: gccxml (0.9.0+cvs20080525-1)
    file: /usr/share/gccxml-0.9/MIPSpro/find_flags
Binary-package: freeradius-dialupadmin (2.0.4+dfsg-4)
    file: /usr/share/freeradius-dialupadmin/bin/backup_radacct
    file: /usr/share/freeradius-dialupadmin/bin/clean_radacct
    file: /usr/share/freeradius-dialupadmin/bin/monthly_tot_stats
    file: /usr/share/freeradius-dialupadmin/bin/tot_stats
    file: /usr/share/freeradius-dialupadmin/bin/truncate_radacct
Binary-package: dhis-server (5.3-1)
    file: /usr/lib/dhis-server/dhis-dummy-log-engine
Binary-package: wims (3.62-13)
    file: /var/lib/wims/public_html/bin/coqweb
    file: /var/lib/wims/bin/
Binary-package: initramfs-tools (0.92f)
    file: /usr/share/initramfs-tools/init
Binary-package: realtimebattle-common (1.0.8-7)
    file: /usr/lib/realtimebattle/Robots/perl.robot
Binary-package: netmrg (0.20-1)
    file: /usr/bin/rrdedit
Binary-package: bulmages-servers (0.11.1-2)
    file: /usr/share/bulmages/examples/scripts/actualizabulmacont
    file: /usr/share/bulmages/examples/scripts/installbulmages-db
    file: /usr/share/bulmages/examples/scripts/creabulmafact
    file: /usr/share/bulmages/examples/scripts/creabulmacont
    file: /usr/share/bulmages/examples/scripts/actualizabulmafact
Binary-package: xastir (1.9.2-1)
    file: /usr/lib/xastir/
    file: /usr/lib/xastir/
Binary-package: plait (1.5.2-1)
    file: /usr/bin/plaiter
    file: /usr/bin/plait
Binary-package: cdrw-taper (0.4-2)
    file: /usr/sbin/amlabel-cdrw
Binary-package: konwert-filters (1.8-11.1)
    file: /usr/share/konwert/filters/any-UTF8
Binary-package: gdrae (0.1-1)
    file: /usr/bin/gdrae
Binary-package: lazarus-src (0.9.24-0-9)
    file: /usr/lib/lazarus/tools/install/
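As an added illustration (not part of the bug report, and not code from any of the packages listed above) of the pattern the report warns about: a predictable /tmp name beside its mktemp-based replacement, plus a minimal audit check of the kind the reporter says the list was built with. All function and file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the bug report or any listed package.

# Vulnerable pattern: a name under /tmp salted only with "$$" (or
# $RANDOM) is guessable, and '>' follows a symlink that already exists
# at that name, so the write can be redirected to another file.  Shown
# only so the shape is recognisable in an audit; do not copy it.
unsafe_tmp_write() {
    tmp="/tmp/myscript.$$"
    echo "$1" > "$tmp"        # follows a pre-planted symlink
    rm -f "$tmp"              # removing it afterwards does not help
}

# Hardened pattern: mktemp creates the file itself, atomically, with
# O_EXCL and mode 0600, so nothing can pre-create or race the name.
# (Use 'mktemp -d' for a private work directory in the same way.)
# Returns the byte count written, for a quick self-check.
safe_tmp_write() {
    tmp=$(mktemp "${TMPDIR:-/tmp}/myscript.XXXXXX") || return 1
    echo "$1" > "$tmp"
    wc -c < "$tmp" | tr -d ' '
    rm -f "$tmp"
}

# Audit helper: flag a script that names a fixed path under /tmp or
# /var/tmp and never calls mktemp.  Prints "unsafe" or "ok".  This is
# a coarse heuristic (the report itself notes false positives), so hits
# still need a manual look.
audit_script() {
    if grep -Eq '/(var/)?tmp/[A-Za-z0-9._-]+' "$1" && ! grep -q mktemp "$1"
    then
        echo unsafe
    else
        echo ok
    fi
}
```

Running audit_script over every executable file shipped by a package reproduces the kind of list given in the report, and each hit should then be rewritten along the lines of safe_tmp_write.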

Tags added: pending. Request was from Julien Danjou <> (Mon, 25 Aug 2008 08:42:02 GMT).

Information forwarded to Debian Xen Team <>:
Bug#496367; Package xen-utils-3.2-1.

Acknowledgement sent to Julien Danjou <>:
Extra info received and forwarded to list. Copy sent to Debian Xen Team <>.

Message #12 received:

From: Julien Danjou <>
To: "Dmitry E. Oboukhov" <>,
Subject: Re: [Pkg-xen-devel] Bug#496367: The possibility of attack with the help of symlinks in some Debian packages
Date: Mon, 25 Aug 2008 13:51:13 +0200
severity 496367 normal

At 1219601128 time_t, Dmitry E. Oboukhov wrote:
> Binary-package: xen-utils-3.2-1 (3.2.1-2)
>     file: /usr/lib/xen-3.2-1/bin/qemu-dm.debug

Since this is a poor buggy debug script, I'm setting the severity to
normal. It won't affect anyone sane.
I've also pushed a fix to the svn repository which fixes it.

Julien Danjou

Severity set to `normal' from `grave'. Request was from Julien Danjou <> (Mon, 25 Aug 2008 11:54:10 GMT).

Tags added. Request was from "Dmitry E. Oboukhov" <> (Tue, 26 Aug 2008 08:45:12 GMT).

Tags added: security. Request was from "Dmitry E. Oboukhov" <> (Tue, 26 Aug 2008 08:57:09 GMT).

Reply sent to Bastian Blank <>:
You have taken responsibility. (Wed, 01 Jul 2009 17:51:08 GMT)

Notification sent to "Dmitry E. Oboukhov" <>:
Bug acknowledged by developer. (Wed, 01 Jul 2009 17:51:08 GMT)

Message #23 received:

From: Bastian Blank <>
Subject: Bug#496367: fixed in xen-3 3.4.0-1
Date: Wed, 01 Jul 2009 17:41:17 +0000
Source: xen-3
Source-Version: 3.4.0-1

We believe that the bug you reported is fixed in the latest version of
xen-3, which is due to be installed in the Debian FTP archive:

  to pool/main/x/xen-3/libxen-dev_3.4.0-1_amd64.deb
  to pool/main/x/xen-3/libxenstore3.0_3.4.0-1_amd64.deb
  to pool/main/x/xen-3/xen-3_3.4.0-1.diff.gz
  to pool/main/x/xen-3/xen-3_3.4.0-1.dsc
  to pool/main/x/xen-3/xen-3_3.4.0.orig.tar.gz
  to pool/main/x/xen-3/xen-docs-3.4_3.4.0-1_all.deb
  to pool/main/x/xen-3/xen-hypervisor-3.4-amd64_3.4.0-1_amd64.deb
  to pool/main/x/xen-3/xen-utils-3.4_3.4.0-1_amd64.deb
  to pool/main/x/xen-3/xenstore-utils_3.4.0-1_amd64.deb

A summary of the changes between this version and the previous one is

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
Bastian Blank <> (supplier of updated xen-3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing


Format: 1.8
Date: Tue, 30 Jun 2009 22:33:22 +0200
Source: xen-3
Binary: xen-docs-3.4 libxenstore3.0 libxen-dev xenstore-utils xen-utils-3.4 xen-hypervisor-3.4-amd64 xen-hypervisor-3.4-i386
Architecture: source all amd64
Version: 3.4.0-1
Distribution: unstable
Urgency: low
Maintainer: Debian Xen Team <>
Changed-By: Bastian Blank <>
 libxen-dev - Public headers and libs for Xen
 libxenstore3.0 - Xenstore communications library for Xen
 xen-docs-3.4 - Documentation for Xen
 xen-hypervisor-3.4-amd64 - The Xen Hypervisor on AMD64
 xen-hypervisor-3.4-i386 - The Xen Hypervisor on i386
 xen-utils-3.4 - XEN administrative tools
 xenstore-utils - Xenstore utilities for Xen
Closes: 490409 496367
 xen-3 (3.4.0-1) unstable; urgency=low
   [ Bastian Blank ]
   * New upstream version.
   * Remove ioemu for now. (closes: #490409, #496367)
   * Remove non-pae hypervisor.
   * Use debhelper compat level 7.
   * Make the init script start all daemons.


Bug archived. Request was from Debbugs Internal Request <> (Sat, 15 Aug 2009 07:38:18 GMT).

Debian bug tracking system administrator <>. Last modified: Fri Apr 18 16:26:46 2014.