Debian Bug report logs - #496369
The possibility of attack with the help of symlinks in some Debian packages

version graph

Package: ampache; Maintainer for ampache is Charlie Smotherman <cjsmo@cableone.net>; Source for ampache is src:ampache.

Reported by: "Dmitry E. Oboukhov" <dimka@uvw.ru>

Date: Sun, 24 Aug 2008 18:09:24 UTC

Severity: normal

Tags: confirmed, security

Fixed in version ampache/3.4.1-2

Done: Charlie Smotherman <cjsmo@cableone.net>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Charlie Smotherman <cjsmo@cableone.net>:
Bug#496369; Package ampache. Full text and rfc822 format available.

Acknowledgement sent to "Dmitry E. Oboukhov" <dimka@uvw.ru>:
New Bug report received and forwarded. Copy sent to Charlie Smotherman <cjsmo@cableone.net>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: "Dmitry E. Oboukhov" <dimka@uvw.ru>
To: submit@bugs.debian.org
Cc: dimka@uvw.ru
Subject: The possibility of attack with the help of symlinks in some Debian packages
Date: Sun, 24 Aug 2008 22:05:28 +0400
Package: ampache
Severity: grave

Hi, maintainer!

This message about the error concerns a few packages  at  once.   I've
tested all the packages (for Lenny) on my Debian mirror.  All  scripts
of packages (marked as executable) were tested.

In some packages I've discovered scripts with errors which may be used
by a user for damaging important system files or user's files.

For example if a script uses in its work a temp file which is  created
in /tmp directory, then every user can create symlink  with  the  same
name in this directory in order to  destroy  or  rewrite  some  system
or user file.  Symlink attack may also  lead  not  only  to  the  data
desctruction but to denial of service as well.

Even if you create files or directories with help of function 'RANDOM'
or pid(), then your system is not protected. Attacker can create many
symlinks in order to destroy your data or create 'denial  of  service'
for your package scripts.

Even if you make rm(dir) for files/directories, then  your  system  is
not protected. Attacker can permanently create symlinks.

This list is created with the help of script.  This list is sorted  by
hand. Howewer in some cases mistake is possible.

Please, Be understanding to possible mistakes. :)

I set Severity into grave for this bug. The table of discovered
problems is below.

Discussion of this bug you can see in debian-devel@:
    http://lists.debian.org/debian-devel/2008/08/msg00271.html

Binary-package: r-base-core-ra (1.1.1-1)
    file: /usr/lib/Ra/lib/R/bin/javareconf
Binary-package: rccp (0.9-2)
    file: /usr/lib/rccp/delqueueask
Binary-package: mafft (6.240-1)
    file: /usr/bin/mafft-homologs
Binary-package: openoffice.org-common (1:2.4.1-6)
    file: /usr/lib/openoffice/program/senddoc
Binary-package: crossfire-maps (1.11.0-1)
    file: /usr/share/games/crossfire/maps/Info/combine.pl
Binary-package: sgml2x (1.0.0-11.1)
    file: /usr/bin/rlatex
Binary-package: liguidsoap (0.3.6-4)
    file: /var/lib/liguidsoap/liguidsoap.py
Binary-package: citadel-server (7.37-1)
    file: /usr/lib/citadel-server/migrate_aliases.sh
Binary-package: ampache (3.4.1-1)
    file: /usr/share/ampache/www/locale/base/gather-messages.sh
Binary-package: xen-utils-3.2-1 (3.2.1-2)
    file: /usr/lib/xen-3.2-1/bin/qemu-dm.debug
Binary-package: dtc-common (0.29.6-1)
    file: /usr/share/dtc/admin/accesslog.php
    file: /usr/share/dtc/admin/sa-wrapper
Binary-package: honeyd-common (1.5c-3)
    file: /usr/share/honeyd/scripts/test.sh
Binary-package: lustre-tests (1.6.5-1)
    file: /usr/lib/lustre/tests/runiozone
Binary-package: linuxtrade (3.65-8+b4)
    file: /usr/share/linuxtrade/bin/linuxtrade.bwkvol
    file: /usr/share/linuxtrade/bin/linuxtrade.wn
    file: /usr/share/linuxtrade/bin/moneyam.helper
Binary-package: freevo (1.8.1-0)
    file: /usr/bin/freevo.real
Binary-package: fml (4.0.3.dfsg-2)
    file: /usr/share/fml/libexec/mead.pl
Binary-package: rkhunter (1.3.2-3)
    file: /usr/bin/rkhunter
Binary-package: openswan (1:2.4.12+dfsg-1.1)
    file: /usr/lib/ipsec/livetest
Binary-package: linux-patch-openswan (1:2.4.12+dfsg-1.1)
    file: /usr/src/kernel-patches/all/openswan/packaging/utils/maysnap
    file: /usr/src/kernel-patches/all/openswan/packaging/utils/maytest
Binary-package: aptoncd (0.1-1.1)
    file: /usr/share/aptoncd/xmlfile.py
Binary-package: cdcontrol (1.90-1.1)
    file: /usr/lib/cdcontrol/writtercontrol
Binary-package: newsgate (1.6-23)
    file: /usr/bin/mkmailpost
Binary-package: gpsdrive-scripts (2.10~pre4-3)
    file: /usr/bin/geo-code
Binary-package: impose+ (0.2-11)
    file: /usr/bin/impose
Binary-package: mgt (2.31-5)
    file: /usr/games/mailgo
Binary-package: audiolink (0.05-1)
    file: /usr/bin/audiolink
Binary-package: ibackup (2.27-4.1)
    file: /usr/bin/ibackup
Binary-package: emacspeak (26.0-3)
    file: /usr/share/emacs/site-lisp/emacspeak/etc/extract-table.pl
Binary-package: bk2site (1:1.1.9-3.1)
    file: /usr/lib/cgi-bin/bk2site/redirect.pl
Binary-package: datafreedom-perl (0.1.7-1)
    file: /usr/bin/dfxml-invoice
Binary-package: emacs-jabber (0.7.91-1)
    file: /usr/lib/emacsen-common/packages/install/emacs-jabber
Binary-package: lmbench (3.0-a7-1)
    file: /usr/lib/lmbench/scripts/rccs
    file: /usr/lib/lmbench/scripts/STUFF
Binary-package: rancid-util (2.3.2~a8-1)
    file: /var/lib/rancid/getipacctg
Binary-package: ogle (0.9.2-5.2)
    file: /usr/lib/ogle/ogle_audio_debug
    file: /usr/lib/ogle/ogle_cli_debug
    file: /usr/lib/ogle/ogle_ctrl_debug
    file: /usr/lib/ogle/ogle_gui_debug
    file: /usr/lib/ogle/ogle_mpeg_ps_debug
    file: /usr/lib/ogle/ogle_mpeg_vs_debug
    file: /usr/lib/ogle/ogle_nav_debug
    file: /usr/lib/ogle/ogle_vout_debug
Binary-package: firehol (1.256-4)
    file: /sbin/firehol
Binary-package: aview (1.3.0rc1-8)
    file: /usr/bin/asciiview
Binary-package: radiance (3R9+20080530-3)
    file: /usr/bin/optics2rad
    file: /usr/bin/pdelta
    file: /usr/bin/dayfact
    file: /usr/bin/raddepend
Binary-package: vdr-dbg (1.6.0-5)
    file: /usr/bin/vdrleaktest
Binary-package: ogle-mmx (0.9.2-5.2)
    file: /usr/lib/ogle/ogle_audio_debug
    file: /usr/lib/ogle/ogle_cli_debug
    file: /usr/lib/ogle/ogle_ctrl_debug
    file: /usr/lib/ogle/ogle_gui_debug
    file: /usr/lib/ogle/ogle_mpeg_ps_debug
    file: /usr/lib/ogle/ogle_mpeg_vs_debug
    file: /usr/lib/ogle/ogle_nav_debug
    file: /usr/lib/ogle/ogle_vout_debug
Binary-package: convirt (0.8.2-3)
    file: /usr/share/convirt/image_store/_template_/provision.sh
    file: /usr/share/convirt/image_store/Linux_CD_Install/provision.sh
    file: /usr/share/convirt/image_store/Fedora_PV_Install/provision.sh
    file: /usr/share/convirt/image_store/CentOS_PV_Install/provision.sh
    file: /usr/share/convirt/image_store/common/provision.sh
    file: /usr/share/convirt/image_store/example/provision.sh
    file: /usr/share/convirt/image_store/Windows_CD_Install/provision.sh
Binary-package: printfilters-ppd (2.13-9)
    file: /usr/lib/printfilters/master-filter
Binary-package: r-base-core (2.7.1-1)
    file: /usr/lib/R/bin/javareconf
    file: /usr/lib/R/bin/javareconf.orig
Binary-package: xmcd (2.6-19.3)
    file: /usr/share/xmcd/scripts/ncsarmt
    file: /usr/share/xmcd/scripts/ncsawrap
Binary-package: tiger (1:3.2.2-3.1)
    file: /usr/lib/tiger/util/genmsgidx
Binary-package: scilab-bin (4.1.2-5)
    file: /usr/lib/scilab-4.1.2/bin/scilink
    file: /usr/lib/scilab-4.1.2/util/scidoc
    file: /usr/lib/scilab-4.1.2/util/scidem
Binary-package: dpkg-cross (2.3.0)
    file: /usr/share/dpkg-cross/bin/gccross
Binary-package: ltp-network-test (20060918-2.1)
    file: /usr/lib/debian-test/tests/linux/testcases/bin/ftp_setup_vsftp_conf
    file: /usr/lib/debian-test/tests/linux/testcases/bin/nfs_fsstress.sh
Binary-package: cman (2.20080629-1)
    file: /usr/sbin/fence_egenera
Binary-package: scratchbox2 (1.99.0.24-1)
    file: /usr/share/scratchbox2/scripts/dpkg-checkbuilddeps
    file: /usr/share/scratchbox2/scripts/sb2-check-pkg-mappings
Binary-package: sendmail-base (8.14.3-5)
    file: /usr/sbin/checksendmail
    file: /usr/bin/expn
Binary-package: fwbuilder (2.1.19-3)
    file: /usr/bin/fwb_install
Binary-package: sng (1.0.2-5)
    file: /usr/bin/sng_regress
Binary-package: dist (1:3.5-17-1)
    file: /usr/bin/patcil
    file: /usr/bin/patdiff
Binary-package: sympa (5.3.4-5)
    file: /usr/lib/cgi-bin/sympa/wwsympa.fcgi
    file: /usr/lib/sympa/bin/sympa.pl
Binary-package: postfix (2.5.2-2)
    file: /usr/lib/postfix_groups.pl
Binary-package: caudium (3:1.4.12-11)
    file: /usr/share/caudium/configvar
Binary-package: mgetty-fax (1.1.36-1.2)
    file: /usr/bin/faxspool
Binary-package: aegis (4.24-3)
    file: /usr/share/doc/aegis/examples/remind/bng_dvlpd.sh
    file: /usr/share/doc/aegis/examples/remind/bng_rvwd.sh
    file: /usr/share/doc/aegis/examples/remind/awt_dvlp.sh
    file: /usr/share/doc/aegis/examples/remind/awt_intgrtn.sh
Binary-package: aegis-web (4.24-3)
    file: /usr/lib/cgi-bin/aegis.cgi
Binary-package: digitaldj (0.7.5-6+b1)
    file: /usr/share/digitaldj/fest.pl
Binary-package: mon (0.99.2-12)
    file: /usr/lib/mon/alert.d/test.alert
Binary-package: feta (1.4.16)
    file: /usr/share/feta/plugins/to-upgrade
Binary-package: arb-common (0.0.20071207.1-4)
    file: /usr/lib/arb/SH/arb_fastdnaml
    file: /usr/lib/arb/SH/dszmconnect.pl
Binary-package: qemu (0.9.1-5)
    file: /usr/sbin/qemu-make-debian-root
Binary-package: apertium (3.0.7+1-1+b1)
    file: /usr/bin/apertium-gen-deformat
    file: /usr/bin/apertium-gen-reformat
    file: /usr/bin/apertium
Binary-package: xcal (4.1-18.3)
    file: /usr/bin/pscal
Binary-package: myspell-tools (1:3.1-20)
    file: /usr/bin/i2myspell
Binary-package: gccxml (0.9.0+cvs20080525-1)
    file: /usr/share/gccxml-0.9/MIPSpro/find_flags
Binary-package: freeradius-dialupadmin (2.0.4+dfsg-4)
    file: /usr/share/freeradius-dialupadmin/bin/backup_radacct
    file: /usr/share/freeradius-dialupadmin/bin/clean_radacct
    file: /usr/share/freeradius-dialupadmin/bin/monthly_tot_stats
    file: /usr/share/freeradius-dialupadmin/bin/tot_stats
    file: /usr/share/freeradius-dialupadmin/bin/truncate_radacct
Binary-package: dhis-server (5.3-1)
    file: /usr/lib/dhis-server/dhis-dummy-log-engine
Binary-package: wims (3.62-13)
    file: /var/lib/wims/public_html/bin/coqweb
    file: /var/lib/wims/bin/account.sh
Binary-package: initramfs-tools (0.92f)
    file: /usr/share/initramfs-tools/init
Binary-package: realtimebattle-common (1.0.8-7)
    file: /usr/lib/realtimebattle/Robots/perl.robot
Binary-package: netmrg (0.20-1)
    file: /usr/bin/rrdedit
Binary-package: bulmages-servers (0.11.1-2)
    file: /usr/share/bulmages/examples/scripts/actualizabulmacont
    file: /usr/share/bulmages/examples/scripts/installbulmages-db
    file: /usr/share/bulmages/examples/scripts/creabulmafact
    file: /usr/share/bulmages/examples/scripts/creabulmacont
    file: /usr/share/bulmages/examples/scripts/actualizabulmafact
Binary-package: xastir (1.9.2-1)
    file: /usr/lib/xastir/get-maptools.sh
    file: /usr/lib/xastir/get_shapelib.sh
Binary-package: plait (1.5.2-1)
    file: /usr/bin/plaiter
    file: /usr/bin/plait
Binary-package: cdrw-taper (0.4-2)
    file: /usr/sbin/amlabel-cdrw
Binary-package: konwert-filters (1.8-11.1)
    file: /usr/share/konwert/filters/any-UTF8
Binary-package: gdrae (0.1-1)
    file: /usr/bin/gdrae
Binary-package: lazarus-src (0.9.24-0-9)
    file: /usr/lib/lazarus/tools/install/create_lazarus_export_tgz.sh




Tags added: Request was from "Dmitry E. Oboukhov" <dimka@uvw.ru> to control@bugs.debian.org. (Tue, 26 Aug 2008 08:45:15 GMT) Full text and rfc822 format available.

Tags added: security Request was from "Dmitry E. Oboukhov" <dimka@uvw.ru> to control@bugs.debian.org. (Tue, 26 Aug 2008 08:57:10 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Charlie Smotherman <cjsmo@cableone.net>:
Bug#496369; Package ampache. Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Charlie Smotherman <cjsmo@cableone.net>. Full text and rfc822 format available.

Message #14 received at 496369@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: 496369@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: The possibility of attack with the help of symlinks in some Debian packages
Date: Tue, 26 Aug 2008 12:11:59 +0200
[Message part 1 (text/plain, inline)]
3Rseverity 496369 normal
tag 496369 confirmed

Dmitry E. Oboukhov wrote:
> Binary-package: ampache (3.4.1-1)
>     file: /usr/share/ampache/www/locale/base/gather-messages.sh

Since this script is only used for translating ampache and not for
the general package usage, I'm lowering the severity to "normal". 

A patch to fix the script by using mktemp is attached.

Cheers,
        Moritz
[ampache-tmp-file.diff (text/x-diff, attachment)]

Tags added: confirmed Request was from Moritz Muehlenhoff <jmm@inutil.org> to control@bugs.debian.org. (Tue, 26 Aug 2008 10:21:11 GMT) Full text and rfc822 format available.

Severity set to `normal' from `grave' Request was from Moritz Muehlenhoff <jmm@inutil.org> to control@bugs.debian.org. (Tue, 26 Aug 2008 11:06:05 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Charlie Smotherman <cjsmo@cableone.net>:
Bug#496369; Package ampache. Full text and rfc822 format available.

Acknowledgement sent to Charliej <cjsmo@cableone.net>:
Extra info received and forwarded to list. Copy sent to Charlie Smotherman <cjsmo@cableone.net>. Full text and rfc822 format available.

Message #23 received at 496369@bugs.debian.org (full text, mbox):

From: Charliej <cjsmo@cableone.net>
To: Moritz Muehlenhoff <jmm@inutil.org>, 496369@bugs.debian.org, control@bugs.debian.org
Subject: Re: Bug#496369: The possibility of attack with the help of symlinks in some Debian packages
Date: Tue, 26 Aug 2008 07:59:36 -0500
Moritz Muehlenhoff wrote:
> 3Rseverity 496369 normal
> tag 496369 confirmed
>
> Dmitry E. Oboukhov wrote:
>   
>> Binary-package: ampache (3.4.1-1)
>>     file: /usr/share/ampache/www/locale/base/gather-messages.sh
>>     
>
> Since this script is only used for translating ampache and not for
> the general package usage, I'm lowering the severity to "normal". 
>
> A patch to fix the script by using mktemp is attached.
>
> Cheers,
>         Moritz
>   
Moritz,

I will apply this patch to the current version of ampache and close this
bug with the next upload.  With lenny in release freeze I am not sure if
this will make it into lenny.

I am also forwarding this to upstream so it will also be included into
future version of ampache.

Thank you for your time and effort in providing this patch.
Charlie




Information forwarded to debian-bugs-dist@lists.debian.org, Charlie Smotherman <cjsmo@cableone.net>:
Bug#496369; Package ampache. Full text and rfc822 format available.

Acknowledgement sent to Charliej <cjsmo@cableone.net>:
Extra info received and forwarded to list. Copy sent to Charlie Smotherman <cjsmo@cableone.net>. Full text and rfc822 format available.

Message #28 received at 496369@bugs.debian.org (full text, mbox):

From: Charliej <cjsmo@cableone.net>
To: 496369@bugs.debian.org
Subject: Bug#496369: The possibility of attack with the help of symlinks in some Debian packages
Date: Thu, 28 Aug 2008 23:20:59 -0500
I have discussed this bug with upstream and it has been decided to not
use the patch provided but to add -Xgather-messages.sh option to
dh_install in debian/rules.  This way the offending file is not
installed onto the user's system and thus not a security risk. 

/locale/base/gather-messages.sh is provided to assist users in
developing/updating translation files and is actually not used by
ampache proper.

As stated in the earlier post I will close this bug with the next
sponsored upload.

Charlie




Reply sent to Charlie Smotherman <cjsmo@cableone.net>:
You have taken responsibility. (Sun, 02 Nov 2008 10:57:02 GMT) Full text and rfc822 format available.

Notification sent to "Dmitry E. Oboukhov" <dimka@uvw.ru>:
Bug acknowledged by developer. (Sun, 02 Nov 2008 10:57:02 GMT) Full text and rfc822 format available.

Message #33 received at 496369-close@bugs.debian.org (full text, mbox):

From: Charlie Smotherman <cjsmo@cableone.net>
To: 496369-close@bugs.debian.org
Subject: Bug#496369: fixed in ampache 3.4.1-2
Date: Sun, 02 Nov 2008 10:47:03 +0000
Source: ampache
Source-Version: 3.4.1-2

We believe that the bug you reported is fixed in the latest version of
ampache, which is due to be installed in the Debian FTP archive:

ampache_3.4.1-2.diff.gz
  to pool/main/a/ampache/ampache_3.4.1-2.diff.gz
ampache_3.4.1-2.dsc
  to pool/main/a/ampache/ampache_3.4.1-2.dsc
ampache_3.4.1-2_all.deb
  to pool/main/a/ampache/ampache_3.4.1-2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 496369@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Charlie Smotherman <cjsmo@cableone.net> (supplier of updated ampache package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 01 Nov 2008 13:47:43 -0500
Source: ampache
Binary: ampache
Architecture: source all
Version: 3.4.1-2
Distribution: unstable
Urgency: low
Maintainer: Charlie Smotherman <cjsmo@cableone.net>
Changed-By: Charlie Smotherman <cjsmo@cableone.net>
Description: 
 ampache    - web-based audio file management system
Closes: 496369 504169
Changes: 
 ampache (3.4.1-2) unstable; urgency=low
 .
     * Made package to depend on libjs-prototype to correct a lintian error of
       "courtousy copies of code".  Adjusted debian/control, debian/rules,
       debian/links, postinst, postrm to reflect this dependency.
     * Made package to depend on libphp-snoopy due to CVE-2008-4796.  Adjusted
       debian/control, debian/rules, debian/links, postinst, postrm to reflect
       this dependency. Closes: #504169
     * Removed /usr/share/ampache/www/locale/base/gather-messages.sh from package
       to close a potential security hole.  Closes: #496369
Checksums-Sha1: 
 cfff5618783b365b02dba631f52a59905e2f4240 986 ampache_3.4.1-2.dsc
 7c2a4aa5101a91ff198f5453762896bfcb260840 15090 ampache_3.4.1-2.diff.gz
 5da0c5ede3e1f8a9013c308c787669e1a96970e3 1329464 ampache_3.4.1-2_all.deb
Checksums-Sha256: 
 ca95ac1ed22e5c5b1d5c6f48cc2de14cf1e6d6e7c1cba9a209a502a47a0a2234 986 ampache_3.4.1-2.dsc
 b14c3c01f957f2dfe10541e18ebdd76d23bc1473f0dd26e76a458c9504a1f595 15090 ampache_3.4.1-2.diff.gz
 e3a17c8fc9cb11a80b5da5fc3aeeed45c0c6f3d8d405a778490a954644faeafe 1329464 ampache_3.4.1-2_all.deb
Files: 
 b8bc62045116145a8fd722d0a8bbfcbe 986 web optional ampache_3.4.1-2.dsc
 9efd757cc5132e0630e5afcd4258e33c 15090 web optional ampache_3.4.1-2.diff.gz
 fc90f8a1e35e45117de09b7586b8002c 1329464 web optional ampache_3.4.1-2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkkNg7YACgkQ62zWxYk/rQfl3gCgg8/JlBw2LOM7jvKIIhZ1E3uK
hM8AnRmKJNjcZgP+LQkcdBEgVt0oDS35
=foBo
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 12 Dec 2008 07:29:03 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 07:12:38 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.