Debian Bug report logs - #496374
The possibility of attack with the help of symlinks in some Debian packages

version graph

Package: openswan; Maintainer for openswan is Rene Mayrhofer <rmayr@debian.org>; Source for openswan is src:openswan.

Reported by: "Dmitry E. Oboukhov" <dimka@uvw.ru>

Date: Sun, 24 Aug 2008 18:09:38 UTC

Severity: grave

Tags: patch, security

Fixed in version openswan/1:2.4.12+dfsg-1.3

Done: Christian Perrier <bubulle@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Rene Mayrhofer <rmayr@debian.org>:
Bug#496374; Package openswan. Full text and rfc822 format available.

Acknowledgement sent to "Dmitry E. Oboukhov" <dimka@uvw.ru>:
New Bug report received and forwarded. Copy sent to Rene Mayrhofer <rmayr@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: "Dmitry E. Oboukhov" <dimka@uvw.ru>
To: submit@bugs.debian.org
Cc: dimka@uvw.ru
Subject: The possibility of attack with the help of symlinks in some Debian packages
Date: Sun, 24 Aug 2008 22:05:28 +0400
Package: openswan
Severity: grave

Hi, maintainer!

This message about the error concerns a few packages  at  once.   I've
tested all the packages (for Lenny) on my Debian mirror.  All  scripts
of packages (marked as executable) were tested.

In some packages I've discovered scripts with errors which may be used
by a user for damaging important system files or user's files.

For example if a script uses in its work a temp file which is  created
in /tmp directory, then every user can create symlink  with  the  same
name in this directory in order to  destroy  or  rewrite  some  system
or user file.  Symlink attack may also  lead  not  only  to  the  data
desctruction but to denial of service as well.

Even if you create files or directories with help of function 'RANDOM'
or pid(), then your system is not protected. Attacker can create many
symlinks in order to destroy your data or create 'denial  of  service'
for your package scripts.

Even if you make rm(dir) for files/directories, then  your  system  is
not protected. Attacker can permanently create symlinks.

This list is created with the help of script.  This list is sorted  by
hand. Howewer in some cases mistake is possible.

Please, Be understanding to possible mistakes. :)

I set Severity into grave for this bug. The table of discovered
problems is below.

Discussion of this bug you can see in debian-devel@:
    http://lists.debian.org/debian-devel/2008/08/msg00271.html

Binary-package: r-base-core-ra (1.1.1-1)
    file: /usr/lib/Ra/lib/R/bin/javareconf
Binary-package: rccp (0.9-2)
    file: /usr/lib/rccp/delqueueask
Binary-package: mafft (6.240-1)
    file: /usr/bin/mafft-homologs
Binary-package: openoffice.org-common (1:2.4.1-6)
    file: /usr/lib/openoffice/program/senddoc
Binary-package: crossfire-maps (1.11.0-1)
    file: /usr/share/games/crossfire/maps/Info/combine.pl
Binary-package: sgml2x (1.0.0-11.1)
    file: /usr/bin/rlatex
Binary-package: liguidsoap (0.3.6-4)
    file: /var/lib/liguidsoap/liguidsoap.py
Binary-package: citadel-server (7.37-1)
    file: /usr/lib/citadel-server/migrate_aliases.sh
Binary-package: ampache (3.4.1-1)
    file: /usr/share/ampache/www/locale/base/gather-messages.sh
Binary-package: xen-utils-3.2-1 (3.2.1-2)
    file: /usr/lib/xen-3.2-1/bin/qemu-dm.debug
Binary-package: dtc-common (0.29.6-1)
    file: /usr/share/dtc/admin/accesslog.php
    file: /usr/share/dtc/admin/sa-wrapper
Binary-package: honeyd-common (1.5c-3)
    file: /usr/share/honeyd/scripts/test.sh
Binary-package: lustre-tests (1.6.5-1)
    file: /usr/lib/lustre/tests/runiozone
Binary-package: linuxtrade (3.65-8+b4)
    file: /usr/share/linuxtrade/bin/linuxtrade.bwkvol
    file: /usr/share/linuxtrade/bin/linuxtrade.wn
    file: /usr/share/linuxtrade/bin/moneyam.helper
Binary-package: freevo (1.8.1-0)
    file: /usr/bin/freevo.real
Binary-package: fml (4.0.3.dfsg-2)
    file: /usr/share/fml/libexec/mead.pl
Binary-package: rkhunter (1.3.2-3)
    file: /usr/bin/rkhunter
Binary-package: openswan (1:2.4.12+dfsg-1.1)
    file: /usr/lib/ipsec/livetest
Binary-package: linux-patch-openswan (1:2.4.12+dfsg-1.1)
    file: /usr/src/kernel-patches/all/openswan/packaging/utils/maysnap
    file: /usr/src/kernel-patches/all/openswan/packaging/utils/maytest
Binary-package: aptoncd (0.1-1.1)
    file: /usr/share/aptoncd/xmlfile.py
Binary-package: cdcontrol (1.90-1.1)
    file: /usr/lib/cdcontrol/writtercontrol
Binary-package: newsgate (1.6-23)
    file: /usr/bin/mkmailpost
Binary-package: gpsdrive-scripts (2.10~pre4-3)
    file: /usr/bin/geo-code
Binary-package: impose+ (0.2-11)
    file: /usr/bin/impose
Binary-package: mgt (2.31-5)
    file: /usr/games/mailgo
Binary-package: audiolink (0.05-1)
    file: /usr/bin/audiolink
Binary-package: ibackup (2.27-4.1)
    file: /usr/bin/ibackup
Binary-package: emacspeak (26.0-3)
    file: /usr/share/emacs/site-lisp/emacspeak/etc/extract-table.pl
Binary-package: bk2site (1:1.1.9-3.1)
    file: /usr/lib/cgi-bin/bk2site/redirect.pl
Binary-package: datafreedom-perl (0.1.7-1)
    file: /usr/bin/dfxml-invoice
Binary-package: emacs-jabber (0.7.91-1)
    file: /usr/lib/emacsen-common/packages/install/emacs-jabber
Binary-package: lmbench (3.0-a7-1)
    file: /usr/lib/lmbench/scripts/rccs
    file: /usr/lib/lmbench/scripts/STUFF
Binary-package: rancid-util (2.3.2~a8-1)
    file: /var/lib/rancid/getipacctg
Binary-package: ogle (0.9.2-5.2)
    file: /usr/lib/ogle/ogle_audio_debug
    file: /usr/lib/ogle/ogle_cli_debug
    file: /usr/lib/ogle/ogle_ctrl_debug
    file: /usr/lib/ogle/ogle_gui_debug
    file: /usr/lib/ogle/ogle_mpeg_ps_debug
    file: /usr/lib/ogle/ogle_mpeg_vs_debug
    file: /usr/lib/ogle/ogle_nav_debug
    file: /usr/lib/ogle/ogle_vout_debug
Binary-package: firehol (1.256-4)
    file: /sbin/firehol
Binary-package: aview (1.3.0rc1-8)
    file: /usr/bin/asciiview
Binary-package: radiance (3R9+20080530-3)
    file: /usr/bin/optics2rad
    file: /usr/bin/pdelta
    file: /usr/bin/dayfact
    file: /usr/bin/raddepend
Binary-package: vdr-dbg (1.6.0-5)
    file: /usr/bin/vdrleaktest
Binary-package: ogle-mmx (0.9.2-5.2)
    file: /usr/lib/ogle/ogle_audio_debug
    file: /usr/lib/ogle/ogle_cli_debug
    file: /usr/lib/ogle/ogle_ctrl_debug
    file: /usr/lib/ogle/ogle_gui_debug
    file: /usr/lib/ogle/ogle_mpeg_ps_debug
    file: /usr/lib/ogle/ogle_mpeg_vs_debug
    file: /usr/lib/ogle/ogle_nav_debug
    file: /usr/lib/ogle/ogle_vout_debug
Binary-package: convirt (0.8.2-3)
    file: /usr/share/convirt/image_store/_template_/provision.sh
    file: /usr/share/convirt/image_store/Linux_CD_Install/provision.sh
    file: /usr/share/convirt/image_store/Fedora_PV_Install/provision.sh
    file: /usr/share/convirt/image_store/CentOS_PV_Install/provision.sh
    file: /usr/share/convirt/image_store/common/provision.sh
    file: /usr/share/convirt/image_store/example/provision.sh
    file: /usr/share/convirt/image_store/Windows_CD_Install/provision.sh
Binary-package: printfilters-ppd (2.13-9)
    file: /usr/lib/printfilters/master-filter
Binary-package: r-base-core (2.7.1-1)
    file: /usr/lib/R/bin/javareconf
    file: /usr/lib/R/bin/javareconf.orig
Binary-package: xmcd (2.6-19.3)
    file: /usr/share/xmcd/scripts/ncsarmt
    file: /usr/share/xmcd/scripts/ncsawrap
Binary-package: tiger (1:3.2.2-3.1)
    file: /usr/lib/tiger/util/genmsgidx
Binary-package: scilab-bin (4.1.2-5)
    file: /usr/lib/scilab-4.1.2/bin/scilink
    file: /usr/lib/scilab-4.1.2/util/scidoc
    file: /usr/lib/scilab-4.1.2/util/scidem
Binary-package: dpkg-cross (2.3.0)
    file: /usr/share/dpkg-cross/bin/gccross
Binary-package: ltp-network-test (20060918-2.1)
    file: /usr/lib/debian-test/tests/linux/testcases/bin/ftp_setup_vsftp_conf
    file: /usr/lib/debian-test/tests/linux/testcases/bin/nfs_fsstress.sh
Binary-package: cman (2.20080629-1)
    file: /usr/sbin/fence_egenera
Binary-package: scratchbox2 (1.99.0.24-1)
    file: /usr/share/scratchbox2/scripts/dpkg-checkbuilddeps
    file: /usr/share/scratchbox2/scripts/sb2-check-pkg-mappings
Binary-package: sendmail-base (8.14.3-5)
    file: /usr/sbin/checksendmail
    file: /usr/bin/expn
Binary-package: fwbuilder (2.1.19-3)
    file: /usr/bin/fwb_install
Binary-package: sng (1.0.2-5)
    file: /usr/bin/sng_regress
Binary-package: dist (1:3.5-17-1)
    file: /usr/bin/patcil
    file: /usr/bin/patdiff
Binary-package: sympa (5.3.4-5)
    file: /usr/lib/cgi-bin/sympa/wwsympa.fcgi
    file: /usr/lib/sympa/bin/sympa.pl
Binary-package: postfix (2.5.2-2)
    file: /usr/lib/postfix_groups.pl
Binary-package: caudium (3:1.4.12-11)
    file: /usr/share/caudium/configvar
Binary-package: mgetty-fax (1.1.36-1.2)
    file: /usr/bin/faxspool
Binary-package: aegis (4.24-3)
    file: /usr/share/doc/aegis/examples/remind/bng_dvlpd.sh
    file: /usr/share/doc/aegis/examples/remind/bng_rvwd.sh
    file: /usr/share/doc/aegis/examples/remind/awt_dvlp.sh
    file: /usr/share/doc/aegis/examples/remind/awt_intgrtn.sh
Binary-package: aegis-web (4.24-3)
    file: /usr/lib/cgi-bin/aegis.cgi
Binary-package: digitaldj (0.7.5-6+b1)
    file: /usr/share/digitaldj/fest.pl
Binary-package: mon (0.99.2-12)
    file: /usr/lib/mon/alert.d/test.alert
Binary-package: feta (1.4.16)
    file: /usr/share/feta/plugins/to-upgrade
Binary-package: arb-common (0.0.20071207.1-4)
    file: /usr/lib/arb/SH/arb_fastdnaml
    file: /usr/lib/arb/SH/dszmconnect.pl
Binary-package: qemu (0.9.1-5)
    file: /usr/sbin/qemu-make-debian-root
Binary-package: apertium (3.0.7+1-1+b1)
    file: /usr/bin/apertium-gen-deformat
    file: /usr/bin/apertium-gen-reformat
    file: /usr/bin/apertium
Binary-package: xcal (4.1-18.3)
    file: /usr/bin/pscal
Binary-package: myspell-tools (1:3.1-20)
    file: /usr/bin/i2myspell
Binary-package: gccxml (0.9.0+cvs20080525-1)
    file: /usr/share/gccxml-0.9/MIPSpro/find_flags
Binary-package: freeradius-dialupadmin (2.0.4+dfsg-4)
    file: /usr/share/freeradius-dialupadmin/bin/backup_radacct
    file: /usr/share/freeradius-dialupadmin/bin/clean_radacct
    file: /usr/share/freeradius-dialupadmin/bin/monthly_tot_stats
    file: /usr/share/freeradius-dialupadmin/bin/tot_stats
    file: /usr/share/freeradius-dialupadmin/bin/truncate_radacct
Binary-package: dhis-server (5.3-1)
    file: /usr/lib/dhis-server/dhis-dummy-log-engine
Binary-package: wims (3.62-13)
    file: /var/lib/wims/public_html/bin/coqweb
    file: /var/lib/wims/bin/account.sh
Binary-package: initramfs-tools (0.92f)
    file: /usr/share/initramfs-tools/init
Binary-package: realtimebattle-common (1.0.8-7)
    file: /usr/lib/realtimebattle/Robots/perl.robot
Binary-package: netmrg (0.20-1)
    file: /usr/bin/rrdedit
Binary-package: bulmages-servers (0.11.1-2)
    file: /usr/share/bulmages/examples/scripts/actualizabulmacont
    file: /usr/share/bulmages/examples/scripts/installbulmages-db
    file: /usr/share/bulmages/examples/scripts/creabulmafact
    file: /usr/share/bulmages/examples/scripts/creabulmacont
    file: /usr/share/bulmages/examples/scripts/actualizabulmafact
Binary-package: xastir (1.9.2-1)
    file: /usr/lib/xastir/get-maptools.sh
    file: /usr/lib/xastir/get_shapelib.sh
Binary-package: plait (1.5.2-1)
    file: /usr/bin/plaiter
    file: /usr/bin/plait
Binary-package: cdrw-taper (0.4-2)
    file: /usr/sbin/amlabel-cdrw
Binary-package: konwert-filters (1.8-11.1)
    file: /usr/share/konwert/filters/any-UTF8
Binary-package: gdrae (0.1-1)
    file: /usr/bin/gdrae
Binary-package: lazarus-src (0.9.24-0-9)
    file: /usr/lib/lazarus/tools/install/create_lazarus_export_tgz.sh




Tags added: Request was from "Dmitry E. Oboukhov" <dimka@uvw.ru> to control@bugs.debian.org. (Tue, 26 Aug 2008 08:45:20 GMT) Full text and rfc822 format available.

Tags added: security Request was from "Dmitry E. Oboukhov" <dimka@uvw.ru> to control@bugs.debian.org. (Tue, 26 Aug 2008 08:57:13 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Rene Mayrhofer <rmayr@debian.org>:
Bug#496374; Package openswan. Full text and rfc822 format available.

Acknowledgement sent to Frank Lichtenheld <djpig@debian.org>:
Extra info received and forwarded to list. Copy sent to Rene Mayrhofer <rmayr@debian.org>. Full text and rfc822 format available.

Message #14 received at 496374@bugs.debian.org (full text, mbox):

From: Frank Lichtenheld <djpig@debian.org>
To: 496374@bugs.debian.org
Subject: Patch
Date: Sun, 14 Sep 2008 02:02:56 +0200
tag 496374 patch
thanks

The following patch should fix this issue (fully untested though, I
will not upload this):

#! /bin/sh /usr/share/dpatch/dpatch-run
## livetest-temp-files.dpatch by Frank Lichtenheld <djpig@debian.org>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: Fix some insecure tempfile usages.

@DPATCH@
diff -urNad openswan-2.4.12+dfsg~/programs/livetest/livetest.in openswan-2.4.12+dfsg/programs/livetest/livetest.in
--- openswan-2.4.12+dfsg~/programs/livetest/livetest.in	2005-07-15 18:39:25.000000000 +0200
+++ openswan-2.4.12+dfsg/programs/livetest/livetest.in	2008-09-14 01:43:43.000000000 +0200
@@ -36,13 +36,17 @@
 
 #echo wget  http://192.168.0.1/olts/?leftid=$leftid\&$leftrsasigkey&$version
 
-wget -o /dev/null  -O /tmp/ipseclive.conn "http://192.168.0.1/olts/?leftid=$leftid&$leftrsasigkey&version=$version"
+connection=$(mktemp -t ipseclive.conn.XXXXXX)
+local_log=$(mktemp -t ipsec.olts.local.log.XXXXXX)
+remote_log=$(mktemp -t ipsec.olts.remote.log.XXXXXX)
 
-sh < /tmp/ipseclive.conn
+wget -o /dev/null  -O $connection "http://192.168.0.1/olts/?leftid=$leftid&$leftrsasigkey&version=$version"
+
+sh < $connection
 ipsec eroute.pl
 leftid=`echo $leftid | sed "s/@//"`
-ipsec whack --delete --name olts-$leftid >> /tmp/ipsec.olts.local.log
-wget -o /dev/null -O /tmp/ipsec.olts.remote.log "http://192.168.0.1/olts/log.php?leftid=$leftid"
+ipsec whack --delete --name olts-$leftid > $local_log
+wget -o /dev/null -O $remote_log "http://192.168.0.1/olts/log.php?leftid=$leftid"
 
 #
 # $Log: livetest.in,v $

Gruesse,
-- 
Frank Lichtenheld <djpig@debian.org>
www: http://www.djpig.de/




Tags added: patch Request was from Frank Lichtenheld <djpig@debian.org> to control@bugs.debian.org. (Sun, 14 Sep 2008 00:12:06 GMT) Full text and rfc822 format available.

Reply sent to Christian Perrier <bubulle@debian.org>:
You have taken responsibility. (Sun, 28 Sep 2008 13:30:18 GMT) Full text and rfc822 format available.

Notification sent to "Dmitry E. Oboukhov" <dimka@uvw.ru>:
Bug acknowledged by developer. (Sun, 28 Sep 2008 13:30:18 GMT) Full text and rfc822 format available.

Message #21 received at 496374-close@bugs.debian.org (full text, mbox):

From: Christian Perrier <bubulle@debian.org>
To: 496374-close@bugs.debian.org
Subject: Bug#496374: fixed in openswan 1:2.4.12+dfsg-1.3
Date: Sun, 28 Sep 2008 13:17:06 +0000
Source: openswan
Source-Version: 1:2.4.12+dfsg-1.3

We believe that the bug you reported is fixed in the latest version of
openswan, which is due to be installed in the Debian FTP archive:

linux-patch-openswan_2.4.12+dfsg-1.3_all.deb
  to pool/main/o/openswan/linux-patch-openswan_2.4.12+dfsg-1.3_all.deb
openswan-modules-source_2.4.12+dfsg-1.3_all.deb
  to pool/main/o/openswan/openswan-modules-source_2.4.12+dfsg-1.3_all.deb
openswan_2.4.12+dfsg-1.3.diff.gz
  to pool/main/o/openswan/openswan_2.4.12+dfsg-1.3.diff.gz
openswan_2.4.12+dfsg-1.3.dsc
  to pool/main/o/openswan/openswan_2.4.12+dfsg-1.3.dsc
openswan_2.4.12+dfsg-1.3_i386.deb
  to pool/main/o/openswan/openswan_2.4.12+dfsg-1.3_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 496374@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Perrier <bubulle@debian.org> (supplier of updated openswan package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 28 Sep 2008 13:07:56 +0200
Source: openswan
Binary: openswan openswan-modules-source linux-patch-openswan
Architecture: source all i386
Version: 1:2.4.12+dfsg-1.3
Distribution: unstable
Urgency: high
Maintainer: Rene Mayrhofer <rmayr@debian.org>
Changed-By: Christian Perrier <bubulle@debian.org>
Description: 
 linux-patch-openswan - IPSEC Linux kernel support for Openswan
 openswan   - IPSEC utilities for Openswan
 openswan-modules-source - IPSEC kernel modules source for Openswan
Closes: 489437 496374
Changes: 
 openswan (1:2.4.12+dfsg-1.3) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Fix insucure /tmp file creation. Patch by Frank Lichtenheld
     (untested from his own words but better this than nothing)
     Closes: #496374
   * Fix pending l10n bugs. Debconf translations:
   * Czech. Closes: #489437
Checksums-Sha1: 
 e750bcfa1f1f6a5743048f2801d13f9c5a30b015 1287 openswan_2.4.12+dfsg-1.3.dsc
 fc3165533a84b1f1a4eb73dbe608cbde1179ee2e 127691 openswan_2.4.12+dfsg-1.3.diff.gz
 b18e8ac36132cfed3fa8ba450c3aefa0361d7d19 540524 openswan-modules-source_2.4.12+dfsg-1.3_all.deb
 e83a192e5d2cddd9a09c3b7a9fe6b06223eaf59d 609478 linux-patch-openswan_2.4.12+dfsg-1.3_all.deb
 e6629bfa91f9afaa1f9401715ae5760d51f15b72 1664748 openswan_2.4.12+dfsg-1.3_i386.deb
Checksums-Sha256: 
 54801a5893099180b32be3bdf2c2955740431e8ba8c6a55ce7655397e340da10 1287 openswan_2.4.12+dfsg-1.3.dsc
 c13c3486dce656e5e27e176c45df04c43b5b5f071a9d1b4f3372b2b2d70d78bb 127691 openswan_2.4.12+dfsg-1.3.diff.gz
 7125f74096da6ca55eb633a15b32a27a08c84ebe161fa52b6d989d114ab133a9 540524 openswan-modules-source_2.4.12+dfsg-1.3_all.deb
 fed5d37149ad99d8af9ae80bb47798a70abff1b6df88c495d499bc0b1967b003 609478 linux-patch-openswan_2.4.12+dfsg-1.3_all.deb
 d3ff164a4c63ed727d4b20c4db51a168c0a3d2c88341a0ba6b780b5279678a11 1664748 openswan_2.4.12+dfsg-1.3_i386.deb
Files: 
 149ebcfb1dbe7b491c21a81dd9211143 1287 net optional openswan_2.4.12+dfsg-1.3.dsc
 556dcd54b8d7475527568346c7aa98fa 127691 net optional openswan_2.4.12+dfsg-1.3.diff.gz
 70cf4c002946f46be8e563200f723f23 540524 net optional openswan-modules-source_2.4.12+dfsg-1.3_all.deb
 21f798bd7f6d84605994e3a4fe68d1ac 609478 net optional linux-patch-openswan_2.4.12+dfsg-1.3_all.deb
 9cec801eee0ccdb6d1069839b79ec418 1664748 net optional openswan_2.4.12+dfsg-1.3_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkjffnEACgkQ1OXtrMAUPS0NsACfSkwQ8dC7cWKXkeBDcqkxHwL2
TAsAnjfHhIuz/P6UQHb27tkEoGhzS+gT
=ODaN
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 30 Nov 2008 08:25:47 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 16:23:42 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.