Debian Bug report logs - #496378
The possibility of attack with the help of symlinks in some Debian packages

Package: gdrae; Maintainer for gdrae is (unknown);

Reported by: "Dmitry E. Oboukhov" <dimka@uvw.ru>

Date: Sun, 24 Aug 2008 18:09:48 UTC

Severity: grave

Tags: security

Fixed in version gdrae/0.1-1.1

Done: Chris Lamb <chris@chris-lamb.co.uk>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Alejandro Garrido Mota <garridomota@gmail.com>:
Bug#496378; Package gdrae. Full text and rfc822 format available.

Acknowledgement sent to "Dmitry E. Oboukhov" <dimka@uvw.ru>:
New Bug report received and forwarded. Copy sent to Alejandro Garrido Mota <garridomota@gmail.com>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: "Dmitry E. Oboukhov" <dimka@uvw.ru>
To: submit@bugs.debian.org
Cc: dimka@uvw.ru
Subject: The possibility of attack with the help of symlinks in some Debian packages
Date: Sun, 24 Aug 2008 22:05:30 +0400
Package: gdrae
Severity: grave

Hi, maintainer!

This message about the error concerns a few packages  at  once.   I've
tested all the packages (for Lenny) on my Debian mirror.  All  scripts
of packages (marked as executable) were tested.

In some packages I've discovered scripts with errors which may be used
by a user for damaging important system files or user's files.

For example, if a script uses in its work a temp file which is created
in the /tmp directory, then every user can create a symlink with the same
name in this directory in order to destroy or rewrite some system
or user file. A symlink attack may lead not only to data
destruction but to denial of service as well.

Even if you create files or directories with the help of the function 'RANDOM'
or pid(), your system is not protected. An attacker can create many
symlinks in order to destroy your data or create a 'denial of service'
for your package scripts.

Even if you make rm(dir) for files/directories, your system is
not protected. An attacker can permanently create symlinks.

This list is created with the help of a script. This list is sorted by
hand. However, in some cases a mistake is possible.

Please be understanding of possible mistakes. :)

I set Severity to grave for this bug. The table of discovered
problems is below.

You can see the discussion of this bug on debian-devel@:
    http://lists.debian.org/debian-devel/2008/08/msg00271.html

Binary-package: r-base-core-ra (1.1.1-1)
    file: /usr/lib/Ra/lib/R/bin/javareconf
Binary-package: rccp (0.9-2)
    file: /usr/lib/rccp/delqueueask
Binary-package: mafft (6.240-1)
    file: /usr/bin/mafft-homologs
Binary-package: openoffice.org-common (1:2.4.1-6)
    file: /usr/lib/openoffice/program/senddoc
Binary-package: crossfire-maps (1.11.0-1)
    file: /usr/share/games/crossfire/maps/Info/combine.pl
Binary-package: sgml2x (1.0.0-11.1)
    file: /usr/bin/rlatex
Binary-package: liguidsoap (0.3.6-4)
    file: /var/lib/liguidsoap/liguidsoap.py
Binary-package: citadel-server (7.37-1)
    file: /usr/lib/citadel-server/migrate_aliases.sh
Binary-package: ampache (3.4.1-1)
    file: /usr/share/ampache/www/locale/base/gather-messages.sh
Binary-package: xen-utils-3.2-1 (3.2.1-2)
    file: /usr/lib/xen-3.2-1/bin/qemu-dm.debug
Binary-package: dtc-common (0.29.6-1)
    file: /usr/share/dtc/admin/accesslog.php
    file: /usr/share/dtc/admin/sa-wrapper
Binary-package: honeyd-common (1.5c-3)
    file: /usr/share/honeyd/scripts/test.sh
Binary-package: lustre-tests (1.6.5-1)
    file: /usr/lib/lustre/tests/runiozone
Binary-package: linuxtrade (3.65-8+b4)
    file: /usr/share/linuxtrade/bin/linuxtrade.bwkvol
    file: /usr/share/linuxtrade/bin/linuxtrade.wn
    file: /usr/share/linuxtrade/bin/moneyam.helper
Binary-package: freevo (1.8.1-0)
    file: /usr/bin/freevo.real
Binary-package: fml (4.0.3.dfsg-2)
    file: /usr/share/fml/libexec/mead.pl
Binary-package: rkhunter (1.3.2-3)
    file: /usr/bin/rkhunter
Binary-package: openswan (1:2.4.12+dfsg-1.1)
    file: /usr/lib/ipsec/livetest
Binary-package: linux-patch-openswan (1:2.4.12+dfsg-1.1)
    file: /usr/src/kernel-patches/all/openswan/packaging/utils/maysnap
    file: /usr/src/kernel-patches/all/openswan/packaging/utils/maytest
Binary-package: aptoncd (0.1-1.1)
    file: /usr/share/aptoncd/xmlfile.py
Binary-package: cdcontrol (1.90-1.1)
    file: /usr/lib/cdcontrol/writtercontrol
Binary-package: newsgate (1.6-23)
    file: /usr/bin/mkmailpost
Binary-package: gpsdrive-scripts (2.10~pre4-3)
    file: /usr/bin/geo-code
Binary-package: impose+ (0.2-11)
    file: /usr/bin/impose
Binary-package: mgt (2.31-5)
    file: /usr/games/mailgo
Binary-package: audiolink (0.05-1)
    file: /usr/bin/audiolink
Binary-package: ibackup (2.27-4.1)
    file: /usr/bin/ibackup
Binary-package: emacspeak (26.0-3)
    file: /usr/share/emacs/site-lisp/emacspeak/etc/extract-table.pl
Binary-package: bk2site (1:1.1.9-3.1)
    file: /usr/lib/cgi-bin/bk2site/redirect.pl
Binary-package: datafreedom-perl (0.1.7-1)
    file: /usr/bin/dfxml-invoice
Binary-package: emacs-jabber (0.7.91-1)
    file: /usr/lib/emacsen-common/packages/install/emacs-jabber
Binary-package: lmbench (3.0-a7-1)
    file: /usr/lib/lmbench/scripts/rccs
    file: /usr/lib/lmbench/scripts/STUFF
Binary-package: rancid-util (2.3.2~a8-1)
    file: /var/lib/rancid/getipacctg
Binary-package: ogle (0.9.2-5.2)
    file: /usr/lib/ogle/ogle_audio_debug
    file: /usr/lib/ogle/ogle_cli_debug
    file: /usr/lib/ogle/ogle_ctrl_debug
    file: /usr/lib/ogle/ogle_gui_debug
    file: /usr/lib/ogle/ogle_mpeg_ps_debug
    file: /usr/lib/ogle/ogle_mpeg_vs_debug
    file: /usr/lib/ogle/ogle_nav_debug
    file: /usr/lib/ogle/ogle_vout_debug
Binary-package: firehol (1.256-4)
    file: /sbin/firehol
Binary-package: aview (1.3.0rc1-8)
    file: /usr/bin/asciiview
Binary-package: radiance (3R9+20080530-3)
    file: /usr/bin/optics2rad
    file: /usr/bin/pdelta
    file: /usr/bin/dayfact
    file: /usr/bin/raddepend
Binary-package: vdr-dbg (1.6.0-5)
    file: /usr/bin/vdrleaktest
Binary-package: ogle-mmx (0.9.2-5.2)
    file: /usr/lib/ogle/ogle_audio_debug
    file: /usr/lib/ogle/ogle_cli_debug
    file: /usr/lib/ogle/ogle_ctrl_debug
    file: /usr/lib/ogle/ogle_gui_debug
    file: /usr/lib/ogle/ogle_mpeg_ps_debug
    file: /usr/lib/ogle/ogle_mpeg_vs_debug
    file: /usr/lib/ogle/ogle_nav_debug
    file: /usr/lib/ogle/ogle_vout_debug
Binary-package: convirt (0.8.2-3)
    file: /usr/share/convirt/image_store/_template_/provision.sh
    file: /usr/share/convirt/image_store/Linux_CD_Install/provision.sh
    file: /usr/share/convirt/image_store/Fedora_PV_Install/provision.sh
    file: /usr/share/convirt/image_store/CentOS_PV_Install/provision.sh
    file: /usr/share/convirt/image_store/common/provision.sh
    file: /usr/share/convirt/image_store/example/provision.sh
    file: /usr/share/convirt/image_store/Windows_CD_Install/provision.sh
Binary-package: printfilters-ppd (2.13-9)
    file: /usr/lib/printfilters/master-filter
Binary-package: r-base-core (2.7.1-1)
    file: /usr/lib/R/bin/javareconf
    file: /usr/lib/R/bin/javareconf.orig
Binary-package: xmcd (2.6-19.3)
    file: /usr/share/xmcd/scripts/ncsarmt
    file: /usr/share/xmcd/scripts/ncsawrap
Binary-package: tiger (1:3.2.2-3.1)
    file: /usr/lib/tiger/util/genmsgidx
Binary-package: scilab-bin (4.1.2-5)
    file: /usr/lib/scilab-4.1.2/bin/scilink
    file: /usr/lib/scilab-4.1.2/util/scidoc
    file: /usr/lib/scilab-4.1.2/util/scidem
Binary-package: dpkg-cross (2.3.0)
    file: /usr/share/dpkg-cross/bin/gccross
Binary-package: ltp-network-test (20060918-2.1)
    file: /usr/lib/debian-test/tests/linux/testcases/bin/ftp_setup_vsftp_conf
    file: /usr/lib/debian-test/tests/linux/testcases/bin/nfs_fsstress.sh
Binary-package: cman (2.20080629-1)
    file: /usr/sbin/fence_egenera
Binary-package: scratchbox2 (1.99.0.24-1)
    file: /usr/share/scratchbox2/scripts/dpkg-checkbuilddeps
    file: /usr/share/scratchbox2/scripts/sb2-check-pkg-mappings
Binary-package: sendmail-base (8.14.3-5)
    file: /usr/sbin/checksendmail
    file: /usr/bin/expn
Binary-package: fwbuilder (2.1.19-3)
    file: /usr/bin/fwb_install
Binary-package: sng (1.0.2-5)
    file: /usr/bin/sng_regress
Binary-package: dist (1:3.5-17-1)
    file: /usr/bin/patcil
    file: /usr/bin/patdiff
Binary-package: sympa (5.3.4-5)
    file: /usr/lib/cgi-bin/sympa/wwsympa.fcgi
    file: /usr/lib/sympa/bin/sympa.pl
Binary-package: postfix (2.5.2-2)
    file: /usr/lib/postfix_groups.pl
Binary-package: caudium (3:1.4.12-11)
    file: /usr/share/caudium/configvar
Binary-package: mgetty-fax (1.1.36-1.2)
    file: /usr/bin/faxspool
Binary-package: aegis (4.24-3)
    file: /usr/share/doc/aegis/examples/remind/bng_dvlpd.sh
    file: /usr/share/doc/aegis/examples/remind/bng_rvwd.sh
    file: /usr/share/doc/aegis/examples/remind/awt_dvlp.sh
    file: /usr/share/doc/aegis/examples/remind/awt_intgrtn.sh
Binary-package: aegis-web (4.24-3)
    file: /usr/lib/cgi-bin/aegis.cgi
Binary-package: digitaldj (0.7.5-6+b1)
    file: /usr/share/digitaldj/fest.pl
Binary-package: mon (0.99.2-12)
    file: /usr/lib/mon/alert.d/test.alert
Binary-package: feta (1.4.16)
    file: /usr/share/feta/plugins/to-upgrade
Binary-package: arb-common (0.0.20071207.1-4)
    file: /usr/lib/arb/SH/arb_fastdnaml
    file: /usr/lib/arb/SH/dszmconnect.pl
Binary-package: qemu (0.9.1-5)
    file: /usr/sbin/qemu-make-debian-root
Binary-package: apertium (3.0.7+1-1+b1)
    file: /usr/bin/apertium-gen-deformat
    file: /usr/bin/apertium-gen-reformat
    file: /usr/bin/apertium
Binary-package: xcal (4.1-18.3)
    file: /usr/bin/pscal
Binary-package: myspell-tools (1:3.1-20)
    file: /usr/bin/i2myspell
Binary-package: gccxml (0.9.0+cvs20080525-1)
    file: /usr/share/gccxml-0.9/MIPSpro/find_flags
Binary-package: freeradius-dialupadmin (2.0.4+dfsg-4)
    file: /usr/share/freeradius-dialupadmin/bin/backup_radacct
    file: /usr/share/freeradius-dialupadmin/bin/clean_radacct
    file: /usr/share/freeradius-dialupadmin/bin/monthly_tot_stats
    file: /usr/share/freeradius-dialupadmin/bin/tot_stats
    file: /usr/share/freeradius-dialupadmin/bin/truncate_radacct
Binary-package: dhis-server (5.3-1)
    file: /usr/lib/dhis-server/dhis-dummy-log-engine
Binary-package: wims (3.62-13)
    file: /var/lib/wims/public_html/bin/coqweb
    file: /var/lib/wims/bin/account.sh
Binary-package: initramfs-tools (0.92f)
    file: /usr/share/initramfs-tools/init
Binary-package: realtimebattle-common (1.0.8-7)
    file: /usr/lib/realtimebattle/Robots/perl.robot
Binary-package: netmrg (0.20-1)
    file: /usr/bin/rrdedit
Binary-package: bulmages-servers (0.11.1-2)
    file: /usr/share/bulmages/examples/scripts/actualizabulmacont
    file: /usr/share/bulmages/examples/scripts/installbulmages-db
    file: /usr/share/bulmages/examples/scripts/creabulmafact
    file: /usr/share/bulmages/examples/scripts/creabulmacont
    file: /usr/share/bulmages/examples/scripts/actualizabulmafact
Binary-package: xastir (1.9.2-1)
    file: /usr/lib/xastir/get-maptools.sh
    file: /usr/lib/xastir/get_shapelib.sh
Binary-package: plait (1.5.2-1)
    file: /usr/bin/plaiter
    file: /usr/bin/plait
Binary-package: cdrw-taper (0.4-2)
    file: /usr/sbin/amlabel-cdrw
Binary-package: konwert-filters (1.8-11.1)
    file: /usr/share/konwert/filters/any-UTF8
Binary-package: gdrae (0.1-1)
    file: /usr/bin/gdrae
Binary-package: lazarus-src (0.9.24-0-9)
    file: /usr/lib/lazarus/tools/install/create_lazarus_export_tgz.sh




Information forwarded to debian-bugs-dist@lists.debian.org, Alejandro Garrido Mota <garridomota@gmail.com>:
Bug#496378; Package gdrae. Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Alejandro Garrido Mota <garridomota@gmail.com>. Full text and rfc822 format available.

Message #10 received at 496378@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: "Dmitry E. Oboukhov" <dimka@uvw.ru>
Cc: 496378@bugs.debian.org
Subject: Re: The possibility of attack with the help of symlinks in some Debian packages
Date: Mon, 25 Aug 2008 00:59:05 +0200
On Sun, Aug 24, 2008 at 10:05:30PM +0400, Dmitry E. Oboukhov wrote:
> Package: gdrae
> Severity: grave
> 
> Hi, maintainer!

gdrae is indeed vulnerable to temp file attacks through /tmp/gdrae/palabra

However, I have some doubts whether this should be fixed or gdrae
rather be removed altogether: It consists of a very small shell script
(43 lines), which only runs a lynx dump on 
http://buscon.rae.es/draeI/SrvltGUIBusUsual?LEMA=$palabra"

This will break whenever they update their site scheme and there are much
more useful approaches in search engine frontends, e.g. the surfraw package
or Iceweasel website search scripts.

The package is also unmaintained beyond the initial upload.

Cheers,
        Moritz




Tags added: Request was from "Dmitry E. Oboukhov" <dimka@uvw.ru> to control@bugs.debian.org. (Tue, 26 Aug 2008 08:45:22 GMT) Full text and rfc822 format available.

Tags added: security Request was from "Dmitry E. Oboukhov" <dimka@uvw.ru> to control@bugs.debian.org. (Tue, 26 Aug 2008 08:57:15 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Alejandro Garrido Mota <garridomota@gmail.com>:
Bug#496378; Package gdrae. Full text and rfc822 format available.

Acknowledgement sent to Chris Lamb <chris@chris-lamb.co.uk>:
Extra info received and forwarded to list. Copy sent to Alejandro Garrido Mota <garridomota@gmail.com>. Full text and rfc822 format available.

Message #19 received at 496378@bugs.debian.org (full text, mbox):

From: Chris Lamb <chris@chris-lamb.co.uk>
To: 496378@bugs.debian.org
Subject: gdrae: diff for NMU version 0.1-1.1
Date: Tue, 9 Sep 2008 02:05:46 +0100
[Message part 1 (text/plain, inline)]
Hi,

The attached file is the diff for my gdrae 0.1-1.1 NMU. The associated
changelog entry is:

 gdrae (0.1-1.1) unstable; urgency=medium

   * Non-maintainer upload.
   * Use File::Temp in place of hard-coded temporary filename to prevent
     against symlink-based attacks. (Closes: #496378)


Regards,

-- 
Chris Lamb, UK                                       chris@chris-lamb.co.uk
                                                            GPG: 0x634F9A20
[gdrae-0.1-1.1-nmu.diff.txt (text/plain, attachment)]
[signature.asc (application/pgp-signature, attachment)]
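
The predictable-name pattern described in the original report, next to the kind of fix the NMU changelog names, as an added shell example (not gdrae's code and not the NMU diff, which is not reproduced on this page). It uses mktemp(1) as the shell analogue of Perl's File::Temp; the function names, the file name `gdrae-demo.tmp` and the private sandbox that stands in for /tmp are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example. All names and paths below are constructed for the demo.
NAME=gdrae-demo.tmp   # hypothetical fixed temp-file name

# Unsafe: fixed, guessable name in a shared directory. ">" follows symlinks,
# so a link already present at that name redirects the write to its target.
write_predictable() {            # $1 = shared dir, $2 = data
    printf '%s\n' "$2" > "$1/$NAME"
}

# Fail-closed: with noclobber (set -C) ">" refuses to write through an
# existing name. The target survives, but the script cannot proceed, which
# is the denial of service the report mentions.
write_noclobber() {              # $1 = shared dir, $2 = data
    ( set -C; printf '%s\n' "$2" > "$1/$NAME" ) 2>/dev/null
}

# Hardened: mktemp(1) picks an unpredictable name and creates the file
# exclusively with mode 0600, so an existing link is neither followed nor
# able to block the script.
write_safe() {                   # $1 = shared dir, $2 = data; prints the path
    tmp=$(mktemp "$1/gdrae-demo.XXXXXXXXXX") || return 1
    printf '%s\n' "$2" > "$tmp"
    printf '%s\n' "$tmp"
}

# Private sandbox: "shared" stands in for /tmp, "victim" for a file the
# script's user can write, and the link is already in place.
setup_sandbox() {
    sb=$(mktemp -d) || return 1
    mkdir "$sb/shared"
    printf 'important\n' > "$sb/victim"
    ln -s "$sb/victim" "$sb/shared/$NAME"
    printf '%s\n' "$sb"
}

# Run one variant against the sandbox and print the victim's content afterwards.
run_case() {                     # $1 = unsafe | noclobber | safe
    sb=$(setup_sandbox) || return 1
    case $1 in
        unsafe)    write_predictable "$sb/shared" 'scratch data' ;;
        noclobber) write_noclobber "$sb/shared" 'scratch data' || : ;;
        safe)      write_safe "$sb/shared" 'scratch data' >/dev/null ;;
    esac
    cat "$sb/victim"
    rm -rf "$sb"
}

for variant in unsafe noclobber safe; do
    printf '%-9s victim now contains: %s\n' "$variant" "$(run_case "$variant")"
done
```

On current Linux kernels the `fs.protected_symlinks` sysctl additionally refuses to follow such links in sticky world-writable directories, which is why the sandbox uses a plain directory.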

Information forwarded to debian-bugs-dist@lists.debian.org, Alejandro Garrido Mota <garridomota@gmail.com>:
Bug#496378; Package gdrae. Full text and rfc822 format available.

Acknowledgement sent to Chris Lamb <chris@chris-lamb.co.uk>:
Extra info received and forwarded to list. Copy sent to Alejandro Garrido Mota <garridomota@gmail.com>. Full text and rfc822 format available.

Message #24 received at 496378@bugs.debian.org (full text, mbox):

From: Chris Lamb <chris@chris-lamb.co.uk>
To: 496378@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@inutil.org>
Subject: Re: The possibility of attack with the help of symlinks in some Debian packages
Date: Tue, 9 Sep 2008 02:08:08 +0100
[Message part 1 (text/plain, inline)]
Moritz Muehlenhoff wrote:

> However, I have some doubts whether this should be fixed or gdrae
> rather be removed altogether

I would tend to agree. However, I'm going to upload the NMU anyway because
it's simple and is security-related.

Would you like to try and contact upstream and see if there is a suitable
replacement available?


Regards,

-- 
Chris Lamb, UK                                       chris@chris-lamb.co.uk
                                                            GPG: 0x634F9A20
[signature.asc (application/pgp-signature, attachment)]

Reply sent to Chris Lamb <chris@chris-lamb.co.uk>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to "Dmitry E. Oboukhov" <dimka@uvw.ru>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #29 received at 496378-close@bugs.debian.org (full text, mbox):

From: Chris Lamb <chris@chris-lamb.co.uk>
To: 496378-close@bugs.debian.org
Subject: Bug#496378: fixed in gdrae 0.1-1.1
Date: Tue, 09 Sep 2008 21:17:27 +0000
Source: gdrae
Source-Version: 0.1-1.1

We believe that the bug you reported is fixed in the latest version of
gdrae, which is due to be installed in the Debian FTP archive:

gdrae_0.1-1.1.diff.gz
  to pool/main/g/gdrae/gdrae_0.1-1.1.diff.gz
gdrae_0.1-1.1.dsc
  to pool/main/g/gdrae/gdrae_0.1-1.1.dsc
gdrae_0.1-1.1_all.deb
  to pool/main/g/gdrae/gdrae_0.1-1.1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 496378@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <chris@chris-lamb.co.uk> (supplier of updated gdrae package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Tue, 09 Sep 2008 01:55:53 +0100
Source: gdrae
Binary: gdrae
Architecture: source all
Version: 0.1-1.1
Distribution: unstable
Urgency: medium
Maintainer: Alejandro Garrido Mota <garridomota@gmail.com>
Changed-By: Chris Lamb <chris@chris-lamb.co.uk>
Description: 
 gdrae      - A Real Academia Espanola dictinoary interface
Closes: 496378
Changes: 
 gdrae (0.1-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Use File::Temp in place of hard-coded temporary filename to prevent against
     symlink-based attacks. (Closes: #496378)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 16 Feb 2009 08:34:16 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 13:31:55 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.