Debian Bug report logs - #496387
The possibility of attack with the help of symlinks in some Debian packages


Package: wims; Maintainer for wims is Georges Khaznadar <georgesk@debian.org>; Source for wims is src:wims.

Reported by: "Dmitry E. Oboukhov" <dimka@uvw.ru>

Date: Sun, 24 Aug 2008 18:10:14 UTC

Severity: grave

Tags: security

Fixed in version wims/3.62-13.1

Done: Chris Lamb <lamby@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Georges Khaznadar <georgesk@ofset.org>:
Bug#496387; Package wims. Full text and rfc822 format available.

Acknowledgement sent to "Dmitry E. Oboukhov" <dimka@uvw.ru>:
New Bug report received and forwarded. Copy sent to Georges Khaznadar <georgesk@ofset.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: "Dmitry E. Oboukhov" <dimka@uvw.ru>
To: submit@bugs.debian.org
Cc: dimka@uvw.ru
Subject: The possibility of attack with the help of symlinks in some Debian packages
Date: Sun, 24 Aug 2008 22:05:30 +0400
Package: wims
Severity: grave

Hi, maintainer!

This message about the error concerns a few packages at once. I've
tested all the packages (for Lenny) on my Debian mirror. All scripts
of packages (marked as executable) were tested.

In some packages I've discovered scripts with errors which may be used
by a user for damaging important system files or user's files.

For example, if a script uses in its work a temp file which is created
in the /tmp directory, then every user can create a symlink with the same
name in this directory in order to destroy or rewrite some system
or user file. A symlink attack may also lead not only to data
destruction but to denial of service as well.

Even if you create files or directories with the help of the function 'RANDOM'
or pid(), then your system is not protected. An attacker can create many
symlinks in order to destroy your data or create a 'denial of service'
for your package scripts.

Even if you make rm(dir) for files/directories, then your system is
not protected. An attacker can permanently create symlinks.

This list is created with the help of a script. This list is sorted by
hand. However, in some cases a mistake is possible.

Please be understanding of possible mistakes. :)

I set Severity to grave for this bug. The table of discovered
problems is below.

Discussion of this bug you can see in debian-devel@:
    http://lists.debian.org/debian-devel/2008/08/msg00271.html

Binary-package: r-base-core-ra (1.1.1-1)
    file: /usr/lib/Ra/lib/R/bin/javareconf
Binary-package: rccp (0.9-2)
    file: /usr/lib/rccp/delqueueask
Binary-package: mafft (6.240-1)
    file: /usr/bin/mafft-homologs
Binary-package: openoffice.org-common (1:2.4.1-6)
    file: /usr/lib/openoffice/program/senddoc
Binary-package: crossfire-maps (1.11.0-1)
    file: /usr/share/games/crossfire/maps/Info/combine.pl
Binary-package: sgml2x (1.0.0-11.1)
    file: /usr/bin/rlatex
Binary-package: liguidsoap (0.3.6-4)
    file: /var/lib/liguidsoap/liguidsoap.py
Binary-package: citadel-server (7.37-1)
    file: /usr/lib/citadel-server/migrate_aliases.sh
Binary-package: ampache (3.4.1-1)
    file: /usr/share/ampache/www/locale/base/gather-messages.sh
Binary-package: xen-utils-3.2-1 (3.2.1-2)
    file: /usr/lib/xen-3.2-1/bin/qemu-dm.debug
Binary-package: dtc-common (0.29.6-1)
    file: /usr/share/dtc/admin/accesslog.php
    file: /usr/share/dtc/admin/sa-wrapper
Binary-package: honeyd-common (1.5c-3)
    file: /usr/share/honeyd/scripts/test.sh
Binary-package: lustre-tests (1.6.5-1)
    file: /usr/lib/lustre/tests/runiozone
Binary-package: linuxtrade (3.65-8+b4)
    file: /usr/share/linuxtrade/bin/linuxtrade.bwkvol
    file: /usr/share/linuxtrade/bin/linuxtrade.wn
    file: /usr/share/linuxtrade/bin/moneyam.helper
Binary-package: freevo (1.8.1-0)
    file: /usr/bin/freevo.real
Binary-package: fml (4.0.3.dfsg-2)
    file: /usr/share/fml/libexec/mead.pl
Binary-package: rkhunter (1.3.2-3)
    file: /usr/bin/rkhunter
Binary-package: openswan (1:2.4.12+dfsg-1.1)
    file: /usr/lib/ipsec/livetest
Binary-package: linux-patch-openswan (1:2.4.12+dfsg-1.1)
    file: /usr/src/kernel-patches/all/openswan/packaging/utils/maysnap
    file: /usr/src/kernel-patches/all/openswan/packaging/utils/maytest
Binary-package: aptoncd (0.1-1.1)
    file: /usr/share/aptoncd/xmlfile.py
Binary-package: cdcontrol (1.90-1.1)
    file: /usr/lib/cdcontrol/writtercontrol
Binary-package: newsgate (1.6-23)
    file: /usr/bin/mkmailpost
Binary-package: gpsdrive-scripts (2.10~pre4-3)
    file: /usr/bin/geo-code
Binary-package: impose+ (0.2-11)
    file: /usr/bin/impose
Binary-package: mgt (2.31-5)
    file: /usr/games/mailgo
Binary-package: audiolink (0.05-1)
    file: /usr/bin/audiolink
Binary-package: ibackup (2.27-4.1)
    file: /usr/bin/ibackup
Binary-package: emacspeak (26.0-3)
    file: /usr/share/emacs/site-lisp/emacspeak/etc/extract-table.pl
Binary-package: bk2site (1:1.1.9-3.1)
    file: /usr/lib/cgi-bin/bk2site/redirect.pl
Binary-package: datafreedom-perl (0.1.7-1)
    file: /usr/bin/dfxml-invoice
Binary-package: emacs-jabber (0.7.91-1)
    file: /usr/lib/emacsen-common/packages/install/emacs-jabber
Binary-package: lmbench (3.0-a7-1)
    file: /usr/lib/lmbench/scripts/rccs
    file: /usr/lib/lmbench/scripts/STUFF
Binary-package: rancid-util (2.3.2~a8-1)
    file: /var/lib/rancid/getipacctg
Binary-package: ogle (0.9.2-5.2)
    file: /usr/lib/ogle/ogle_audio_debug
    file: /usr/lib/ogle/ogle_cli_debug
    file: /usr/lib/ogle/ogle_ctrl_debug
    file: /usr/lib/ogle/ogle_gui_debug
    file: /usr/lib/ogle/ogle_mpeg_ps_debug
    file: /usr/lib/ogle/ogle_mpeg_vs_debug
    file: /usr/lib/ogle/ogle_nav_debug
    file: /usr/lib/ogle/ogle_vout_debug
Binary-package: firehol (1.256-4)
    file: /sbin/firehol
Binary-package: aview (1.3.0rc1-8)
    file: /usr/bin/asciiview
Binary-package: radiance (3R9+20080530-3)
    file: /usr/bin/optics2rad
    file: /usr/bin/pdelta
    file: /usr/bin/dayfact
    file: /usr/bin/raddepend
Binary-package: vdr-dbg (1.6.0-5)
    file: /usr/bin/vdrleaktest
Binary-package: ogle-mmx (0.9.2-5.2)
    file: /usr/lib/ogle/ogle_audio_debug
    file: /usr/lib/ogle/ogle_cli_debug
    file: /usr/lib/ogle/ogle_ctrl_debug
    file: /usr/lib/ogle/ogle_gui_debug
    file: /usr/lib/ogle/ogle_mpeg_ps_debug
    file: /usr/lib/ogle/ogle_mpeg_vs_debug
    file: /usr/lib/ogle/ogle_nav_debug
    file: /usr/lib/ogle/ogle_vout_debug
Binary-package: convirt (0.8.2-3)
    file: /usr/share/convirt/image_store/_template_/provision.sh
    file: /usr/share/convirt/image_store/Linux_CD_Install/provision.sh
    file: /usr/share/convirt/image_store/Fedora_PV_Install/provision.sh
    file: /usr/share/convirt/image_store/CentOS_PV_Install/provision.sh
    file: /usr/share/convirt/image_store/common/provision.sh
    file: /usr/share/convirt/image_store/example/provision.sh
    file: /usr/share/convirt/image_store/Windows_CD_Install/provision.sh
Binary-package: printfilters-ppd (2.13-9)
    file: /usr/lib/printfilters/master-filter
Binary-package: r-base-core (2.7.1-1)
    file: /usr/lib/R/bin/javareconf
    file: /usr/lib/R/bin/javareconf.orig
Binary-package: xmcd (2.6-19.3)
    file: /usr/share/xmcd/scripts/ncsarmt
    file: /usr/share/xmcd/scripts/ncsawrap
Binary-package: tiger (1:3.2.2-3.1)
    file: /usr/lib/tiger/util/genmsgidx
Binary-package: scilab-bin (4.1.2-5)
    file: /usr/lib/scilab-4.1.2/bin/scilink
    file: /usr/lib/scilab-4.1.2/util/scidoc
    file: /usr/lib/scilab-4.1.2/util/scidem
Binary-package: dpkg-cross (2.3.0)
    file: /usr/share/dpkg-cross/bin/gccross
Binary-package: ltp-network-test (20060918-2.1)
    file: /usr/lib/debian-test/tests/linux/testcases/bin/ftp_setup_vsftp_conf
    file: /usr/lib/debian-test/tests/linux/testcases/bin/nfs_fsstress.sh
Binary-package: cman (2.20080629-1)
    file: /usr/sbin/fence_egenera
Binary-package: scratchbox2 (1.99.0.24-1)
    file: /usr/share/scratchbox2/scripts/dpkg-checkbuilddeps
    file: /usr/share/scratchbox2/scripts/sb2-check-pkg-mappings
Binary-package: sendmail-base (8.14.3-5)
    file: /usr/sbin/checksendmail
    file: /usr/bin/expn
Binary-package: fwbuilder (2.1.19-3)
    file: /usr/bin/fwb_install
Binary-package: sng (1.0.2-5)
    file: /usr/bin/sng_regress
Binary-package: dist (1:3.5-17-1)
    file: /usr/bin/patcil
    file: /usr/bin/patdiff
Binary-package: sympa (5.3.4-5)
    file: /usr/lib/cgi-bin/sympa/wwsympa.fcgi
    file: /usr/lib/sympa/bin/sympa.pl
Binary-package: postfix (2.5.2-2)
    file: /usr/lib/postfix_groups.pl
Binary-package: caudium (3:1.4.12-11)
    file: /usr/share/caudium/configvar
Binary-package: mgetty-fax (1.1.36-1.2)
    file: /usr/bin/faxspool
Binary-package: aegis (4.24-3)
    file: /usr/share/doc/aegis/examples/remind/bng_dvlpd.sh
    file: /usr/share/doc/aegis/examples/remind/bng_rvwd.sh
    file: /usr/share/doc/aegis/examples/remind/awt_dvlp.sh
    file: /usr/share/doc/aegis/examples/remind/awt_intgrtn.sh
Binary-package: aegis-web (4.24-3)
    file: /usr/lib/cgi-bin/aegis.cgi
Binary-package: digitaldj (0.7.5-6+b1)
    file: /usr/share/digitaldj/fest.pl
Binary-package: mon (0.99.2-12)
    file: /usr/lib/mon/alert.d/test.alert
Binary-package: feta (1.4.16)
    file: /usr/share/feta/plugins/to-upgrade
Binary-package: arb-common (0.0.20071207.1-4)
    file: /usr/lib/arb/SH/arb_fastdnaml
    file: /usr/lib/arb/SH/dszmconnect.pl
Binary-package: qemu (0.9.1-5)
    file: /usr/sbin/qemu-make-debian-root
Binary-package: apertium (3.0.7+1-1+b1)
    file: /usr/bin/apertium-gen-deformat
    file: /usr/bin/apertium-gen-reformat
    file: /usr/bin/apertium
Binary-package: xcal (4.1-18.3)
    file: /usr/bin/pscal
Binary-package: myspell-tools (1:3.1-20)
    file: /usr/bin/i2myspell
Binary-package: gccxml (0.9.0+cvs20080525-1)
    file: /usr/share/gccxml-0.9/MIPSpro/find_flags
Binary-package: freeradius-dialupadmin (2.0.4+dfsg-4)
    file: /usr/share/freeradius-dialupadmin/bin/backup_radacct
    file: /usr/share/freeradius-dialupadmin/bin/clean_radacct
    file: /usr/share/freeradius-dialupadmin/bin/monthly_tot_stats
    file: /usr/share/freeradius-dialupadmin/bin/tot_stats
    file: /usr/share/freeradius-dialupadmin/bin/truncate_radacct
Binary-package: dhis-server (5.3-1)
    file: /usr/lib/dhis-server/dhis-dummy-log-engine
Binary-package: wims (3.62-13)
    file: /var/lib/wims/public_html/bin/coqweb
    file: /var/lib/wims/bin/account.sh
Binary-package: initramfs-tools (0.92f)
    file: /usr/share/initramfs-tools/init
Binary-package: realtimebattle-common (1.0.8-7)
    file: /usr/lib/realtimebattle/Robots/perl.robot
Binary-package: netmrg (0.20-1)
    file: /usr/bin/rrdedit
Binary-package: bulmages-servers (0.11.1-2)
    file: /usr/share/bulmages/examples/scripts/actualizabulmacont
    file: /usr/share/bulmages/examples/scripts/installbulmages-db
    file: /usr/share/bulmages/examples/scripts/creabulmafact
    file: /usr/share/bulmages/examples/scripts/creabulmacont
    file: /usr/share/bulmages/examples/scripts/actualizabulmafact
Binary-package: xastir (1.9.2-1)
    file: /usr/lib/xastir/get-maptools.sh
    file: /usr/lib/xastir/get_shapelib.sh
Binary-package: plait (1.5.2-1)
    file: /usr/bin/plaiter
    file: /usr/bin/plait
Binary-package: cdrw-taper (0.4-2)
    file: /usr/sbin/amlabel-cdrw
Binary-package: konwert-filters (1.8-11.1)
    file: /usr/share/konwert/filters/any-UTF8
Binary-package: gdrae (0.1-1)
    file: /usr/bin/gdrae
Binary-package: lazarus-src (0.9.24-0-9)
    file: /usr/lib/lazarus/tools/install/create_lazarus_export_tgz.sh
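As an added example (not code from the report or from the wims package), the following POSIX shell script reproduces the temp-file idioms the report describes in a constructed sample, shows the mktemp-based replacement, and scans a script for /tmp paths that are not created through mktemp, in the spirit of the reporter's own scan. It assumes a mktemp that accepts a template (GNU and BSD both do); the sample script and the wims.XXXXXX prefix are constructed for the example.

```shell
#!/bin/sh
# Added example for Debian bug #496387; not code from the report or from wims.
# Assumes a POSIX shell and a mktemp that accepts a template argument.

# 1. A constructed sample script containing the idioms the report flags:
#    fixed names under /tmp, and names made "unique" with $$ or $RANDOM.
SAMPLE_SCRIPT=$(mktemp "${TMPDIR:-/tmp}/sample.XXXXXX") || exit 1
trap 'rm -f "$SAMPLE_SCRIPT"' EXIT
cat >"$SAMPLE_SCRIPT" <<'EOF'
#!/bin/sh
# fixed name: any local user can pre-create it as a symlink to a file they
# cannot write, and the script then overwrites that file for them
OUT=/tmp/texgif.gif
# pid or $RANDOM suffix: the name space is small enough to pre-populate
TMP=/tmp/account.$$
WORK=/tmp/work.$RANDOM
rm -f "$TMP"        # removing first does not help: the link is re-created in the gap
echo data > "$TMP"
# safe: mktemp creates the file itself with O_CREAT|O_EXCL and mode 0600,
# so a pre-planted symlink makes the call fail instead of being followed
SAFE=$(mktemp /tmp/account.XXXXXX) || exit 1
echo data > "$SAFE"
EOF

# 2. The safe idiom as a reusable function: a private scratch directory.
#    Files created inside it are out of reach of symlinks planted by other
#    users, because those users cannot enter the directory at all.
#    (mktemp -d already creates it with mode 0700; the chmod is explicit.)
make_private_workdir() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/wims.XXXXXX") || return 1
    chmod 700 "$dir" || return 1
    printf '%s\n' "$dir"
}

# 3. A scanner: print the lines of a script that reference a path under
#    /tmp or /var/tmp without creating it through mktemp. Comment lines are
#    ignored. Output format is "lineno:text".
unsafe_tmp_lines() {
    grep -nE '(^|[^A-Za-z0-9_])/(var/)?tmp/' "$1" \
        | grep -vE '^[0-9]+:[[:space:]]*#' \
        | grep -v 'mktemp'
}

# Number of such lines, usable as a pass/fail signal in a package check.
count_unsafe_tmp() {
    unsafe_tmp_lines "$1" | wc -l | tr -d ' '
}

# Demonstration: the sample has three unsafe references (OUT, TMP, WORK)
# and one safe one (SAFE), so the count is 3.
count_unsafe_tmp "$SAMPLE_SCRIPT"   # prints 3
unsafe_tmp_lines "$SAMPLE_SCRIPT"
```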




Information forwarded to debian-bugs-dist@lists.debian.org, Georges Khaznadar <georgesk@ofset.org>:
Bug#496387; Package wims. Full text and rfc822 format available.

Acknowledgement sent to Georges Khaznadar <georges.khaznadar@free.fr>:
Extra info received and forwarded to list. Copy sent to Georges Khaznadar <georgesk@ofset.org>. Full text and rfc822 format available.

Message #10 received at 496387@bugs.debian.org (full text, mbox):

From: Georges Khaznadar <georges.khaznadar@free.fr>
To: "Dmitry E. Oboukhov" <dimka@uvw.ru>, 496387@bugs.debian.org
Cc: José Luis Redrejo <jredrejo@edu.juntaextremadura.net>
Subject: Re: Bug#496387: The possibility of attack with the help of symlinks in some Debian packages
Date: Mon, 25 Aug 2008 09:59:52 +0200
Hello Dmitri, José Luis,

Dmitri,
thank you for your investigation work: your script revealed some weak
points inside scripts of the package wims. I made a new package to fix
these weaknesses, and will send a message about them to the upstream
developer.

José Luis,
please can you sponsor the new package? The description file is at
ftp://debian.ofset.org/debian/pool/main/w/wims_3.62-15.dsc

Thanking you in advance,

best regards,				Georges.


-- 
Georges KHAZNADAR et Jocelyne FOURNIER
22 rue des mouettes, 59240 Dunkerque France.
Téléphone +33 (0)3 28 29 17 70


Information forwarded to debian-bugs-dist@lists.debian.org, Georges Khaznadar <georgesk@ofset.org>:
Bug#496387; Package wims. Full text and rfc822 format available.

Acknowledgement sent to "Dmitry E. Oboukhov" <unera@debian.org>:
Extra info received and forwarded to list. Copy sent to Georges Khaznadar <georgesk@ofset.org>. Full text and rfc822 format available.

Message #15 received at 496387@bugs.debian.org (full text, mbox):

From: "Dmitry E. Oboukhov" <unera@debian.org>
To: 496387@bugs.debian.org
Subject: The possibility of attack with the help of symlinks in some Debian packages
Date: Mon, 25 Aug 2008 12:45:33 +0400
JL> please can you sponsor the new package? The description file is at
JL> ftp://debian.ofset.org/debian/pool/main/w/wims_3.62-15.dsc

$ dget ftp://debian.ofset.org/debian/pool/main/w/wims_3.62-15.dsc
dget: retrieving
ftp://debian.ofset.org/debian/pool/main/w/wims_3.62-15.dsc

curl: (67) Access denied: 530
dget: curl wims_3.62-15.dsc
ftp://debian.ofset.org/debian/pool/main/w/wims_3.62-15.dsc failed

sorry, I cannot download it :(
--

. ''`. Dmitry E. Oboukhov
: :'  : unera@debian.org
`. `~' GPGKey: 1024D / F8E26537 2006-11-21
  `- 1B23 D4F8 8EC0 D902 0555  E438 AB8C 00CF F8E2 6537

Information forwarded to debian-bugs-dist@lists.debian.org, Georges Khaznadar <georgesk@ofset.org>:
Bug#496387; Package wims. Full text and rfc822 format available.

Acknowledgement sent to Georges Khaznadar <georges.khaznadar@free.fr>:
Extra info received and forwarded to list. Copy sent to Georges Khaznadar <georgesk@ofset.org>. Full text and rfc822 format available.

Message #20 received at 496387@bugs.debian.org (full text, mbox):

From: Georges Khaznadar <georges.khaznadar@free.fr>
To: "Dmitry E. Oboukhov" <unera@debian.org>, 496387@bugs.debian.org
Subject: Re: Bug#496387: The possibility of attack with the help of symlinks in some Debian packages
Date: Mon, 25 Aug 2008 11:06:59 +0200
Hello Dmitri,

wget downloads the description file easily:
-------------------8<---------------------
gk:/tmp$ LC_ALL=C wget ftp://debian.ofset.org/debian/pool/main/w/wims_3.62-15.dsc
--2008-08-25 11:00:51--  ftp://debian.ofset.org/debian/pool/main/w/wims_3.62-15.dsc
           => `wims_3.62-15.dsc'
Resolving debian.ofset.org... 131.246.124.227
Connecting to debian.ofset.org|131.246.124.227|:21... connected.
Logging in as anonymous ... Logged in!
==> SYST ... done.    ==> PWD ... done.
==> TYPE I ... done.  ==> CWD /debian/pool/main/w ... done.
==> SIZE wims_3.62-15.dsc ... 411
==> PASV ... done.    ==> RETR wims_3.62-15.dsc ... done.
Length: 411

100%[======================================>] 411         --.-K/s   in 0.001s  

2008-08-25 11:00:52 (507 KB/s) - `wims_3.62-15.dsc' saved [411]
-------------------8<---------------------

However, neither dget nor curl succeeds in accessing the same URL. I suppose
that it is due to some misconfiguration of our ftp server, but I do not know which
configuration is wrong. If you want, I can send you the files directly.

Best regards,			Georges.




-- 
Georges KHAZNADAR et Jocelyne FOURNIER
22 rue des mouettes, 59240 Dunkerque France.
Téléphone +33 (0)3 28 29 17 70


Information forwarded to debian-bugs-dist@lists.debian.org, Georges Khaznadar <georgesk@ofset.org>:
Bug#496387; Package wims. Full text and rfc822 format available.

Acknowledgement sent to "Dmitry E. Oboukhov" <unera@debian.org>:
Extra info received and forwarded to list. Copy sent to Georges Khaznadar <georgesk@ofset.org>. Full text and rfc822 format available.

Message #25 received at 496387@bugs.debian.org (full text, mbox):

From: "Dmitry E. Oboukhov" <unera@debian.org>
To: Georges Khaznadar <georges.khaznadar@free.fr>
Cc: 496387@bugs.debian.org
Subject: Re: Bug#496387: The possibility of attack with the help of symlinks in some Debian packages
Date: Mon, 25 Aug 2008 15:39:42 +0400
please recheck the source code

for example:
	wims/src/Texgif/texgif.c

char *tmpdir="/tmp";
char *fontdir="/tmp";
char *headerfile="";
char *texstyle="";
char *outfile="/tmp/texgif.gif";
...


grep for /tmp in all the sources :)


--

. ''`. Dmitry E. Oboukhov
: :'  : unera@debian.org
`. `~' GPGKey: 1024D / F8E26537 2006-11-21
  `- 1B23 D4F8 8EC0 D902 0555  E438 AB8C 00CF F8E2 6537

Tags added: Request was from "Dmitry E. Oboukhov" <dimka@uvw.ru> to control@bugs.debian.org. (Tue, 26 Aug 2008 08:45:29 GMT) Full text and rfc822 format available.

Tags added: security Request was from "Dmitry E. Oboukhov" <dimka@uvw.ru> to control@bugs.debian.org. (Tue, 26 Aug 2008 08:57:20 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Georges Khaznadar <georgesk@ofset.org>:
Bug#496387; Package wims. (Thu, 09 Oct 2008 22:51:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Georges Khaznadar <georgesk@ofset.org>. (Thu, 09 Oct 2008 22:51:02 GMT) Full text and rfc822 format available.

Message #34 received at 496387@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Georges Khaznadar <georges.khaznadar@free.fr>
Cc: "Dmitry E. Oboukhov" <dimka@uvw.ru>, 496387@bugs.debian.org, José Luis Redrejo <jredrejo@edu.juntaextremadura.net>
Subject: Re: Bug#496387: The possibility of attack with the help of symlinks in some Debian packages
Date: Fri, 10 Oct 2008 00:48:12 +0200
Georges Khaznadar wrote:

> thank you for your investigation work: your script revealed some weak
> points inside scripts of the package wims. I made a new package to fix
> these weaknesses, and will send a message about them to the upstream
> developer.
> 
> José Luis,
> please can you sponsor the new package? The description file is at
> ftp://debian.ofset.org/debian/pool/main/w/wims_3.62-15.dsc

Can you prepare a -14 upload with only the two security patches
(which are fine) so that the change is minimal?

I'll sponsor the upload for you.

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Georges Khaznadar <georgesk@ofset.org>:
Bug#496387; Package wims. (Sun, 12 Oct 2008 21:03:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Chris Lamb <lamby@debian.org>:
Extra info received and forwarded to list. Copy sent to Georges Khaznadar <georgesk@ofset.org>. (Sun, 12 Oct 2008 21:03:02 GMT) Full text and rfc822 format available.

Message #39 received at 496387@bugs.debian.org (full text, mbox):

From: Chris Lamb <lamby@debian.org>
To: 496387@bugs.debian.org
Subject: wims: diff for NMU version 3.62-13.1
Date: Sun, 12 Oct 2008 22:00:19 +0100
[Message part 1 (text/plain, inline)]
tags 496387 +pending
thanks

Hi,

The attached file is the diff for my wims 3.62-13.1 NMU. The associated
changelog entry is:

 wims (3.62-13.1) unstable; urgency=medium

   * Non-maintainer upload.
   * Prevent against the possibility of an attack with the help of symlinks
     by patching public_html/bin/coqweb and bin/accounts.sh. Patches (and
     patch system) by the regular maintainer. (Closes: #496387)


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org
       `-
[wims-3.62-13.1-nmu.diff.txt (text/plain, attachment)]
[signature.asc (application/pgp-signature, attachment)]
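The class of bug the coqweb and accounts.sh patches close is a script that writes to a predictable path in a world-writable directory. As an added example, not code from wims or from the NMU diff, here is that pattern beside the hardened form a Debian maintainer script should use; the function names and the `wims-accounts` template are hypothetical:

```shell
#!/bin/sh
# Added example (not from the wims package): the temp-file pattern behind
# this class of bug, next to the hardened form. Names are hypothetical.

# Pattern to avoid: a fixed, predictable name in a world-writable directory.
# Whatever already sits at that name, including a symlink, gets followed
# when the script writes. Shown for contrast only; never called.
unsafe_tmpfile() {
    echo "/tmp/wims-accounts.$$"   # the PID is easy to guess
}

# Hardened form: mktemp creates a fresh file with an unpredictable name,
# mode 0600, atomically (O_CREAT|O_EXCL), so a pre-existing symlink is never
# followed. It honours TMPDIR so callers can point it at a private directory.
safe_tmpfile() {
    tmp=$(mktemp "${TMPDIR:-/tmp}/wims-accounts.XXXXXX") || return 1
    printf '%s\n' "$tmp"
}

# Defensive check for a path the script did not create itself:
# refuse symlinks and anything that exists but is not a regular file.
# Returns 0 when the path is safe to write, 1 otherwise.
check_not_symlink() {
    path=$1
    if [ -L "$path" ]; then
        echo "refusing to write through symlink: $path" >&2
        return 1
    fi
    if [ -e "$path" ] && [ ! -f "$path" ]; then
        echo "refusing: $path exists and is not a regular file" >&2
        return 1
    fi
    return 0
}

# Remove the temp file even when the script is interrupted.
cleanup() {
    if [ -n "${tmp:-}" ]; then
        rm -f "$tmp"
    fi
}
trap cleanup EXIT INT TERM
```

Running with `TMPDIR` set to a freshly created private directory keeps the demonstration away from the real /tmp.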

Tags added: pending Request was from Chris Lamb <lamby@debian.org> to control@bugs.debian.org. (Sun, 12 Oct 2008 21:03:08 GMT) Full text and rfc822 format available.

Reply sent to Chris Lamb <lamby@debian.org>:
You have taken responsibility. (Sun, 12 Oct 2008 21:33:52 GMT) Full text and rfc822 format available.

Notification sent to "Dmitry E. Oboukhov" <dimka@uvw.ru>:
Bug acknowledged by developer. (Sun, 12 Oct 2008 21:33:53 GMT) Full text and rfc822 format available.

Message #46 received at 496387-close@bugs.debian.org (full text, mbox):

From: Chris Lamb <lamby@debian.org>
To: 496387-close@bugs.debian.org
Subject: Bug#496387: fixed in wims 3.62-13.1
Date: Sun, 12 Oct 2008 21:17:58 +0000
Source: wims
Source-Version: 3.62-13.1

We believe that the bug you reported is fixed in the latest version of
wims, which is due to be installed in the Debian FTP archive:

flydraw_3.62-13.1_amd64.deb
  to pool/main/w/wims/flydraw_3.62-13.1_amd64.deb
texgd_3.62-13.1_amd64.deb
  to pool/main/w/wims/texgd_3.62-13.1_amd64.deb
wims-modules_3.62-13.1_all.deb
  to pool/main/w/wims/wims-modules_3.62-13.1_all.deb
wims_3.62-13.1.diff.gz
  to pool/main/w/wims/wims_3.62-13.1.diff.gz
wims_3.62-13.1.dsc
  to pool/main/w/wims/wims_3.62-13.1.dsc
wims_3.62-13.1_amd64.deb
  to pool/main/w/wims/wims_3.62-13.1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 496387@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated wims package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Sun, 12 Oct 2008 21:06:10 +0100
Source: wims
Binary: wims wims-modules flydraw texgd
Architecture: source amd64 all
Version: 3.62-13.1
Distribution: unstable
Urgency: medium
Maintainer: Georges Khaznadar <georgesk@ofset.org>
Changed-By: Chris Lamb <lamby@debian.org>
Description: 
 flydraw    - Inline drawing tool
 texgd      - Program to convert short TeX formulas to PNG graphics
 wims       - WWW Interactive Mathematics Server (WIMS)
 wims-modules - modules used by the WIMS server
Closes: 496387
Changes: 
 wims (3.62-13.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Prevent against the possibility of an attack with the help of symlinks by
     patching public_html/bin/coqweb and bin/accounts.sh. Patches (and patch
     system) by the regular maintainer. (Closes: #496387)
Checksums-Sha1: 
Checksums-Sha256: 
Files: 

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 18 Sep 2009 07:49:26 GMT) Full text and rfc822 format available.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 21:06:54 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.