Debian Bug report logs - #496400
The possibility of attack with the help of symlinks in some Debian packages


Package: aegis-web; Maintainer for aegis-web is Walter Franzini <walter.franzini@gmail.com>; Source for aegis-web is src:aegis.

Reported by: "Dmitry E. Oboukhov" <dimka@uvw.ru>

Date: Sun, 24 Aug 2008 18:10:49 UTC

Severity: grave

Tags: security

Fixed in version aegis/4.24-3.1

Done: Ben Hutchings <ben@decadent.org.uk>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Christian Meder <chris@absolutegiganten.org>:
Bug#496400; Package aegis-web.

Acknowledgement sent to "Dmitry E. Oboukhov" <dimka@uvw.ru>:
New Bug report received and forwarded. Copy sent to Christian Meder <chris@absolutegiganten.org>.

Message #5 received at submit@bugs.debian.org:

From: "Dmitry E. Oboukhov" <dimka@uvw.ru>
To: submit@bugs.debian.org
Cc: dimka@uvw.ru
Subject: The possibility of attack with the help of symlinks in some Debian packages
Date: Sun, 24 Aug 2008 22:05:29 +0400
Package: aegis-web
Severity: grave

Hi, maintainer!

This message about the error concerns a few packages at once. I've
tested all the packages (for Lenny) on my Debian mirror. All scripts
of the packages (marked as executable) were tested.

In some packages I've discovered scripts with errors which may be used
by a user to damage important system files or users' files.

For example, if a script uses in its work a temp file which is created
in the /tmp directory, then every user can create a symlink with the
same name in this directory in order to destroy or rewrite some system
or user file. A symlink attack may lead not only to data destruction
but to denial of service as well.

Even if you create files or directories with the help of the function
'RANDOM' or pid(), your system is not protected. An attacker can create
many symlinks in order to destroy your data or create a 'denial of
service' for your package scripts.

Even if you rm(dir) the files/directories, your system is not
protected. An attacker can permanently create symlinks.

This list was created with the help of a script and sorted by hand.
However, in some cases a mistake is possible.

Please be understanding of possible mistakes. :)

I have set the Severity of this bug to grave. The table of discovered
problems is below.

The discussion of this bug can be seen in debian-devel@:
    http://lists.debian.org/debian-devel/2008/08/msg00271.html

Binary-package: r-base-core-ra (1.1.1-1)
    file: /usr/lib/Ra/lib/R/bin/javareconf
Binary-package: rccp (0.9-2)
    file: /usr/lib/rccp/delqueueask
Binary-package: mafft (6.240-1)
    file: /usr/bin/mafft-homologs
Binary-package: openoffice.org-common (1:2.4.1-6)
    file: /usr/lib/openoffice/program/senddoc
Binary-package: crossfire-maps (1.11.0-1)
    file: /usr/share/games/crossfire/maps/Info/combine.pl
Binary-package: sgml2x (1.0.0-11.1)
    file: /usr/bin/rlatex
Binary-package: liguidsoap (0.3.6-4)
    file: /var/lib/liguidsoap/liguidsoap.py
Binary-package: citadel-server (7.37-1)
    file: /usr/lib/citadel-server/migrate_aliases.sh
Binary-package: ampache (3.4.1-1)
    file: /usr/share/ampache/www/locale/base/gather-messages.sh
Binary-package: xen-utils-3.2-1 (3.2.1-2)
    file: /usr/lib/xen-3.2-1/bin/qemu-dm.debug
Binary-package: dtc-common (0.29.6-1)
    file: /usr/share/dtc/admin/accesslog.php
    file: /usr/share/dtc/admin/sa-wrapper
Binary-package: honeyd-common (1.5c-3)
    file: /usr/share/honeyd/scripts/test.sh
Binary-package: lustre-tests (1.6.5-1)
    file: /usr/lib/lustre/tests/runiozone
Binary-package: linuxtrade (3.65-8+b4)
    file: /usr/share/linuxtrade/bin/linuxtrade.bwkvol
    file: /usr/share/linuxtrade/bin/linuxtrade.wn
    file: /usr/share/linuxtrade/bin/moneyam.helper
Binary-package: freevo (1.8.1-0)
    file: /usr/bin/freevo.real
Binary-package: fml (4.0.3.dfsg-2)
    file: /usr/share/fml/libexec/mead.pl
Binary-package: rkhunter (1.3.2-3)
    file: /usr/bin/rkhunter
Binary-package: openswan (1:2.4.12+dfsg-1.1)
    file: /usr/lib/ipsec/livetest
Binary-package: linux-patch-openswan (1:2.4.12+dfsg-1.1)
    file: /usr/src/kernel-patches/all/openswan/packaging/utils/maysnap
    file: /usr/src/kernel-patches/all/openswan/packaging/utils/maytest
Binary-package: aptoncd (0.1-1.1)
    file: /usr/share/aptoncd/xmlfile.py
Binary-package: cdcontrol (1.90-1.1)
    file: /usr/lib/cdcontrol/writtercontrol
Binary-package: newsgate (1.6-23)
    file: /usr/bin/mkmailpost
Binary-package: gpsdrive-scripts (2.10~pre4-3)
    file: /usr/bin/geo-code
Binary-package: impose+ (0.2-11)
    file: /usr/bin/impose
Binary-package: mgt (2.31-5)
    file: /usr/games/mailgo
Binary-package: audiolink (0.05-1)
    file: /usr/bin/audiolink
Binary-package: ibackup (2.27-4.1)
    file: /usr/bin/ibackup
Binary-package: emacspeak (26.0-3)
    file: /usr/share/emacs/site-lisp/emacspeak/etc/extract-table.pl
Binary-package: bk2site (1:1.1.9-3.1)
    file: /usr/lib/cgi-bin/bk2site/redirect.pl
Binary-package: datafreedom-perl (0.1.7-1)
    file: /usr/bin/dfxml-invoice
Binary-package: emacs-jabber (0.7.91-1)
    file: /usr/lib/emacsen-common/packages/install/emacs-jabber
Binary-package: lmbench (3.0-a7-1)
    file: /usr/lib/lmbench/scripts/rccs
    file: /usr/lib/lmbench/scripts/STUFF
Binary-package: rancid-util (2.3.2~a8-1)
    file: /var/lib/rancid/getipacctg
Binary-package: ogle (0.9.2-5.2)
    file: /usr/lib/ogle/ogle_audio_debug
    file: /usr/lib/ogle/ogle_cli_debug
    file: /usr/lib/ogle/ogle_ctrl_debug
    file: /usr/lib/ogle/ogle_gui_debug
    file: /usr/lib/ogle/ogle_mpeg_ps_debug
    file: /usr/lib/ogle/ogle_mpeg_vs_debug
    file: /usr/lib/ogle/ogle_nav_debug
    file: /usr/lib/ogle/ogle_vout_debug
Binary-package: firehol (1.256-4)
    file: /sbin/firehol
Binary-package: aview (1.3.0rc1-8)
    file: /usr/bin/asciiview
Binary-package: radiance (3R9+20080530-3)
    file: /usr/bin/optics2rad
    file: /usr/bin/pdelta
    file: /usr/bin/dayfact
    file: /usr/bin/raddepend
Binary-package: vdr-dbg (1.6.0-5)
    file: /usr/bin/vdrleaktest
Binary-package: ogle-mmx (0.9.2-5.2)
    file: /usr/lib/ogle/ogle_audio_debug
    file: /usr/lib/ogle/ogle_cli_debug
    file: /usr/lib/ogle/ogle_ctrl_debug
    file: /usr/lib/ogle/ogle_gui_debug
    file: /usr/lib/ogle/ogle_mpeg_ps_debug
    file: /usr/lib/ogle/ogle_mpeg_vs_debug
    file: /usr/lib/ogle/ogle_nav_debug
    file: /usr/lib/ogle/ogle_vout_debug
Binary-package: convirt (0.8.2-3)
    file: /usr/share/convirt/image_store/_template_/provision.sh
    file: /usr/share/convirt/image_store/Linux_CD_Install/provision.sh
    file: /usr/share/convirt/image_store/Fedora_PV_Install/provision.sh
    file: /usr/share/convirt/image_store/CentOS_PV_Install/provision.sh
    file: /usr/share/convirt/image_store/common/provision.sh
    file: /usr/share/convirt/image_store/example/provision.sh
    file: /usr/share/convirt/image_store/Windows_CD_Install/provision.sh
Binary-package: printfilters-ppd (2.13-9)
    file: /usr/lib/printfilters/master-filter
Binary-package: r-base-core (2.7.1-1)
    file: /usr/lib/R/bin/javareconf
    file: /usr/lib/R/bin/javareconf.orig
Binary-package: xmcd (2.6-19.3)
    file: /usr/share/xmcd/scripts/ncsarmt
    file: /usr/share/xmcd/scripts/ncsawrap
Binary-package: tiger (1:3.2.2-3.1)
    file: /usr/lib/tiger/util/genmsgidx
Binary-package: scilab-bin (4.1.2-5)
    file: /usr/lib/scilab-4.1.2/bin/scilink
    file: /usr/lib/scilab-4.1.2/util/scidoc
    file: /usr/lib/scilab-4.1.2/util/scidem
Binary-package: dpkg-cross (2.3.0)
    file: /usr/share/dpkg-cross/bin/gccross
Binary-package: ltp-network-test (20060918-2.1)
    file: /usr/lib/debian-test/tests/linux/testcases/bin/ftp_setup_vsftp_conf
    file: /usr/lib/debian-test/tests/linux/testcases/bin/nfs_fsstress.sh
Binary-package: cman (2.20080629-1)
    file: /usr/sbin/fence_egenera
Binary-package: scratchbox2 (1.99.0.24-1)
    file: /usr/share/scratchbox2/scripts/dpkg-checkbuilddeps
    file: /usr/share/scratchbox2/scripts/sb2-check-pkg-mappings
Binary-package: sendmail-base (8.14.3-5)
    file: /usr/sbin/checksendmail
    file: /usr/bin/expn
Binary-package: fwbuilder (2.1.19-3)
    file: /usr/bin/fwb_install
Binary-package: sng (1.0.2-5)
    file: /usr/bin/sng_regress
Binary-package: dist (1:3.5-17-1)
    file: /usr/bin/patcil
    file: /usr/bin/patdiff
Binary-package: sympa (5.3.4-5)
    file: /usr/lib/cgi-bin/sympa/wwsympa.fcgi
    file: /usr/lib/sympa/bin/sympa.pl
Binary-package: postfix (2.5.2-2)
    file: /usr/lib/postfix_groups.pl
Binary-package: caudium (3:1.4.12-11)
    file: /usr/share/caudium/configvar
Binary-package: mgetty-fax (1.1.36-1.2)
    file: /usr/bin/faxspool
Binary-package: aegis (4.24-3)
    file: /usr/share/doc/aegis/examples/remind/bng_dvlpd.sh
    file: /usr/share/doc/aegis/examples/remind/bng_rvwd.sh
    file: /usr/share/doc/aegis/examples/remind/awt_dvlp.sh
    file: /usr/share/doc/aegis/examples/remind/awt_intgrtn.sh
Binary-package: aegis-web (4.24-3)
    file: /usr/lib/cgi-bin/aegis.cgi
Binary-package: digitaldj (0.7.5-6+b1)
    file: /usr/share/digitaldj/fest.pl
Binary-package: mon (0.99.2-12)
    file: /usr/lib/mon/alert.d/test.alert
Binary-package: feta (1.4.16)
    file: /usr/share/feta/plugins/to-upgrade
Binary-package: arb-common (0.0.20071207.1-4)
    file: /usr/lib/arb/SH/arb_fastdnaml
    file: /usr/lib/arb/SH/dszmconnect.pl
Binary-package: qemu (0.9.1-5)
    file: /usr/sbin/qemu-make-debian-root
Binary-package: apertium (3.0.7+1-1+b1)
    file: /usr/bin/apertium-gen-deformat
    file: /usr/bin/apertium-gen-reformat
    file: /usr/bin/apertium
Binary-package: xcal (4.1-18.3)
    file: /usr/bin/pscal
Binary-package: myspell-tools (1:3.1-20)
    file: /usr/bin/i2myspell
Binary-package: gccxml (0.9.0+cvs20080525-1)
    file: /usr/share/gccxml-0.9/MIPSpro/find_flags
Binary-package: freeradius-dialupadmin (2.0.4+dfsg-4)
    file: /usr/share/freeradius-dialupadmin/bin/backup_radacct
    file: /usr/share/freeradius-dialupadmin/bin/clean_radacct
    file: /usr/share/freeradius-dialupadmin/bin/monthly_tot_stats
    file: /usr/share/freeradius-dialupadmin/bin/tot_stats
    file: /usr/share/freeradius-dialupadmin/bin/truncate_radacct
Binary-package: dhis-server (5.3-1)
    file: /usr/lib/dhis-server/dhis-dummy-log-engine
Binary-package: wims (3.62-13)
    file: /var/lib/wims/public_html/bin/coqweb
    file: /var/lib/wims/bin/account.sh
Binary-package: initramfs-tools (0.92f)
    file: /usr/share/initramfs-tools/init
Binary-package: realtimebattle-common (1.0.8-7)
    file: /usr/lib/realtimebattle/Robots/perl.robot
Binary-package: netmrg (0.20-1)
    file: /usr/bin/rrdedit
Binary-package: bulmages-servers (0.11.1-2)
    file: /usr/share/bulmages/examples/scripts/actualizabulmacont
    file: /usr/share/bulmages/examples/scripts/installbulmages-db
    file: /usr/share/bulmages/examples/scripts/creabulmafact
    file: /usr/share/bulmages/examples/scripts/creabulmacont
    file: /usr/share/bulmages/examples/scripts/actualizabulmafact
Binary-package: xastir (1.9.2-1)
    file: /usr/lib/xastir/get-maptools.sh
    file: /usr/lib/xastir/get_shapelib.sh
Binary-package: plait (1.5.2-1)
    file: /usr/bin/plaiter
    file: /usr/bin/plait
Binary-package: cdrw-taper (0.4-2)
    file: /usr/sbin/amlabel-cdrw
Binary-package: konwert-filters (1.8-11.1)
    file: /usr/share/konwert/filters/any-UTF8
Binary-package: gdrae (0.1-1)
    file: /usr/bin/gdrae
Binary-package: lazarus-src (0.9.24-0-9)
    file: /usr/lib/lazarus/tools/install/create_lazarus_export_tgz.sh
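As an added example (not part of the bug report and not the reporter's own scan script), here is a small audit in the spirit of the scan described in this message: it flags exactly the temporary-file patterns the message warns about, so a maintainer can check their own package scripts. The sample scripts inside it are constructed for the demonstration and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the bug report or of the reporter's scan
# script. It audits shell scripts for the patterns described above:
# names in /tmp built from $$ or $RANDOM, fixed /tmp names, and "rm" of
# a /tmp path before it is reused. Lines that call mktemp are accepted.

# scan_tmp_usage FILE
# Prints FILE:LINE:REASON:TEXT for each suspicious line.
# Returns 0 when nothing was found, 1 otherwise.
scan_tmp_usage() {
    scan_file=$1
    scan_found=0
    scan_n=0
    while IFS= read -r scan_line || [ -n "$scan_line" ]; do
        scan_n=$((scan_n + 1))
        # drop trailing comments so commented-out code is not reported
        scan_code=${scan_line%%#*}
        case $scan_code in
            *mktemp*) continue ;;            # names chosen by mktemp are fine
            */tmp/*'$$'*)  scan_reason=pid-based-name ;;
            */tmp/*'$RANDOM'*|*/tmp/*'${RANDOM}'*)
                           scan_reason=random-based-name ;;
            *'rm '*/tmp/*) scan_reason=remove-before-use ;;
            *'>'*/tmp/*|*'<'*/tmp/*|*'-o /tmp/'*)
                           scan_reason=fixed-name ;;
            *) continue ;;
        esac
        printf '%s:%d:%s:%s\n' "$scan_file" "$scan_n" "$scan_reason" "$scan_line"
        scan_found=1
    done < "$scan_file"
    return $scan_found
}

# write_samples DIR: create two constructed scripts in DIR, one in the
# style of the vulnerable CGI (predictable names, removed and reused)
# and one in the style of the fix (mktemp chooses the names).
write_samples() {
    cat > "$1/before.sh" <<'EOF'
#!/bin/sh
aedist --send "$project" -o /tmp/aegis.$$.ae > /tmp/aegis.$$ 2>&1
cat /tmp/aegis.$$.ae
rm /tmp/aegis.$$*
EOF
    cat > "$1/after.sh" <<'EOF'
#!/bin/sh
out=$(mktemp /tmp/aegis.ae.XXXXXX) || exit 1
log=$(mktemp /tmp/aegis.XXXXXX) || exit 1
aedist --send "$project" -o "$out" > "$log" 2>&1
cat "$out"
rm -f "$out" "$log"
EOF
}

# Demo: the "before" script yields three findings, the "after" script none.
demo_dir=$(mktemp -d) || exit 1
write_samples "$demo_dir"
for s in "$demo_dir/before.sh" "$demo_dir/after.sh"; do
    if scan_tmp_usage "$s"; then
        echo "$s: no predictable /tmp names found"
    else
        echo "$s: predictable /tmp names found"
    fi
done
rm -rf "$demo_dir"
```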




Tags added: Request was from "Dmitry E. Oboukhov" <dimka@uvw.ru> to control@bugs.debian.org. (Tue, 26 Aug 2008 08:45:40 GMT)

Tags added: security Request was from "Dmitry E. Oboukhov" <dimka@uvw.ru> to control@bugs.debian.org. (Tue, 26 Aug 2008 08:57:29 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Christian Meder <chris@absolutegiganten.org>:
Bug#496400; Package aegis-web.

Acknowledgement sent to <marcos.marado@sonae.com>:
Extra info received and forwarded to list. Copy sent to Christian Meder <chris@absolutegiganten.org>.

Message #14 received at 496400@bugs.debian.org:

From: <marcos.marado@sonae.com>
To: <496402@bugs.debian.org>, <496400@bugs.debian.org>
Subject: upstream
Date: Wed, 27 Aug 2008 20:48:17 +0100
The bugs were reported upstream:
http://sourceforge.net/tracker/index.php?func=detail&aid=2079025&group_id=224&atid=100224

Best regards,
-- 
Marcos Marado




Information forwarded to debian-bugs-dist@lists.debian.org, Christian Meder <chris@absolutegiganten.org>:
Bug#496400; Package aegis-web.

Acknowledgement sent to <marcos.marado@sonae.com>:
Extra info received and forwarded to list. Copy sent to Christian Meder <chris@absolutegiganten.org>.

Message #19 received at 496400@bugs.debian.org:

From: <marcos.marado@sonae.com>
To: <496400@bugs.debian.org>
Subject: patch
Date: Wed, 27 Aug 2008 20:57:53 +0100
A patch like the one I wrote[1] should suffice to fix this. Note that I didn't 
test it at all...

[1] http://talkerspt.no-ip.org/~mbooster/aegis-web.patch

Best regards,
-- 
Marcos Marado




Information forwarded to debian-bugs-dist@lists.debian.org, Christian Meder <chris@absolutegiganten.org>:
Bug#496400; Package aegis-web.

Acknowledgement sent to Ben Hutchings <ben@decadent.org.uk>:
Extra info received and forwarded to list. Copy sent to Christian Meder <chris@absolutegiganten.org>.

Message #24 received at 496400@bugs.debian.org:

From: Ben Hutchings <ben@decadent.org.uk>
To: 496400@bugs.debian.org
Cc: security@debian.org
Subject: Re: [aegis] The possibility of attack with the help of symlinks in some Debian packages
Date: Sun, 07 Sep 2008 01:09:17 +0100
I couldn't access Marcos Marado's patch for this bug, so I did the work
again.  I only dealt with aegis-web; the other vulnerable code in aegis
is in examples and is therefore not so critical.

Here's the diff for my NMU.  The stable version of aegis-web has an
almost identical version of the vulnerable CGI script, which my patch
applies to with an offset of 2 lines.

Ben.

diff -u aegis-4.24/debian/control aegis-4.24/debian/control
--- aegis-4.24/debian/control
+++ aegis-4.24/debian/control
@@ -62,7 +62,7 @@
 
 Package: aegis-web
 Architecture: any
-Depends: ${shlibs:Depends}, aegis, apache | httpd
+Depends: ${shlibs:Depends}, aegis, apache | httpd, mktemp
 Replaces: aegis3-web, aegis (<< 4.10)
 Conflicts: aegis3-web
 Description: aegis web based user interface
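Review bot: The `mktemp` added to Depends is redundant and can be dropped: the mktemp package is marked Essential (Julien Cristau points this out later in this bug), and Debian policy does not have packages declare dependencies on Essential packages. Dropping it also keeps the stable security update down to the CGI patch alone.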
diff -u aegis-4.24/debian/changelog aegis-4.24/debian/changelog
--- aegis-4.24/debian/changelog
+++ aegis-4.24/debian/changelog
@@ -1,3 +1,12 @@
+aegis (4.24-3.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Add patch for aegis.cgi to make temporary file creation secure
+    (closes: #496400)
+  * Add dependency on mktemp, introduced by this patch
+
+ -- Ben Hutchings <ben@decadent.org.uk>  Sat, 06 Sep 2008 19:58:13 +0100
+
 aegis (4.24-3) unstable; urgency=low
 
   * integrate updated patch to fix aefinish with non-existing $HOME,
only in patch2:
unchanged:
--- aegis-4.24.orig/debian/patches/11_cgi_use_secure_temp_files.patch
+++ aegis-4.24/debian/patches/11_cgi_use_secure_temp_files.patch
@@ -0,0 +1,338 @@
+--- script/aegis.cgi.in.orig	2008-09-06 18:48:00.000000000 +0100
++++ script/aegis.cgi.in	2008-09-06 19:15:51.000000000 +0100
+@@ -40,6 +40,12 @@
+ . /etc/aegis.cgi.conf
+ fi
+ 
++# securely create temporary file
++# Debian change to fix bug 496400
++aegis_tmp() {
++    mktemp /tmp/aegis$1.XXXXXX || exit 1
++}
++
+ extra=
+ lang=en
+ file=proj_list
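Review bot: `exit 1` inside `aegis_tmp` never terminates the script, because every caller invokes it as `$(aegis_tmp ...)` and a command substitution runs in a subshell; when mktemp fails the caller carries on with an empty `$out` or `$log`, so `-o $out > $log` becomes an empty `-o` argument and a failed redirect instead of a clean error page. Either check at each call site (`out=$(aegis_tmp .ae) || exit 1`) or have the function only print the path and leave failure handling to the callers. The hard-coded `/tmp/` in the template also ignores `TMPDIR`; `"${TMPDIR:-/tmp}/aegis$1.XXXXXX"` keeps the deployment's choice.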
+@@ -74,8 +80,12 @@
+ then
+     test -z "$project" && exit 1
+     test -z "$change" && change="--baseline"
++
++    out=$(aegis_tmp .ae)
++    log=$(aegis_tmp)
++
+     $bindir/aedist --send $project $change -ndh -naa \
+-		-o /tmp/aegis.$$.ae > /tmp/aegis.$$ 2>&1
++		-o $out > $log 2>&1
+     status=$?
+     if test $status -ne 0
+     then
+@@ -88,18 +98,18 @@
+ 	echo '</tt></blockquote>'
+ 	echo "terminated with exit status $status."
+ 	echo 'The following text was produced <blockquote><pre>'
+-	sed 's|<|\&lt;|g' < /tmp/aegis.$$
++	sed 's|<|\&lt;|g' < $log
+ 	echo '</pre></blockquote>'
+ 	echo '<hr>'
+ 	echo 'This page was generated'
+ 	date
+ 	echo '</body></html>'
+-	rm /tmp/aegis.$$*
++	rm $out $log
+ 	exit 1
+     fi
+ 
+-    cat /tmp/aegis.$$.ae
+-    rm /tmp/aegis.$$*
++    cat $out
++    rm $out $log
+     exit 0
+ fi
+ 
+@@ -107,8 +117,12 @@
+ then
+     test -z "$project" && exit 1
+     test -z "$change" && change="--baseline"
++
++    out=$(aegis_tmp .ae)
++    log=$(aegis_tmp)
++
+     $bindir/aepatch --send $project $change -naa \
+-       	-o /tmp/aegis.$$.ae > /tmp/aegis.$$ 2>&1
++       	-o $out > $log 2>&1
+     status=$?
+     if test $status -ne 0
+     then
+@@ -121,18 +135,18 @@
+        	echo '</tt></blockquote>'
+        	echo "terminated with exit status $status."
+        	echo 'The following text was produced <blockquote><pre>'
+-       	sed 's|<|\&lt;|g' < /tmp/aegis.$$
++       	sed 's|<|\&lt;|g' < $log
+        	echo '</pre></blockquote>'
+        	echo '<hr>'
+        	echo 'This page was generated'
+        	date
+        	echo '</body></html>'
+-       	rm /tmp/aegis.$$*
++       	rm $out $log
+        	exit 1
+     fi
+ 
+-    cat /tmp/aegis.$$.ae
+-    rm /tmp/aegis.$$*
++    cat $out
++    rm $out $log
+     exit 0
+ fi
+ 
+@@ -140,8 +154,12 @@
+ then
+     test -z "$project" && exit 1
+     test -z "$change" && change="--baseline"
++
++    out=$(aegis_tmp .ae)
++    log=$(aegis_tmp)
++
+     $bindir/aetar --send $project $change \
+-       	-o /tmp/aegis.$$.ae > /tmp/aegis.$$ 2>&1
++       	-o $out > $log 2>&1
+     status=$?
+     if test $status -ne 0
+     then
+@@ -154,21 +172,21 @@
+        	echo '</tt></blockquote>'
+        	echo "terminated with exit status $status."
+        	echo 'The following text was produced <blockquote><pre>'
+-       	sed 's|<|\&lt;|g' < /tmp/aegis.$$
++       	sed 's|<|\&lt;|g' < $log
+        	echo '</pre></blockquote>'
+        	echo '<hr>'
+        	echo 'This page was generated'
+        	date
+        	echo '</body></html>'
+-       	rm /tmp/aegis.$$*
++       	rm $out $log
+        	exit 1
+     fi
+ 
+     echo 'Content-Type: application/x-tar-gz'
+     echo 'Content-Transfer-Encoding: 8bit'
+     echo ''
+-    cat /tmp/aegis.$$.ae
+-    rm /tmp/aegis.$$*
++    cat $out
++    rm $out $log
+     exit 0
+ fi
+ 
+@@ -180,11 +198,16 @@
+ 
+     File=$extra;
+ 
++    ver1=$(aegis_tmp .1)
++    ver2=$(aegis_tmp .2)
++    err=$(aegis_tmp .log)
++    out=$(aegis_tmp .out)
++
+     cmdcmd="$bindir/aereport -f $datadir/en/html/file_diff.rpt $delta1 \
+-	$delta2 $File /tmp/aegis.$$.1 /tmp/aegis.$$.2 $project $change -unf"
++	$delta2 $File $ver1 $ver2 $project $change -unf"
+ 
+     # the script will work out where to get the file from
+-    cmd="`$cmdcmd 2> /tmp/aegis.$$.log`";
++    cmd="`$cmdcmd 2> $err`";
+     status=$?
+ 
+     if test $status -ne 0
+@@ -198,18 +221,18 @@
+        	echo '</tt></blockquote>'
+        	echo "terminated with exit status $status."
+        	echo 'The following text was produced <blockquote><pre>'
+-       	sed 's|<|\&lt;|g' < /tmp/aegis.$$.log
++       	sed 's|<|\&lt;|g' < $err
+        	echo '</pre></blockquote>'
+        	echo '<hr>'
+        	echo 'This page was generated'
+        	date
+        	echo '</body></html>'
+-       	rm -f /tmp/aegis.$$.*
++       	rm -f $ver1 $ver2 $err $out
+        	exit 1
+     fi
+-    rm -f /tmp/aegis.$$.*
++    rm -f $ver1 $ver2
+ 
+-    eval "$cmd 2> /tmp/aegis.$$.log" > /tmp/aegis.$$.out
++    eval "$cmd 2> $err" > $out
+     status=$?
+     if test $status -ne 0
+     then
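Review bot: `rm -f $ver1 $ver2` before `eval "$cmd 2> $err" > $out` reopens the remove-then-recreate window the patch is meant to close: both paths were passed on the aereport command line in the previous hunk, so any local user could read them from the process list, and once the files are removed the names are free for a symlink before `$cmd` writes to them. Do not remove them here; if the generated command cannot overwrite an existing empty file, create the four temporaries inside a single `mktemp -d` directory (mode 0700), where the names are unreachable to other users even after removal.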
+@@ -222,16 +245,16 @@
+        	echo '</tt></blockquote>'
+        	echo "terminated with exit status $status."
+        	echo 'The following text was produced <blockquote><pre>'
+-       	sed 's|<|\&lt;|g' < /tmp/aegis.$$.log
++       	sed 's|<|\&lt;|g' < $err
+        	echo '</pre></blockquote>'
+        	echo '<hr>'
+        	echo 'This page was generated'
+        	date
+        	echo '</body></html>'
+-       	rm -f /tmp/aegis.$$.*
++       	rm -f $err $out
+        	exit 1
+     fi
+-    rm /tmp/aegis.$$.log
++    rm -f $err
+ 
+     echo 'Content-Type: text/html'
+     echo ''
+@@ -247,13 +270,13 @@
+     echo "<br>Delta $delta1, Delta $delta2"
+     echo '</h1>'
+     echo '<pre>'
+-    sed 's|<|\&lt;|g' < /tmp/aegis.$$.out
++    sed 's|<|\&lt;|g' < $out
+     echo '</pre>'
+     echo '<hr>'
+     echo 'This page was generated'
+     date
+     echo '</body></html>'
+-    rm -f /tmp/aegis.$$.*
++    rm -f $out
+     exit 0
+ fi
+ 
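Review bot: On the success path `rm -f $out` is narrower than the old `rm -f /tmp/aegis.$$.*`: if `$cmd` re-created `$ver1` and `$ver2` (they were removed before the eval, and the generated command was given those paths), they are now left behind in /tmp after every successful diff; the error path in the preceding hunk (`rm -f $err $out`) has the same gap. Use `rm -f $ver1 $ver2 $err $out` in both places, or a trap-based cleanup covering all four names.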
+@@ -266,10 +289,14 @@
+     test -z "$delta" && Delta="";
+ 
+     File="$extra"
++
++    out=$(aegis_tmp)
++    log=$(aegis_tmp .log)
++
+     if test -z "$change"
+     then
+        	$bindir/aegis -cp -ind $project -baserel $File $Delta \
+-	    -o /tmp/aegis.$$ 2> /tmp/aegis.$$.log
++	    -o $out 2> $log
+        	status=$?
+        	if test $status -ne 0
+        	then
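Review bot: `-o $out` now names a file that already exists (created empty by mktemp), whereas before the patch the path did not exist; please confirm that `aegis -cp -o` overwrites an existing output file rather than refusing, otherwise this branch now fails closed. The same check applies to `aedist`, `aepatch` and `aetar -o $out` in the earlier hunks.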
+@@ -282,20 +309,20 @@
+ 	    echo '</tt></blockquote>'
+ 	    echo "terminated with exit status $status."
+ 	    echo 'The following text was produced <blockquote><pre>'
+-	    sed 's|<|\&lt;|g' < /tmp/aegis.$$.log
++	    sed 's|<|\&lt;|g' < $log
+ 	    echo '</pre></blockquote>'
+ 	    echo '<hr>'
+ 	    echo 'This page was generated'
+ 	    date
+ 	    echo '</body></html>'
+-	    rm -f /tmp/aegis.$$ /tmp/aegis.$$.log
++	    rm -f $out $log
+ 	    exit 1
+        	fi
+-       	rm -f /tmp/aegis.$$.log
++       	rm -f $log
+     else
+        	# the script will work out where to get the file from
+        	cmd="`$bindir/aereport -f $datadir/en/html/cp_command.rpt $File \
+-	    /tmp/aegis.$$ -unf $project $change 2> /tmp/aegis.$$.log`"
++	    $out -unf $project $change 2> $log`"
+ 
+        	status=$?
+        	if test $status -ne 0
+@@ -307,22 +334,21 @@
+ 	    echo '<blockquote><tt>'
+ 	    echo $bindir/aereport -f \
+ 	     	$datadir/en/html/cp_command.rpt $File \
+-	     	/tmp/aegis.$$ -unf $project $change
++	     	$out -unf $project $change
+ 	    echo '</tt></blockquote>'
+ 	    echo "terminated with exit status $status."
+ 	    echo 'The following text was produced <blockquote><pre>'
+-	    sed 's|<|\&lt;|g' < /tmp/aegis.$$.log
++	    sed 's|<|\&lt;|g' < $log
+ 	    echo '</pre></blockquote>'
+ 	    echo '<hr>'
+ 	    echo 'This page was generated'
+ 	    date
+ 	    echo '</body></html>'
+-	    rm /tmp/aegis.$$.log
++	    rm $out $log
+ 	    exit 1
+        	fi
+-       	rm /tmp/aegis.$$.log
+ 
+-       	eval "$cmd 2> /tmp/aegis.$$.log"
++       	eval "$cmd 2> $log"
+        	status=$?
+        	if test $status -ne 0
+        	then
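Review bot: Dropping the `rm /tmp/aegis.$$.log` that preceded the eval, so that `$log` is truncated in place by `2> $log` rather than deleted and re-created, is the right pattern; the file_diff branch should be made consistent with it instead of removing `$ver1`/`$ver2` before its eval. The error path here now runs `rm $out $log` where it previously removed only the log, which is correct since `$out` is created up front.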
+@@ -335,16 +361,16 @@
+ 	    echo '</tt></blockquote>'
+ 	    echo "terminated with exit status $status."
+ 	    echo 'The following text was produced <blockquote><pre>'
+-	    sed 's|<|\&lt;|g' < /tmp/aegis.$$.log
++	    sed 's|<|\&lt;|g' < $log
+ 	    echo '</pre></blockquote>'
+ 	    echo '<hr>'
+ 	    echo 'This page was generated'
+ 	    date
+ 	    echo '</body></html>'
+-	    rm -f /tmp/aegis.$$.log /tmp/aegis.$$
++	    rm -f $out $log
+ 	    exit 1
+        	fi
+-	rm /tmp/aegis.$$.log
++	rm $log
+     fi
+ 
+     echo 'Content-Type: text/html'
+@@ -360,19 +386,21 @@
+     echo "<br>File <i>$x</i>"
+     echo '</h1>'
+     echo '<pre>'
+-    sed 's|<|\&lt;|g' < /tmp/aegis.$$
++    sed 's|<|\&lt;|g' < $out
+     echo '</pre>'
+     echo '<hr>'
+     echo 'This page was generated'
+     date
+     echo '</body></html>'
+-    rm /tmp/aegis.$$
++    rm $out
+     exit 0
+ fi
+ 
++log=$(aegis_tmp)
++
+ $bindir/aereport --file $datadir/$lang/html/$file.rpt \
+     $project $change $extra --page-width=1000 --unformatted \
+-    > /tmp/aegis.$$ 2>&1
++    > $log 2>&1
+ 
+ status=$?
+ if test $status -ne 0
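Review bot: With `log=$(aegis_tmp)` at top level the only cleanup is the `rm $log` at the very end, so if the web server kills the CGI (client disconnect, timeout) the file stays in /tmp; the same holds for every `out`/`log` pair in the branches above. A `trap 'rm -f "$log"' EXIT HUP INT TERM` set right after each `aegis_tmp` assignment, or one trap on a private `mktemp -d` directory holding all the temporaries, covers every exit path and replaces the repeated hand-written `rm` lines.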
+@@ -387,14 +415,14 @@
+     echo '</tt></blockquote>'
+     echo "terminated with exit status $status."
+     echo 'The following text was produced <blockquote><pre>'
+-    sed 's|<|\&lt;|g' < /tmp/aegis.$$
++    sed 's|<|\&lt;|g' < $log
+     echo '</pre></blockquote>'
+     echo '<hr>'
+     echo 'This page was generated'
+     date
+     echo '</body></html>'
+ else
+-    cat /tmp/aegis.$$
++    cat $log
+ fi
+-rm /tmp/aegis.$$
++rm $log
+ exit 0

[signature.asc (application/pgp-signature, inline)]
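As an added example (not code from the aegis package or from this NMU), here is the per-request private directory variant of the fix, which removes the need to delete and re-create anything in /tmp and cleans up on every exit path. The helper names are this example's own and the command run by main_demo is a stand-in for aedist.

```shell
#!/bin/sh
# Added example, not code from the aegis package or from the NMU above.
# Instead of one mktemp file per temporary, a request gets one private
# directory (mktemp -d creates it with mode 0700). Inside it, plain fixed
# names are safe, a file can be truncated and reused without being
# removed first, and a single trap cleans everything up on every exit.
# Function names are this example's own; the command run by main_demo is
# a stand-in for aedist.

# new_request_dir: create a private work directory and print its path.
# Honours TMPDIR, falling back to /tmp as the CGI script does.
new_request_dir() {
    mktemp -d "${TMPDIR:-/tmp}/aegis.XXXXXX"
}

# dir_is_private DIR: succeed only if DIR is a directory with no group or
# other permission bits, i.e. what mktemp -d is expected to produce.
dir_is_private() {
    [ -d "$1" ] && [ "$(ls -ld "$1" | cut -c1-10)" = "drwx------" ]
}

# run_captured DIR NAME CMD...: run CMD with stdout in DIR/NAME.out and
# stderr in DIR/NAME.log; return CMD's exit status. Existing files are
# truncated by the shell, so re-running with the same NAME needs no rm.
run_captured() {
    rc_dir=$1
    rc_name=$2
    shift 2
    "$@" > "$rc_dir/$rc_name.out" 2> "$rc_dir/$rc_name.log"
}

# main_demo: mirror of the CGI's "send" branch using the helpers above.
main_demo() {
    workdir=$(new_request_dir) || return 1
    # one trap covers normal exit, errors, and the web server killing us
    trap 'rm -rf "$workdir"' EXIT HUP INT TERM
    dir_is_private "$workdir" || return 1
    if run_captured "$workdir" send sh -c 'echo payload; echo diagnostic >&2'; then
        cat "$workdir/send.out"
    else
        status=$?
        echo "command terminated with exit status $status; it produced:"
        sed 's|<|\&lt;|g' < "$workdir/send.log"
        return 1
    fi
}

main_demo
```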

Reply sent to Ben Hutchings <ben@decadent.org.uk>:
You have taken responsibility.

Notification sent to "Dmitry E. Oboukhov" <dimka@uvw.ru>:
Bug acknowledged by developer.

Message #29 received at 496400-close@bugs.debian.org:

From: Ben Hutchings <ben@decadent.org.uk>
To: 496400-close@bugs.debian.org
Subject: Bug#496400: fixed in aegis 4.24-3.1
Date: Sun, 07 Sep 2008 00:17:06 +0000
Source: aegis
Source-Version: 4.24-3.1

We believe that the bug you reported is fixed in the latest version of
aegis, which is due to be installed in the Debian FTP archive:

aegis-doc_4.24-3.1_all.deb
  to pool/main/a/aegis/aegis-doc_4.24-3.1_all.deb
aegis-tk_4.24-3.1_all.deb
  to pool/main/a/aegis/aegis-tk_4.24-3.1_all.deb
aegis-web_4.24-3.1_i386.deb
  to pool/main/a/aegis/aegis-web_4.24-3.1_i386.deb
aegis_4.24-3.1.diff.gz
  to pool/main/a/aegis/aegis_4.24-3.1.diff.gz
aegis_4.24-3.1.dsc
  to pool/main/a/aegis/aegis_4.24-3.1.dsc
aegis_4.24-3.1_i386.deb
  to pool/main/a/aegis/aegis_4.24-3.1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 496400@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ben Hutchings <ben@decadent.org.uk> (supplier of updated aegis package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 06 Sep 2008 19:58:13 +0100
Source: aegis
Binary: aegis aegis-doc aegis-tk aegis-web
Architecture: source all i386
Version: 4.24-3.1
Distribution: unstable
Urgency: medium
Maintainer: Christian Meder <chris@absolutegiganten.org>
Changed-By: Ben Hutchings <ben@decadent.org.uk>
Description: 
 aegis      - transaction-based software configuration management
 aegis-doc  - documentation for aegis
 aegis-tk   - aegis Tk user interface
 aegis-web  - aegis web based user interface
Closes: 496400
Changes: 
 aegis (4.24-3.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Add patch for aegis.cgi to make temporary file creation secure
     (closes: #496400)
   * Add dependency on mktemp, introduced by this patch





Information forwarded to debian-bugs-dist@lists.debian.org, Christian Meder <chris@absolutegiganten.org>:
Bug#496400; Package aegis-web.

Acknowledgement sent to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to Christian Meder <chris@absolutegiganten.org>.

Message #34 received at 496400@bugs.debian.org:

From: Julien Cristau <jcristau@debian.org>
To: Ben Hutchings <ben@decadent.org.uk>, 496400@bugs.debian.org
Cc: security@debian.org
Subject: Re: Bug#496400: [aegis] The possibility of attack with the help of symlinks in some Debian packages
Date: Sun, 7 Sep 2008 02:32:54 +0200
On Sun, Sep  7, 2008 at 01:09:17 +0100, Ben Hutchings wrote:

> diff -u aegis-4.24/debian/control aegis-4.24/debian/control
> --- aegis-4.24/debian/control
> +++ aegis-4.24/debian/control
> @@ -62,7 +62,7 @@
>  
>  Package: aegis-web
>  Architecture: any
> -Depends: ${shlibs:Depends}, aegis, apache | httpd
> +Depends: ${shlibs:Depends}, aegis, apache | httpd, mktemp
>  Replaces: aegis3-web, aegis (<< 4.10)
>  Conflicts: aegis3-web
>  Description: aegis web based user interface

mktemp is 'Essential: yes'; this dependency is useless.

Cheers,
Julien




Information forwarded to debian-bugs-dist@lists.debian.org, Christian Meder <chris@absolutegiganten.org>:
Bug#496400; Package aegis-web.

Acknowledgement sent to Ben Hutchings <ben@decadent.org.uk>:
Extra info received and forwarded to list. Copy sent to Christian Meder <chris@absolutegiganten.org>.

Message #39 received at 496400@bugs.debian.org:

From: Ben Hutchings <ben@decadent.org.uk>
To: Julien Cristau <jcristau@debian.org>
Cc: 496400@bugs.debian.org, security@debian.org
Subject: Re: Bug#496400: [aegis] The possibility of attack with the help of symlinks in some Debian packages
Date: Sun, 7 Sep 2008 01:56:45 +0100
On Sun, Sep 07, 2008 at 02:32:54AM +0200, Julien Cristau wrote:
> On Sun, Sep  7, 2008 at 01:09:17 +0100, Ben Hutchings wrote:
> 
> > diff -u aegis-4.24/debian/control aegis-4.24/debian/control
> > --- aegis-4.24/debian/control
> > +++ aegis-4.24/debian/control
> > @@ -62,7 +62,7 @@
> >  
> >  Package: aegis-web
> >  Architecture: any
> > -Depends: ${shlibs:Depends}, aegis, apache | httpd
> > +Depends: ${shlibs:Depends}, aegis, apache | httpd, mktemp
> >  Replaces: aegis3-web, aegis (<< 4.10)
> >  Conflicts: aegis3-web
> >  Description: aegis web based user interface
> 
> mktemp is 'Essential: yes', this dependency is useless.

You know, I thought it was, but when I checked I somehow didn't see that
line.  That's one less thing to include in a stable security update.

Ben.

-- 
Ben Hutchings
Everything should be made as simple as possible, but not simpler.
                                                           - Albert Einstein
[signature.asc (application/pgp-signature, inline)]

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 16 Feb 2009 07:37:00 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 06:10:42 2014; Machine Name: beach.debian.org
