Debian Bug report logs - #496405
The possibility of attack with the help of symlinks in some Debian packages


Package: sympa; Maintainer for sympa is Debian Sympa team <sympa@packages.debian.org>; Source for sympa is src:sympa (PTS, buildd, popcon).

Reported by: "Dmitry E. Oboukhov" <dimka@uvw.ru>

Date: Sun, 24 Aug 2008 18:11:02 UTC

Severity: critical

Tags: patch, security

Merged with 494969

Found in versions sympa/5.2.3-1.2+etch1, sympa/5.3.4-5

Fixed in version 5.3.4-5.1

Done: Nico Golde <nion@debian.org>

Bug is archived. No further changes may be made.

Forwarded to http://sourcesup.cru.fr/tracker/index.php?func=detail&aid=4430



Report forwarded to debian-bugs-dist@lists.debian.org, Stefan Hornburg (Racke) <racke@linuxia.de>:
Bug#496405; Package sympa.


Acknowledgement sent to "Dmitry E. Oboukhov" <dimka@uvw.ru>:
New Bug report received and forwarded. Copy sent to Stefan Hornburg (Racke) <racke@linuxia.de>.


Message #5 received at submit@bugs.debian.org:

From: "Dmitry E. Oboukhov" <dimka@uvw.ru>
To: submit@bugs.debian.org
Cc: dimka@uvw.ru
Subject: The possibility of attack with the help of symlinks in some Debian packages
Date: Sun, 24 Aug 2008 22:05:29 +0400
Package: sympa
Severity: grave

Hi, maintainer!

This message about the error concerns a few packages at once. I've
tested all the packages (for Lenny) on my Debian mirror. All scripts
of packages (marked as executable) were tested.

In some packages I've discovered scripts with errors which may be used
by a user to damage important system files or users' files.

For example, if a script uses in its work a temp file which is created
in the /tmp directory, then every user can create a symlink with the same
name in this directory in order to destroy or rewrite some system
or user file. A symlink attack may also lead not only to data
destruction but to denial of service as well.

Even if you create files or directories with the help of the function
'RANDOM' or pid(), your system is not protected. An attacker can create
many symlinks in order to destroy your data or create a 'denial of
service' for your package scripts.

Even if you run rm(dir) on files/directories, your system is not
protected. An attacker can permanently create symlinks.

This list was created with the help of a script and sorted by hand.
However, in some cases a mistake is possible.

Please be understanding of possible mistakes. :)

I set the Severity to grave for this bug. The table of discovered
problems is below.

You can see the discussion of this bug in debian-devel@:
    http://lists.debian.org/debian-devel/2008/08/msg00271.html

Binary-package: r-base-core-ra (1.1.1-1)
    file: /usr/lib/Ra/lib/R/bin/javareconf
Binary-package: rccp (0.9-2)
    file: /usr/lib/rccp/delqueueask
Binary-package: mafft (6.240-1)
    file: /usr/bin/mafft-homologs
Binary-package: openoffice.org-common (1:2.4.1-6)
    file: /usr/lib/openoffice/program/senddoc
Binary-package: crossfire-maps (1.11.0-1)
    file: /usr/share/games/crossfire/maps/Info/combine.pl
Binary-package: sgml2x (1.0.0-11.1)
    file: /usr/bin/rlatex
Binary-package: liguidsoap (0.3.6-4)
    file: /var/lib/liguidsoap/liguidsoap.py
Binary-package: citadel-server (7.37-1)
    file: /usr/lib/citadel-server/migrate_aliases.sh
Binary-package: ampache (3.4.1-1)
    file: /usr/share/ampache/www/locale/base/gather-messages.sh
Binary-package: xen-utils-3.2-1 (3.2.1-2)
    file: /usr/lib/xen-3.2-1/bin/qemu-dm.debug
Binary-package: dtc-common (0.29.6-1)
    file: /usr/share/dtc/admin/accesslog.php
    file: /usr/share/dtc/admin/sa-wrapper
Binary-package: honeyd-common (1.5c-3)
    file: /usr/share/honeyd/scripts/test.sh
Binary-package: lustre-tests (1.6.5-1)
    file: /usr/lib/lustre/tests/runiozone
Binary-package: linuxtrade (3.65-8+b4)
    file: /usr/share/linuxtrade/bin/linuxtrade.bwkvol
    file: /usr/share/linuxtrade/bin/linuxtrade.wn
    file: /usr/share/linuxtrade/bin/moneyam.helper
Binary-package: freevo (1.8.1-0)
    file: /usr/bin/freevo.real
Binary-package: fml (4.0.3.dfsg-2)
    file: /usr/share/fml/libexec/mead.pl
Binary-package: rkhunter (1.3.2-3)
    file: /usr/bin/rkhunter
Binary-package: openswan (1:2.4.12+dfsg-1.1)
    file: /usr/lib/ipsec/livetest
Binary-package: linux-patch-openswan (1:2.4.12+dfsg-1.1)
    file: /usr/src/kernel-patches/all/openswan/packaging/utils/maysnap
    file: /usr/src/kernel-patches/all/openswan/packaging/utils/maytest
Binary-package: aptoncd (0.1-1.1)
    file: /usr/share/aptoncd/xmlfile.py
Binary-package: cdcontrol (1.90-1.1)
    file: /usr/lib/cdcontrol/writtercontrol
Binary-package: newsgate (1.6-23)
    file: /usr/bin/mkmailpost
Binary-package: gpsdrive-scripts (2.10~pre4-3)
    file: /usr/bin/geo-code
Binary-package: impose+ (0.2-11)
    file: /usr/bin/impose
Binary-package: mgt (2.31-5)
    file: /usr/games/mailgo
Binary-package: audiolink (0.05-1)
    file: /usr/bin/audiolink
Binary-package: ibackup (2.27-4.1)
    file: /usr/bin/ibackup
Binary-package: emacspeak (26.0-3)
    file: /usr/share/emacs/site-lisp/emacspeak/etc/extract-table.pl
Binary-package: bk2site (1:1.1.9-3.1)
    file: /usr/lib/cgi-bin/bk2site/redirect.pl
Binary-package: datafreedom-perl (0.1.7-1)
    file: /usr/bin/dfxml-invoice
Binary-package: emacs-jabber (0.7.91-1)
    file: /usr/lib/emacsen-common/packages/install/emacs-jabber
Binary-package: lmbench (3.0-a7-1)
    file: /usr/lib/lmbench/scripts/rccs
    file: /usr/lib/lmbench/scripts/STUFF
Binary-package: rancid-util (2.3.2~a8-1)
    file: /var/lib/rancid/getipacctg
Binary-package: ogle (0.9.2-5.2)
    file: /usr/lib/ogle/ogle_audio_debug
    file: /usr/lib/ogle/ogle_cli_debug
    file: /usr/lib/ogle/ogle_ctrl_debug
    file: /usr/lib/ogle/ogle_gui_debug
    file: /usr/lib/ogle/ogle_mpeg_ps_debug
    file: /usr/lib/ogle/ogle_mpeg_vs_debug
    file: /usr/lib/ogle/ogle_nav_debug
    file: /usr/lib/ogle/ogle_vout_debug
Binary-package: firehol (1.256-4)
    file: /sbin/firehol
Binary-package: aview (1.3.0rc1-8)
    file: /usr/bin/asciiview
Binary-package: radiance (3R9+20080530-3)
    file: /usr/bin/optics2rad
    file: /usr/bin/pdelta
    file: /usr/bin/dayfact
    file: /usr/bin/raddepend
Binary-package: vdr-dbg (1.6.0-5)
    file: /usr/bin/vdrleaktest
Binary-package: ogle-mmx (0.9.2-5.2)
    file: /usr/lib/ogle/ogle_audio_debug
    file: /usr/lib/ogle/ogle_cli_debug
    file: /usr/lib/ogle/ogle_ctrl_debug
    file: /usr/lib/ogle/ogle_gui_debug
    file: /usr/lib/ogle/ogle_mpeg_ps_debug
    file: /usr/lib/ogle/ogle_mpeg_vs_debug
    file: /usr/lib/ogle/ogle_nav_debug
    file: /usr/lib/ogle/ogle_vout_debug
Binary-package: convirt (0.8.2-3)
    file: /usr/share/convirt/image_store/_template_/provision.sh
    file: /usr/share/convirt/image_store/Linux_CD_Install/provision.sh
    file: /usr/share/convirt/image_store/Fedora_PV_Install/provision.sh
    file: /usr/share/convirt/image_store/CentOS_PV_Install/provision.sh
    file: /usr/share/convirt/image_store/common/provision.sh
    file: /usr/share/convirt/image_store/example/provision.sh
    file: /usr/share/convirt/image_store/Windows_CD_Install/provision.sh
Binary-package: printfilters-ppd (2.13-9)
    file: /usr/lib/printfilters/master-filter
Binary-package: r-base-core (2.7.1-1)
    file: /usr/lib/R/bin/javareconf
    file: /usr/lib/R/bin/javareconf.orig
Binary-package: xmcd (2.6-19.3)
    file: /usr/share/xmcd/scripts/ncsarmt
    file: /usr/share/xmcd/scripts/ncsawrap
Binary-package: tiger (1:3.2.2-3.1)
    file: /usr/lib/tiger/util/genmsgidx
Binary-package: scilab-bin (4.1.2-5)
    file: /usr/lib/scilab-4.1.2/bin/scilink
    file: /usr/lib/scilab-4.1.2/util/scidoc
    file: /usr/lib/scilab-4.1.2/util/scidem
Binary-package: dpkg-cross (2.3.0)
    file: /usr/share/dpkg-cross/bin/gccross
Binary-package: ltp-network-test (20060918-2.1)
    file: /usr/lib/debian-test/tests/linux/testcases/bin/ftp_setup_vsftp_conf
    file: /usr/lib/debian-test/tests/linux/testcases/bin/nfs_fsstress.sh
Binary-package: cman (2.20080629-1)
    file: /usr/sbin/fence_egenera
Binary-package: scratchbox2 (1.99.0.24-1)
    file: /usr/share/scratchbox2/scripts/dpkg-checkbuilddeps
    file: /usr/share/scratchbox2/scripts/sb2-check-pkg-mappings
Binary-package: sendmail-base (8.14.3-5)
    file: /usr/sbin/checksendmail
    file: /usr/bin/expn
Binary-package: fwbuilder (2.1.19-3)
    file: /usr/bin/fwb_install
Binary-package: sng (1.0.2-5)
    file: /usr/bin/sng_regress
Binary-package: dist (1:3.5-17-1)
    file: /usr/bin/patcil
    file: /usr/bin/patdiff
Binary-package: sympa (5.3.4-5)
    file: /usr/lib/cgi-bin/sympa/wwsympa.fcgi
    file: /usr/lib/sympa/bin/sympa.pl
Binary-package: postfix (2.5.2-2)
    file: /usr/lib/postfix_groups.pl
Binary-package: caudium (3:1.4.12-11)
    file: /usr/share/caudium/configvar
Binary-package: mgetty-fax (1.1.36-1.2)
    file: /usr/bin/faxspool
Binary-package: aegis (4.24-3)
    file: /usr/share/doc/aegis/examples/remind/bng_dvlpd.sh
    file: /usr/share/doc/aegis/examples/remind/bng_rvwd.sh
    file: /usr/share/doc/aegis/examples/remind/awt_dvlp.sh
    file: /usr/share/doc/aegis/examples/remind/awt_intgrtn.sh
Binary-package: aegis-web (4.24-3)
    file: /usr/lib/cgi-bin/aegis.cgi
Binary-package: digitaldj (0.7.5-6+b1)
    file: /usr/share/digitaldj/fest.pl
Binary-package: mon (0.99.2-12)
    file: /usr/lib/mon/alert.d/test.alert
Binary-package: feta (1.4.16)
    file: /usr/share/feta/plugins/to-upgrade
Binary-package: arb-common (0.0.20071207.1-4)
    file: /usr/lib/arb/SH/arb_fastdnaml
    file: /usr/lib/arb/SH/dszmconnect.pl
Binary-package: qemu (0.9.1-5)
    file: /usr/sbin/qemu-make-debian-root
Binary-package: apertium (3.0.7+1-1+b1)
    file: /usr/bin/apertium-gen-deformat
    file: /usr/bin/apertium-gen-reformat
    file: /usr/bin/apertium
Binary-package: xcal (4.1-18.3)
    file: /usr/bin/pscal
Binary-package: myspell-tools (1:3.1-20)
    file: /usr/bin/i2myspell
Binary-package: gccxml (0.9.0+cvs20080525-1)
    file: /usr/share/gccxml-0.9/MIPSpro/find_flags
Binary-package: freeradius-dialupadmin (2.0.4+dfsg-4)
    file: /usr/share/freeradius-dialupadmin/bin/backup_radacct
    file: /usr/share/freeradius-dialupadmin/bin/clean_radacct
    file: /usr/share/freeradius-dialupadmin/bin/monthly_tot_stats
    file: /usr/share/freeradius-dialupadmin/bin/tot_stats
    file: /usr/share/freeradius-dialupadmin/bin/truncate_radacct
Binary-package: dhis-server (5.3-1)
    file: /usr/lib/dhis-server/dhis-dummy-log-engine
Binary-package: wims (3.62-13)
    file: /var/lib/wims/public_html/bin/coqweb
    file: /var/lib/wims/bin/account.sh
Binary-package: initramfs-tools (0.92f)
    file: /usr/share/initramfs-tools/init
Binary-package: realtimebattle-common (1.0.8-7)
    file: /usr/lib/realtimebattle/Robots/perl.robot
Binary-package: netmrg (0.20-1)
    file: /usr/bin/rrdedit
Binary-package: bulmages-servers (0.11.1-2)
    file: /usr/share/bulmages/examples/scripts/actualizabulmacont
    file: /usr/share/bulmages/examples/scripts/installbulmages-db
    file: /usr/share/bulmages/examples/scripts/creabulmafact
    file: /usr/share/bulmages/examples/scripts/creabulmacont
    file: /usr/share/bulmages/examples/scripts/actualizabulmafact
Binary-package: xastir (1.9.2-1)
    file: /usr/lib/xastir/get-maptools.sh
    file: /usr/lib/xastir/get_shapelib.sh
Binary-package: plait (1.5.2-1)
    file: /usr/bin/plaiter
    file: /usr/bin/plait
Binary-package: cdrw-taper (0.4-2)
    file: /usr/sbin/amlabel-cdrw
Binary-package: konwert-filters (1.8-11.1)
    file: /usr/share/konwert/filters/any-UTF8
Binary-package: gdrae (0.1-1)
    file: /usr/bin/gdrae
Binary-package: lazarus-src (0.9.24-0-9)
    file: /usr/lib/lazarus/tools/install/create_lazarus_export_tgz.sh




Reply sent to "Stefan Hornburg (Racke)" <racke@linuxia.de>:
You have taken responsibility.


Notification sent to "Dmitry E. Oboukhov" <dimka@uvw.ru>:
Bug acknowledged by developer.


Message #10 received at 496405-done@bugs.debian.org:

From: "Stefan Hornburg (Racke)" <racke@linuxia.de>
To: 496405-done@bugs.debian.org
Subject: Symlink attack already fixed
Date: Sun, 24 Aug 2008 20:38:40 +0200
version: 5.3.4-5.1

This bug has been fixed in 5.3.4-5.1, see bug #494969 for reference.

Regards
         Racke

-- 
LinuXia Systems => http://www.linuxia.de/
Expert Interchange Consulting and System Administration
ICDEVGROUP => http://www.icdevgroup.org/
Interchange Development Team





Information forwarded to debian-bugs-dist@lists.debian.org, Stefan Hornburg (Racke) <racke@linuxia.de>:
Bug#496405; Package sympa.


Acknowledgement sent to Olivier Berger <olivier.berger@it-sudparis.eu>:
Extra info received and forwarded to list. Copy sent to Stefan Hornburg (Racke) <racke@linuxia.de>.


Message #15 received at 496405@bugs.debian.org:

From: Olivier Berger <olivier.berger@it-sudparis.eu>
To: Thijs Kinkhorst <thijs@debian.org>
Cc: 494969@bugs.debian.org, "Dmitry E. Oboukhov" <unera@debian.org>, 496405@bugs.debian.org
Subject: Re: Bug#494969: sympa: Leftover debug code may lead to data loss
Date: Mon, 25 Aug 2008 11:59:46 +0200
On Thursday 21 August 2008 at 16:14 +0200, Thijs Kinkhorst wrote:

> When grepping the sympa source for "/tmp" I find quite some occurrences
> of other files directly in tmp with insecure filenames. It should be
> checked for each if that code is executed and whether or not they should
> be moved to Sympa's private tempdir.
> 

Indeed, grepping through the contents of the binary package gives quite some
occurrences:

./usr/share/doc/sympa/examples/config/sympa.conf:tmpdir /var/spool/sympa/tmp
./usr/lib/sympa/bin/Log.pm:    #open TMP, ">/tmp/logs.dump";
./usr/lib/sympa/bin/tt2.pl:     open my $fh, ">/tmp/tt2/$newname";
./usr/lib/sympa/bin/tools.pl:    ## first step is the msg signing OK ; /tmp/sympa-smime.$$ is created
./usr/lib/sympa/bin/tools.pl:    my $temporary_file = "/tmp/smime-sender.".$$ ;
./usr/lib/sympa/bin/List.pm:#   $parser->output_dir($Conf{'spool'} ."/tmp");    
./usr/lib/sympa/bin/List.pm:#    open TMP2, ">/tmp/digdump"; &tools::dump_var($param, 0, \*TMP2); close TMP2;
./usr/lib/sympa/bin/List.pm:#    open TMP2, ">/tmp/digdump"; &tools::dump_var($param, 0, \*TMP2); close TMP2;
./usr/lib/sympa/bin/sympasoap.pm:#    open TMP2, ">>/tmp/yy"; printf TMP2 "xxxxxxxxxx  parameters \n"; &tools::dump_var($proxy_vs, 0, \*TMP2);printf TMP2 "--------\n"; close TMP2;
./usr/lib/sympa/bin/CAS.pm:  $cas->proxyMode(pgtFile => '/tmp/pgt.txt',
./usr/lib/sympa/bin/sympa_wizard.pl:my $new_wwsympa_conf = '/tmp/wwsympa.conf';
./usr/lib/sympa/bin/sympa_wizard.pl:my $new_sympa_conf = '/tmp/sympa.conf';
./usr/lib/sympa/bin/Conf.pm:    $o{'tmpdir'}[0] = "$spool/tmp";
./usr/lib/sympa/bin/Conf.pm:    # open TMP, ">/tmp/dump1";&tools::dump_var(&load_generic_conf_file($config,\%trusted_applications);, 0,\*TMP);close TMP;
./usr/lib/sympa/bin/Conf.pm:#open TMP2, ">>/tmp/sss"; printf TMP2 "xxxxxxxxxxxxxxxxxxx--------structure admin\n"; &tools::dump_var(\%admin, 0, \*TMP2);printf TMP2 "xxxxxxxxxxxxxxxxxxx--------\n"; close TMP2;
./usr/lib/sympa/bin/sympa_soap_client.pl:#                                   file => '/tmp/my_cookies' );
./usr/lib/sympa/bin/sympa_soap_client.pl:                                    file => '/tmp/my_cookies' );
./usr/lib/sympa/bin/Family.pm: #   open TMP, ">/tmp/dump1";
./usr/lib/sympa/bin/Auth.pm:    # open TMP2, ">>/tmp/yy"; printf TMP2 "xxxxxxxxxxx\@ trusted_apps \n"; &tools::dump_var(\@trusted_apps, 0, \*TMP2);printf TMP2 "--------\n"; close TMP2;
./usr/lib/sympa/bin/sympa.pl:   --make_alias_file                     : create file in /tmp with all aliases (usefull when aliases.tpl is changed)
./usr/lib/cgi-bin/sympa/wwsympa.fcgi: #    open TMP, ">/tmp/dump1";
./usr/lib/cgi-bin/sympa/wwsympa.fcgi: #    open TMP, ">/tmp/dump2";
./usr/lib/cgi-bin/sympa/wwsympa.fcgi:     #open TMP, ">/tmp/dump1";
./usr/bin/sympa:   --make_alias_file                     : create file in /tmp with all aliases (usefull when aliases.tpl is changed)
./usr/bin/sympa_wizard:my $new_wwsympa_conf = '/tmp/wwsympa.conf';
./usr/bin/sympa_wizard:my $new_sympa_conf = '/tmp/sympa.conf';

I think that even though the first ones reported on /usr/lib/cgi-bin/sympa/wwsympa.fcgi and /usr/lib/sympa/bin/sympa.pl are now fixed by the uploaded 5.3.4-5.1, there's some more need for analysis (checking with upstream too).

I think that opening a distinct bug would probably be better too.

Hope this helps.

-- 
Olivier BERGER <olivier.berger@it-sudparis.eu>
http://www-public.it-sudparis.eu/~berger_o/ - OpenPGP-Id: 1024D/6B829EEC
Research Engineer - Dept INF
Institut TELECOM, SudParis (http://www.it-sudparis.eu/), Evry (France)
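As an added example (not code from the bug report or from Sympa), the predictable-name pattern discussed in the first message and visible in the grep output above (`"/tmp/smime-sender.".$$` in tools.pl) is shown in Python beside its hardened form and beside the private-tempdir approach the fix moves to. The scratch directory, victim file, symlink and pid value are constructed for the demonstration.

```python
import errno
import os
import shutil
import tempfile

def predictable_path(tmpdir, pid):
    # Models the pattern flagged in the thread: "/tmp/smime-sender." . $$
    # The name depends only on the pid, so it can be pre-created by anyone.
    return os.path.join(tmpdir, "smime-sender.%d" % pid)

def write_insecure(path, data):
    # Flawed form: a plain open-for-write follows a symlink planted at the
    # predictable name and truncates whatever file it points at.
    with open(path, "w") as fh:
        fh.write(data)

def write_secure(path, data):
    # Hardened form: O_EXCL fails if the name exists (a symlink counts,
    # wherever it points) and O_NOFOLLOW refuses to follow one.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(path, flags, 0o600)
    except OSError as exc:
        if exc.errno in (errno.EEXIST, errno.ELOOP):
            return False            # refuse rather than touch a foreign file
        raise
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return True

def private_tempfile(private_dir, data):
    # What the thread's fix amounts to: an unpredictable name, created with
    # O_EXCL by mkstemp, inside a directory only the service can write to.
    fd, path = tempfile.mkstemp(prefix="smime-sender.", dir=private_dir)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return path

def demo(pid=4242):
    # Scratch dir stands in for /tmp; victim file and symlink are constructed.
    scratch = tempfile.mkdtemp()
    try:
        victim = os.path.join(scratch, "victim.conf")
        with open(victim, "w") as fh:
            fh.write("important=yes\n")
        link = predictable_path(scratch, pid)
        os.symlink(victim, link)
        secure_ok = write_secure(link, "junk\n")
        after_secure = open(victim).read()
        write_insecure(link, "junk\n")
        after_insecure = open(victim).read()
        private_dir = os.path.join(scratch, "spool-tmp")
        os.mkdir(private_dir, 0o700)
        tmp = private_tempfile(private_dir, "junk\n")
        return secure_ok, after_secure, after_insecure, tmp.startswith(private_dir)
    finally:
        shutil.rmtree(scratch)
```

Note that a pid-based name only narrows the guess: the first message's point that an attacker can plant one link per plausible pid is why the fix is an unpredictable name in a private directory, not a different suffix.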





Forcibly Merged 494969 496405. Request was from Olivier Berger <olivier.berger@it-sudparis.eu> to control@bugs.debian.org. (Mon, 25 Aug 2008 12:42:19 GMT)


Bug reopened, originator not changed. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Wed, 27 Aug 2008 15:27:05 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 16 Feb 2009 07:40:53 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 13:03:47 2025; Machine Name: buxtehude
