Debian Bug report logs - #496419
The possibility of attack with the help of symlinks in some Debian packages

version graph

Package: convirt; Maintainer for convirt is Roland Stigge <stigge@antcom.de>;

Reported by: "Dmitry E. Oboukhov" <dimka@uvw.ru>

Date: Sun, 24 Aug 2008 18:11:40 UTC

Severity: grave

Tags: confirmed, patch, security

Fixed in version convirt/0.9.6-1

Done: Roland Stigge <stigge@antcom.de>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Roland Stigge <stigge@antcom.de>:
Bug#496419; Package convirt. Full text and rfc822 format available.

Acknowledgement sent to "Dmitry E. Oboukhov" <dimka@uvw.ru>:
New Bug report received and forwarded. Copy sent to Roland Stigge <stigge@antcom.de>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: "Dmitry E. Oboukhov" <dimka@uvw.ru>
To: submit@bugs.debian.org
Cc: dimka@uvw.ru
Subject: The possibility of attack with the help of symlinks in some Debian packages
Date: Sun, 24 Aug 2008 22:05:29 +0400
Package: convirt
Severity: grave

Hi, maintainer!

This message about the error concerns a few packages  at  once.   I've
tested all the packages (for Lenny) on my Debian mirror.  All  scripts
of packages (marked as executable) were tested.

In some packages I've discovered scripts with errors which may be used
by a user for damaging important system files or user's files.

For example if a script uses in its work a temp file which is  created
in /tmp directory, then every user can create symlink  with  the  same
name in this directory in order to  destroy  or  rewrite  some  system
or user file.  Symlink attack may also  lead  not  only  to  the  data
desctruction but to denial of service as well.

Even if you create files or directories with help of function 'RANDOM'
or pid(), then your system is not protected. Attacker can create many
symlinks in order to destroy your data or create 'denial  of  service'
for your package scripts.

Even if you make rm(dir) for files/directories, then  your  system  is
not protected. Attacker can permanently create symlinks.

This list is created with the help of script.  This list is sorted  by
hand. Howewer in some cases mistake is possible.

Please, Be understanding to possible mistakes. :)

I set Severity into grave for this bug. The table of discovered
problems is below.

Discussion of this bug you can see in debian-devel@:
    http://lists.debian.org/debian-devel/2008/08/msg00271.html

Binary-package: r-base-core-ra (1.1.1-1)
    file: /usr/lib/Ra/lib/R/bin/javareconf
Binary-package: rccp (0.9-2)
    file: /usr/lib/rccp/delqueueask
Binary-package: mafft (6.240-1)
    file: /usr/bin/mafft-homologs
Binary-package: openoffice.org-common (1:2.4.1-6)
    file: /usr/lib/openoffice/program/senddoc
Binary-package: crossfire-maps (1.11.0-1)
    file: /usr/share/games/crossfire/maps/Info/combine.pl
Binary-package: sgml2x (1.0.0-11.1)
    file: /usr/bin/rlatex
Binary-package: liguidsoap (0.3.6-4)
    file: /var/lib/liguidsoap/liguidsoap.py
Binary-package: citadel-server (7.37-1)
    file: /usr/lib/citadel-server/migrate_aliases.sh
Binary-package: ampache (3.4.1-1)
    file: /usr/share/ampache/www/locale/base/gather-messages.sh
Binary-package: xen-utils-3.2-1 (3.2.1-2)
    file: /usr/lib/xen-3.2-1/bin/qemu-dm.debug
Binary-package: dtc-common (0.29.6-1)
    file: /usr/share/dtc/admin/accesslog.php
    file: /usr/share/dtc/admin/sa-wrapper
Binary-package: honeyd-common (1.5c-3)
    file: /usr/share/honeyd/scripts/test.sh
Binary-package: lustre-tests (1.6.5-1)
    file: /usr/lib/lustre/tests/runiozone
Binary-package: linuxtrade (3.65-8+b4)
    file: /usr/share/linuxtrade/bin/linuxtrade.bwkvol
    file: /usr/share/linuxtrade/bin/linuxtrade.wn
    file: /usr/share/linuxtrade/bin/moneyam.helper
Binary-package: freevo (1.8.1-0)
    file: /usr/bin/freevo.real
Binary-package: fml (4.0.3.dfsg-2)
    file: /usr/share/fml/libexec/mead.pl
Binary-package: rkhunter (1.3.2-3)
    file: /usr/bin/rkhunter
Binary-package: openswan (1:2.4.12+dfsg-1.1)
    file: /usr/lib/ipsec/livetest
Binary-package: linux-patch-openswan (1:2.4.12+dfsg-1.1)
    file: /usr/src/kernel-patches/all/openswan/packaging/utils/maysnap
    file: /usr/src/kernel-patches/all/openswan/packaging/utils/maytest
Binary-package: aptoncd (0.1-1.1)
    file: /usr/share/aptoncd/xmlfile.py
Binary-package: cdcontrol (1.90-1.1)
    file: /usr/lib/cdcontrol/writtercontrol
Binary-package: newsgate (1.6-23)
    file: /usr/bin/mkmailpost
Binary-package: gpsdrive-scripts (2.10~pre4-3)
    file: /usr/bin/geo-code
Binary-package: impose+ (0.2-11)
    file: /usr/bin/impose
Binary-package: mgt (2.31-5)
    file: /usr/games/mailgo
Binary-package: audiolink (0.05-1)
    file: /usr/bin/audiolink
Binary-package: ibackup (2.27-4.1)
    file: /usr/bin/ibackup
Binary-package: emacspeak (26.0-3)
    file: /usr/share/emacs/site-lisp/emacspeak/etc/extract-table.pl
Binary-package: bk2site (1:1.1.9-3.1)
    file: /usr/lib/cgi-bin/bk2site/redirect.pl
Binary-package: datafreedom-perl (0.1.7-1)
    file: /usr/bin/dfxml-invoice
Binary-package: emacs-jabber (0.7.91-1)
    file: /usr/lib/emacsen-common/packages/install/emacs-jabber
Binary-package: lmbench (3.0-a7-1)
    file: /usr/lib/lmbench/scripts/rccs
    file: /usr/lib/lmbench/scripts/STUFF
Binary-package: rancid-util (2.3.2~a8-1)
    file: /var/lib/rancid/getipacctg
Binary-package: ogle (0.9.2-5.2)
    file: /usr/lib/ogle/ogle_audio_debug
    file: /usr/lib/ogle/ogle_cli_debug
    file: /usr/lib/ogle/ogle_ctrl_debug
    file: /usr/lib/ogle/ogle_gui_debug
    file: /usr/lib/ogle/ogle_mpeg_ps_debug
    file: /usr/lib/ogle/ogle_mpeg_vs_debug
    file: /usr/lib/ogle/ogle_nav_debug
    file: /usr/lib/ogle/ogle_vout_debug
Binary-package: firehol (1.256-4)
    file: /sbin/firehol
Binary-package: aview (1.3.0rc1-8)
    file: /usr/bin/asciiview
Binary-package: radiance (3R9+20080530-3)
    file: /usr/bin/optics2rad
    file: /usr/bin/pdelta
    file: /usr/bin/dayfact
    file: /usr/bin/raddepend
Binary-package: vdr-dbg (1.6.0-5)
    file: /usr/bin/vdrleaktest
Binary-package: ogle-mmx (0.9.2-5.2)
    file: /usr/lib/ogle/ogle_audio_debug
    file: /usr/lib/ogle/ogle_cli_debug
    file: /usr/lib/ogle/ogle_ctrl_debug
    file: /usr/lib/ogle/ogle_gui_debug
    file: /usr/lib/ogle/ogle_mpeg_ps_debug
    file: /usr/lib/ogle/ogle_mpeg_vs_debug
    file: /usr/lib/ogle/ogle_nav_debug
    file: /usr/lib/ogle/ogle_vout_debug
Binary-package: convirt (0.8.2-3)
    file: /usr/share/convirt/image_store/_template_/provision.sh
    file: /usr/share/convirt/image_store/Linux_CD_Install/provision.sh
    file: /usr/share/convirt/image_store/Fedora_PV_Install/provision.sh
    file: /usr/share/convirt/image_store/CentOS_PV_Install/provision.sh
    file: /usr/share/convirt/image_store/common/provision.sh
    file: /usr/share/convirt/image_store/example/provision.sh
    file: /usr/share/convirt/image_store/Windows_CD_Install/provision.sh
Binary-package: printfilters-ppd (2.13-9)
    file: /usr/lib/printfilters/master-filter
Binary-package: r-base-core (2.7.1-1)
    file: /usr/lib/R/bin/javareconf
    file: /usr/lib/R/bin/javareconf.orig
Binary-package: xmcd (2.6-19.3)
    file: /usr/share/xmcd/scripts/ncsarmt
    file: /usr/share/xmcd/scripts/ncsawrap
Binary-package: tiger (1:3.2.2-3.1)
    file: /usr/lib/tiger/util/genmsgidx
Binary-package: scilab-bin (4.1.2-5)
    file: /usr/lib/scilab-4.1.2/bin/scilink
    file: /usr/lib/scilab-4.1.2/util/scidoc
    file: /usr/lib/scilab-4.1.2/util/scidem
Binary-package: dpkg-cross (2.3.0)
    file: /usr/share/dpkg-cross/bin/gccross
Binary-package: ltp-network-test (20060918-2.1)
    file: /usr/lib/debian-test/tests/linux/testcases/bin/ftp_setup_vsftp_conf
    file: /usr/lib/debian-test/tests/linux/testcases/bin/nfs_fsstress.sh
Binary-package: cman (2.20080629-1)
    file: /usr/sbin/fence_egenera
Binary-package: scratchbox2 (1.99.0.24-1)
    file: /usr/share/scratchbox2/scripts/dpkg-checkbuilddeps
    file: /usr/share/scratchbox2/scripts/sb2-check-pkg-mappings
Binary-package: sendmail-base (8.14.3-5)
    file: /usr/sbin/checksendmail
    file: /usr/bin/expn
Binary-package: fwbuilder (2.1.19-3)
    file: /usr/bin/fwb_install
Binary-package: sng (1.0.2-5)
    file: /usr/bin/sng_regress
Binary-package: dist (1:3.5-17-1)
    file: /usr/bin/patcil
    file: /usr/bin/patdiff
Binary-package: sympa (5.3.4-5)
    file: /usr/lib/cgi-bin/sympa/wwsympa.fcgi
    file: /usr/lib/sympa/bin/sympa.pl
Binary-package: postfix (2.5.2-2)
    file: /usr/lib/postfix_groups.pl
Binary-package: caudium (3:1.4.12-11)
    file: /usr/share/caudium/configvar
Binary-package: mgetty-fax (1.1.36-1.2)
    file: /usr/bin/faxspool
Binary-package: aegis (4.24-3)
    file: /usr/share/doc/aegis/examples/remind/bng_dvlpd.sh
    file: /usr/share/doc/aegis/examples/remind/bng_rvwd.sh
    file: /usr/share/doc/aegis/examples/remind/awt_dvlp.sh
    file: /usr/share/doc/aegis/examples/remind/awt_intgrtn.sh
Binary-package: aegis-web (4.24-3)
    file: /usr/lib/cgi-bin/aegis.cgi
Binary-package: digitaldj (0.7.5-6+b1)
    file: /usr/share/digitaldj/fest.pl
Binary-package: mon (0.99.2-12)
    file: /usr/lib/mon/alert.d/test.alert
Binary-package: feta (1.4.16)
    file: /usr/share/feta/plugins/to-upgrade
Binary-package: arb-common (0.0.20071207.1-4)
    file: /usr/lib/arb/SH/arb_fastdnaml
    file: /usr/lib/arb/SH/dszmconnect.pl
Binary-package: qemu (0.9.1-5)
    file: /usr/sbin/qemu-make-debian-root
Binary-package: apertium (3.0.7+1-1+b1)
    file: /usr/bin/apertium-gen-deformat
    file: /usr/bin/apertium-gen-reformat
    file: /usr/bin/apertium
Binary-package: xcal (4.1-18.3)
    file: /usr/bin/pscal
Binary-package: myspell-tools (1:3.1-20)
    file: /usr/bin/i2myspell
Binary-package: gccxml (0.9.0+cvs20080525-1)
    file: /usr/share/gccxml-0.9/MIPSpro/find_flags
Binary-package: freeradius-dialupadmin (2.0.4+dfsg-4)
    file: /usr/share/freeradius-dialupadmin/bin/backup_radacct
    file: /usr/share/freeradius-dialupadmin/bin/clean_radacct
    file: /usr/share/freeradius-dialupadmin/bin/monthly_tot_stats
    file: /usr/share/freeradius-dialupadmin/bin/tot_stats
    file: /usr/share/freeradius-dialupadmin/bin/truncate_radacct
Binary-package: dhis-server (5.3-1)
    file: /usr/lib/dhis-server/dhis-dummy-log-engine
Binary-package: wims (3.62-13)
    file: /var/lib/wims/public_html/bin/coqweb
    file: /var/lib/wims/bin/account.sh
Binary-package: initramfs-tools (0.92f)
    file: /usr/share/initramfs-tools/init
Binary-package: realtimebattle-common (1.0.8-7)
    file: /usr/lib/realtimebattle/Robots/perl.robot
Binary-package: netmrg (0.20-1)
    file: /usr/bin/rrdedit
Binary-package: bulmages-servers (0.11.1-2)
    file: /usr/share/bulmages/examples/scripts/actualizabulmacont
    file: /usr/share/bulmages/examples/scripts/installbulmages-db
    file: /usr/share/bulmages/examples/scripts/creabulmafact
    file: /usr/share/bulmages/examples/scripts/creabulmacont
    file: /usr/share/bulmages/examples/scripts/actualizabulmafact
Binary-package: xastir (1.9.2-1)
    file: /usr/lib/xastir/get-maptools.sh
    file: /usr/lib/xastir/get_shapelib.sh
Binary-package: plait (1.5.2-1)
    file: /usr/bin/plaiter
    file: /usr/bin/plait
Binary-package: cdrw-taper (0.4-2)
    file: /usr/sbin/amlabel-cdrw
Binary-package: konwert-filters (1.8-11.1)
    file: /usr/share/konwert/filters/any-UTF8
Binary-package: gdrae (0.1-1)
    file: /usr/bin/gdrae
Binary-package: lazarus-src (0.9.24-0-9)
    file: /usr/lib/lazarus/tools/install/create_lazarus_export_tgz.sh




Tags added: Request was from "Dmitry E. Oboukhov" <dimka@uvw.ru> to control@bugs.debian.org. (Tue, 26 Aug 2008 08:45:48 GMT) Full text and rfc822 format available.

Tags added: security Request was from "Dmitry E. Oboukhov" <dimka@uvw.ru> to control@bugs.debian.org. (Tue, 26 Aug 2008 08:57:38 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Roland Stigge <stigge@antcom.de>:
Bug#496419; Package convirt. Full text and rfc822 format available.

Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Roland Stigge <stigge@antcom.de>. Full text and rfc822 format available.

Message #14 received at 496419@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: 496419@bugs.debian.org
Cc: control@bugs.debian.org
Subject: issue is present, code runs as root
Date: Wed, 27 Aug 2008 14:42:45 +0200
[Message part 1 (text/plain, inline)]
tags 496419 confirmed
thanks

Hi,

A simple grep revealed a lot of tempfile issues here, see below. As far as I 
understand it, the code runs as root. This makes the issue quite serious. 
Please make sure this is fixed before lenny is released.

As several different temp files are used insecurely, it may be better to 
create a separate, private working directory for the program where it may 
store all those files at will.


cheers,
Thijs

./config-scripts/xen-3.2/configure-xend.sh:    cat  <<EOF > /tmp/open_ssl.res
./config-scripts/xen-3.2/configure-xend.sh:    $OPENSSL req -new -key 
$KEY -out $CSR < /tmp/open_ssl.res
./config-scripts/xen-3.2/configure-xend.sh:    rm /tmp/open_ssl.res
./config-scripts/xen-3.1/configure-xend.sh:    cat  <<EOF > /tmp/open_ssl.res
./config-scripts/xen-3.1/configure-xend.sh:    $OPENSSL req -new -key 
$KEY -out $CSR < /tmp/open_ssl.res
./config-scripts/xen-3.1/configure-xend.sh:    rm /tmp/open_ssl.res
./src/utils.py:    updates_file = "/tmp/updates.xml"
./src/utils.py:                                                          
dir="/tmp")
./src/utils.py:    TEST_CONFIGFILE = '/tmp/convirt.conf'
./src/XenNode.py:    dom_config.save("/tmp/test_config")
./src/XenNode.py:    newcfg.set_filename("/tmp/Txx")
./src/XenNode.py:    f = managed_node.node_proxy.open("/tmp/Txx")
./src/XenNode.py:    print "### read config from /etc/xen/auto and write them 
to /tmp"
./src/XenNode.py:        d.save("/tmp/" + f)
./src/NodeProxy.py:    node.put("/tmp/send", "/tmp/send_r")
./src/NodeProxy.py:    node.get("/tmp/send_r", "/tmp/received")
./src/NodeProxy.py:    fd = node.open('/tmp/test_writable','w')
./src/NodeProxy.py:    
print 'exists?: ',node.file_exists('/tmp/test_writable')
./src/NodeProxy.py:    print 'isWritable?: ', 
node.file_is_writable('/tmp/test_writable')
./src/NodeProxy.py:    node.remove('/tmp/test_writable')
./src/NodeProxy.py:    print 'exists?: ', 
node.file_exists('/tmp/test_writable')
./src/NodeProxy.py:            node.mkdir("/tmp/node_test")
./src/NodeProxy.py:        w = node.open("/tmp/node_test/test", "w")
./src/NodeProxy.py:        r = node.open("/tmp/node_test/test")
./src/NodeProxy.py:        node.remove("/tmp/node_test/test")
./src/NodeProxy.py:        node.rmdir("/tmp/node_test")
./src/NodeProxy.py:        output,code = node.exec_cmd('find /tmp')
./src/NodeProxy.py:        output,code = node.exec_cmd('junk /tmp')
./src/GridManager.py:                                                          
dir="/tmp")
./src/KVMProxy.py:            cmdline = cmdline + " -monitor unix:/tmp/" + 
config.get("name") + \
./src/KVMProxy.py:    config["monitor"] = "unix:/tmp/xyz"
[Message part 2 (application/pgp-signature, inline)]

Tags added: confirmed Request was from Thijs Kinkhorst <thijs@debian.org> to control@bugs.debian.org. (Wed, 27 Aug 2008 12:45:03 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Roland Stigge <stigge@antcom.de>:
Bug#496419; Package convirt. Full text and rfc822 format available.

Acknowledgement sent to Sebastien Delafond <seb@debian.org>:
Extra info received and forwarded to list. Copy sent to Roland Stigge <stigge@antcom.de>. Full text and rfc822 format available.

Message #21 received at 496419@bugs.debian.org (full text, mbox):

From: Sebastien Delafond <seb@debian.org>
To: 496419@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Patch
Date: Wed, 10 Sep 2008 16:30:36 -0700
[Message part 1 (text/plain, inline)]
tag 496419 + patch
thanks

Hi,

attached is a patch for a tentative 0.8.2-3.1, that aims at handling
temporary files more securely by designating ~/.convirt/tmp as their
base path.

I do not use convirt myself, so if this patch raises additional issues
please let me know; it should at least provide the basis for a better
fix, if need be.

Cheers,

--Seb
[convirt.debdiff (text/plain, attachment)]

Tags added: patch Request was from Sebastien Delafond <seb@debian.org> to control@bugs.debian.org. (Wed, 10 Sep 2008 23:33:04 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Roland Stigge <stigge@antcom.de>:
Bug#496419; Package convirt. (Sun, 28 Sep 2008 08:48:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Roland Stigge <stigge@antcom.de>. (Sun, 28 Sep 2008 08:48:02 GMT) Full text and rfc822 format available.

Message #28 received at 496419@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: debian-release@lists.debian.org
Cc: 496419@bugs.debian.org, 497761@bugs.debian.org, secure-testing-team@lists.alioth.debian.org
Subject: please remove convirt and cgiwrap from testing
Date: Sun, 28 Sep 2008 10:45:30 +0200
[Message part 1 (text/plain, inline)]
Hi,

Here's a request to remove two security-bugged packages from testing:

convirt:
 * Has security issue spread around the code. There's a patch but
   it's necessarily invasive and untested.
 * No maintainer response to the security bug or any other open bug.
 * Package not in stable, doesn't seem a good idea to introduce it into
   stable when it's unmaintained.

cgiwrap:
 * Security issue with no adequate patch available.
 * Security sensitive application but unmaintained; last maintainer
   upload in 2005.
 * Many newer upstreams available.


thanks,
Thijs
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Roland Stigge <stigge@antcom.de>:
Bug#496419; Package convirt. (Sun, 28 Sep 2008 12:18:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Pierre Habouzit <madcoder@debian.org>:
Extra info received and forwarded to list. Copy sent to Roland Stigge <stigge@antcom.de>. (Sun, 28 Sep 2008 12:18:02 GMT) Full text and rfc822 format available.

Message #33 received at 496419@bugs.debian.org (full text, mbox):

From: Pierre Habouzit <madcoder@debian.org>
To: Thijs Kinkhorst <thijs@debian.org>
Cc: debian-release@lists.debian.org, 496419@bugs.debian.org, 497761@bugs.debian.org, secure-testing-team@lists.alioth.debian.org
Subject: Re: please remove convirt and cgiwrap from testing
Date: Sun, 28 Sep 2008 14:15:35 +0200
[Message part 1 (text/plain, inline)]
On Sun, Sep 28, 2008 at 08:45:30AM +0000, Thijs Kinkhorst wrote:
> Hi,
> 
> Here's a request to remove two security-bugged packages from testing:
> 
> convirt:
>  * Has security issue spread around the code. There's a patch but
>    it's necessarily invasive and untested.
>  * No maintainer response to the security bug or any other open bug.
>  * Package not in stable, doesn't seem a good idea to introduce it into
>    stable when it's unmaintained.
> 
> cgiwrap:
>  * Security issue with no adequate patch available.
>  * Security sensitive application but unmaintained; last maintainer
>    upload in 2005.
>  * Many newer upstreams available.

done
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Roland Stigge <stigge@antcom.de>:
Bug#496419; Package convirt. (Thu, 08 Jan 2009 09:42:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Roland Stigge <stigge@antcom.de>. (Thu, 08 Jan 2009 09:42:02 GMT) Full text and rfc822 format available.

Message #38 received at 496419@bugs.debian.org (full text, mbox):

From: Raphael Hertzog <hertzog@debian.org>
To: Roland Stigge <stigge@antcom.de>, 496419@bugs.debian.org
Subject: Re: Bug#496419: issue is present, code runs as root
Date: Thu, 8 Jan 2009 10:38:23 +0100
Hi Roland,

you did not handle this RC bug and hence ConVirt is not part of Lenny…
it's a pity as XenMan used to be part of Etch.

There's a new upstream release out and they claim having done "Critical
bugfixes", maybe it's related?

Please take care of the package or find some help to maintain it.

Cheers,

On Wed, 27 Aug 2008, Thijs Kinkhorst wrote:
> tags 496419 confirmed
> thanks
> 
> Hi,
> 
> A simple grep revealed a lot of tempfile issues here, see below. As far as I 
> understand it, the code runs as root. This makes the issue quite serious. 
> Please make sure this is fixed before lenny is released.
> 
> As several different temp files are used insecurely, it may be better to 
> create a separate, private working directory for the program where it may 
> store all those files at will.
> 
> 
> cheers,
> Thijs
> 
> ./config-scripts/xen-3.2/configure-xend.sh:    cat  <<EOF > /tmp/open_ssl.res
> ./config-scripts/xen-3.2/configure-xend.sh:    $OPENSSL req -new -key 
> $KEY -out $CSR < /tmp/open_ssl.res
> ./config-scripts/xen-3.2/configure-xend.sh:    rm /tmp/open_ssl.res
> ./config-scripts/xen-3.1/configure-xend.sh:    cat  <<EOF > /tmp/open_ssl.res
> ./config-scripts/xen-3.1/configure-xend.sh:    $OPENSSL req -new -key 
> $KEY -out $CSR < /tmp/open_ssl.res
> ./config-scripts/xen-3.1/configure-xend.sh:    rm /tmp/open_ssl.res
> ./src/utils.py:    updates_file = "/tmp/updates.xml"
> ./src/utils.py:                                                          
> dir="/tmp")
> ./src/utils.py:    TEST_CONFIGFILE = '/tmp/convirt.conf'
> ./src/XenNode.py:    dom_config.save("/tmp/test_config")
> ./src/XenNode.py:    newcfg.set_filename("/tmp/Txx")
> ./src/XenNode.py:    f = managed_node.node_proxy.open("/tmp/Txx")
> ./src/XenNode.py:    print "### read config from /etc/xen/auto and write them 
> to /tmp"
> ./src/XenNode.py:        d.save("/tmp/" + f)
> ./src/NodeProxy.py:    node.put("/tmp/send", "/tmp/send_r")
> ./src/NodeProxy.py:    node.get("/tmp/send_r", "/tmp/received")
> ./src/NodeProxy.py:    fd = node.open('/tmp/test_writable','w')
> ./src/NodeProxy.py:    
> print 'exists?: ',node.file_exists('/tmp/test_writable')
> ./src/NodeProxy.py:    print 'isWritable?: ', 
> node.file_is_writable('/tmp/test_writable')
> ./src/NodeProxy.py:    node.remove('/tmp/test_writable')
> ./src/NodeProxy.py:    print 'exists?: ', 
> node.file_exists('/tmp/test_writable')
> ./src/NodeProxy.py:            node.mkdir("/tmp/node_test")
> ./src/NodeProxy.py:        w = node.open("/tmp/node_test/test", "w")
> ./src/NodeProxy.py:        r = node.open("/tmp/node_test/test")
> ./src/NodeProxy.py:        node.remove("/tmp/node_test/test")
> ./src/NodeProxy.py:        node.rmdir("/tmp/node_test")
> ./src/NodeProxy.py:        output,code = node.exec_cmd('find /tmp')
> ./src/NodeProxy.py:        output,code = node.exec_cmd('junk /tmp')
> ./src/GridManager.py:                                                          
> dir="/tmp")
> ./src/KVMProxy.py:            cmdline = cmdline + " -monitor unix:/tmp/" + 
> config.get("name") + \
> ./src/KVMProxy.py:    config["monitor"] = "unix:/tmp/xyz"



-- 
Raphaël Hertzog

Le best-seller français mis à jour pour Debian Etch :
http://www.ouaza.com/livre/admin-debian/




Reply sent to Roland Stigge <stigge@antcom.de>:
You have taken responsibility. (Tue, 23 Jun 2009 13:57:03 GMT) Full text and rfc822 format available.

Notification sent to "Dmitry E. Oboukhov" <dimka@uvw.ru>:
Bug acknowledged by developer. (Tue, 23 Jun 2009 13:57:03 GMT) Full text and rfc822 format available.

Message #43 received at 496419-close@bugs.debian.org (full text, mbox):

From: Roland Stigge <stigge@antcom.de>
To: 496419-close@bugs.debian.org
Subject: Bug#496419: fixed in convirt 0.9.6-1
Date: Tue, 23 Jun 2009 13:47:10 +0000
Source: convirt
Source-Version: 0.9.6-1

We believe that the bug you reported is fixed in the latest version of
convirt, which is due to be installed in the Debian FTP archive:

convirt_0.9.6-1.diff.gz
  to pool/main/c/convirt/convirt_0.9.6-1.diff.gz
convirt_0.9.6-1.dsc
  to pool/main/c/convirt/convirt_0.9.6-1.dsc
convirt_0.9.6-1_all.deb
  to pool/main/c/convirt/convirt_0.9.6-1_all.deb
convirt_0.9.6.orig.tar.gz
  to pool/main/c/convirt/convirt_0.9.6.orig.tar.gz
xenman_0.9.6-1_all.deb
  to pool/main/c/convirt/xenman_0.9.6-1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 496419@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Roland Stigge <stigge@antcom.de> (supplier of updated convirt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 23 Jun 2009 12:32:10 +0200
Source: convirt
Binary: convirt xenman
Architecture: source all
Version: 0.9.6-1
Distribution: unstable
Urgency: low
Maintainer: Roland Stigge <stigge@antcom.de>
Changed-By: Roland Stigge <stigge@antcom.de>
Description: 
 convirt    - A graphical Xen management tool
 xenman     - transitional package for Debian lenny
Closes: 496419
Changes: 
 convirt (0.9.6-1) unstable; urgency=low
 .
   * New upstream release
   * Applied security fixes from Sebastien Delafond (Closes: #496419)
Checksums-Sha1: 
 d518aa279751276138c1282a92553311f83f6303 965 convirt_0.9.6-1.dsc
 ffa99cc601d7654d4147755ba2b4f078f96393d6 690666 convirt_0.9.6.orig.tar.gz
 60c44c6bf08a77286f3be37c5dbf947f4985647d 7663 convirt_0.9.6-1.diff.gz
 59c6ebc6b30913db6cd3b499bc1bd868d82b384b 410652 convirt_0.9.6-1_all.deb
 6496cd9dfd28a7107cfd47f198c38639233c52cd 6368 xenman_0.9.6-1_all.deb
Checksums-Sha256: 
 9ade3b29c68ffd4e920a5e31053321195fd688ff9c3740daa98985628072ede2 965 convirt_0.9.6-1.dsc
 8c63c2ed985bbca69db1d5c40c73336b4f692ba9ff8e67fcaf35b1ff34f289b1 690666 convirt_0.9.6.orig.tar.gz
 20455ac2a36666c660855eae6d90e7f3a87058d57b280b2b7f6834738fd36482 7663 convirt_0.9.6-1.diff.gz
 adef2c1fda6433c108b47dea2f4e7c2bbf3abd523b3d9e496da438d38d29a754 410652 convirt_0.9.6-1_all.deb
 4a5fd36600e8ae702fa9cbac7bddb4bbec6e8fe66ea9de18c7a8cfb1e92b598a 6368 xenman_0.9.6-1_all.deb
Files: 
 caa9077c9ab56708950b3c96f7ed2b7b 965 admin optional convirt_0.9.6-1.dsc
 7ff7952a68ebf62ba784dae74f77f950 690666 admin optional convirt_0.9.6.orig.tar.gz
 25438fec107f33fcad865a02f9fa01ee 7663 admin optional convirt_0.9.6-1.diff.gz
 8d6a1e59699a9f332b5c88233f0dce81 410652 admin optional convirt_0.9.6-1_all.deb
 f9fd6f3695da46d4c8351d47d8c98f71 6368 admin optional xenman_0.9.6-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFKQNk8caH/YBv43g8RAiBWAJ0ZdN8yfd28vs45eiUcDAFMoFcROQCgswdh
nvlQ13f7QDA4/CvaZzOobDU=
=27ul
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 01 Aug 2009 07:40:57 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 05:43:08 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.