Package: lmbench; Maintainer for lmbench is Debian QA Group <packages@qa.debian.org>; Source for lmbench is src:lmbench.
Reported by: "Dmitry E. Oboukhov" <dimka@uvw.ru>
Date: Sun, 24 Aug 2008 18:12:01 UTC
Severity: grave
Tags: confirmed, security
Fixed in version lmbench/3.0-a9-1
Done: Al Stone <ahs3@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Al Stone <ahs3@debian.org>:
Bug#496427; Package lmbench.
Acknowledgement sent to "Dmitry E. Oboukhov" <dimka@uvw.ru>:
New Bug report received and forwarded. Copy sent to Al Stone <ahs3@debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: lmbench
Severity: grave
Hi, maintainer!
This message about the error concerns a few packages at once. I've
tested all the packages (for Lenny) on my Debian mirror. All scripts
of packages (marked as executable) were tested.
In some packages I've discovered scripts with errors which may be used
by a user for damaging important system files or users' files.
For example, if a script uses a temp file which is created in the /tmp
directory, then every user can create a symlink with the same name in
this directory in order to destroy or rewrite some system or user file.
A symlink attack may lead not only to data destruction but to denial
of service as well.
Even if you create files or directories with the help of the function
'RANDOM' or pid(), then your system is not protected. An attacker can
create many symlinks in order to destroy your data or create a 'denial
of service' for your package scripts.
Even if you make rm(dir) for files/directories, then your system is
not protected. An attacker can permanently create symlinks.
This list is created with the help of a script. This list is sorted by
hand. However, in some cases a mistake is possible.
Please be understanding of possible mistakes. :)
I set Severity to grave for this bug. The table of discovered
problems is below.
Discussion of this bug can be seen in debian-devel@:
http://lists.debian.org/debian-devel/2008/08/msg00271.html
Binary-package: r-base-core-ra (1.1.1-1)
file: /usr/lib/Ra/lib/R/bin/javareconf
Binary-package: rccp (0.9-2)
file: /usr/lib/rccp/delqueueask
Binary-package: mafft (6.240-1)
file: /usr/bin/mafft-homologs
Binary-package: openoffice.org-common (1:2.4.1-6)
file: /usr/lib/openoffice/program/senddoc
Binary-package: crossfire-maps (1.11.0-1)
file: /usr/share/games/crossfire/maps/Info/combine.pl
Binary-package: sgml2x (1.0.0-11.1)
file: /usr/bin/rlatex
Binary-package: liguidsoap (0.3.6-4)
file: /var/lib/liguidsoap/liguidsoap.py
Binary-package: citadel-server (7.37-1)
file: /usr/lib/citadel-server/migrate_aliases.sh
Binary-package: ampache (3.4.1-1)
file: /usr/share/ampache/www/locale/base/gather-messages.sh
Binary-package: xen-utils-3.2-1 (3.2.1-2)
file: /usr/lib/xen-3.2-1/bin/qemu-dm.debug
Binary-package: dtc-common (0.29.6-1)
file: /usr/share/dtc/admin/accesslog.php
file: /usr/share/dtc/admin/sa-wrapper
Binary-package: honeyd-common (1.5c-3)
file: /usr/share/honeyd/scripts/test.sh
Binary-package: lustre-tests (1.6.5-1)
file: /usr/lib/lustre/tests/runiozone
Binary-package: linuxtrade (3.65-8+b4)
file: /usr/share/linuxtrade/bin/linuxtrade.bwkvol
file: /usr/share/linuxtrade/bin/linuxtrade.wn
file: /usr/share/linuxtrade/bin/moneyam.helper
Binary-package: freevo (1.8.1-0)
file: /usr/bin/freevo.real
Binary-package: fml (4.0.3.dfsg-2)
file: /usr/share/fml/libexec/mead.pl
Binary-package: rkhunter (1.3.2-3)
file: /usr/bin/rkhunter
Binary-package: openswan (1:2.4.12+dfsg-1.1)
file: /usr/lib/ipsec/livetest
Binary-package: linux-patch-openswan (1:2.4.12+dfsg-1.1)
file: /usr/src/kernel-patches/all/openswan/packaging/utils/maysnap
file: /usr/src/kernel-patches/all/openswan/packaging/utils/maytest
Binary-package: aptoncd (0.1-1.1)
file: /usr/share/aptoncd/xmlfile.py
Binary-package: cdcontrol (1.90-1.1)
file: /usr/lib/cdcontrol/writtercontrol
Binary-package: newsgate (1.6-23)
file: /usr/bin/mkmailpost
Binary-package: gpsdrive-scripts (2.10~pre4-3)
file: /usr/bin/geo-code
Binary-package: impose+ (0.2-11)
file: /usr/bin/impose
Binary-package: mgt (2.31-5)
file: /usr/games/mailgo
Binary-package: audiolink (0.05-1)
file: /usr/bin/audiolink
Binary-package: ibackup (2.27-4.1)
file: /usr/bin/ibackup
Binary-package: emacspeak (26.0-3)
file: /usr/share/emacs/site-lisp/emacspeak/etc/extract-table.pl
Binary-package: bk2site (1:1.1.9-3.1)
file: /usr/lib/cgi-bin/bk2site/redirect.pl
Binary-package: datafreedom-perl (0.1.7-1)
file: /usr/bin/dfxml-invoice
Binary-package: emacs-jabber (0.7.91-1)
file: /usr/lib/emacsen-common/packages/install/emacs-jabber
Binary-package: lmbench (3.0-a7-1)
file: /usr/lib/lmbench/scripts/rccs
file: /usr/lib/lmbench/scripts/STUFF
Binary-package: rancid-util (2.3.2~a8-1)
file: /var/lib/rancid/getipacctg
Binary-package: ogle (0.9.2-5.2)
file: /usr/lib/ogle/ogle_audio_debug
file: /usr/lib/ogle/ogle_cli_debug
file: /usr/lib/ogle/ogle_ctrl_debug
file: /usr/lib/ogle/ogle_gui_debug
file: /usr/lib/ogle/ogle_mpeg_ps_debug
file: /usr/lib/ogle/ogle_mpeg_vs_debug
file: /usr/lib/ogle/ogle_nav_debug
file: /usr/lib/ogle/ogle_vout_debug
Binary-package: firehol (1.256-4)
file: /sbin/firehol
Binary-package: aview (1.3.0rc1-8)
file: /usr/bin/asciiview
Binary-package: radiance (3R9+20080530-3)
file: /usr/bin/optics2rad
file: /usr/bin/pdelta
file: /usr/bin/dayfact
file: /usr/bin/raddepend
Binary-package: vdr-dbg (1.6.0-5)
file: /usr/bin/vdrleaktest
Binary-package: ogle-mmx (0.9.2-5.2)
file: /usr/lib/ogle/ogle_audio_debug
file: /usr/lib/ogle/ogle_cli_debug
file: /usr/lib/ogle/ogle_ctrl_debug
file: /usr/lib/ogle/ogle_gui_debug
file: /usr/lib/ogle/ogle_mpeg_ps_debug
file: /usr/lib/ogle/ogle_mpeg_vs_debug
file: /usr/lib/ogle/ogle_nav_debug
file: /usr/lib/ogle/ogle_vout_debug
Binary-package: convirt (0.8.2-3)
file: /usr/share/convirt/image_store/_template_/provision.sh
file: /usr/share/convirt/image_store/Linux_CD_Install/provision.sh
file: /usr/share/convirt/image_store/Fedora_PV_Install/provision.sh
file: /usr/share/convirt/image_store/CentOS_PV_Install/provision.sh
file: /usr/share/convirt/image_store/common/provision.sh
file: /usr/share/convirt/image_store/example/provision.sh
file: /usr/share/convirt/image_store/Windows_CD_Install/provision.sh
Binary-package: printfilters-ppd (2.13-9)
file: /usr/lib/printfilters/master-filter
Binary-package: r-base-core (2.7.1-1)
file: /usr/lib/R/bin/javareconf
file: /usr/lib/R/bin/javareconf.orig
Binary-package: xmcd (2.6-19.3)
file: /usr/share/xmcd/scripts/ncsarmt
file: /usr/share/xmcd/scripts/ncsawrap
Binary-package: tiger (1:3.2.2-3.1)
file: /usr/lib/tiger/util/genmsgidx
Binary-package: scilab-bin (4.1.2-5)
file: /usr/lib/scilab-4.1.2/bin/scilink
file: /usr/lib/scilab-4.1.2/util/scidoc
file: /usr/lib/scilab-4.1.2/util/scidem
Binary-package: dpkg-cross (2.3.0)
file: /usr/share/dpkg-cross/bin/gccross
Binary-package: ltp-network-test (20060918-2.1)
file: /usr/lib/debian-test/tests/linux/testcases/bin/ftp_setup_vsftp_conf
file: /usr/lib/debian-test/tests/linux/testcases/bin/nfs_fsstress.sh
Binary-package: cman (2.20080629-1)
file: /usr/sbin/fence_egenera
Binary-package: scratchbox2 (1.99.0.24-1)
file: /usr/share/scratchbox2/scripts/dpkg-checkbuilddeps
file: /usr/share/scratchbox2/scripts/sb2-check-pkg-mappings
Binary-package: sendmail-base (8.14.3-5)
file: /usr/sbin/checksendmail
file: /usr/bin/expn
Binary-package: fwbuilder (2.1.19-3)
file: /usr/bin/fwb_install
Binary-package: sng (1.0.2-5)
file: /usr/bin/sng_regress
Binary-package: dist (1:3.5-17-1)
file: /usr/bin/patcil
file: /usr/bin/patdiff
Binary-package: sympa (5.3.4-5)
file: /usr/lib/cgi-bin/sympa/wwsympa.fcgi
file: /usr/lib/sympa/bin/sympa.pl
Binary-package: postfix (2.5.2-2)
file: /usr/lib/postfix_groups.pl
Binary-package: caudium (3:1.4.12-11)
file: /usr/share/caudium/configvar
Binary-package: mgetty-fax (1.1.36-1.2)
file: /usr/bin/faxspool
Binary-package: aegis (4.24-3)
file: /usr/share/doc/aegis/examples/remind/bng_dvlpd.sh
file: /usr/share/doc/aegis/examples/remind/bng_rvwd.sh
file: /usr/share/doc/aegis/examples/remind/awt_dvlp.sh
file: /usr/share/doc/aegis/examples/remind/awt_intgrtn.sh
Binary-package: aegis-web (4.24-3)
file: /usr/lib/cgi-bin/aegis.cgi
Binary-package: digitaldj (0.7.5-6+b1)
file: /usr/share/digitaldj/fest.pl
Binary-package: mon (0.99.2-12)
file: /usr/lib/mon/alert.d/test.alert
Binary-package: feta (1.4.16)
file: /usr/share/feta/plugins/to-upgrade
Binary-package: arb-common (0.0.20071207.1-4)
file: /usr/lib/arb/SH/arb_fastdnaml
file: /usr/lib/arb/SH/dszmconnect.pl
Binary-package: qemu (0.9.1-5)
file: /usr/sbin/qemu-make-debian-root
Binary-package: apertium (3.0.7+1-1+b1)
file: /usr/bin/apertium-gen-deformat
file: /usr/bin/apertium-gen-reformat
file: /usr/bin/apertium
Binary-package: xcal (4.1-18.3)
file: /usr/bin/pscal
Binary-package: myspell-tools (1:3.1-20)
file: /usr/bin/i2myspell
Binary-package: gccxml (0.9.0+cvs20080525-1)
file: /usr/share/gccxml-0.9/MIPSpro/find_flags
Binary-package: freeradius-dialupadmin (2.0.4+dfsg-4)
file: /usr/share/freeradius-dialupadmin/bin/backup_radacct
file: /usr/share/freeradius-dialupadmin/bin/clean_radacct
file: /usr/share/freeradius-dialupadmin/bin/monthly_tot_stats
file: /usr/share/freeradius-dialupadmin/bin/tot_stats
file: /usr/share/freeradius-dialupadmin/bin/truncate_radacct
Binary-package: dhis-server (5.3-1)
file: /usr/lib/dhis-server/dhis-dummy-log-engine
Binary-package: wims (3.62-13)
file: /var/lib/wims/public_html/bin/coqweb
file: /var/lib/wims/bin/account.sh
Binary-package: initramfs-tools (0.92f)
file: /usr/share/initramfs-tools/init
Binary-package: realtimebattle-common (1.0.8-7)
file: /usr/lib/realtimebattle/Robots/perl.robot
Binary-package: netmrg (0.20-1)
file: /usr/bin/rrdedit
Binary-package: bulmages-servers (0.11.1-2)
file: /usr/share/bulmages/examples/scripts/actualizabulmacont
file: /usr/share/bulmages/examples/scripts/installbulmages-db
file: /usr/share/bulmages/examples/scripts/creabulmafact
file: /usr/share/bulmages/examples/scripts/creabulmacont
file: /usr/share/bulmages/examples/scripts/actualizabulmafact
Binary-package: xastir (1.9.2-1)
file: /usr/lib/xastir/get-maptools.sh
file: /usr/lib/xastir/get_shapelib.sh
Binary-package: plait (1.5.2-1)
file: /usr/bin/plaiter
file: /usr/bin/plait
Binary-package: cdrw-taper (0.4-2)
file: /usr/sbin/amlabel-cdrw
Binary-package: konwert-filters (1.8-11.1)
file: /usr/share/konwert/filters/any-UTF8
Binary-package: gdrae (0.1-1)
file: /usr/bin/gdrae
Binary-package: lazarus-src (0.9.24-0-9)
file: /usr/lib/lazarus/tools/install/create_lazarus_export_tgz.sh
Tags added:
Request was from "Dmitry E. Oboukhov" <dimka@uvw.ru>
to control@bugs.debian.org.
(Tue, 26 Aug 2008 08:45:55 GMT)
Tags added: security
Request was from "Dmitry E. Oboukhov" <dimka@uvw.ru>
to control@bugs.debian.org.
(Tue, 26 Aug 2008 08:57:43 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Al Stone <ahs3@debian.org>:
Bug#496427; Package lmbench.
Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Al Stone <ahs3@debian.org>.
Message #14 received at 496427@bugs.debian.org:
tags 496427 confirmed
thanks
Indeed present, a simple grep yields a number of different results already,
see below. As the code contains many instances of different things written
to /tmp, it may make sense to resolve that by creating one private working
dir securely, and then prefixing that path to all uses of /tmp.
Thijs
./lmbench-3.0-a7/src/bench.h:97:#define UNIX_CONTROL "/tmp/lmbench.ctl"
./lmbench-3.0-a7/src/bench.h:98:#define UNIX_DATA "/tmp/lmbench.data"
./lmbench-3.0-a7/src/bench.h:99:#define UNIX_LAT "/tmp/lmbench.lat"
./lmbench-3.0-a7/src/rhttp.c:81: sprintf(name, "/tmp/rhttp%d", i);
./lmbench-3.0-a7/src/rhttp.c:96: system("cat /tmp/rhttp*; rm /tmp/rhttp*");
./lmbench-3.0-a7/src/rhttp.c:106: sprintf(buf, "/tmp/http%d", i);
./lmbench-3.0-a7/src/lat_fcntl.c:105: sprintf(state->filename1, "/tmp/lmbench-fcntl%d.1", getpid());
./lmbench-3.0-a7/src/lat_fcntl.c:106: sprintf(state->filename2, "/tmp/lmbench-fcntl%d.2", getpid());
./lmbench-3.0-a7/src/lat_unix_connect.c:18:#define CONNAME "/tmp/af_unix"
./lmbench-3.0-a7/src/lat_fifo.c:15:#define F1 "/tmp/lmbench_f1.%d"
./lmbench-3.0-a7/src/lat_fifo.c:16:#define F2 "/tmp/lmbench_f2.%d"
./lmbench-3.0-a7/src/lat_proc.c:20:#define PROG "/tmp/hello-s"
./lmbench-3.0-a7/src/lat_proc.c:23:#define PROG "/tmp/hello"
./lmbench-3.0-a7/src/lmhttp.c:23:#define LOGFILE "/usr/tmp/lmhttp.log"
./lmbench-3.0-a7/scripts/SHIT:594: system "co -q -p -kkvl $rev $_[$i] > /tmp/sdiff.$$" .
./lmbench-3.0-a7/scripts/SHIT:595: "&& $diff /tmp/sdiff.$$ $working[$i]";
./lmbench-3.0-a7/scripts/SHIT:597: unlink("/tmp/sdiff.$$");
./lmbench-3.0-a7/scripts/rccs:603: system "co -q -p -kkvl $rev $_[$i] > /tmp/sdiff.$$" .
./lmbench-3.0-a7/scripts/rccs:604: "&& $diff /tmp/sdiff.$$ $working[$i]";
./lmbench-3.0-a7/scripts/rccs:606: unlink("/tmp/sdiff.$$");
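The remedy Thijs describes above (one securely created private working directory, with every former fixed /tmp path prefixed by it) in C, as an added example that is neither lmbench's own code nor the patch that shipped in 3.0-a9-1. The function names, the lmbench.XXXXXX template and the /tmp scratch base used by the self-check are assumptions.

```c
/* Added example, not lmbench code; function names and the /tmp scratch base are assumptions. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* One private mode-0700 directory under base (the shipped fix used
 * /var/tmp/lmbench); mkdtemp() names and creates it atomically, so no
 * pre-planted symlink can be followed. Returns 0 and fills out_dir, else -1. */
int private_workdir(const char *base, char *out_dir, size_t out_len)
{
    int n = snprintf(out_dir, out_len, "%s/lmbench.XXXXXX", base);
    if (n < 0 || (size_t)n >= out_len) return -1;
    return mkdtemp(out_dir) == NULL ? -1 : 0;
}

/* Open name under dir in place of a fixed "/tmp/lmbench.ctl"-style path.
 * O_EXCL fails (errno EEXIST) on any existing entry, symlinks included, and
 * O_NOFOLLOW never traverses a link, so only a freshly created file is written. */
int open_workfile(const char *dir, const char *name)
{
    char path[PATH_MAX];
    int n = snprintf(path, sizeof path, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= sizeof path) return -1;
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Self-check on constructed input: a scratch dir stands in for the shared
 * /tmp and a symlink named like the fixed file stands in for one planted in
 * advance. Returns 1 if the link is refused and a private-dir open succeeds. */
int demo(void)
{
    char shared[] = "/tmp/lmb-demo.XXXXXX", priv[PATH_MAX], path[PATH_MAX];
    int refused = 0, fd, ok = 0;
    if (mkdtemp(shared) == NULL) return 0;
    snprintf(path, sizeof path, "%s/lmbench.ctl", shared);
    if (symlink("/dev/null", path) != 0) goto out;
    refused = (open_workfile(shared, "lmbench.ctl") == -1 && errno == EEXIST);
    unlink(path);
    if (private_workdir(shared, priv, sizeof priv) == 0) {
        fd = open_workfile(priv, "lmbench.ctl");
        ok = refused && fd >= 0;
        if (fd >= 0) close(fd);
        snprintf(path, sizeof path, "%s/lmbench.ctl", priv);
        unlink(path);
        rmdir(priv);
    }
out:
    rmdir(shared);
    return ok;
}
int main(void) { return demo() ? 0 : 1; }
```

Applied to the grep hits above, UNIX_CONTROL and friends become names passed to open_workfile() under the directory from private_workdir(), and the sprintf()'d "/tmp/..." strings go away entirely.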
Tags added: confirmed
Request was from Thijs Kinkhorst <thijs@debian.org>
to control@bugs.debian.org.
(Wed, 27 Aug 2008 12:30:06 GMT)
Reply sent
to Al Stone <ahs3@debian.org>:
You have taken responsibility.
(Mon, 23 Feb 2009 06:15:04 GMT)
Notification sent
to "Dmitry E. Oboukhov" <dimka@uvw.ru>:
Bug acknowledged by developer.
(Mon, 23 Feb 2009 06:15:05 GMT)
Message #21 received at 496427-close@bugs.debian.org:
Source: lmbench
Source-Version: 3.0-a9-1
We believe that the bug you reported is fixed in the latest version of
lmbench, which is due to be installed in the Debian FTP archive:
lmbench-doc_3.0-a9-1_all.deb
to pool/non-free/l/lmbench/lmbench-doc_3.0-a9-1_all.deb
lmbench_3.0-a9-1.diff.gz
to pool/non-free/l/lmbench/lmbench_3.0-a9-1.diff.gz
lmbench_3.0-a9-1.dsc
to pool/non-free/l/lmbench/lmbench_3.0-a9-1.dsc
lmbench_3.0-a9-1_i386.deb
to pool/non-free/l/lmbench/lmbench_3.0-a9-1_i386.deb
lmbench_3.0-a9.orig.tar.gz
to pool/non-free/l/lmbench/lmbench_3.0-a9.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 496427@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Al Stone <ahs3@debian.org> (supplier of updated lmbench package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Sun, 22 Feb 2009 18:20:00 -0700
Source: lmbench
Binary: lmbench lmbench-doc
Architecture: source all i386
Version: 3.0-a9-1
Distribution: unstable
Urgency: low
Maintainer: Al Stone <ahs3@debian.org>
Changed-By: Al Stone <ahs3@debian.org>
Description:
lmbench - Utilities to benchmark UNIX systems
lmbench-doc - Documentation for the lmbench benchmark suite
Closes: 470279 496427
Changes:
lmbench (3.0-a9-1) unstable; urgency=low
.
* Update to latest upstream (3.0-a9).
* Update to latest Standards-Version.
* Incorporate Ubuntu patch: depend on libc6-dev (LP: #246618)
* Closes: bug#470279 -- replaced all uses of /usr/tmp with /var/tmp
* Closes: bug#496427 -- removed risk of /tmp symlink attacks by moving
all usage of /tmp to /var/tmp/lmbench
Checksums-Sha1:
Checksums-Sha256:
Files:
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sat, 14 May 2011 07:35:08 GMT)