Debian Bug report logs - #498899
Unsecure use of temporary files

Package: python2.4-examples; Maintainer for python2.4-examples is (unknown);

Reported by: Jan Hauke Rahm <jhr@debian.org>

Date: Sun, 14 Sep 2008 11:12:01 UTC

Severity: normal

Tags: patch, pending, security

Done: Matthias Klose <doko@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Matthias Klose <doko@debian.org>:
Bug#498899; Package python2.4-examples. Full text and rfc822 format available.

Acknowledgement sent to Jan Hauke Rahm <info@jhr-online.de>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Matthias Klose <doko@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Jan Hauke Rahm <info@jhr-online.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Unsecure use of temporary files
Date: Sun, 14 Sep 2008 13:05:08 +0200
Package: python2.4-examples
Version: 2.4.5-5
Severity: grave
Tags: security patch

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA224

Hi Matthias,

in your script "Tools/faqwiz/move-faqwiz.sh" you use $RANDOM to create a
temporary file. This is very unsecure and should be replaced by mktemp.

The following patch tries to solve that and beyond that solves your
bashism bug #489648.

Please test the patch thoroughly and upload ASAP if appropiate.

Cheers,
Hauke

*** bashandtmp.patch
diff -Naur python2.4-2.4.5~/Tools/faqwiz/move-faqwiz.sh python2.4-2.4.5/Tools/faqwiz/move-faqwiz.sh
- --- python2.4-2.4.5~/Tools/faqwiz/move-faqwiz.sh	2008-09-14 12:36:45.000000000 +0200
+++ python2.4-2.4.5/Tools/faqwiz/move-faqwiz.sh	2008-09-14 12:40:44.000000000 +0200
@@ -9,7 +9,7 @@
 #   blackjesus:~> ./move-faqwiz.sh 2\.1 3\.2
 #   Moving FAQ question 02.001 to 03.002
 
- -if [ x$2 == x ]; then
+if [ x$2 = x ]; then
     echo "Need 2 args: original_version final_version."
     exit 2
 fi
@@ -19,7 +19,7 @@
     exit 2
 fi
 
- -function cut_n_pad() {
+cut_n_pad () {
     t=`echo $1 | cut -d. -f $2`
     export $3=`echo $t | awk "{ tmp = \\$0; l = length(tmp); for (i = 0; i < $2-l+1; i++) { tmp = "0".tmp } print tmp  }"`
 }
@@ -28,7 +28,7 @@
 cut_n_pad $1 2 suffix1
 cut_n_pad $2 1 prefix2
 cut_n_pad $2 2 suffix2
- -tmpfile=tmp$RANDOM.tmp
+tmpfile=`mktemp`
 file1=faq$prefix1.$suffix1.htp
 file2=faq$prefix2.$suffix2.htp
 


- -- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (700, 'testing'), (600, 'unstable'), (500, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iFYEARELAAYFAkjM798ACgkQGOp6XeD8cQ2LRgDgg5MWslv+21jb7dv/kzfwQC6q
wRWVmLZ+2zLAywDeKwmZ8asTsBpGIoXInoXpvne9qRrvQU0vJStGng==
=xWvB
-----END PGP SIGNATURE-----




Severity set to `important' from `grave' Request was from Marc 'HE' Brockschmidt <he@debian.org> to control@bugs.debian.org. (Sun, 14 Sep 2008 11:57:03 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#498899; Package python2.4-examples. Full text and rfc822 format available.

Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. Full text and rfc822 format available.

Message #12 received at 498899@bugs.debian.org (full text, mbox):

From: Steve Langasek <vorlon@debian.org>
To: Jan Hauke Rahm <info@jhr-online.de>, 498899@bugs.debian.org
Subject: Re: [Secure-testing-team] Bug#498899: Unsecure use of temporary files
Date: Sun, 14 Sep 2008 12:40:57 -0700
severity 498899 normal
thanks

On Sun, Sep 14, 2008 at 01:05:08PM +0200, Jan Hauke Rahm wrote:
> Package: python2.4-examples
> Version: 2.4.5-5
> Severity: grave
> Tags: security patch

> Hi Matthias,

> in your script "Tools/faqwiz/move-faqwiz.sh" you use $RANDOM to create a
> temporary file. This is very unsecure and should be replaced by mktemp.

But it's an example.  Security is not compromised by "using" this package,
only by blindly running scripts located under
/usr/share/doc/python2.4/examples...

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org




Severity set to `normal' from `important' Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (Sun, 14 Sep 2008 19:48:20 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#498899; Package python2.4-examples. Full text and rfc822 format available.

Acknowledgement sent to Jan Hauke Rahm <info@jhr-online.de>:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. Full text and rfc822 format available.

Message #19 received at 498899@bugs.debian.org (full text, mbox):

From: Jan Hauke Rahm <info@jhr-online.de>
To: Steve Langasek <vorlon@debian.org>
Cc: 498899@bugs.debian.org
Subject: Re: [Secure-testing-team] Bug#498899: Unsecure use of temporary files
Date: Sun, 14 Sep 2008 22:59:14 +0200
[Message part 1 (text/plain, inline)]
Hi Steve,

On Sun, Sep 14, 2008 at 12:40:57PM -0700, Steve Langasek wrote:
> On Sun, Sep 14, 2008 at 01:05:08PM +0200, Jan Hauke Rahm wrote:
> > in your script "Tools/faqwiz/move-faqwiz.sh" you use $RANDOM to create a
> > temporary file. This is very unsecure and should be replaced by mktemp.
> 
> But it's an example.  Security is not compromised by "using" this package,
> only by blindly running scripts located under
> /usr/share/doc/python2.4/examples...

That's true but I think Debian should never release files with known
security issue, neither in direct use, nor as example script. Maybe
severity was set too high, but I think this is a bug and should be
solved. For my part after release if such fixes are not accepted
during freeze...

Cheers,
Hauke
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#498899; Package python2.4-examples. Full text and rfc822 format available.

Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. Full text and rfc822 format available.

Message #24 received at 498899@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: 498899@bugs.debian.org
Subject: Re: [Secure-testing-team] Bug#498899: Unsecure use of temporary files
Date: Tue, 16 Sep 2008 08:50:27 +0200
[Message part 1 (text/plain, inline)]
Hi,

This has been assigned CVE-2008-4108, please reference it in the changelog.

We all know what happens with example code: people copy it into their 
programs. Therefore please make it a priority to fix this in lenny even 
though it's an example.


thanks,
Thijs
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#498899; Package python2.4-examples. Full text and rfc822 format available.

Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. Full text and rfc822 format available.

Message #29 received at 498899@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: dann frazier <dannf@debian.org>
Cc: team@security.debian.org, 498899@bugs.debian.org
Subject: Re: postfix update FTBFS on mipsel
Date: Tue, 16 Sep 2008 09:12:16 +0200
[Message part 1 (text/plain, inline)]
On Tuesday 16 September 2008 04:38, dann frazier wrote:
> fyi, just filed this bug:
>   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=499075
>
> The mipsel buildd has retried numerous times, so I don't believe this
> is a transient failure.

We are aware; we retried ourselves and I contacted LaMont, who thinks it's a 
buildd misconfiguration. I have contacted the mipsel buildd maintainers but 
received not even an acknowledgement of my email.

If you think the security team can do anything more about this please let me 
know.


Thijs
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#498899; Package python2.4-examples. Full text and rfc822 format available.

Acknowledgement sent to dann frazier <dannf@debian.org>:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. Full text and rfc822 format available.

Message #34 received at 498899@bugs.debian.org (full text, mbox):

From: dann frazier <dannf@debian.org>
To: Thijs Kinkhorst <thijs@debian.org>
Cc: team@security.debian.org, 498899@bugs.debian.org
Subject: Re: postfix update FTBFS on mipsel
Date: Tue, 16 Sep 2008 13:56:59 -0600
On Tue, Sep 16, 2008 at 09:12:16AM +0200, Thijs Kinkhorst wrote:
> On Tuesday 16 September 2008 04:38, dann frazier wrote:
> > fyi, just filed this bug:
> > ? http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=499075
> >
> > The mipsel buildd has retried numerous times, so I don't believe this
> > is a transient failure.
> 
> We are aware; we retried ourselves and I contacted LaMont, who thinks it's a 
> buildd misconfiguration. I have contacted the mipsel buildd maintainers but 
> received not even an acknowledgement of my email.
> 
> If you think the security team can do anything more about this please let me 
> know.

I don't, or I would've done it :) phil asked me to file the bug and I
just wanted to keep the team informed. I also tried contacting the
mipsel buildd maintainer (no response yet).

-- 
dann frazier





Tags added: pending Request was from Matthias Klose <doko@cs.tu-berlin.de> to control@bugs.debian.org. (Sun, 30 Nov 2008 13:42:05 GMT) Full text and rfc822 format available.

Changed Bug submitter to 'Jan Hauke Rahm <jhr@debian.org>' from 'Jan Hauke Rahm <info@jhr-online.de>' Request was from Jan Hauke Rahm <jhr@debian.org> to control@bugs.debian.org. (Sat, 03 Oct 2009 13:27:28 GMT) Full text and rfc822 format available.

Bug reassigned from package 'python2.4-examples' to 'python2.7-examples'. Request was from David Prévot <taffit@debian.org> to control@bugs.debian.org. (Sun, 08 Apr 2012 22:33:03 GMT) Full text and rfc822 format available.

No longer marked as found in versions python2.4/2.4.5-5. Request was from David Prévot <taffit@debian.org> to control@bugs.debian.org. (Sun, 08 Apr 2012 22:33:04 GMT) Full text and rfc822 format available.

Marked as found in versions python2.7/2.7.2-8. Request was from David Prévot <taffit@debian.org> to control@bugs.debian.org. (Sun, 08 Apr 2012 22:33:04 GMT) Full text and rfc822 format available.

Bug 498899 cloned as bug 668107 Request was from David Prévot <taffit@debian.org> to control@bugs.debian.org. (Sun, 08 Apr 2012 22:33:04 GMT) Full text and rfc822 format available.

Bug reassigned from package 'python2.7-examples' to 'python2.4-examples'. Request was from Matthias Klose <doko@debian.org> to control@bugs.debian.org. (Sat, 14 Apr 2012 09:27:39 GMT) Full text and rfc822 format available.

No longer marked as found in versions python2.7/2.7.2-8. Request was from Matthias Klose <doko@debian.org> to control@bugs.debian.org. (Sat, 14 Apr 2012 09:27:39 GMT) Full text and rfc822 format available.

Marked Bug as done Request was from Matthias Klose <doko@debian.org> to control@bugs.debian.org. (Sat, 14 Apr 2012 09:27:40 GMT) Full text and rfc822 format available.

Notification sent to Jan Hauke Rahm <jhr@debian.org>:
Bug acknowledged by developer. (Sat, 14 Apr 2012 09:27:40 GMT) Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 13 May 2012 07:52:27 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 00:13:24 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.