Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Matthias Klose <doko@debian.org>: Bug#498899; Package python2.4-examples.
Acknowledgement sent to Jan Hauke Rahm <info@jhr-online.de>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Matthias Klose <doko@debian.org>.
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Insecure use of temporary files
Date: Sun, 14 Sep 2008 13:05:08 +0200
Package: python2.4-examples
Version: 2.4.5-5
Severity: grave
Tags: security patch
Hi Matthias,
in your script "Tools/faqwiz/move-faqwiz.sh" you use $RANDOM to create a
temporary file. This is very insecure and should be replaced by mktemp.
The following patch tries to solve that and beyond that solves your
bashism bug #489648.
Please test the patch thoroughly and upload ASAP if appropriate.
Cheers,
Hauke
*** bashandtmp.patch
diff -Naur python2.4-2.4.5~/Tools/faqwiz/move-faqwiz.sh python2.4-2.4.5/Tools/faqwiz/move-faqwiz.sh
- --- python2.4-2.4.5~/Tools/faqwiz/move-faqwiz.sh 2008-09-14 12:36:45.000000000 +0200
+++ python2.4-2.4.5/Tools/faqwiz/move-faqwiz.sh 2008-09-14 12:40:44.000000000 +0200
@@ -9,7 +9,7 @@
# blackjesus:~> ./move-faqwiz.sh 2\.1 3\.2
# Moving FAQ question 02.001 to 03.002
- -if [ x$2 == x ]; then
+if [ x$2 = x ]; then
echo "Need 2 args: original_version final_version."
exit 2
fi
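Review bot: the `==` to `=` change in `[ x$2 = x ]` makes the test POSIX, but `$2` is still unquoted, so a second argument containing whitespace or a glob character makes `[` see extra words and fail with a syntax error instead of printing the intended "Need 2 args" message; `[ -z "$2" ]` (or `[ "x$2" = x ]`) handles both the empty and the odd-value case.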
@@ -19,7 +19,7 @@
exit 2
fi
- -function cut_n_pad() {
+cut_n_pad () {
t=`echo $1 | cut -d. -f $2`
export $3=`echo $t | awk "{ tmp = \\$0; l = length(tmp); for (i = 0; i < $2-l+1; i++) { tmp = "0".tmp } print tmp }"`
}
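Review bot: dropping the `function` keyword is the right fix for dash, but the function body below it is unchanged and still relies on `export $3=\`...\`` for indirect assignment and on a double-quoted awk program; it is worth confirming under /bin/sh (dash, per the System Information below) that `\\$0` inside those double quotes reaches awk as its own `$0` record rather than the shell's `$0` (the script name), and that the `$2-l+1` loop bound still yields the `02.001` padding the header comment promises. Quoting `$1` and `$t` (`echo "$1"`) would also keep values with glob characters intact.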
@@ -28,7 +28,7 @@
cut_n_pad $1 2 suffix1
cut_n_pad $2 1 prefix2
cut_n_pad $2 2 suffix2
- -tmpfile=tmp$RANDOM.tmp
+tmpfile=`mktemp`
file1=faq$prefix1.$suffix1.htp
file2=faq$prefix2.$suffix2.htp
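Review bot: `tmpfile=\`mktemp\`` fixes the guessable name and the in-place create, but two things change with it that the hunk does not address: the file now lives in `$TMPDIR` (or /tmp) rather than in the working directory beside `file1`/`file2`, which matters if a later step renames or links across directories (a template such as `mktemp ./faqwiz.XXXXXX` keeps it local), and a failed `mktemp` leaves `tmpfile` empty with the script carrying on; `tmpfile=\`mktemp\` || exit 1` plus `trap 'rm -f "$tmpfile"' EXIT` close both gaps.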
-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (700, 'testing'), (600, 'unstable'), (500, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-1-686 (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
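Added here as an example, not the report's patch or python2.4's own code: a dash-safe rewrite of the two places the patch touches, keeping cut_n_pad's behaviour (field n padded to n+1 digits) without the export indirection and awk quoting, and wrapping mktemp in the exit-status check and cleanup trap the one-line change leaves out. The names faq_filename, make_tmpfile and file_mode and the faqwiz.XXXXXX template are assumptions.

```shell
#!/bin/sh
# Added example (not the bug report's patch or python2.4's own code): a
# dash-safe rewrite of the two places the patch touches in move-faqwiz.sh,
# plus the checks a reviewer would want around mktemp. Helper names are
# hypothetical.

# Zero-pad dot-separated field $2 (1-based) of version string $1 to $2+1
# digits, matching the original awk loop: 2.1 -> "02" (field 1), "001"
# (field 2). Prints the result; fails on a missing or non-numeric field.
cut_n_pad() {
    field=$(printf '%s\n' "$1" | cut -d. -f "$2")
    case $field in
        ''|*[!0-9]*) printf 'cut_n_pad: bad field %s in "%s"\n' "$2" "$1" >&2
                     return 1 ;;
    esac
    # String padding instead of printf %0Nd, so "010" is not read as octal.
    while [ ${#field} -lt $(($2 + 1)) ]; do field=0$field; done
    printf '%s\n' "$field"
}

# The faq file name the script moves, e.g. 2.1 -> faq02.001.htp.
faq_filename() {
    prefix=$(cut_n_pad "$1" 1) || return 1
    suffix=$(cut_n_pad "$1" 2) || return 1
    printf 'faq%s.%s.htp\n' "$prefix" "$suffix"
}

# Replace the predictable tmp$RANDOM.tmp (32768 guessable names, created in
# place) with mktemp, which creates a fresh file O_EXCL with mode 0600, so a
# pre-existing entry of that name is never reused. Keep it in directory $1
# next to the faq files, stop if mktemp fails, and remove it on any exit.
make_tmpfile() {
    tmpfile=$(mktemp "${1:-.}/faqwiz.XXXXXX") || {
        echo "make_tmpfile: mktemp failed" >&2
        return 1
    }
    trap 'rm -f "$tmpfile"' EXIT
    trap 'exit 1' HUP INT TERM   # so the EXIT trap also runs on signals
}

# Permission string of $1 as ls prints it, e.g. -rw-------.
file_mode() {
    ls -ld "$1" | cut -c1-10
}
```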
Severity set to `important' from `grave'
Request was from Marc 'HE' Brockschmidt <he@debian.org>
to control@bugs.debian.org.
(Sun, 14 Sep 2008 11:57:03 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>: Bug#498899; Package python2.4-examples.
Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>.
To: Jan Hauke Rahm <info@jhr-online.de>, 498899@bugs.debian.org
Subject: Re: [Secure-testing-team] Bug#498899: Insecure use of temporary files
Date: Sun, 14 Sep 2008 12:40:57 -0700
severity 498899 normal
thanks
On Sun, Sep 14, 2008 at 01:05:08PM +0200, Jan Hauke Rahm wrote:
> Package: python2.4-examples
> Version: 2.4.5-5
> Severity: grave
> Tags: security patch
> Hi Matthias,
> in your script "Tools/faqwiz/move-faqwiz.sh" you use $RANDOM to create a
> temporary file. This is very insecure and should be replaced by mktemp.
But it's an example. Security is not compromised by "using" this package,
only by blindly running scripts located under
/usr/share/doc/python2.4/examples...
--
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                 to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                   vorlon@debian.org
Severity set to `normal' from `important'
Request was from Steve Langasek <vorlon@debian.org>
to control@bugs.debian.org.
(Sun, 14 Sep 2008 19:48:20 GMT)
Acknowledgement sent to Jan Hauke Rahm <info@jhr-online.de>:
Hi Steve,
On Sun, Sep 14, 2008 at 12:40:57PM -0700, Steve Langasek wrote:
> On Sun, Sep 14, 2008 at 01:05:08PM +0200, Jan Hauke Rahm wrote:
> > in your script "Tools/faqwiz/move-faqwiz.sh" you use $RANDOM to create a
> > temporary file. This is very insecure and should be replaced by mktemp.
>
> But it's an example. Security is not compromised by "using" this package,
> only by blindly running scripts located under
> /usr/share/doc/python2.4/examples...
That's true, but I think Debian should never release files with a known
security issue, neither for direct use nor as an example script. Maybe the
severity was set too high, but I think this is a bug and should be
solved. For my part, after the release if such fixes are not accepted
during the freeze...
Cheers,
Hauke
Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Hi,
This has been assigned CVE-2008-4108, please reference it in the changelog.
We all know what happens with example code: people copy it into their
programs. Therefore please make it a priority to fix this in lenny even
though it's an example.
thanks,
Thijs
Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
On Tuesday 16 September 2008 04:38, dann frazier wrote:
> fyi, just filed this bug:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=499075
>
> The mipsel buildd has retried numerous times, so I don't believe this
> is a transient failure.
We are aware; we retried ourselves and I contacted LaMont, who thinks it's a
buildd misconfiguration. I have contacted the mipsel buildd maintainers but
received not even an acknowledgement of my email.
If you think the security team can do anything more about this please let me
know.
Thijs
Acknowledgement sent to dann frazier <dannf@debian.org>:
On Tue, Sep 16, 2008 at 09:12:16AM +0200, Thijs Kinkhorst wrote:
> On Tuesday 16 September 2008 04:38, dann frazier wrote:
> > fyi, just filed this bug:
> >   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=499075
> >
> > The mipsel buildd has retried numerous times, so I don't believe this
> > is a transient failure.
>
> We are aware; we retried ourselves and I contacted LaMont, who thinks it's a
> buildd misconfiguration. I have contacted the mipsel buildd maintainers but
> received not even an acknowledgement of my email.
>
> If you think the security team can do anything more about this please let me
> know.
I don't, or I would've done it :) phil asked me to file the bug and I
just wanted to keep the team informed. I also tried contacting the
mipsel buildd maintainer (no response yet).
--
dann frazier
Tags added: pending
Request was from Matthias Klose <doko@cs.tu-berlin.de>
to control@bugs.debian.org.
(Sun, 30 Nov 2008 13:42:05 GMT)
Changed Bug submitter to 'Jan Hauke Rahm <jhr@debian.org>' from 'Jan Hauke Rahm <info@jhr-online.de>'
Request was from Jan Hauke Rahm <jhr@debian.org>
to control@bugs.debian.org.
(Sat, 03 Oct 2009 13:27:28 GMT)
No longer marked as found in versions python2.7/2.7.2-8.
Request was from Matthias Klose <doko@debian.org>
to control@bugs.debian.org.
(Sat, 14 Apr 2012 09:27:39 GMT)
Marked Bug as done
Request was from Matthias Klose <doko@debian.org>
to control@bugs.debian.org.
(Sat, 14 Apr 2012 09:27:40 GMT)
Notification sent
to Jan Hauke Rahm <jhr@debian.org>:
Bug acknowledged by developer.
(Sat, 14 Apr 2012 09:27:40 GMT)
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 13 May 2012 07:52:27 GMT)