Debian Bug report logs - #506350
CVE-2008-5141: allows local users to overwrite arbitrary files via a symlink attack

version graph

Package: flamethrower; Maintainer for flamethrower is dann frazier <dannf@debian.org>; Source for flamethrower is src:flamethrower.

Reported by: Raphael Geissert <atomo64@gmail.com>

Date: Thu, 20 Nov 2008 20:36:03 UTC

Severity: important

Tags: security

Found in version flamethrower/0.1.8-1

Fixed in versions flamethrower/0.1.8-2, flamethrower/0.1.8-1+etch1

Done: dann frazier <dannf@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, dann frazier <dannf@debian.org>:
Bug#506350; Package flamethrower. (Thu, 20 Nov 2008 20:36:06 GMT) Full text and rfc822 format available.

Message #3 received at submit@bugs.debian.org (full text, mbox):

From: Raphael Geissert <atomo64@gmail.com>
To: submit@bugs.debian.org
Subject: CVE-2008-5141: allows local users to overwrite arbitrary files via a symlink attack
Date: Thu, 20 Nov 2008 14:32:25 -0600
[Message part 1 (text/plain, inline)]
Package: flamethrower
Version: 0.1.8-1
Severity: important
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was published for 
flamethrower.

CVE-2008-5141[1]:
> flamethrower in flamethrower 0.1.8 allows local users to overwrite
> arbitrary files via a symlink attack on a /tmp/multicast.tar.#####
> temporary file.

Please note that a more careful inspection of the script reveals that even 
more insecure paths are used, not just the one mentioned in the CVE.
Searching for /tmp and $tmp_dir and the other vars taking $tmp_dir as their 
value will reveal the rest.

If you fix the vulnerability please also make sure to include the CVE id in 
the changelog entry.

[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5141
     http://security-tracker.debian.net/tracker/CVE-2008-5141

Cheers,
-- 
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#506350; Package flamethrower. (Fri, 21 Nov 2008 18:06:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to dann frazier <dannf@debian.org>:
Extra info received and forwarded to list. (Fri, 21 Nov 2008 18:06:04 GMT) Full text and rfc822 format available.

Message #8 received at 506350@bugs.debian.org (full text, mbox):

From: dann frazier <dannf@debian.org>
To: 506350@bugs.debian.org, 506350-submitter@bugs.debian.org
Subject: patch
Date: Fri, 21 Nov 2008 11:05:02 -0700
Thanks for the report. Does this patch look sufficient to you?

--- flamethrower-0.1.8.orig/bin/flamethrower
+++ flamethrower-0.1.8/bin/flamethrower
@@ -9,6 +9,7 @@
 
 use strict;
 use File::Path;
+use File::Temp;
 use Getopt::Long;
 
 use lib "/usr/lib/flamethrower";
@@ -23,7 +24,7 @@
 my $version_number  = "INS_VERSION";
 my $conf_file       = '/etc/flamethrower/flamethrower.conf';
 my $transport       = "udp-receiver";
-my $tmp_dir         = "/tmp/.flamethrower.$$";
+my $tmp_dir         = File::Temp::tempdir("/tmp/flamethrower.XXXXXX");
 
 
 my $version_info = <<"EOF";
@@ -283,13 +284,16 @@
     #
     my $udp_cmd;
     my $tar_cmd;
+    my $tar_fh;
+    my $tar_file;
 
+    ($tar_fh, $tar_file) = File::Temp::tempfile("/tmp/multicast.tar.XXXXXX");
     if($verbose) {
-        $udp_cmd = "udp-receiver $udp_receiver_options --file /tmp/multicast.tar.$$";
-        $tar_cmd = "tar $tar_opts -C $dir -f /tmp/multicast.tar.$$";
+        $udp_cmd = "udp-receiver $udp_receiver_options --file $tar_file";
+        $tar_cmd = "tar $tar_opts -C $dir -f $tar_file";
     } else {
-        $udp_cmd = "udp-receiver $udp_receiver_options --file /tmp/multicast.tar.$$ 2>/dev/null";
-        $tar_cmd = "tar $tar_opts -C $dir -f /tmp/multicast.tar.$$";
+        $udp_cmd = "udp-receiver $udp_receiver_options --file $tar_file 2>/dev/null";
+        $tar_cmd = "tar $tar_opts -C $dir -f $tar_file";
     }
 
     print "$udp_cmd\n" if($verbose);
@@ -298,7 +302,8 @@
     print "$tar_cmd\n" if($verbose);
     !system($tar_cmd) or die("FAILED: $tar_cmd");
 
-    unlink("/tmp/multicast.tar.$$");
+    close $tar_fh;
+    unlink("$tar_file");
 }
 
 


-- 
dann frazier





Message sent on to Raphael Geissert <atomo64@gmail.com>:
Bug#506350. (Fri, 21 Nov 2008 18:06:11 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, dann frazier <dannf@debian.org>:
Bug#506350; Package flamethrower. (Sun, 23 Nov 2008 23:21:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Raphael Geissert" <atomo64@gmail.com>:
Extra info received and forwarded to list. Copy sent to dann frazier <dannf@debian.org>. (Sun, 23 Nov 2008 23:21:04 GMT) Full text and rfc822 format available.

Message #16 received at 506350@bugs.debian.org (full text, mbox):

From: "Raphael Geissert" <atomo64@gmail.com>
To: 506350@bugs.debian.org
Subject: Re: Bug#506350: patch
Date: Sun, 23 Nov 2008 17:18:58 -0600
Hi,

Sorry for the delay.

2008/11/21 dann frazier <dannf@debian.org>:
> Thanks for the report. Does this patch look sufficient to you?
>
> --- flamethrower-0.1.8.orig/bin/flamethrower
> +++ flamethrower-0.1.8/bin/flamethrower
> @@ -9,6 +9,7 @@
>
>  use strict;
>  use File::Path;
> +use File::Temp;
>  use Getopt::Long;
>
>  use lib "/usr/lib/flamethrower";
> @@ -23,7 +24,7 @@
>  my $version_number  = "INS_VERSION";
>  my $conf_file       = '/etc/flamethrower/flamethrower.conf';
>  my $transport       = "udp-receiver";
> -my $tmp_dir         = "/tmp/.flamethrower.$$";
> +my $tmp_dir         = File::Temp::tempdir("/tmp/flamethrower.XXXXXX");

You could even omit the template and let tempdir create a directory
with a random name under $TMPDIR (instead of hard-coding /tmp).

Same as for the other calls. Other than that it does look good.

Cheers,
-- 
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net

P. J. O'Rourke  - "Never wear anything that panics the cat."




Reply sent to dann frazier <dannf@debian.org>:
You have taken responsibility. (Sat, 29 Nov 2008 02:27:09 GMT) Full text and rfc822 format available.

Notification sent to Raphael Geissert <atomo64@gmail.com>:
Bug acknowledged by developer. (Sat, 29 Nov 2008 02:27:09 GMT) Full text and rfc822 format available.

Message #21 received at 506350-close@bugs.debian.org (full text, mbox):

From: dann frazier <dannf@debian.org>
To: 506350-close@bugs.debian.org
Subject: Bug#506350: fixed in flamethrower 0.1.8-2
Date: Sat, 29 Nov 2008 02:02:04 +0000
Source: flamethrower
Source-Version: 0.1.8-2

We believe that the bug you reported is fixed in the latest version of
flamethrower, which is due to be installed in the Debian FTP archive:

flamethrower_0.1.8-2.diff.gz
  to pool/main/f/flamethrower/flamethrower_0.1.8-2.diff.gz
flamethrower_0.1.8-2.dsc
  to pool/main/f/flamethrower/flamethrower_0.1.8-2.dsc
flamethrower_0.1.8-2_all.deb
  to pool/main/f/flamethrower/flamethrower_0.1.8-2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 506350@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
dann frazier <dannf@debian.org> (supplier of updated flamethrower package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 21 Nov 2008 10:46:08 -0700
Source: flamethrower
Binary: flamethrower
Architecture: source all
Version: 0.1.8-2
Distribution: unstable
Urgency: low
Maintainer: dann frazier <dannf@debian.org>
Changed-By: dann frazier <dannf@debian.org>
Description: 
 flamethrower - Multicast file distribution utility
Closes: 506350
Changes: 
 flamethrower (0.1.8-2) unstable; urgency=low
 .
   * Fix /tmp symlink attack vector. Closes: #506350 (CVE-2008-5141)
   * Rebuilding with current toolchain would cause executables to
     be installed in /usr/local/bin. Fix this by supplying an
     appropriate SITEPREFIX.
   * Don't package /usr/lib/flamethrower/auto subtree
   * Lintian cleanup:
     - Remove bogus (empty) line in lsb section of initscript
     - Use $(CURDIR) instead of $(PWD) in rules file, suggested by lintian
     - Don't ignore clean errors from make
     - Update Standards-Version to 3.8.0
     - Swap binary-arch/binary-indep rules
     - List debhelper under Build-Depends instead of Build-Depends-Indep
Checksums-Sha1: 
 2eab7dd9fa9e9cdc36e0db4e5bc529585b668134 972 flamethrower_0.1.8-2.dsc
 b8b9ba71192b0ca2292e31d4a8bd599fb9a09a1e 3433 flamethrower_0.1.8-2.diff.gz
 ba11ec90657bd71b4fd15d5e457514a36703d5b8 17000 flamethrower_0.1.8-2_all.deb
Checksums-Sha256: 
 52af61ea68e412ce6541fbc2ef528981788d7547411b62e39aa5e725ceab919a 972 flamethrower_0.1.8-2.dsc
 367039552533206f4160cccb6aff2e88d53891785e234c2fe459e203e3502be8 3433 flamethrower_0.1.8-2.diff.gz
 0528121c3e4bc5cdba033e7f9bf383c415f7ef58e127e95e693755a0cc4cb884 17000 flamethrower_0.1.8-2_all.deb
Files: 
 457edac4335566c9984989dc4c861323 972 admin optional flamethrower_0.1.8-2.dsc
 c4d4a9e9eb94386ebf77a2666eef08d5 3433 admin optional flamethrower_0.1.8-2.diff.gz
 3d094d6abd87ca216cc1d5b7b404b20c 17000 admin optional flamethrower_0.1.8-2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFJMKDEhuANDBmkLRkRAqM4AJ0UW+ExlZzAQ6Zg0A8kwK0jyqNZgQCfaWW6
KpZywHnfEWVk6QQKKPdSGGU=
=GrgU
-----END PGP SIGNATURE-----





Reply sent to dann frazier <dannf@debian.org>:
You have taken responsibility. (Fri, 05 Dec 2008 07:57:04 GMT) Full text and rfc822 format available.

Notification sent to Raphael Geissert <atomo64@gmail.com>:
Bug acknowledged by developer. (Fri, 05 Dec 2008 07:57:04 GMT) Full text and rfc822 format available.

Message #26 received at 506350-close@bugs.debian.org (full text, mbox):

From: dann frazier <dannf@debian.org>
To: 506350-close@bugs.debian.org
Subject: Bug#506350: fixed in flamethrower 0.1.8-1+etch1
Date: Fri, 05 Dec 2008 07:52:20 +0000
Source: flamethrower
Source-Version: 0.1.8-1+etch1

We believe that the bug you reported is fixed in the latest version of
flamethrower, which is due to be installed in the Debian FTP archive:

flamethrower_0.1.8-1+etch1.diff.gz
  to pool/main/f/flamethrower/flamethrower_0.1.8-1+etch1.diff.gz
flamethrower_0.1.8-1+etch1.dsc
  to pool/main/f/flamethrower/flamethrower_0.1.8-1+etch1.dsc
flamethrower_0.1.8-1+etch1_all.deb
  to pool/main/f/flamethrower/flamethrower_0.1.8-1+etch1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 506350@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
dann frazier <dannf@debian.org> (supplier of updated flamethrower package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 21 Nov 2008 11:19:16 -0700
Source: flamethrower
Binary: flamethrower
Architecture: source all
Version: 0.1.8-1+etch1
Distribution: stable-security
Urgency: high
Maintainer: dann frazier <dannf@debian.org>
Changed-By: dann frazier <dannf@debian.org>
Description: 
 flamethrower - Multicast file distribution utility
Closes: 506350
Changes: 
 flamethrower (0.1.8-1+etch1) stable-security; urgency=high
 .
   * Fix /tmp symlink attack vector. Closes: #506350 (CVE-2008-5141)
   * Rebuilding with current toolchain would cause executables to
     be installed in /usr/local/bin. Fix this by supplying an
     appropriate SITEPREFIX.
Files: 
 4a880e477706f57bcfb806eb46a81922 598 admin optional flamethrower_0.1.8-1+etch1.dsc
 f6263743cb41f4f75ab9f4dbc76a71a5 3138 admin optional flamethrower_0.1.8-1+etch1.diff.gz
 fbc0c1b237503a9d88521b444e4319e0 16880 admin optional flamethrower_0.1.8-1+etch1_all.deb
 04e1b6c5b4e72879e8aa69fcccb0491f 23485 admin optional flamethrower_0.1.8.orig.tar.gz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFJM3AChuANDBmkLRkRAoMwAKCTdGlyebzWC3bEXpmvDfuZug36EwCdHlei
gOM0LVrNeXMInytSXParaRQ=
=etot
-----END PGP SIGNATURE-----





Reply sent to dann frazier <dannf@debian.org>:
You have taken responsibility. (Wed, 17 Dec 2008 21:19:47 GMT) Full text and rfc822 format available.

Notification sent to Raphael Geissert <atomo64@gmail.com>:
Bug acknowledged by developer. (Wed, 17 Dec 2008 21:19:48 GMT) Full text and rfc822 format available.

Message #31 received at 506350-close@bugs.debian.org (full text, mbox):

From: dann frazier <dannf@debian.org>
To: 506350-close@bugs.debian.org
Subject: Bug#506350: fixed in flamethrower 0.1.8-1+etch1
Date: Wed, 17 Dec 2008 21:02:58 +0000
Source: flamethrower
Source-Version: 0.1.8-1+etch1

We believe that the bug you reported is fixed in the latest version of
flamethrower, which is due to be installed in the Debian FTP archive:

flamethrower_0.1.8-1+etch1.diff.gz
  to pool/main/f/flamethrower/flamethrower_0.1.8-1+etch1.diff.gz
flamethrower_0.1.8-1+etch1.dsc
  to pool/main/f/flamethrower/flamethrower_0.1.8-1+etch1.dsc
flamethrower_0.1.8-1+etch1_all.deb
  to pool/main/f/flamethrower/flamethrower_0.1.8-1+etch1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 506350@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
dann frazier <dannf@debian.org> (supplier of updated flamethrower package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 21 Nov 2008 11:19:16 -0700
Source: flamethrower
Binary: flamethrower
Architecture: source all
Version: 0.1.8-1+etch1
Distribution: stable-security
Urgency: high
Maintainer: dann frazier <dannf@debian.org>
Changed-By: dann frazier <dannf@debian.org>
Description: 
 flamethrower - Multicast file distribution utility
Closes: 506350
Changes: 
 flamethrower (0.1.8-1+etch1) stable-security; urgency=high
 .
   * Fix /tmp symlink attack vector. Closes: #506350 (CVE-2008-5141)
   * Rebuilding with current toolchain would cause executables to
     be installed in /usr/local/bin. Fix this by supplying an
     appropriate SITEPREFIX.
Files: 
 4a880e477706f57bcfb806eb46a81922 598 admin optional flamethrower_0.1.8-1+etch1.dsc
 f6263743cb41f4f75ab9f4dbc76a71a5 3138 admin optional flamethrower_0.1.8-1+etch1.diff.gz
 fbc0c1b237503a9d88521b444e4319e0 16880 admin optional flamethrower_0.1.8-1+etch1_all.deb
 04e1b6c5b4e72879e8aa69fcccb0491f 23485 admin optional flamethrower_0.1.8.orig.tar.gz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFJM3AChuANDBmkLRkRAoMwAKCTdGlyebzWC3bEXpmvDfuZug36EwCdHlei
gOM0LVrNeXMInytSXParaRQ=
=etot
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 15 Jan 2009 07:29:13 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 12:45:56 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.