Debian Bug report logs - #509487
CVE-2008-5368: insecure temp file handling

version graph

Package: muttprint; Maintainer for muttprint is Rene Engelhard <rene@debian.org>; Source for muttprint is src:muttprint.

Reported by: Steffen Joeris <steffen.joeris@skolelinux.de>

Date: Mon, 22 Dec 2008 20:15:01 UTC

Severity: normal

Tags: security

Found in version muttprint/0.72d-8

Fixed in versions 0.72d-10, muttprint/0.72d-8etch1

Done: Rene Engelhard <rene@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Rene Engelhard <rene@debian.org>:
Bug#509487; Package muttprint. (Mon, 22 Dec 2008 20:15:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
New Bug report received and forwarded. Copy sent to Rene Engelhard <rene@debian.org>. (Mon, 22 Dec 2008 20:15:03 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2008-5368: insecure temp file handling
Date: Mon, 22 Dec 2008 21:13:39 +0100
Package: muttprint
Severity: normal
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for muttprint.

CVE-2008-5368[0]:
| muttprint in muttprint 0.72d allows local users to overwrite arbitrary
| files via a symlink attack on the /tmp/muttprint.log temporary file.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5368
    http://security-tracker.debian.net/tracker/CVE-2008-5368




Information forwarded to debian-bugs-dist@lists.debian.org, Rene Engelhard <rene@debian.org>:
Bug#509487; Package muttprint. (Wed, 24 Dec 2008 12:09:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Lukas Ruf <lukas.ruf@lpr.ch>:
Extra info received and forwarded to list. Copy sent to Rene Engelhard <rene@debian.org>. (Wed, 24 Dec 2008 12:09:02 GMT) Full text and rfc822 format available.

Message #10 received at submit@bugs.debian.org (full text, mbox):

From: Lukas Ruf <lukas.ruf@lpr.ch>
To: Steffen Joeris <steffen.joeris@skolelinux.de>
Cc: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Re: Bug#509487: CVE-2008-5368: insecure temp file handling
Date: Wed, 24 Dec 2008 13:08:17 +0100
Hi Steffen

> Steffen Joeris <steffen.joeris@skolelinux.de> [2008-12-22 21:17]:
>
> Package: muttprint
> Severity: normal
> Tags: security
>
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for muttprint.
>
> CVE-2008-5368[0]:
> | muttprint in muttprint 0.72d allows local users to overwrite arbitrary
> | files via a symlink attack on the /tmp/muttprint.log temporary file.
>
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.
>

I understand this is a security problem related with muttprint, and
I'll gonna fix it.

However, the phrase "local user to overwrite arbitrary files via
symlink attack" is misleading -- except if the local user is root.

Can you please elaborate?

Thanks.

wbr,
Lukas
-- 
Lukas Ruf




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#509487; Package muttprint. (Wed, 24 Dec 2008 13:57:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Rene Engelhard <rene@debian.org>:
Extra info received and forwarded to list. (Wed, 24 Dec 2008 13:57:02 GMT) Full text and rfc822 format available.

Message #15 received at 509487@bugs.debian.org (full text, mbox):

From: Rene Engelhard <rene@debian.org>
To: Lukas Ruf <lukas.ruf@lpr.ch>
Cc: Steffen Joeris <steffen.joeris@skolelinux.de>, 509487@bugs.debian.org
Subject: Re: Bug#509487: CVE-2008-5368: insecure temp file handling
Date: Wed, 24 Dec 2008 14:42:12 +0100
Hi Lukas,

Lukas Ruf wrote:
> > Steffen Joeris <steffen.joeris@skolelinux.de> [2008-12-22 21:17]:
> >
> > Package: muttprint
> > Severity: normal
> > Tags: security
> >
> > Hi,
> > the following CVE (Common Vulnerabilities & Exposures) id was
> > published for muttprint.
> >
> > CVE-2008-5368[0]:
> > | muttprint in muttprint 0.72d allows local users to overwrite arbitrary
> > | files via a symlink attack on the /tmp/muttprint.log temporary file.
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE id in your changelog entry.
> >
> 
> I understand this is a security problem related with muttprint, and
> I'll gonna fix it.
> 
> However, the phrase "local user to overwrite arbitrary files via
> symlink attack" is misleading -- except if the local user is root.

And what about a symlink /tmp/muttprint.log -> /home/whoever/foobar.txt where
the user running muttprint has write right on? Or some attacker
putting a /tmp/muttprint.log symlink in such a way that it will overwrite
one of your files in $HOME when you execute muttprint? (Because the symlink
points to one of your files - and for those you have write permissions).

Note Steffen didn't say /etc/passwd or so but any file on the system
the user has rights on.

Grüße/Regards,

René
-- 
 .''`.  René Engelhard -- Debian GNU/Linux Developer
 : :' : http://www.debian.org | http://people.debian.org/~rene/
 `. `'  rene@debian.org | GnuPG-Key ID: 248AEB73
   `-   Fingerprint: 41FA F208 28D4 7CA5 19BB  7AD9 F859 90B0 248A EB73





Information forwarded to debian-bugs-dist@lists.debian.org, Rene Engelhard <rene@debian.org>:
Bug#509487; Package muttprint. (Thu, 25 Dec 2008 15:00:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to Lukas Ruf <lukas.ruf@lpr.ch>:
Extra info received and forwarded to list. Copy sent to Rene Engelhard <rene@debian.org>. (Thu, 25 Dec 2008 15:00:26 GMT) Full text and rfc822 format available.

Message #20 received at 509487@bugs.debian.org (full text, mbox):

From: Lukas Ruf <lukas.ruf@lpr.ch>
To: rene@debian.org
Cc: Steffen Joeris <steffen.joeris@skolelinux.de>, 509487@bugs.debian.org
Subject: Re: Bug#509487: CVE-2008-5368: insecure temp file handling
Date: Thu, 25 Dec 2008 15:57:05 +0100
Dear Rene

> Rene Engelhard <rene@debian.org> [2008-12-24 14:54]:
>
[...]

Thanks for your elaboration.

> Note Steffen didn't say /etc/passwd or so but any file on the system
> the user has rights on.
>

See your statement: what can I add :)  "the user has rights on" --
that's exactly not "arbitrary".

Anyway, the vulnerability is fixed in sf.net's subversion repository
of muttprint.  A release v0.73 will follow very soon including the
announcement.

Btw. I have never had the intention to offend Steffen or
anybody else.  Please accept my appologies if my reply made you
feel offended.  I just challenged the imprecise wording of
"arbitrary".

Merry Christmas.

wbr,
Lukas
-- 
Lukas Ruf




Information forwarded to debian-bugs-dist@lists.debian.org, Rene Engelhard <rene@debian.org>:
Bug#509487; Package muttprint. (Thu, 25 Dec 2008 15:09:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Extra info received and forwarded to list. Copy sent to Rene Engelhard <rene@debian.org>. (Thu, 25 Dec 2008 15:09:33 GMT) Full text and rfc822 format available.

Message #25 received at 509487@bugs.debian.org (full text, mbox):

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: Lukas Ruf <lukas.ruf@lpr.ch>
Cc: rene@debian.org, 509487@bugs.debian.org
Subject: Re: Bug#509487: CVE-2008-5368: insecure temp file handling
Date: Thu, 25 Dec 2008 16:03:25 +0100
[Message part 1 (text/plain, inline)]
On Thu, 25 Dec 2008 03:57:05 pm Lukas Ruf wrote:
> Dear Rene
>
> > Rene Engelhard <rene@debian.org> [2008-12-24 14:54]:
>
> [...]
>
> Thanks for your elaboration.
>
> > Note Steffen didn't say /etc/passwd or so but any file on the system
> > the user has rights on.
>
> See your statement: what can I add :)  "the user has rights on" --
> that's exactly not "arbitrary".
>
> Anyway, the vulnerability is fixed in sf.net's subversion repository
> of muttprint.  A release v0.73 will follow very soon including the
> announcement.
>
> Btw. I have never had the intention to offend Steffen or
> anybody else.  Please accept my appologies if my reply made you
> feel offended.  I just challenged the imprecise wording of
> "arbitrary".
No harm done, I am not offended. It's hard for MITRE to deal with all these 
dozens of symlink issues that were reported within the last months, so they 
use generic templates. Anyway, thanks for fixing the issue and merry 
christmas :)

Cheers
Steffen
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#509487; Package muttprint. (Thu, 25 Dec 2008 15:54:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Rene Engelhard <rene@debian.org>:
Extra info received and forwarded to list. (Thu, 25 Dec 2008 15:54:05 GMT) Full text and rfc822 format available.

Message #30 received at 509487@bugs.debian.org (full text, mbox):

From: Rene Engelhard <rene@debian.org>
To: Steffen Joeris <steffen.joeris@skolelinux.de>, Lukas Ruf <lukas.ruf@lpr.ch>
Cc: 509487@bugs.debian.org
Subject: Re: Bug#509487: CVE-2008-5368: insecure temp file handling
Date: Thu, 25 Dec 2008 16:36:48 +0100
Lukas Ruf wrote:
> Dear Rene
> 
> > Rene Engelhard <rene@debian.org> [2008-12-24 14:54]:
> >
> [...]
> 
> Thanks for your elaboration.
> 
> > Note Steffen didn't say /etc/passwd or so but any file on the system
> > the user has rights on.
> >
> 
> See your statement: what can I add :)  "the user has rights on" --
> that's exactly not "arbitrary".

Of course is it.

Imagine me and you on the same host. You using muttprint. I add a 
link /tmp/muttprint.log to an *arbrirtary* file of yours. you use
muttprint -> file overwritten. I can choose which file that is
by pointing the symlink to that file ("abritrary file").

Grüße/Regards,

René
-- 
 .''`.  René Engelhard -- Debian GNU/Linux Developer
 : :' : http://www.debian.org | http://people.debian.org/~rene/
 `. `'  rene@debian.org | GnuPG-Key ID: 248AEB73
   `-   Fingerprint: 41FA F208 28D4 7CA5 19BB  7AD9 F859 90B0 248A EB73





Reply sent to Rene Engelhard <rene@debian.org>:
You have taken responsibility. (Thu, 25 Dec 2008 22:39:03 GMT) Full text and rfc822 format available.

Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Bug acknowledged by developer. (Thu, 25 Dec 2008 22:39:03 GMT) Full text and rfc822 format available.

Message #35 received at 509487-close@bugs.debian.org (full text, mbox):

From: Rene Engelhard <rene@debian.org>
To: 509487-close@bugs.debian.org
Subject: Bug#509487: fixed in muttprint 0.72d-10
Date: Thu, 25 Dec 2008 22:17:04 +0000
Source: muttprint
Source-Version: 0.72d-10

We believe that the bug you reported is fixed in the latest version of
muttprint, which is due to be installed in the Debian FTP archive:

muttprint-manual_0.72d-10_all.deb
  to pool/main/m/muttprint/muttprint-manual_0.72d-10_all.deb
muttprint_0.72d-10.diff.gz
  to pool/main/m/muttprint/muttprint_0.72d-10.diff.gz
muttprint_0.72d-10.dsc
  to pool/main/m/muttprint/muttprint_0.72d-10.dsc
muttprint_0.72d-10_all.deb
  to pool/main/m/muttprint/muttprint_0.72d-10_all.deb
ospics_0.72d-10_all.deb
  to pool/main/m/muttprint/ospics_0.72d-10_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 509487@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Rene Engelhard <rene@debian.org> (supplier of updated muttprint package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 25 Dec 2008 22:32:04 +0100
Source: muttprint
Binary: muttprint muttprint-manual ospics
Architecture: source all
Version: 0.72d-10
Distribution: unstable
Urgency: high
Maintainer: Rene Engelhard <rene@debian.org>
Changed-By: Rene Engelhard <rene@debian.org>
Description: 
 muttprint  - Pretty printing of mails
 muttprint-manual - Manual for muttprint
 ospics     - Some images of operating system logos/mascots
Closes: 509487
Changes: 
 muttprint (0.72d-10) unstable; urgency=high
 .
   * backport fix for 15_CVE 15_2008-5368 from upstrem (closes: #509487)
   * fix up lintian warnings
Checksums-Sha1: 
 fdbef747187f434292430a94f8e8262df6694fa3 1046 muttprint_0.72d-10.dsc
 e3ce615402c9f7468a34eee197ae0dd8474a3b46 219094 muttprint_0.72d-10.diff.gz
 061652218156166f95fb79f9990065cf084916f4 97326 muttprint_0.72d-10_all.deb
 b6756ed01ad1ec8dd8c395105955a078b1723077 836452 muttprint-manual_0.72d-10_all.deb
 03bd2ee5151732de9dd72bf4c320616765b946b5 238208 ospics_0.72d-10_all.deb
Checksums-Sha256: 
 0913954b97a929a52a2c018362448ae9d285eee01c8e4c78705c656aac625069 1046 muttprint_0.72d-10.dsc
 c948929fb830a6e094844940e467adee7a3d46f733199090fe26e8739163bb1b 219094 muttprint_0.72d-10.diff.gz
 71b93061b171fe1ec119315890a8aa56e0a329c122868513137c35cc8bd664c8 97326 muttprint_0.72d-10_all.deb
 cb19aca732177bd0bb904e9f43394a44551b613c3b260280884448f01a165c0e 836452 muttprint-manual_0.72d-10_all.deb
 6bf3a661e9850d188fb982fc8e40d912d6da4dcf2ba5482e24779816099b899d 238208 ospics_0.72d-10_all.deb
Files: 
 5db3d4612964f5b3e2be001ed6c6333c 1046 mail optional muttprint_0.72d-10.dsc
 890ebb4443bbe167b139df5192b683d4 219094 mail optional muttprint_0.72d-10.diff.gz
 0c74b9813270769bb83ac17be4141772 97326 mail optional muttprint_0.72d-10_all.deb
 ddd9adec663c62e627eca970f6a8363f 836452 doc optional muttprint-manual_0.72d-10_all.deb
 f02ca4dd1a5e139a5dcd456ed457edcb 238208 graphics optional ospics_0.72d-10_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFJU/5++FmQsCSK63MRAjLPAJ0bW6qZE66rtbRWC1LU5sUI6+2lHwCfYmKN
817CIVj+jGg/N26YkIF2pFQ=
=yABt
-----END PGP SIGNATURE-----





Bug marked as found in version 0.72d-8. Request was from Rene Engelhard <rene@debian.org> to control@bugs.debian.org. (Thu, 25 Dec 2008 23:39:02 GMT) Full text and rfc822 format available.

Reply sent to Rene Engelhard <rene@debian.org>:
You have taken responsibility. (Sat, 03 Jan 2009 20:12:23 GMT) Full text and rfc822 format available.

Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Bug acknowledged by developer. (Sat, 03 Jan 2009 20:12:23 GMT) Full text and rfc822 format available.

Message #42 received at 509487-close@bugs.debian.org (full text, mbox):

From: Rene Engelhard <rene@debian.org>
To: 509487-close@bugs.debian.org
Subject: Bug#509487: fixed in muttprint 0.72d-8etch1
Date: Sat, 03 Jan 2009 19:52:30 +0000
Source: muttprint
Source-Version: 0.72d-8etch1

We believe that the bug you reported is fixed in the latest version of
muttprint, which is due to be installed in the Debian FTP archive:

muttprint-manual_0.72d-8etch1_all.deb
  to pool/main/m/muttprint/muttprint-manual_0.72d-8etch1_all.deb
muttprint_0.72d-8etch1.diff.gz
  to pool/main/m/muttprint/muttprint_0.72d-8etch1.diff.gz
muttprint_0.72d-8etch1.dsc
  to pool/main/m/muttprint/muttprint_0.72d-8etch1.dsc
muttprint_0.72d-8etch1_all.deb
  to pool/main/m/muttprint/muttprint_0.72d-8etch1_all.deb
ospics_0.72d-8etch1_all.deb
  to pool/main/m/muttprint/ospics_0.72d-8etch1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 509487@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Rene Engelhard <rene@debian.org> (supplier of updated muttprint package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 26 Dec 2008 00:18:44 +0100
Source: muttprint
Binary: ospics muttprint muttprint-manual
Architecture: source all
Version: 0.72d-8etch1
Distribution: stable
Urgency: high
Maintainer: Rene Engelhard <rene@debian.org>
Changed-By: Rene Engelhard <rene@debian.org>
Description: 
 muttprint  - Pretty printing of mails
 muttprint-manual - Manual for muttprint
 ospics     - Some images of operating system logos/mascots
Closes: 509487
Changes: 
 muttprint (0.72d-8etch1) stable; urgency=high
 .
   * backport fix for 15_CVE 15_2008-5368 from upstrem (closes: #509487)
Files: 
 703f4e7631b067b432c6d2f6b7788211 655 mail optional muttprint_0.72d-8etch1.dsc
 638584927acbcf6c1e15504fe366f2f1 218195 mail optional muttprint_0.72d-8etch1.diff.gz
 dd772c274edb657b5bfc1e07b4f9c89f 96924 mail optional muttprint_0.72d-8etch1_all.deb
 38181175f93d0dd702755037c06601a1 923558 doc optional muttprint-manual_0.72d-8etch1_all.deb
 a2bce038ff3e6cc490069aec56815b7a 238188 graphics optional ospics_0.72d-8etch1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFJVBtm+FmQsCSK63MRAqebAJ0VN4RYYN+8xo+TxEwvN2WNM7uBKwCbBCJN
o0K78cqcHiF4AQUOgRWfLkQ=
=6tRT
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 01 Feb 2009 07:31:26 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 11:46:35 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.