Debian Bug report logs - #543785
backintime-common: backintime make world readable file in backup when it remove old backup


Package: backintime-common; Maintainer for backintime-common is Jonathan Wiltshire <jmw@debian.org>; Source for backintime-common is src:backintime.

Reported by: Rémi Vanicat <vanicat@debian.org>

Date: Wed, 26 Aug 2009 22:15:02 UTC

Severity: grave

Tags: fixed-upstream, security

Found in versions backintime/0.9.26-1, backintime/0.9.26-2

Fixed in version backintime/0.9.26-3

Done: Jonathan Wiltshire <debian@jwiltshire.org.uk>

Bug is archived. No further changes may be made.

Forwarded to https://bugs.launchpad.net/backintime/+bug/419774



Report forwarded to debian-bugs-dist@lists.debian.org, vanicat@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Jonathan Wiltshire <debian@jwiltshire.org.uk>:
Bug#543785; Package backintime-common. (Wed, 26 Aug 2009 22:15:07 GMT)

Acknowledgement sent to Rémi Vanicat <vanicat@debian.org>:
New Bug report received and forwarded. Copy sent to vanicat@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Jonathan Wiltshire <debian@jwiltshire.org.uk>. (Wed, 26 Aug 2009 22:15:07 GMT)

Message #5 received at submit@bugs.debian.org:

From: Rémi Vanicat <vanicat@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: backintime-common: backintime make world readable file in backup when it remove old backup
Date: Thu, 27 Aug 2009 00:04:49 +0200
Package: backintime-common
Version: 0.9.26-2
Severity: grave
Tags: security
Justification: user security hole

When asking backintime to remove an old backup, it first changes the mode
of all files of the backup to 777, allowing potentially every local
user to read and modify those before they are deleted (and this could take some
time).

Worse still, if a file is shared between several backups, as the file's
mode is also shared, it stays world readable and writable in those
other backups.

Note that one does not need to change the mode of a file to remove it:
only the mode of the directory needs to be changed. The other advantage
of changing the mode only for directories is that they are not shared
between backups, so the changed mode doesn't stay for a long period of
time.



-- System Information:
Debian Release: squeeze/sid
  APT prefers transitional
  APT policy: (500, 'transitional'), (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.30.4 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages backintime-common depends on:
ii  cron                          3.0pl1-106 process scheduling daemon
ii  python                        2.5.4-2    An interactive high-level object-o
ii  python-support                1.0.3      automated rebuilding support for P
ii  rsync                         3.0.6-1    fast remote file copy program (lik

backintime-common recommends no packages.

backintime-common suggests no packages.

-- no debconf information




Set Bug forwarded-to-address to 'https://bugs.launchpad.net/backintime/+bug/419774'. Request was from Jonathan Wiltshire <debian@jwiltshire.org.uk> to control@bugs.debian.org. (Thu, 27 Aug 2009 09:06:10 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Jonathan Wiltshire <debian@jwiltshire.org.uk>:
Bug#543785; Package backintime-common. (Thu, 27 Aug 2009 18:42:06 GMT)

Acknowledgement sent to Rémi Vanicat <vanicat@debian.org>:
Extra info received and forwarded to list. Copy sent to Jonathan Wiltshire <debian@jwiltshire.org.uk>. (Thu, 27 Aug 2009 18:42:06 GMT)

Message #12 received at 543785@bugs.debian.org:

From: Rémi Vanicat <vanicat@debian.org>
To: control@bugs.debian.org, 543785@bugs.debian.org
Subject: Package version for security bug.
Date: Thu, 27 Aug 2009 20:37:05 +0200
found: 543785 0.9.26-1
Thanks.

I had first found this bug in this version of the package, but I had
no connection at the time.




Bug Marked as found in versions backintime/0.9.26-1. Request was from Rémi Vanicat <remi.vanicat@gmail.com> to control@bugs.debian.org. (Thu, 27 Aug 2009 18:54:09 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Jonathan Wiltshire <debian@jwiltshire.org.uk>:
Bug#543785; Package backintime-common. (Fri, 28 Aug 2009 10:27:14 GMT)

Acknowledgement sent to Rémi Vanicat <vanicat@debian.org>:
Extra info received and forwarded to list. Copy sent to Jonathan Wiltshire <debian@jwiltshire.org.uk>. (Fri, 28 Aug 2009 10:27:19 GMT)

Message #19 received at 543785@bugs.debian.org:

From: Rémi Vanicat <vanicat@debian.org>
To: 543785@bugs.debian.org
Subject: Re: Bug#543785: backintime-common: backintime make world readable file in backup when it remove old backup
Date: Fri, 28 Aug 2009 11:53:14 +0200
2009/8/27 Rémi Vanicat <vanicat@debian.org>:

> When asking backintime to remove an old backup, it first changes the mode
> of all files of the backup to 777, allowing potentially every local
> user to read and modify those before they are deleted (and this could take some
> time).

While looking at this bug, I found that applying this:

--- common/snapshots.py~	2009-08-24 23:11:27.000000000 +0200
+++ common/snapshots.py	2009-08-28 09:48:57.000000000 +0200
@@ -314,7 +314,7 @@
 			return

 		path = self.get_snapshot_path( snapshot_id )
-		cmd = "chmod -R a+rwx \"%s\"" %  path
+		cmd = "find \"%s\" -type d -exec chmod u+wx {} \\;" % path
 		self._execute( cmd )
 		cmd = "rm -rfv \"%s\"" % path
 		self._execute( cmd )
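Review bot: the replacement line `+		cmd = "find \"%s\" -type d -exec chmod u+wx {} \\;" % path` grants owner write and search on each directory but not read, yet the `rm -rfv` that follows has to read every directory's listing to recurse into it, so a snapshot directory stored without owner read would still not be removed; `u+rwx` covers all three bits, and `-exec chmod u+rwx {} +` runs one chmod per batch of directories instead of one process per directory. The snapshot path is still interpolated into a shell string between double quotes, exactly as in the removed line, so a path containing `"` or `$` breaks the command either way; that deserves a comment or a follow-up, since the new `find` line does not change it.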

to the snapshots.py file solves this problem, but I also found other
calls to chmod -R a+rwx or to
chmod a+w that should probably be investigated.
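To make the mechanism described in the report and in the patch concrete, here is an added Python 3 example (not backintime's own code, and not part of the bug log) that builds two constructed snapshots sharing one unchanged file through a hard link, the way rsync-style snapshots do, and compares the old "chmod -R a+rwx then rm -rf" removal with the directories-only removal: the first leaves the surviving snapshot's copy at mode 777 because the hard-linked inode's mode is shared, the second leaves it at 600.

```python
import os
import shutil
import stat
import tempfile

SECRET = os.path.join("backup", "home", "secret.txt")

def make_snapshots(root):
    """Two constructed snapshots sharing one unchanged file through a hard link."""
    old = os.path.join(root, "20090824-000001")
    new = os.path.join(root, "20090828-000001")
    for snap in (old, new):
        os.makedirs(os.path.dirname(os.path.join(snap, SECRET)), mode=0o700)
    with open(os.path.join(old, SECRET), "w") as fh:
        fh.write("private\n")
    os.chmod(os.path.join(old, SECRET), 0o600)
    # rsync --link-dest style: one inode, hence one mode, in both snapshots
    os.link(os.path.join(old, SECRET), os.path.join(new, SECRET))
    return old, new

def mode_of(path):
    return stat.S_IMODE(os.lstat(path).st_mode)

def remove_snapshot_unsafe(path):
    """What 0.9.26 did: chmod -R a+rwx on every file and directory, then rm -rf."""
    os.chmod(path, 0o777)
    for dirpath, dirnames, filenames in os.walk(path):
        for name in dirnames + filenames:
            os.chmod(os.path.join(dirpath, name), 0o777)
    shutil.rmtree(path)

def remove_snapshot_safe(path):
    """Owner rwx on directories only: unlinking needs nothing else, and directory
    inodes are never hard-linked across snapshots, so other snapshots keep their modes."""
    os.chmod(path, mode_of(path) | 0o700)
    for dirpath, dirnames, _ in os.walk(path):
        for name in dirnames:
            sub = os.path.join(dirpath, name)
            os.chmod(sub, mode_of(sub) | 0o700)
    shutil.rmtree(path)

def surviving_mode_after(remove):
    """Delete the older snapshot with `remove`; report the shared file's mode in the newer one."""
    root = tempfile.mkdtemp(prefix="bit-demo-")
    try:
        old, new = make_snapshots(root)
        remove(old)
        return mode_of(os.path.join(new, SECRET))
    finally:
        shutil.rmtree(root, ignore_errors=True)
```

Running `surviving_mode_after` with each removal function shows the difference directly: 0o777 after the old behaviour, 0o600 after the directories-only one.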




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#543785; Package backintime-common. (Fri, 28 Aug 2009 11:21:14 GMT)

Acknowledgement sent to Jonathan Wiltshire <debian@jwiltshire.org.uk>:
Extra info received and forwarded to list. (Fri, 28 Aug 2009 11:21:14 GMT)

Message #24 received at 543785@bugs.debian.org:

From: Jonathan Wiltshire <debian@jwiltshire.org.uk>
To: Rémi Vanicat <vanicat@debian.org>, 543785@bugs.debian.org
Subject: Re: Bug#543785: backintime-common: backintime make world readable file in backup when it remove old backup
Date: Fri, 28 Aug 2009 12:01:47 +0100
On Fri, Aug 28, 2009 at 11:53:14AM +0200, Rémi Vanicat wrote:
> 2009/8/27 Rémi Vanicat <vanicat@debian.org>:
> 
> > When asking backintime to remove an old backup, it first changes the mode
> > of all files of the backup to 777, allowing potentially every local
> > user to read and modify those before they are deleted (and this could take some
> > time).
> 
> While looking at this bug, I found that applying this:
> 
> to the snapshots.py file solves this problem, but I also found other
> calls to chmod -R a+rwx or to
> chmod a+w that should probably be investigated.

Ok, thanks for having a look. I've forwarded it upstream but if he's not
quick about it, I will investigate patching it for the time being.


-- 
Jonathan Wiltshire

1024D: 0xDB800B52 / 4216 F01F DCA9 21AC F3D3  A903 CA6B EA3E DB80 0B52
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51




Added tag(s) fixed-upstream. Request was from bts-link-upstream@lists.alioth.debian.org to control@bugs.debian.org. (Thu, 03 Sep 2009 19:01:38 GMT)

Added tag(s) pending. Request was from Jonathan Wiltshire <debian@jwiltshire.org.uk> to control@bugs.debian.org. (Mon, 07 Sep 2009 21:15:15 GMT)

Reply sent to Jonathan Wiltshire <debian@jwiltshire.org.uk>:
You have taken responsibility. (Mon, 07 Sep 2009 22:57:11 GMT)

Notification sent to Rémi Vanicat <vanicat@debian.org>:
Bug acknowledged by developer. (Mon, 07 Sep 2009 22:57:11 GMT)

Message #33 received at 543785-close@bugs.debian.org:

From: Jonathan Wiltshire <debian@jwiltshire.org.uk>
To: 543785-close@bugs.debian.org
Subject: Bug#543785: fixed in backintime 0.9.26-3
Date: Mon, 07 Sep 2009 22:33:42 +0000
Source: backintime
Source-Version: 0.9.26-3

We believe that the bug you reported is fixed in the latest version of
backintime, which is due to be installed in the Debian FTP archive:

backintime-common_0.9.26-3_all.deb
  to pool/main/b/backintime/backintime-common_0.9.26-3_all.deb
backintime-gnome_0.9.26-3_all.deb
  to pool/main/b/backintime/backintime-gnome_0.9.26-3_all.deb
backintime-kde_0.9.26-3_all.deb
  to pool/main/b/backintime/backintime-kde_0.9.26-3_all.deb
backintime_0.9.26-3.diff.gz
  to pool/main/b/backintime/backintime_0.9.26-3.diff.gz
backintime_0.9.26-3.dsc
  to pool/main/b/backintime/backintime_0.9.26-3.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 543785@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonathan Wiltshire <debian@jwiltshire.org.uk> (supplier of updated backintime package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Mon, 07 Sep 2009 21:53:28 +0100
Source: backintime
Binary: backintime-common backintime-gnome backintime-kde
Architecture: source all
Version: 0.9.26-3
Distribution: unstable
Urgency: high
Maintainer: Jonathan Wiltshire <debian@jwiltshire.org.uk>
Changed-By: Jonathan Wiltshire <debian@jwiltshire.org.uk>
Description: 
 backintime-common - simple backup/snapshot system
 backintime-gnome - GNOME front-end for backintime
 backintime-kde - KDE front-end for backintime
Closes: 543785
Changes: 
 backintime (0.9.26-3) unstable; urgency=high
 .
   * Fix typo in debian/rules
   * New patch no-chmod-777.patch to stop common/snapshots.py from making
     all files world-readable and writeable before deleting a backup.
     (Closes: #543785) - thanks to Rémi Vanicat, Bart de Koning





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 08 Oct 2009 07:36:48 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 08:31:30 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.