Acknowledgement sent
to Paul Wise <pabs@debian.org>:
New Bug report received and forwarded. Copy sent to Bernd Zeimetz <bzed@debian.org>.
(Sun, 27 Sep 2009 04:15:11 GMT).
Package: merkaartor
Version: 0.14+svnfixes~20090912-1
Severity: important
Tags: security
Found a minor symlink attack in merkaartor. It allows a local attacker
to append the contents of the merkaartor log file to arbitrary files
owned by the user running merkaartor.
It may be used to DoS any applications that require their data files to
be valid before starting.
While no data loss is immediately obvious, it is possible that
corrupting files by appending data could lead other software to destroy
the newly corrupted data. An example of this could be bash. A merkaartor
log file can be fairly long if the user has enabled map tile downloads
and browses a large area and lots of tiles over one map editing session.
Merkaartor would append many lines to the user's bash history and next
time they start bash, their bash history could be larger than bash's
history limit settings, then bash would take the latest lines (all
merkaartor logs) and discard the legitimate bash history.
Steps to reproduce:
pabs@chianamo:~/tmp$ sudo rm -f /tmp/merkaartor.log /home/pabs/tmp/foo.log
pabs@chianamo:~/tmp$ sudo su -c 'ln -s /home/pabs/tmp/foo.log /tmp/merkaartor.log' nobody
pabs@chianamo:~/tmp$ ls -l /home/pabs/tmp/foo.log /tmp/merkaartor.log
ls: cannot access /home/pabs/tmp/foo.log: No such file or directory
lrwxrwxrwx 1 nobody nogroup 22 2009-09-27 11:49 /tmp/merkaartor.log -> /home/pabs/tmp/foo.log
pabs@chianamo:~/tmp$ merkaartor
**** "2009-09-27T11:49:39" -- Starting "Merkaartor 0.14"
------- "using QT version 4.5.2 (built with 4.5.2)"
------- on X11
**** "2009-09-27T11:49:42" -- Ending "Merkaartor 0.14"
pabs@chianamo:~/tmp$ ls -l /home/pabs/tmp/foo.log /tmp/merkaartor.log
-rw-r----- 1 pabs pabs 189 2009-09-27 11:49 /home/pabs/tmp/foo.log
lrwxrwxrwx 1 nobody nogroup 22 2009-09-27 11:49 /tmp/merkaartor.log -> /home/pabs/tmp/foo.log
pabs@chianamo:~/tmp$ cat /home/pabs/tmp/foo.log
**** "2009-09-27T11:49:39" -- Starting "Merkaartor 0.14"
------- "using QT version 4.5.2 (built with 4.5.2)"
------- on X11
**** "2009-09-27T11:49:42" -- Ending "Merkaartor 0.14"
pabs@chianamo:~/tmp$ echo test > foo.log
pabs@chianamo:~/tmp$ cat /home/pabs/tmp/foo.log
test
pabs@chianamo:~/tmp$ merkaartor
**** "2009-09-27T11:50:20" -- Starting "Merkaartor 0.14"
------- "using QT version 4.5.2 (built with 4.5.2)"
------- on X11
**** "2009-09-27T11:50:24" -- Ending "Merkaartor 0.14"
pabs@chianamo:~/tmp$ cat /home/pabs/tmp/foo.log
test
**** "2009-09-27T11:50:20" -- Starting "Merkaartor 0.14"
------- "using QT version 4.5.2 (built with 4.5.2)"
------- on X11
**** "2009-09-27T11:50:24" -- Ending "Merkaartor 0.14"
pabs@chianamo:~/tmp$ ls -l /home/pabs/tmp/foo.log /tmp/merkaartor.log
-rw-r----- 1 pabs pabs 194 2009-09-27 11:50 /home/pabs/tmp/foo.log
lrwxrwxrwx 1 nobody nogroup 22 2009-09-27 11:49 /tmp/merkaartor.log -> /home/pabs/tmp/foo.log
-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (700, 'testing'), (600, 'unstable'), (550, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.30-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages merkaartor depends on:
ii libc6 2.9-25 GNU C Library: Shared libraries
ii libexiv2-5 0.18.2-1+b1 EXIF/IPTC metadata manipulation li
ii libgcc1 1:4.4.1-1 GCC support library
ii libgdal1-1.6.0 1.6.2-1 Geospatial Data Abstraction Librar
ii libqt4-network 4:4.5.2-2 Qt 4 network module
ii libqt4-svg 4:4.5.2-2 Qt 4 SVG module
ii libqt4-webkit 4:4.5.2-2 Qt 4 WebKit module
ii libqt4-xml 4:4.5.2-2 Qt 4 XML module
ii libqtcore4 4:4.5.2-2 Qt 4 core module
ii libqtgui4 4:4.5.2-2 Qt 4 GUI module
ii libstdc++6 4.4.1-1 The GNU Standard C++ Library v3
ii zlib1g 1:1.2.3.3.dfsg-15 compression library - runtime
--
bye,
pabs
http://wiki.debian.org/PaulWise
Information forwarded
to debian-bugs-dist@lists.debian.org, Bernd Zeimetz <bzed@debian.org>: Bug#548546; Package merkaartor.
(Sun, 27 Sep 2009 14:39:03 GMT).
Acknowledgement sent
to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Bernd Zeimetz <bzed@debian.org>.
(Sun, 27 Sep 2009 14:39:03 GMT).
On Sunday 27 September 2009, Paul Wise wrote:
> Package: merkaartor
> Version: 0.14+svnfixes~20090912-1
> Severity: important
> Tags: security
>
> Found a minor symlink attack in merkaartor. It allows a local attacker
> to append the contents of the merkaartor log file to arbitrary files
> owned by the user running merkaartor.
Thanks for reporting. Some observations:
* applies to squeeze/sid but not lenny.
* merkaartor does not run as root so this is not a critical issue.
Uploading a fix to sid (and bpo?), perhaps with bumped urgency, would clear
the issue.
cheers,
Thijs
Subject: Bug#548546: fixed in merkaartor 0.14+svnfixes~20090912-2
Date: Thu, 15 Oct 2009 10:31:51 +0000
Source: merkaartor
Source-Version: 0.14+svnfixes~20090912-2
We believe that the bug you reported is fixed in the latest version of
merkaartor, which is due to be installed in the Debian FTP archive:
merkaartor_0.14+svnfixes~20090912-2.diff.gz
to pool/main/m/merkaartor/merkaartor_0.14+svnfixes~20090912-2.diff.gz
merkaartor_0.14+svnfixes~20090912-2.dsc
to pool/main/m/merkaartor/merkaartor_0.14+svnfixes~20090912-2.dsc
merkaartor_0.14+svnfixes~20090912-2_amd64.deb
to pool/main/m/merkaartor/merkaartor_0.14+svnfixes~20090912-2_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 548546@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Bernd Zeimetz <bzed@debian.org> (supplier of updated merkaartor package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Thu, 15 Oct 2009 11:37:15 +0200
Source: merkaartor
Binary: merkaartor
Architecture: source amd64
Version: 0.14+svnfixes~20090912-2
Distribution: unstable
Urgency: high
Maintainer: Bernd Zeimetz <bzed@debian.org>
Changed-By: Bernd Zeimetz <bzed@debian.org>
Description:
merkaartor - map editor for OpenStreetMap.org
Closes: 548546
Changes:
merkaartor (0.14+svnfixes~20090912-2) unstable; urgency=high
.
* [6a4e67f9] Support +svnfixes dversion in debian/watch.
* [00189629] Write log to /dev/null, workaround for a minor symlink
attack until upstream fixes it properly. (Closes: #548546) - thanks
to Paul Wise
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAkrW8HoACgkQBnqtBMk7/3nXigCdEjKjyCGFXKKVsQv1ym5AfMpH
zcMAoI4pjSesqT+tOAPsKWo1sBmgTCEj
=I9bK
-----END PGP SIGNATURE-----
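The upload above only redirects the log to /dev/null as a workaround. As an added illustration (not merkaartor's code and not the Debian patch), this is one way a program can open a log for appending without following a planted symlink. The function names open_log_safely and demo_symlink_refused are hypothetical, and the scratch directory and file contents are constructed to mirror the reproduction steps in the report.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: open a log for appending without following a symlink
   planted at `path`. Returns a file descriptor, or -1 with errno set. */
int open_log_safely(const char *path)
{
    /* O_NOFOLLOW makes open() fail if the last path component is a symlink;
       mode 0600 keeps a newly created log private to the user. */
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0)
        return -1;
    struct stat st;
    /* Inspect the descriptor we hold, not the path, so nothing can be
       swapped between the check and the first write. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() ||   /* file pre-created by another user */
        st.st_nlink != 1) {         /* hard link to some other file */
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed scenario in a private scratch directory: "merkaartor.log" is a
   symlink to "foo.log", which holds "test\n". Returns the size of foo.log
   after the logging attempt (5 if untouched), or -1 if setup failed or the
   open was not refused. Leaves the process in the scratch directory. */
long demo_symlink_refused(void)
{
    char dir[] = "/tmp/symlink-demo-XXXXXX";
    if (!mkdtemp(dir) || chdir(dir) != 0)
        return -1;
    FILE *f = fopen("foo.log", "w");
    if (!f || fputs("test\n", f) < 0 || fclose(f) != 0)
        return -1;
    if (symlink("foo.log", "merkaartor.log") != 0)
        return -1;
    int fd = open_log_safely("merkaartor.log");
    if (fd >= 0) { close(fd); return -1; }   /* symlink was followed */
    struct stat st;
    return stat("foo.log", &st) == 0 ? (long)st.st_size : -1;
}

int main(void) { printf("foo.log size: %ld\n", demo_symlink_refused()); return 0; }
```

Keeping the log in a directory only the user can write to (for example under the home directory) avoids the shared /tmp name altogether; the checks above cover the case where a world-writable location cannot be avoided.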
Information forwarded
to debian-bugs-dist@lists.debian.org, Bernd Zeimetz <bzed@debian.org>: Bug#548546; Package merkaartor.
(Thu, 15 Oct 2009 11:39:04 GMT).
Acknowledgement sent
to Bernd Zeimetz <bernd@bzed.de>:
Extra info received and forwarded to list. Copy sent to Bernd Zeimetz <bzed@debian.org>.
(Thu, 15 Oct 2009 11:39:04 GMT).
Information forwarded
to debian-bugs-dist@lists.debian.org, Bernd Zeimetz <bzed@debian.org>: Bug#548546; Package merkaartor.
(Thu, 15 Oct 2009 11:39:06 GMT).
Acknowledgement sent
to Bernd Zeimetz <bernd@bzed.de>:
Extra info received and forwarded to list. Copy sent to Bernd Zeimetz <bzed@debian.org>.
(Thu, 15 Oct 2009 11:39:06 GMT).