Debian Bug report logs - #548546
merkaartor: minor symlink attack

Package: merkaartor; Maintainer for merkaartor is Debian GIS Project <pkg-grass-devel@lists.alioth.debian.org>; Source for merkaartor is src:merkaartor.

Reported by: Paul Wise <pabs@debian.org>

Date: Sun, 27 Sep 2009 04:15:02 UTC

Severity: important

Tags: pending, security

Found in version merkaartor/0.14+svnfixes~20090912-1

Fixed in version merkaartor/0.14+svnfixes~20090912-2

Done: Bernd Zeimetz <bzed@debian.org>

Bug is archived. No further changes may be made.

Forwarded to http://trac.openstreetmap.org/ticket/2320


Report forwarded to debian-bugs-dist@lists.debian.org, Bernd Zeimetz <bzed@debian.org>:
Bug#548546; Package merkaartor. (Sun, 27 Sep 2009 04:15:08 GMT).


Acknowledgement sent to Paul Wise <pabs@debian.org>:
New Bug report received and forwarded. Copy sent to Bernd Zeimetz <bzed@debian.org>. (Sun, 27 Sep 2009 04:15:11 GMT).


Message #5 received at submit@bugs.debian.org:

From: Paul Wise <pabs@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: merkaartor: minor symlink attack
Date: Sun, 27 Sep 2009 12:04:13 +0800
Package: merkaartor
Version: 0.14+svnfixes~20090912-1
Severity: important
Tags: security

Found a minor symlink attack in merkaartor. It allows a local attacker
to append the contents of the merkaartor log file to arbitrary files
owned by the user running merkaartor.

It may be used to DoS any applications that require their data files to
be valid before starting.

While no data loss is immediately obvious, it is possible that
corrupting files by appending data could lead other software to destroy
the newly corrupted data. An example of this could be bash. A merkaartor
log file can be fairly long if the user has enabled map tile downloads
and browses a large area and lots of tiles over one map editing session.
Merkaartor would append many lines to the user's bash history and next
time they start bash, their bash history could be larger than bash's
history limit settings, then bash would take the latest lines (all
merkaartor logs) and discard the legitimate bash history. 

Steps to reproduce: 

pabs@chianamo:~/tmp$ sudo rm -f /tmp/merkaartor.log /home/pabs/tmp/foo.log
pabs@chianamo:~/tmp$ sudo su -c 'ln -s /home/pabs/tmp/foo.log /tmp/merkaartor.log' nobody
pabs@chianamo:~/tmp$ ls -l /home/pabs/tmp/foo.log /tmp/merkaartor.log
ls: cannot access /home/pabs/tmp/foo.log: No such file or directory
lrwxrwxrwx 1 nobody nogroup 22 2009-09-27 11:49 /tmp/merkaartor.log -> /home/pabs/tmp/foo.log
pabs@chianamo:~/tmp$ merkaartor
****  "2009-09-27T11:49:39"  -- Starting  "Merkaartor 0.14" 
------- "using QT version 4.5.2 (built with 4.5.2)" 
------- on X11 
****  "2009-09-27T11:49:42"  -- Ending  "Merkaartor 0.14" 
pabs@chianamo:~/tmp$ ls -l /home/pabs/tmp/foo.log /tmp/merkaartor.log
-rw-r----- 1 pabs   pabs    189 2009-09-27 11:49 /home/pabs/tmp/foo.log
lrwxrwxrwx 1 nobody nogroup  22 2009-09-27 11:49 /tmp/merkaartor.log -> /home/pabs/tmp/foo.log
pabs@chianamo:~/tmp$ cat /home/pabs/tmp/foo.log
****  "2009-09-27T11:49:39"  -- Starting  "Merkaartor 0.14" 
------- "using QT version 4.5.2 (built with 4.5.2)" 
------- on X11 
****  "2009-09-27T11:49:42"  -- Ending  "Merkaartor 0.14" 
pabs@chianamo:~/tmp$ echo test > foo.log
pabs@chianamo:~/tmp$ cat /home/pabs/tmp/foo.log
test
pabs@chianamo:~/tmp$ merkaartor
****  "2009-09-27T11:50:20"  -- Starting  "Merkaartor 0.14" 
------- "using QT version 4.5.2 (built with 4.5.2)" 
------- on X11 
****  "2009-09-27T11:50:24"  -- Ending  "Merkaartor 0.14" 
pabs@chianamo:~/tmp$ cat /home/pabs/tmp/foo.log
test
****  "2009-09-27T11:50:20"  -- Starting  "Merkaartor 0.14" 
------- "using QT version 4.5.2 (built with 4.5.2)" 
------- on X11 
****  "2009-09-27T11:50:24"  -- Ending  "Merkaartor 0.14" 
pabs@chianamo:~/tmp$ ls -l /home/pabs/tmp/foo.log /tmp/merkaartor.log
-rw-r----- 1 pabs   pabs    194 2009-09-27 11:50 /home/pabs/tmp/foo.log
lrwxrwxrwx 1 nobody nogroup  22 2009-09-27 11:49 /tmp/merkaartor.log -> /home/pabs/tmp/foo.log

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (700, 'testing'), (600, 'unstable'), (550, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.30-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages merkaartor depends on:
ii  libc6                  2.9-25            GNU C Library: Shared libraries
ii  libexiv2-5             0.18.2-1+b1       EXIF/IPTC metadata manipulation li
ii  libgcc1                1:4.4.1-1         GCC support library
ii  libgdal1-1.6.0         1.6.2-1           Geospatial Data Abstraction Librar
ii  libqt4-network         4:4.5.2-2         Qt 4 network module
ii  libqt4-svg             4:4.5.2-2         Qt 4 SVG module
ii  libqt4-webkit          4:4.5.2-2         Qt 4 WebKit module
ii  libqt4-xml             4:4.5.2-2         Qt 4 XML module
ii  libqtcore4             4:4.5.2-2         Qt 4 core module
ii  libqtgui4              4:4.5.2-2         Qt 4 GUI module
ii  libstdc++6             4.4.1-1           The GNU Standard C++ Library v3
ii  zlib1g                 1:1.2.3.3.dfsg-15 compression library - runtime

-- 
bye,
pabs

http://wiki.debian.org/PaulWise
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Bernd Zeimetz <bzed@debian.org>:
Bug#548546; Package merkaartor. (Sun, 27 Sep 2009 14:39:03 GMT).


Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Bernd Zeimetz <bzed@debian.org>. (Sun, 27 Sep 2009 14:39:03 GMT).


Message #10 received at 548546@bugs.debian.org:

From: Thijs Kinkhorst <thijs@debian.org>
To: Paul Wise <pabs@debian.org>, 548546@bugs.debian.org
Subject: Re: Bug#548546: merkaartor: minor symlink attack
Date: Sun, 27 Sep 2009 16:16:39 +0200
On Sunday 27 September 2009, Paul Wise wrote:
> Package: merkaartor
> Version: 0.14+svnfixes~20090912-1
> Severity: important
> Tags: security
>
> Found a minor symlink attack in merkaartor. It allows a local attacker
> to append the contents of the merkaartor log file to arbitrary files
> owned by the user running merkaartor.

Thanks for reporting. Some observations:
* applies to squeeze/sid but not lenny.
* merkaartor does not run as root so this is not a critical issue.

Uploading a fix to sid (and bpo?), perhaps with bumped urgency, would clear 
the issue.


cheers,
Thijs

Set Bug forwarded-to-address to 'http://trac.openstreetmap.org/ticket/2320'. Request was from Bernd Zeimetz <bzed@debian.org> to control@bugs.debian.org. (Sun, 27 Sep 2009 16:00:03 GMT).


Reply sent to Bernd Zeimetz <bzed@debian.org>:
You have taken responsibility. (Thu, 15 Oct 2009 11:21:12 GMT).


Notification sent to Paul Wise <pabs@debian.org>:
Bug acknowledged by developer. (Thu, 15 Oct 2009 11:21:12 GMT).


Message #17 received at 548546-close@bugs.debian.org:

From: Bernd Zeimetz <bzed@debian.org>
To: 548546-close@bugs.debian.org
Subject: Bug#548546: fixed in merkaartor 0.14+svnfixes~20090912-2
Date: Thu, 15 Oct 2009 10:31:51 +0000
Source: merkaartor
Source-Version: 0.14+svnfixes~20090912-2

We believe that the bug you reported is fixed in the latest version of
merkaartor, which is due to be installed in the Debian FTP archive:

merkaartor_0.14+svnfixes~20090912-2.diff.gz
  to pool/main/m/merkaartor/merkaartor_0.14+svnfixes~20090912-2.diff.gz
merkaartor_0.14+svnfixes~20090912-2.dsc
  to pool/main/m/merkaartor/merkaartor_0.14+svnfixes~20090912-2.dsc
merkaartor_0.14+svnfixes~20090912-2_amd64.deb
  to pool/main/m/merkaartor/merkaartor_0.14+svnfixes~20090912-2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 548546@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bernd Zeimetz <bzed@debian.org> (supplier of updated merkaartor package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 15 Oct 2009 11:37:15 +0200
Source: merkaartor
Binary: merkaartor
Architecture: source amd64
Version: 0.14+svnfixes~20090912-2
Distribution: unstable
Urgency: high
Maintainer: Bernd Zeimetz <bzed@debian.org>
Changed-By: Bernd Zeimetz <bzed@debian.org>
Description: 
 merkaartor - map editor for OpenStreetMap.org
Closes: 548546
Changes: 
 merkaartor (0.14+svnfixes~20090912-2) unstable; urgency=high
 .
   * [6a4e67f9] Support +svnfixes dversion in debian/watch.
   * [00189629] Write log to /dev/null, workaround for a minor symlink
     attack until upstream fixes it properly. (Closes: #548546) - thanks
     to Paul Wise

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkrW8HoACgkQBnqtBMk7/3nXigCdEjKjyCGFXKKVsQv1ym5AfMpH
zcMAoI4pjSesqT+tOAPsKWo1sBmgTCEj
=I9bK
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, Bernd Zeimetz <bzed@debian.org>:
Bug#548546; Package merkaartor. (Thu, 15 Oct 2009 11:39:04 GMT).


Acknowledgement sent to Bernd Zeimetz <bernd@bzed.de>:
Extra info received and forwarded to list. Copy sent to Bernd Zeimetz <bzed@debian.org>. (Thu, 15 Oct 2009 11:39:04 GMT).


Message #22 received at 548546@bugs.debian.org:

From: Bernd Zeimetz <bernd@bzed.de>
To: 548546@bugs.debian.org
Cc: control@bugs.debian.org
Subject: [/master] Write log to /dev/null, workaround for a minor symlink attack until upstream fixes it properly.
Date: Thu, 15 Oct 2009 10:45:38 +0000
tag 548546 pending
thanks

Date: Thu Oct 15 11:31:21 2009 +0200
Author: Bernd Zeimetz <bernd@bzed.de>
Commit ID: 001896296ff5c584c28a1731d1ed25b4373bddd2
Commit URL: http://git.debian.org/?p=collab-maint/merkaartor.git;a=commitdiff;h=001896296ff5c584c28a1731d1ed25b4373bddd2
Patch URL: http://git.debian.org/?p=collab-maint/merkaartor.git;a=commitdiff_plain;h=001896296ff5c584c28a1731d1ed25b4373bddd2

    Write log to /dev/null, workaround for a minor symlink attack until upstream fixes it properly.

    See http://trac.openstreetmap.org/ticket/2320 for details.
    Thanks: Paul Wise
    Closes: #548546
      




Information forwarded to debian-bugs-dist@lists.debian.org, Bernd Zeimetz <bzed@debian.org>:
Bug#548546; Package merkaartor. (Thu, 15 Oct 2009 11:39:06 GMT).


Acknowledgement sent to Bernd Zeimetz <bernd@bzed.de>:
Extra info received and forwarded to list. Copy sent to Bernd Zeimetz <bzed@debian.org>. (Thu, 15 Oct 2009 11:39:06 GMT).


Message #27 received at 548546@bugs.debian.org:

From: Bernd Zeimetz <bernd@bzed.de>
To: 548546@bugs.debian.org
Cc: control@bugs.debian.org
Subject: [/lenny-backports] Write log to /dev/null, workaround for a minor symlink attack until upstream fixes it properly.
Date: Thu, 15 Oct 2009 10:45:38 +0000
tag 548546 pending
thanks

Date: Thu Oct 15 11:31:21 2009 +0200
Author: Bernd Zeimetz <bernd@bzed.de>
Commit ID: 001896296ff5c584c28a1731d1ed25b4373bddd2
Commit URL: http://git.debian.org/?p=collab-maint/merkaartor.git;a=commitdiff;h=001896296ff5c584c28a1731d1ed25b4373bddd2
Patch URL: http://git.debian.org/?p=collab-maint/merkaartor.git;a=commitdiff_plain;h=001896296ff5c584c28a1731d1ed25b4373bddd2

    Write log to /dev/null, workaround for a minor symlink attack until upstream fixes it properly.

    See http://trac.openstreetmap.org/ticket/2320 for details.
    Thanks: Paul Wise
    Closes: #548546
      




Added tag(s) pending. Request was from Bernd Zeimetz <bernd@bzed.de> to control@bugs.debian.org. (Thu, 15 Oct 2009 11:39:08 GMT).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 06 Dec 2009 07:33:02 GMT).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 01:07:00 2025; Machine Name: buxtehude
