Debian Bug report logs - #553948
winkeydaemon: Symlink attack allows creation of arbitrary files

Package: winkeydaemon; Maintainer for winkeydaemon is (unknown);

Reported by: Steve Kemp <skx@debian.org>

Date: Mon, 2 Nov 2009 11:45:30 UTC

Severity: grave

Tags: security

Found in version winkeydaemon/1.0.1-3

Fixed in version 1.0.1-4+rm

Done: Marco Rodrigues <gothicx@sapo.pt>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Joop Stakenborg <pa3aba@debian.org>:
Bug#553948; Package winkeydaemon. (Mon, 02 Nov 2009 11:45:35 GMT)

Acknowledgement sent to Steve Kemp <skx@debian.org>:
New Bug report received and forwarded. Copy sent to Joop Stakenborg <pa3aba@debian.org>. (Mon, 02 Nov 2009 11:45:35 GMT)

Message #5 received at submit@bugs.debian.org:

From: Steve Kemp <skx@debian.org>
To: submit@bugs.debian.org
Subject: winkeydaemon: Symlink attack allows creation of arbitrary files
Date: Mon, 2 Nov 2009 11:11:43 +0000
Package: winkeydaemon
Version: 1.0.1-3
Justification: user security hole
Severity: grave
Tags: security

  This is probably not a hugely exploitable issue, but reporting
 regardless:

 winkeydaemon.pl:

if (-d "/tmp/.winkey") {
    # ok, no action required
} else {
    my $dir = "/tmp/.winkey";
    `mkdir "$dir"`;
    if ($debug) {print "Arranging mutex directory\n";}
}
...
...
                        `touch /tmp/.winkey/keyer_busy`;
...
                            `rm /tmp/.winkey/keyer_busy`;
...


-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.30-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages winkeydaemon depends on:
ii  libdevice-serialport-perl     1.04-2+b1  emulation of Win32::SerialPort for

winkeydaemon recommends no packages.

winkeydaemon suggests no packages.




Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#553948; Package winkeydaemon. (Sun, 29 Nov 2009 00:12:05 GMT)

Acknowledgement sent to Johann Felix Soden <johfel@gmx.de>:
Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>. (Sun, 29 Nov 2009 00:12:05 GMT)

Message #10 received at 553948@bugs.debian.org:

From: Johann Felix Soden <johfel@gmx.de>
To: 553948@bugs.debian.org
Subject: About the lockfile vulnerability
Date: Sun, 29 Nov 2009 01:08:06 +0100
Hi!

At the moment, the lock file usage in winkeydaemon is useless since
there is never a test if the lock file does exist.

In my opinion, the vulnerability should be solved by using routines from
LockFile::Simple (package liblockfile-simple-perl) and creating the
files directly in /tmp/.
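
The symlink problem reported above, together with the missing lock-existence test noted in this message, can be handled with core Perl alone. This is an added example, not part of the bug thread or of winkeydaemon; it uses sysopen with O_CREAT|O_EXCL rather than the suggested LockFile::Simple, and the helper names and the scratch directory standing in for /tmp are assumptions.

```perl
#!/usr/bin/perl
# Added example, not winkeydaemon code: symlink-safe replacement for the
# mkdir/touch/rm backticks quoted in the report.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL S_ISDIR S_IMODE);
use File::Temp qw(tempdir);

# Create the lock directory, or accept an existing one only if it is a real
# directory (not a symlink), owned by us, and not group/world writable.
sub ensure_private_dir {
    my ($dir) = @_;
    mkdir($dir, 0700) or $!{EEXIST} or die "mkdir $dir: $!\n";
    my @st = lstat($dir) or die "lstat $dir: $!\n";
    die "$dir: not a directory (symlink?)\n" unless S_ISDIR($st[2]);
    die "$dir: not owned by uid $>\n"        unless $st[4] == $>;
    die "$dir: group/world writable\n"       if S_IMODE($st[2]) & 022;
    return $dir;
}

# Atomically create the lock file. O_CREAT|O_EXCL fails with EEXIST if the
# name exists, including when it is a symlink, so nothing is followed.
# Returns 1 when the lock was taken, 0 when it is already held.
sub acquire_lock {
    my ($path) = @_;
    if (sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL, 0600)) {
        print {$fh} "$$\n";
        close($fh) or die "close $path: $!\n";
        return 1;
    }
    return 0 if $!{EEXIST};
    die "open $path: $!\n";
}

# unlink() removes the directory entry itself and never follows a symlink.
sub release_lock { my ($path) = @_; return unlink($path) }

# Demo in a scratch directory (constructed paths standing in for /tmp).
my $base = tempdir(CLEANUP => 1);
my $dir  = ensure_private_dir("$base/.winkey");
my $lock = "$dir/keyer_busy";
print "first acquire:  ", acquire_lock($lock), "\n";
print "second acquire: ", acquire_lock($lock), "\n";
release_lock($lock);

# A planted symlink at the lock name is refused and its target stays absent.
symlink("$base/victim", $lock) or die "symlink: $!\n";
print "symlinked lock: ", acquire_lock($lock), "\n";
print "victim created: ", (-e "$base/victim" ? "yes" : "no"), "\n";
```

The ownership and mode checks in ensure_private_dir are what reject a /tmp/.winkey that another local user created first.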






Reply sent to Marco Rodrigues <gothicx@sapo.pt>:
You have taken responsibility. (Sun, 06 Dec 2009 16:48:21 GMT)

Notification sent to Steve Kemp <skx@debian.org>:
Bug acknowledged by developer. (Sun, 06 Dec 2009 16:48:21 GMT)

Message #15 received at 553948-done@bugs.debian.org:

From: Marco Rodrigues <gothicx@sapo.pt>
To: 553948-done@bugs.debian.org
Subject: Package winkeydaemon has been removed from Debian
Date: Sun, 06 Dec 2009 16:40:08 +0000
Version: 1.0.1-4+rm

You filed the bug http://bugs.debian.org/553948 in Debian BTS
against the package winkeydaemon. I'm closing it at *unstable*, but it will
remain open for older distributions.

For more information about this package's removal, read
http://bugs.debian.org/558450. That bug might give the reasons why
this package was removed and suggestions of possible replacements.

Don't hesitate to reply to this mail if you have any questions.

Thank you for your contribution to Debian.

--
Marco Rodrigues




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 07 Feb 2011 08:06:05 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 06:42:35 2014; Machine Name: beach.debian.org
