Debian Bug report logs - #651931
bokken: vulnerable to symlink attack, leading to arbitrary file overwrite

Package: bokken; Maintainer for bokken is (unknown);

Reported by: Paul Wise <pabs@debian.org>

Date: Tue, 13 Dec 2011 11:06:47 UTC

Severity: important

Tags: security

Found in version bokken/1.5-2

Fixed in version bokken/1.5-3

Done: David Martínez Moreno <ender@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, David Martínez Moreno <ender@debian.org>:
Bug#651931; Package bokken. (Tue, 13 Dec 2011 11:06:50 GMT).


Acknowledgement sent to Paul Wise <pabs@debian.org>:
New Bug report received and forwarded. Copy sent to David Martínez Moreno <ender@debian.org>. (Tue, 13 Dec 2011 11:06:56 GMT).


Message #5 received at submit@bugs.debian.org:

From: Paul Wise <pabs@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: bokken: vulnerable to symlink attack, leading to arbitrary file overwrite
Date: Tue, 13 Dec 2011 19:05:52 +0800
Package: bokken
Version: 1.5-2
Severity: important
Tags: security

An attacker on a multi-user system can overwrite an arbitrary file owned
by the user running bokken by creating a symlink named /tmp/graph.dot:

pabs@chianamo ~ $ ls -l foo /tmp/graph.dot 
ls: cannot access foo: No such file or directory
lrwxrwxrwx 1 nobody nogroup 14 Dec 13 18:56 /tmp/graph.dot -> /home/pabs/foo
pabs@chianamo ~ $ bokken /bin/ls
	Python version... 	OK
Checking:
	Pyew availability... 	D'oh!
You need pyew in order to use pyew backend in binaries and PDFs. Download it from its web:
    - http://code.google.com/p/pyew/

	Radare availability... 	OK
	GTK UI dependencies... 	OK
	GtkSourceView2... 	OK
	Psyco availability... 	D'oh!
No psyco module found. It's recomended to use it to improve performance

	Tidy availability... 	OK
Starting bokken, running on:
  Python version:
    2.7.2+ (default, Oct  5 2011, 10:41:47) 
    [GCC 4.6.1]
  GTK version: 2.24.8
  PyGTK version: 2.24.0

/tmp/graph.dot created
Traceback (most recent call last):
  File "/usr/share/pyshared/bokken/ui/rightnotebook.py", line 149, in on_switch
    self.xdot_box.set_dot(self.uicore.get_callgraph(self.last_fcn))
  File "/usr/share/pyshared/bokken/ui/radare_core.py", line 397, in get_callgraph
    os.unlink(file)
OSError: [Errno 1] Operation not permitted: '/tmp/graph.dot'
[*] Get text dasm
	* Let's get the dasm for .init...  OK!
/tmp/graph.dot created
	* Let's get the dasm for .plt...  OK!
	* Let's get the dasm for .text...  OK!
	* Let's get the dasm for .fini...  OK!
DEBUG: DASM finished, reading from queue!
Process state True
DEBUG: Got a disassembly of 951575 bytes.
DEBUG: Section lines created [12, 689, 19271, 8, 19980]
/tmp/graph.dot created
Traceback (most recent call last):
  File "/usr/share/pyshared/bokken/ui/main.py", line 309, in merge_dasm_rightextview
    self.tviews.update_graph(self, link_name)
  File "/usr/share/pyshared/bokken/ui/textviews.py", line 386, in update_graph
    self.right_notebook.xdot_box.set_dot(self.uicore.get_callgraph(addr))
  File "/usr/share/pyshared/bokken/ui/radare_core.py", line 397, in get_callgraph
    os.unlink(file)
OSError: [Errno 1] Operation not permitted: '/tmp/graph.dot'
/tmp/graph.dot created
Traceback (most recent call last):
  File "/usr/share/pyshared/bokken/ui/rightnotebook.py", line 149, in on_switch
    self.xdot_box.set_dot(self.uicore.get_callgraph(self.last_fcn))
  File "/usr/share/pyshared/bokken/ui/radare_core.py", line 397, in get_callgraph
    os.unlink(file)
OSError: [Errno 1] Operation not permitted: '/tmp/graph.dot'
pabs@chianamo ~ $ ls -l foo /tmp/graph.dot 
-rw-r----- 1 pabs   pabs    664 Dec 13 18:57 foo
lrwxrwxrwx 1 nobody nogroup  14 Dec 13 18:56 /tmp/graph.dot -> /home/pabs/foo
pabs@chianamo ~ $ cat foo
digraph code {
	graph [bgcolor=white];
	node [color=lightgray, style=filled shape=box fontname="Courier" fontsize="8"];
 "0x004046d4_0x004046d4" [URL="entry0/0x004046d4" color="lightgray", label="/ function: entry0 (42)\l| 0x004046d4  entry0:\l| 0x004046d4   xor ebp, ebp\l| 0x004046d6   mov r9, rdx\l| 0x004046d9   pop rsi\l| 0x004046da   mov rdx, rsp\l| 0x004046dd   and rsp, 0xfffffffffffffff0\l| 0x004046e1   push rax\l| 0x004046e2   push rsp\l| 0x004046e3   mov r8, 0x412500\l| 0x004046ea   mov rcx, 0x412510\l| 0x004046f1   mov rdi, section_end..plt\l| 0x004046f8   call dword imp.__libc_start_main\l|     ; imp.__libc_start_main()\l\ 0x004046fd   hlt\l"]
}
pabs@chianamo ~ $ bokken /bin/ls
	Python version... 	OK
Checking:
	Pyew availability... 	D'oh!
You need pyew in order to use pyew backend in binaries and PDFs. Download it from its web:
    - http://code.google.com/p/pyew/

	Radare availability... 	OK
	GTK UI dependencies... 	OK
	GtkSourceView2... 	OK
	Psyco availability... 	D'oh!
No psyco module found. It's recomended to use it to improve performance

	Tidy availability... 	OK
Starting bokken, running on:
  Python version:
    2.7.2+ (default, Oct  5 2011, 10:41:47) 
    [GCC 4.6.1]
  GTK version: 2.24.8
  PyGTK version: 2.24.0

/tmp/graph.dot created
Traceback (most recent call last):
  File "/usr/share/pyshared/bokken/ui/rightnotebook.py", line 149, in on_switch
    self.xdot_box.set_dot(self.uicore.get_callgraph(self.last_fcn))
  File "/usr/share/pyshared/bokken/ui/radare_core.py", line 397, in get_callgraph
    os.unlink(file)
OSError: [Errno 1] Operation not permitted: '/tmp/graph.dot'
[*] Get text dasm
	* Let's get the dasm for .init...  OK!
/tmp/graph.dot created
	* Let's get the dasm for .plt...  OK!
	* Let's get the dasm for .text...  OK!
	* Let's get the dasm for .fini...  OK!
DEBUG: DASM finished, reading from queue!
Process state True
DEBUG: Got a disassembly of 951552 bytes.
DEBUG: Section lines created [12, 689, 19271, 8, 19980]
/tmp/graph.dot created
Traceback (most recent call last):
  File "/usr/share/pyshared/bokken/ui/rightnotebook.py", line 149, in on_switch
    self.xdot_box.set_dot(self.uicore.get_callgraph(self.last_fcn))
  File "/usr/share/pyshared/bokken/ui/radare_core.py", line 397, in get_callgraph
    os.unlink(file)
OSError: [Errno 1] Operation not permitted: '/tmp/graph.dot'
/tmp/graph.dot created
Traceback (most recent call last):
  File "/usr/share/pyshared/bokken/ui/main.py", line 309, in merge_dasm_rightextview
    self.tviews.update_graph(self, link_name)
  File "/usr/share/pyshared/bokken/ui/textviews.py", line 386, in update_graph
    self.right_notebook.xdot_box.set_dot(self.uicore.get_callgraph(addr))
  File "/usr/share/pyshared/bokken/ui/radare_core.py", line 397, in get_callgraph
    os.unlink(file)
OSError: [Errno 1] Operation not permitted: '/tmp/graph.dot'
pabs@chianamo ~ $ ls -l foo /tmp/graph.dot 
-rw-r----- 1 pabs   pabs    664 Dec 13 19:02 foo
lrwxrwxrwx 1 nobody nogroup  14 Dec 13 18:56 /tmp/graph.dot -> /home/pabs/foo
pabs@chianamo ~ $ cat foo
digraph code {
	graph [bgcolor=white];
	node [color=lightgray, style=filled shape=box fontname="Courier" fontsize="8"];
 "0x004046d4_0x004046d4" [URL="entry0/0x004046d4" color="lightgray", label="/ function: entry0 (42)\l| 0x004046d4  entry0:\l| 0x004046d4   xor ebp, ebp\l| 0x004046d6   mov r9, rdx\l| 0x004046d9   pop rsi\l| 0x004046da   mov rdx, rsp\l| 0x004046dd   and rsp, 0xfffffffffffffff0\l| 0x004046e1   push rax\l| 0x004046e2   push rsp\l| 0x004046e3   mov r8, 0x412500\l| 0x004046ea   mov rcx, 0x412510\l| 0x004046f1   mov rdi, section_end..plt\l| 0x004046f8   call dword imp.__libc_start_main\l|     ; imp.__libc_start_main()\l\ 0x004046fd   hlt\l"]
}

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (700, 'testing'), (600, 'unstable'), (550, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.1.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_AU.utf8, LC_CTYPE=en_AU.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages bokken depends on:
ii  python                 2.7.2-9 
ii  python-gtk2            2.24.0-2
ii  python-gtksourceview2  2.10.1-2
ii  python-radare2         0.9-1   
ii  python2.6              2.6.7-4 
ii  python2.7              2.7.2-7 

-- 
bye,
pabs

http://wiki.debian.org/PaulWise
[signature.asc (application/pgp-signature, inline)]
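
Added example (not part of the original report, and not the patch shipped in bokken 1.5-3): the predictable-path write shown in the report beside two hardened alternatives, run in a scratch directory standing in for /tmp. The function names and the scratch layout are assumptions made for illustration.

```python
import os
import tempfile

DOT = "digraph code {}\n"  # constructed sample content, not real bokken output

def write_predictable(path, data):
    """Unsafe pattern: open() follows a symlink planted at a guessable path."""
    with open(path, "w") as fh:
        fh.write(data)

def write_exclusive(path, data):
    """Fixed name: O_CREAT|O_EXCL fails if anything, even a symlink, exists."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)

def write_private_temp(data, directory=None):
    """Preferred: mkstemp picks an unpredictable name, O_EXCL, mode 0600."""
    fd, path = tempfile.mkstemp(prefix="graph-", suffix=".dot", dir=directory)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return path

def demo():
    """Run all three writers in a scratch directory standing in for /tmp."""
    results = {}
    with tempfile.TemporaryDirectory() as scratch:
        target = os.path.join(scratch, "foo")      # stands in for ~/foo
        link = os.path.join(scratch, "graph.dot")  # stands in for /tmp/graph.dot
        os.symlink(target, link)                   # dangling link, as in the report

        write_predictable(link, DOT)
        results["unsafe_created_target"] = os.path.exists(target)
        os.unlink(target)                          # reset for the next case

        try:
            write_exclusive(link, DOT)
            results["exclusive_refused"] = False
        except FileExistsError:
            results["exclusive_refused"] = True
        results["target_after_exclusive"] = os.path.exists(target)

        path = write_private_temp(DOT, directory=scratch)
        results["private_mode"] = oct(os.stat(path).st_mode & 0o777)
        results["private_is_link"] = os.path.islink(path)
    return results

if __name__ == "__main__":
    print(demo())
```

On current Linux kernels the fs.protected_symlinks sysctl also blocks following such a link in a sticky world-writable directory, but the application-side fix is still needed on systems where it is off.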

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#651931; Package bokken. (Tue, 13 Dec 2011 19:42:03 GMT).


Acknowledgement sent to David Martínez Moreno <ender@debian.org>:
Extra info received and forwarded to list. (Tue, 13 Dec 2011 19:42:03 GMT).


Message #10 received at 651931@bugs.debian.org:

From: David Martínez Moreno <ender@debian.org>
To: Paul Wise <pabs@debian.org>, 651931@bugs.debian.org
Cc: David Martínez Moreno <ender@debian.org>
Subject: Re: Bug#651931: bokken: vulnerable to symlink attack, leading to arbitrary file overwrite
Date: Tue, 13 Dec 2011 11:33:10 -0800
    Acknowledged, I'm working on a fix.

    Thanks,


        Ender.




Reply sent to David Martínez Moreno <ender@debian.org>:
You have taken responsibility. (Wed, 14 Dec 2011 09:51:21 GMT).


Notification sent to Paul Wise <pabs@debian.org>:
Bug acknowledged by developer. (Wed, 14 Dec 2011 09:51:24 GMT).


Message #15 received at 651931-close@bugs.debian.org:

From: David Martínez Moreno <ender@debian.org>
To: 651931-close@bugs.debian.org
Subject: Bug#651931: fixed in bokken 1.5-3
Date: Wed, 14 Dec 2011 09:47:12 +0000
Source: bokken
Source-Version: 1.5-3

We believe that the bug you reported is fixed in the latest version of
bokken, which is due to be installed in the Debian FTP archive:

bokken_1.5-3.debian.tar.gz
  to main/b/bokken/bokken_1.5-3.debian.tar.gz
bokken_1.5-3.dsc
  to main/b/bokken/bokken_1.5-3.dsc
bokken_1.5-3_all.deb
  to main/b/bokken/bokken_1.5-3_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 651931@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
David Martínez Moreno <ender@debian.org> (supplier of updated bokken package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Wed, 14 Dec 2011 01:23:05 -0800
Source: bokken
Binary: bokken
Architecture: source all
Version: 1.5-3
Distribution: unstable
Urgency: high
Maintainer: David Martínez Moreno <ender@debian.org>
Changed-By: David Martínez Moreno <ender@debian.org>
Description: 
 bokken     - reverse code engineering GUI for pyew and radare
Closes: 651931
Changes: 
 bokken (1.5-3) unstable; urgency=high
 .
   * debian/patches/02_tmp_symlink_vulnerability: Fixed symlink attack
     vulnerability in /tmp (closes: #651931).
   * Adjusted order of patches to leave packaging-related ones at the end.





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 12 Jan 2012 07:34:48 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 11:26:10 2025; Machine Name: buxtehude
