Report forwarded
to debian-bugs-dist@lists.debian.org, David Martínez Moreno <ender@debian.org>: Bug#651931; Package bokken.
(Tue, 13 Dec 2011 11:06:50 GMT).
Acknowledgement sent
to Paul Wise <pabs@debian.org>:
New Bug report received and forwarded. Copy sent to David Martínez Moreno <ender@debian.org>.
(Tue, 13 Dec 2011 11:06:56 GMT).
Package: bokken
Version: 1.5-2
Severity: important
Tags: security
An attacker on a multi-user system can overwrite an arbitrary file owned
by the user running bokken by creating a symlink named /tmp/graph.dot:
pabs@chianamo ~ $ ls -l foo /tmp/graph.dot
ls: cannot access foo: No such file or directory
lrwxrwxrwx 1 nobody nogroup 14 Dec 13 18:56 /tmp/graph.dot -> /home/pabs/foo
pabs@chianamo ~ $ bokken /bin/ls
Python version... OK
Checking:
Pyew availability... D'oh!
You need pyew in order to use pyew backend in binaries and PDFs. Download it from its web:
- http://code.google.com/p/pyew/
Radare availability... OK
GTK UI dependencies... OK
GtkSourceView2... OK
Psyco availability... D'oh!
No psyco module found. It's recomended to use it to improve performance
Tidy availability... OK
Starting bokken, running on:
Python version:
2.7.2+ (default, Oct 5 2011, 10:41:47)
[GCC 4.6.1]
GTK version: 2.24.8
PyGTK version: 2.24.0
/tmp/graph.dot created
Traceback (most recent call last):
File "/usr/share/pyshared/bokken/ui/rightnotebook.py", line 149, in on_switch
self.xdot_box.set_dot(self.uicore.get_callgraph(self.last_fcn))
File "/usr/share/pyshared/bokken/ui/radare_core.py", line 397, in get_callgraph
os.unlink(file)
OSError: [Errno 1] Operation not permitted: '/tmp/graph.dot'
[*] Get text dasm
* Let's get the dasm for .init... OK!
/tmp/graph.dot created
* Let's get the dasm for .plt... OK!
* Let's get the dasm for .text... OK!
* Let's get the dasm for .fini... OK!
DEBUG: DASM finished, reading from queue!
Process state True
DEBUG: Got a disassembly of 951575 bytes.
DEBUG: Section lines created [12, 689, 19271, 8, 19980]
/tmp/graph.dot created
Traceback (most recent call last):
File "/usr/share/pyshared/bokken/ui/main.py", line 309, in merge_dasm_rightextview
self.tviews.update_graph(self, link_name)
File "/usr/share/pyshared/bokken/ui/textviews.py", line 386, in update_graph
self.right_notebook.xdot_box.set_dot(self.uicore.get_callgraph(addr))
File "/usr/share/pyshared/bokken/ui/radare_core.py", line 397, in get_callgraph
os.unlink(file)
OSError: [Errno 1] Operation not permitted: '/tmp/graph.dot'
/tmp/graph.dot created
Traceback (most recent call last):
File "/usr/share/pyshared/bokken/ui/rightnotebook.py", line 149, in on_switch
self.xdot_box.set_dot(self.uicore.get_callgraph(self.last_fcn))
File "/usr/share/pyshared/bokken/ui/radare_core.py", line 397, in get_callgraph
os.unlink(file)
OSError: [Errno 1] Operation not permitted: '/tmp/graph.dot'
pabs@chianamo ~ $ ls -l foo /tmp/graph.dot
-rw-r----- 1 pabs pabs 664 Dec 13 18:57 foo
lrwxrwxrwx 1 nobody nogroup 14 Dec 13 18:56 /tmp/graph.dot -> /home/pabs/foo
pabs@chianamo ~ $ cat foo
digraph code {
graph [bgcolor=white];
node [color=lightgray, style=filled shape=box fontname="Courier" fontsize="8"];
"0x004046d4_0x004046d4" [URL="entry0/0x004046d4" color="lightgray", label="/ function: entry0 (42)\l| 0x004046d4 entry0:\l| 0x004046d4 xor ebp, ebp\l| 0x004046d6 mov r9, rdx\l| 0x004046d9 pop rsi\l| 0x004046da mov rdx, rsp\l| 0x004046dd and rsp, 0xfffffffffffffff0\l| 0x004046e1 push rax\l| 0x004046e2 push rsp\l| 0x004046e3 mov r8, 0x412500\l| 0x004046ea mov rcx, 0x412510\l| 0x004046f1 mov rdi, section_end..plt\l| 0x004046f8 call dword imp.__libc_start_main\l| ; imp.__libc_start_main()\l\ 0x004046fd hlt\l"]
}
pabs@chianamo ~ $ bokken /bin/ls
Python version... OK
Checking:
Pyew availability... D'oh!
You need pyew in order to use pyew backend in binaries and PDFs. Download it from its web:
- http://code.google.com/p/pyew/
Radare availability... OK
GTK UI dependencies... OK
GtkSourceView2... OK
Psyco availability... D'oh!
No psyco module found. It's recomended to use it to improve performance
Tidy availability... OK
Starting bokken, running on:
Python version:
2.7.2+ (default, Oct 5 2011, 10:41:47)
[GCC 4.6.1]
GTK version: 2.24.8
PyGTK version: 2.24.0
/tmp/graph.dot created
Traceback (most recent call last):
File "/usr/share/pyshared/bokken/ui/rightnotebook.py", line 149, in on_switch
self.xdot_box.set_dot(self.uicore.get_callgraph(self.last_fcn))
File "/usr/share/pyshared/bokken/ui/radare_core.py", line 397, in get_callgraph
os.unlink(file)
OSError: [Errno 1] Operation not permitted: '/tmp/graph.dot'
[*] Get text dasm
* Let's get the dasm for .init... OK!
/tmp/graph.dot created
* Let's get the dasm for .plt... OK!
* Let's get the dasm for .text... OK!
* Let's get the dasm for .fini... OK!
DEBUG: DASM finished, reading from queue!
Process state True
DEBUG: Got a disassembly of 951552 bytes.
DEBUG: Section lines created [12, 689, 19271, 8, 19980]
/tmp/graph.dot created
Traceback (most recent call last):
File "/usr/share/pyshared/bokken/ui/rightnotebook.py", line 149, in on_switch
self.xdot_box.set_dot(self.uicore.get_callgraph(self.last_fcn))
File "/usr/share/pyshared/bokken/ui/radare_core.py", line 397, in get_callgraph
os.unlink(file)
OSError: [Errno 1] Operation not permitted: '/tmp/graph.dot'
/tmp/graph.dot created
Traceback (most recent call last):
File "/usr/share/pyshared/bokken/ui/main.py", line 309, in merge_dasm_rightextview
self.tviews.update_graph(self, link_name)
File "/usr/share/pyshared/bokken/ui/textviews.py", line 386, in update_graph
self.right_notebook.xdot_box.set_dot(self.uicore.get_callgraph(addr))
File "/usr/share/pyshared/bokken/ui/radare_core.py", line 397, in get_callgraph
os.unlink(file)
OSError: [Errno 1] Operation not permitted: '/tmp/graph.dot'
pabs@chianamo ~ $ ls -l foo /tmp/graph.dot
-rw-r----- 1 pabs pabs 664 Dec 13 19:02 foo
lrwxrwxrwx 1 nobody nogroup 14 Dec 13 18:56 /tmp/graph.dot -> /home/pabs/foo
pabs@chianamo ~ $ cat foo
digraph code {
graph [bgcolor=white];
node [color=lightgray, style=filled shape=box fontname="Courier" fontsize="8"];
"0x004046d4_0x004046d4" [URL="entry0/0x004046d4" color="lightgray", label="/ function: entry0 (42)\l| 0x004046d4 entry0:\l| 0x004046d4 xor ebp, ebp\l| 0x004046d6 mov r9, rdx\l| 0x004046d9 pop rsi\l| 0x004046da mov rdx, rsp\l| 0x004046dd and rsp, 0xfffffffffffffff0\l| 0x004046e1 push rax\l| 0x004046e2 push rsp\l| 0x004046e3 mov r8, 0x412500\l| 0x004046ea mov rcx, 0x412510\l| 0x004046f1 mov rdi, section_end..plt\l| 0x004046f8 call dword imp.__libc_start_main\l| ; imp.__libc_start_main()\l\ 0x004046fd hlt\l"]
}
-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (700, 'testing'), (600, 'unstable'), (550, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 3.1.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_AU.utf8, LC_CTYPE=en_AU.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages bokken depends on:
ii python 2.7.2-9
ii python-gtk2 2.24.0-2
ii python-gtksourceview2 2.10.1-2
ii python-radare2 0.9-1
ii python2.6 2.6.7-4
ii python2.7 2.7.2-7
--
bye,
pabs
http://wiki.debian.org/PaulWise
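The failure mode reported above, next to two safer ways of creating the file, as an added example that is not part of the bug report and not bokken's code. It assumes the program simply opens a fixed path for writing; the function names are hypothetical, and a private sandbox directory stands in for /tmp.

```python
import os
import stat
import tempfile

DOT = "digraph code {\n}\n"  # constructed sample content

def write_fixed_path(path, data):
    # Assumed vulnerable pattern: open() follows a symlink planted at path.
    with open(path, "w") as f:
        f.write(data)

def write_exclusive(path, data):
    # O_CREAT|O_EXCL fails with EEXIST if anything, even a dangling
    # symlink, already exists at path; the link is never followed.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)

def write_private_temp(data):
    # mkstemp picks an unpredictable name and creates it with O_EXCL, mode 0600.
    fd, path = tempfile.mkstemp(prefix="graph-", suffix=".dot")
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path

def demo():
    r = {}
    with tempfile.TemporaryDirectory() as sandbox:  # stands in for /tmp
        target = os.path.join(sandbox, "foo")        # does not exist yet
        link = os.path.join(sandbox, "graph.dot")
        os.symlink(target, link)                     # pre-planted, dangling
        try:
            write_exclusive(link, DOT)
            r["exclusive_refused"] = False
        except FileExistsError:
            r["exclusive_refused"] = True
        r["target_absent_after_exclusive"] = not os.path.exists(target)
        write_fixed_path(link, DOT)
        with open(target) as f:
            r["fixed_path_wrote_through_link"] = f.read() == DOT
    path = write_private_temp(DOT)
    st = os.lstat(path)
    r["mkstemp_is_regular"] = stat.S_ISREG(st.st_mode)
    r["mkstemp_mode"] = stat.S_IMODE(st.st_mode)
    os.unlink(path)
    return r

if __name__ == "__main__":
    print(demo())
```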
Information forwarded
to debian-bugs-dist@lists.debian.org: Bug#651931; Package bokken.
(Tue, 13 Dec 2011 19:42:03 GMT).
Acknowledgement sent
to David Martínez Moreno <ender@debian.org>:
Extra info received and forwarded to list.
(Tue, 13 Dec 2011 19:42:03 GMT).
Source: bokken
Source-Version: 1.5-3
We believe that the bug you reported is fixed in the latest version of
bokken, which is due to be installed in the Debian FTP archive:
bokken_1.5-3.debian.tar.gz
to main/b/bokken/bokken_1.5-3.debian.tar.gz
bokken_1.5-3.dsc
to main/b/bokken/bokken_1.5-3.dsc
bokken_1.5-3_all.deb
to main/b/bokken/bokken_1.5-3_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 651931@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
David Martínez Moreno <ender@debian.org> (supplier of updated bokken package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Wed, 14 Dec 2011 01:23:05 -0800
Source: bokken
Binary: bokken
Architecture: source all
Version: 1.5-3
Distribution: unstable
Urgency: high
Maintainer: David Martínez Moreno <ender@debian.org>
Changed-By: David Martínez Moreno <ender@debian.org>
Description:
bokken - reverse code engineering GUI for pyew and radare
Closes: 651931
Changes:
bokken (1.5-3) unstable; urgency=high
.
* debian/patches/02_tmp_symlink_vulnerability: Fixed symlink attack
vulnerability in /tmp (closes: #651931).
* Adjusted order of patches to leave packaging-related ones at the end.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iEYEARECAAYFAk7obEwACgkQWs/EhA1iABuiugCgjVo793NCdNcie4m30No9T1/H
dW8AoL5zHDeH5mSRbfx5WeJLihfDgkne
=SzFw
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Thu, 12 Jan 2012 07:34:48 GMT).