
Bug#414237: marked as done (lintian: Uses insecure temporary file /tmp/debug in objdump-info)



Your message dated Sat, 10 Mar 2007 07:17:03 +0000
with message-id <E1HPvp9-0007ji-D0@ries.debian.org>
and subject line Bug#414237: fixed in lintian 1.23.28
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: lintian
Version: 1.23.27
Severity: grave
Tags: security patch
Justification: user security hole

The lintian collection script objdump-info uses the insecure temporary file
/tmp/debug.  Any invocation of lintian on a package containing ELF binaries,
or containing files with ' ELF' in their names, will append lines of the form
"Processing $bin" to /tmp/debug (or through a symlink at /tmp/debug).  This
trivially allows a local attacker to corrupt another user's files.  If the
local attacker can control the contents of the package getting checked by
lintian, they can control the text after "Processing "; this would allow a
variety of exploits based on tools that would ignore the prefix, such as the
shell.  For example, consider the filename "; do nasty stuff # ELF".

This looks like debugging code, and lintian does not appear to use /tmp/debug
for anything else, so removing the line solves the problem.  Patch attached.

- Josh Triplett

-- System Information:
Debian Release: 4.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.21-rc2test
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages lintian depends on:
ii  binutils               2.17-3            The GNU assembler, linker and bina
ii  diffstat               1.43-2            produces graph of changes introduc
ii  dpkg-dev               1.13.25           package building tools for Debian
ii  file                   4.19-1            Determines file type using "magic"
ii  gettext                0.16.1-1          GNU Internationalization utilities
ii  intltool-debian        0.35.0+20060710.1 Help i18n of RFC822 compliant conf
ii  libparse-debianchangel 1.0-1             parse Debian changelogs and output
ii  man-db                 2.4.3-6           The on-line manual pager
ii  perl [libdigest-md5-pe 5.8.8-7           Larry Wall's Practical Extraction 

lintian recommends no packages.

-- no debconf information
diff -Naur lintian-1.23.27.orig/collection/objdump-info lintian-1.23.27/collection/objdump-info
--- lintian-1.23.27.orig/collection/objdump-info	2006-11-19 20:28:06.000000000 -0800
+++ lintian-1.23.27/collection/objdump-info	2007-03-09 22:12:10.000000000 -0800
@@ -43,7 +43,6 @@
 # output in the objdump-info file and let the check script deal with
 # it later.
 for bin in `grep ' ELF' <../file-info | cut -d\: -f1`; do
-    echo "Processing $bin" >> /tmp/debug
     echo "-- $bin" >> ../objdump-info
     if head $bin | grep -q 'packed.*with.*UPX'; then
 	echo "objdump: $bin: Packed with UPX" >> ../objdump-info
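Review bot: dropping the `/tmp/debug` append is the right fix here, since a fixed, world-writable path is exactly the symlink/clobber problem the report describes and nothing else in the script reads that file. The rest of the loop still iterates over unquoted backtick output (`for bin in \`grep ' ELF' <../file-info | cut -d\: -f1\``) and runs `head $bin` unquoted, so a path containing whitespace is split into several names and `cut -d:` truncates any path containing a colon; reading `../file-info` line by line with `while IFS= read -r line` and always quoting `"$bin"` would close that off in the same change.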

--- End Message ---
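As an added example (not part of the original report and not lintian's own code), here is a hardened rewrite of the objdump-info loop shown in the patch above: it writes no fixed path under /tmp, takes an optional debug log that the caller creates with mktemp(1), and reads file names line by line with quoting so a name like "; do nasty stuff # ELF" stays an ordinary string. The `collect_objdump_info` function name and the "<path>: <description>" layout of file-info are assumptions.

```shell
#!/bin/sh
# Hardened version of the objdump-info collection loop (added example).
set -eu

# collect_objdump_info FILE_INFO OUT [DEBUG_LOG]
#   FILE_INFO : file(1)-style listing, one "<path>: <description>" per line (assumed format)
#   OUT       : objdump-info output to (re)create
#   DEBUG_LOG : optional; pass the result of `mktemp`, never a fixed name like /tmp/debug
collect_objdump_info() {
    fileinfo=$1
    out=$2
    debug=${3:-}

    : > "$out"   # start from an empty output file
    # Read matching lines whole instead of word-splitting `grep | cut` output,
    # so whitespace, ';' or '#' in a file name cannot change the loop's shape.
    grep ' ELF' < "$fileinfo" | while IFS= read -r line; do
        bin=${line%%: *}   # path is everything before the first ": "
        if [ -n "$debug" ]; then
            printf 'Processing %s\n' "$bin" >> "$debug"   # only to a caller-created temp file
        fi
        printf '%s\n' "-- $bin" >> "$out"
        # Same UPX heuristic as the original, but with the path quoted and only
        # applied to files that actually exist.
        if [ -f "$bin" ] && head "$bin" | grep -q 'packed.*with.*UPX'; then
            printf 'objdump: %s: Packed with UPX\n' "$bin" >> "$out"
        fi
    done
}

# Typical use (debug log is per-invocation and mode 0600 thanks to mktemp):
#   dbg=$(mktemp); collect_objdump_info ../file-info ../objdump-info "$dbg"
```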
--- Begin Message ---
Source: lintian
Source-Version: 1.23.28

We believe that the bug you reported is fixed in the latest version of
lintian, which is due to be installed in the Debian FTP archive:

lintian_1.23.28.dsc
  to pool/main/l/lintian/lintian_1.23.28.dsc
lintian_1.23.28.tar.gz
  to pool/main/l/lintian/lintian_1.23.28.tar.gz
lintian_1.23.28_all.deb
  to pool/main/l/lintian/lintian_1.23.28_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 414237@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Russ Allbery <rra@debian.org> (supplier of updated lintian package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri,  9 Mar 2007 22:58:59 -0800
Source: lintian
Binary: lintian
Architecture: source all
Version: 1.23.28
Distribution: unstable
Urgency: high
Maintainer: Debian Lintian Maintainers <lintian-maint@debian.org>
Changed-By: Russ Allbery <rra@debian.org>
Description: 
 lintian    - Debian package checker
Closes: 414237
Changes: 
 lintian (1.23.28) unstable; urgency=high
 .
   * collection/objdump-info:
     + [RA] Remove unsafe temporary file creation in left-over debugging
       code added accidentally when fixing #399456.  Thanks, Josh
       Triplett.  (Closes: #414237)
Files: 
 8a7dc08c4ad030c2dd1fd7f4152ae9ef 803 devel optional lintian_1.23.28.dsc
 a566228fb2e3e2a67c86349663019d3f 322205 devel optional lintian_1.23.28.tar.gz
 4d25d28fe7787faa71f93c4de521e1a1 274036 devel optional lintian_1.23.28_all.deb



--- End Message ---
