--- Begin Message ---
Package: lintian
Version: 1.23.27
Severity: grave
Tags: security patch
Justification: user security hole
The lintian collection script objdump-info uses the insecure temporary file
/tmp/debug. Any invocation of lintian on a package containing ELF binaries,
or containing files with ' ELF' in their names, will append lines of the form
"Processing $bin" to /tmp/debug (or through a symlink at /tmp/debug). This
trivially allows a local attacker to corrupt another user's files. If the
local attacker can control the contents of the package getting checked by
lintian, they can control the text after "Processing "; this would allow a
variety of exploits based on tools that would ignore the prefix, such as the
shell. For example, consider the filename "; do nasty stuff # ELF".
This looks like debugging code, and lintian does not appear to use /tmp/debug
for anything else, so removing the line solves the problem. Patch attached.
- Josh Triplett
-- System Information:
Debian Release: 4.0
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.21-rc2test
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Versions of packages lintian depends on:
ii binutils 2.17-3 The GNU assembler, linker and bina
ii diffstat 1.43-2 produces graph of changes introduc
ii dpkg-dev 1.13.25 package building tools for Debian
ii file 4.19-1 Determines file type using "magic"
ii gettext 0.16.1-1 GNU Internationalization utilities
ii intltool-debian 0.35.0+20060710.1 Help i18n of RFC822 compliant conf
ii libparse-debianchangel 1.0-1 parse Debian changelogs and output
ii man-db 2.4.3-6 The on-line manual pager
ii perl [libdigest-md5-pe 5.8.8-7 Larry Wall's Practical Extraction
lintian recommends no packages.
-- no debconf information
diff -Naur lintian-1.23.27.orig/collection/objdump-info lintian-1.23.27/collection/objdump-info
--- lintian-1.23.27.orig/collection/objdump-info 2006-11-19 20:28:06.000000000 -0800
+++ lintian-1.23.27/collection/objdump-info 2007-03-09 22:12:10.000000000 -0800
@@ -43,7 +43,6 @@
# output in the objdump-info file and let the check script deal with
# it later.
for bin in `grep ' ELF' <../file-info | cut -d\: -f1`; do
- echo "Processing $bin" >> /tmp/debug
echo "-- $bin" >> ../objdump-info
if head $bin | grep -q 'packed.*with.*UPX'; then
echo "objdump: $bin: Packed with UPX" >> ../objdump-info
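Review bot: The deleted line closes the /tmp/debug symlink problem, but the surviving lines still handle `$bin` unsafely: the loop header `for bin in \`grep ' ELF' <../file-info | cut -d\: -f1\`` word-splits the file list on whitespace and glob-expands each token, and `cut -d\: -f1` truncates any path that itself contains a colon, so a crafted package can still make the loop operate on the wrong paths; `head $bin` two lines later then expands that value unquoted again. Suggest iterating with `while IFS= read -r bin; do ... done < <(grep ' ELF' ../file-info | cut -d: -f1)` (or an equivalent POSIX pipe into `while read`) and quoting every use as `head -- "$bin"` and `echo "-- $bin"`.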
--- End Message ---
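As an added illustration that is not part of the bug report or of lintian: the script below reproduces the symlink follow described above inside a private directory created with mktemp -d, so the real /tmp is never touched, and next to it shows the mktemp-based pattern to use when such a debug log is genuinely needed (lintian's own fix simply deletes the offending line). The function names, the sandbox layout and the "victim" file are constructed for the demo; the filename string is the one quoted in the report.

```sh
#!/bin/sh
# Added example, not code from the bug report or from lintian.
# Demonstrates why "echo ... >> /tmp/debug" is unsafe and what to do instead.

# demo_symlink_append: stands in for the vulnerable collection script.
# Everything lives under a private directory (the "sandbox" plays the role
# of /tmp), so nothing outside it is touched. Prints the victim file after
# the append so the corruption is visible.
demo_symlink_append() {
    sandbox=$(mktemp -d) || return 1
    victim="$sandbox/victim"          # another user's file, constructed here
    printf 'original\n' > "$victim"

    # Attacker step: pre-create the predictable name as a symlink to the
    # victim. The attacker never needs write access to the victim itself.
    ln -s "$victim" "$sandbox/debug"

    # Vulnerable step: append to a fixed, attacker-controllable path.
    # ">>" opens the symlink target, so the write lands in the victim file.
    # The content is the attacker-chosen filename from the report.
    bin='; do nasty stuff # ELF'
    echo "Processing $bin" >> "$sandbox/debug"

    cat "$victim"
    rm -rf "$sandbox"
}

# safe_debug_log: if a debug log is really wanted, let mktemp create an
# unpredictable, caller-owned file (mode 0600) and write only to that.
# A pre-planted symlink cannot collide with a name nobody can guess.
safe_debug_log() {
    logfile=$(mktemp) || return 1
    bin='; do nasty stuff # ELF'
    echo "Processing $bin" >> "$logfile"
    # Defensive check: mktemp never returns a symlink, but refuse anyway.
    if [ -L "$logfile" ]; then
        rm -f "$logfile"
        return 1
    fi
    cat "$logfile"
    rm -f "$logfile"
}
```

Run the two functions side by side: the first prints the victim's original contents followed by the injected "Processing" line, showing that the append went through the symlink; the second prints only the log line, written to a file that no other user could have planted in advance.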
--- Begin Message ---
Source: lintian
Source-Version: 1.23.28
We believe that the bug you reported is fixed in the latest version of
lintian, which is due to be installed in the Debian FTP archive:
lintian_1.23.28.dsc
to pool/main/l/lintian/lintian_1.23.28.dsc
lintian_1.23.28.tar.gz
to pool/main/l/lintian/lintian_1.23.28.tar.gz
lintian_1.23.28_all.deb
to pool/main/l/lintian/lintian_1.23.28_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 414237@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Russ Allbery <rra@debian.org> (supplier of updated lintian package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Fri, 9 Mar 2007 22:58:59 -0800
Source: lintian
Binary: lintian
Architecture: source all
Version: 1.23.28
Distribution: unstable
Urgency: high
Maintainer: Debian Lintian Maintainers <lintian-maint@debian.org>
Changed-By: Russ Allbery <rra@debian.org>
Description:
lintian - Debian package checker
Closes: 414237
Changes:
lintian (1.23.28) unstable; urgency=high
.
* collection/objdump-info:
+ [RA] Remove unsafe temporary file creation in left-over debugging
code added accidentally when fixing #399456. Thanks, Josh
Triplett. (Closes: #414237)
Files:
8a7dc08c4ad030c2dd1fd7f4152ae9ef 803 devel optional lintian_1.23.28.dsc
a566228fb2e3e2a67c86349663019d3f 322205 devel optional lintian_1.23.28.tar.gz
4d25d28fe7787faa71f93c4de521e1a1 274036 devel optional lintian_1.23.28_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFF8lll+YXjQAr8dHYRApLHAJ9XvPy67vaodfUc3F0L6JYG5CuSgACg1XYo
eBBxgLuSz/x0TrJZtWvJ2kY=
=mQLO
-----END PGP SIGNATURE-----
--- End Message ---