
Bug#290974: marked as done (apache: Temporary usage bugs that can be used in symlink attacks)



Your message dated Wed, 19 Jan 2005 21:32:13 -0500
with message-id <E1CrS7J-0006t1-00@newraff.debian.org>
and subject line Bug#290974: fixed in apache 1.3.33-3
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 18 Jan 2005 00:08:47 +0000
From jfs@dat.etsit.upm.es Mon Jan 17 16:08:47 2005
Return-path: <jfs@dat.etsit.upm.es>
Received: from tornado.dat.etsit.upm.es (dat.etsit.upm.es) [138.100.17.73] 
	by spohr.debian.org with smtp (Exim 3.35 1 (Debian))
	id 1CqgvP-0007EJ-00; Mon, 17 Jan 2005 16:08:47 -0800
Received: (qmail 9429 invoked by uid 1013); 18 Jan 2005 00:08:43 -0000
Date: Tue, 18 Jan 2005 01:08:42 +0100
From: Javier Fernández-Sanguino Peña <jfs@computer.org>
To: submit@bugs.debian.org
Subject: apache: Temporary usage bugs that can be used in symlink attacks
Message-ID: <20050118000842.GA25813@dat.etsit.upm.es>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="5vNYLRcllDrimb99"
Content-Disposition: inline
User-Agent: Mutt/1.5.6+20040907i
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 


--5vNYLRcllDrimb99
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Package: apache
Version: 1.3.33-2
Priority: grave
Tags: security sid sarge

Hi, I've found unsafe uses of /tmp in some of Apache's scripts in the 
source; one of these (check_forensic) is installed in Debian's apache-utils 
package and IMHO should be fixed. They are rather low risk, but I have to 
set the priority to grave in any case (since they qualify).

The fix is rather straightforward (use mktemp or tempfile instead of the $$ 
construct and add a trap to remove the temporary files) and it is needed, 
especially for check_forensic.

In the check_forensic script, for example, an attacker could just monitor
/tmp/ usage and construct symlinks to the fc-XX.$$ files as soon as it "sees"
that the fc-all.$$ file is being used. 

I've verified that none of these issues affect woody's Apache 
(1.3.26-0woody6). The fmn.sh script was there but it is not installed with 
any package, and the check_forensic script was introduced later on.

The attached (untested) patch should fix these issues; hope it helps. 
Please fix fmn.sh even if it is not installed in any Debian package, just 
to ease the work of automatic source-code review tools.


Regards


Javier

--5vNYLRcllDrimb99
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="apache-1.3.33.diff"

diff -Nru build-tree-apache.orig/apache_1.3.33/src/helpers/fmn.sh build-tree-apache/apache_1.3.33/src/helpers/fmn.sh
--- build-tree-apache.orig/apache_1.3.33/src/helpers/fmn.sh	2004-02-16 23:23:09.000000000 +0100
+++ build-tree-apache/apache_1.3.33/src/helpers/fmn.sh	2005-01-18 00:51:03.000000000 +0100
@@ -24,8 +24,8 @@
 modfile=$1
 
 #   the part from the Configure script
-tmpfile=${TMPDIR-/tmp}/fmn.tmp.$$
-rm -f $tmpfile
+tmpfile=`mktemp -t fmn.XXXXXX || tempfile --prefix=fmn` || { echo "$0: Cannot create temporary file" >&2; exit 1; }
+trap "rm -f -- \"$tmpfile\";" 0 1 2 3 13 15
 modname=''
 ext=`echo $modfile | sed 's/^.*\.//'`
 modbase=`echo $modfile | sed 's/\.[^.]*$//'`
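Review bot: the handler installed by `trap "rm -f -- \"$tmpfile\";" 0 1 2 3 13 15` removes the file but never exits, so on SIGINT or SIGTERM the shell runs the rm and then resumes the script after the interrupted command, now with its temp file gone; split it into `trap 'rm -f -- "$tmpfile"' 0` for normal exit and `trap 'rm -f -- "$tmpfile"; exit 1' 1 2 3 13 15` for signals. The double-quoted trap string expands `$tmpfile` when the trap is set, which is fine here because the assignment precedes it, and dropping the pre-use `rm -f $tmpfile` is correct since mktemp hands back a freshly created, empty file. The `tempfile --prefix=fmn` fallback is Debian-specific, which suits this package but should be noted in the commit message.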
@@ -52,8 +52,8 @@
     modname=`echo $modbase | sed 's/^.*\///' | \
         sed 's/^mod_//' | sed 's/^lib//' | sed 's/$/_module/'`
 fi
-rm -f $tmpfile
 
 #   output: the name of the module structure symbol
 echo "$modname"
 
+exit 0
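Review bot: removing the trailing `rm -f $tmpfile` is only safe because the trap in the previous hunk covers signal 0 (EXIT); that dependency deserves a one-line comment next to `echo "$modname"` so a later edit does not drop the trap. The added `exit 0` is redundant, since the `echo` already leaves the status at 0 and the EXIT trap fires either way, but it is harmless.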
diff -Nru build-tree-apache.orig/apache_1.3.33/src/support/check_forensic build-tree-apache/apache_1.3.33/src/support/check_forensic
--- build-tree-apache.orig/apache_1.3.33/src/support/check_forensic	2005-01-18 00:49:23.000000000 +0100
+++ build-tree-apache/apache_1.3.33/src/support/check_forensic	2005-01-18 00:53:32.000000000 +0100
@@ -7,9 +7,14 @@
 
 F=$1
 
-cut -f 1 -d '|' $F  > /tmp/fc-all.$$
-grep + < /tmp/fc-all.$$ | cut -c2- | sort > /tmp/fc-in.$$
-grep -- - < /tmp/fc-all.$$ | cut -c2- | sort > /tmp/fc-out.$$
+all=`mktemp -t fcall.XXXXXX || tempfile --prefix=fcall` || { echo "$0: Cannot create temporary file" >&2; exit 1; }
+in=`mktemp -t fcin.XXXXXX || tempfile --prefix=fcin` || { echo "$0: Cannot create temporary file" >&2; exit 1; }
+out=`mktemp -t fcout.XXXXXX || tempfile --prefix=fcout` || { echo "$0: Cannot create temporary file" >&2; exit 1; }
+trap "rm -f -- \"$all\" \"$in\" \"$out\";" 0 1 2 3 13 15
+
+cut -f 1 -d '|' $F  > $all
+grep + < $all | cut -c2- | sort > $in
+grep -- - < $all | cut -c2- | sort > $out
 # use -i instead of -I for GNU xargs
-join -v 1 /tmp/fc-in.$$ /tmp/fc-out.$$ | xargs -ixx egrep "^\\+xx" $F
-rm /tmp/fc-all.$$ /tmp/fc-in.$$ /tmp/fc-out.$$
+join -v 1 $in $out | xargs -ixx egrep "^\\+xx" $F
+exit 0
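Review bot: the three mktemp lines each `exit 1` on failure before the `trap` is installed, so if creating `$in` or `$out` fails, `$all` (and `$in`) are left behind in /tmp, which is the kind of litter the original `rm` lines were there to avoid; install the trap immediately after the first successful mktemp and extend it after each further one, or create all three and only then `exit`. The handler also has the same does-not-exit problem as in fmn.sh: on a signal the script continues past the interrupted `cut`, `grep` or `join` with its files removed, so give the signal traps an `exit 1`. Unrelated to the fix but cheap while these lines are touched: `$F` stays unquoted in `cut -f 1 -d '|' $F` and in the `xargs -ixx egrep "^\\+xx" $F` line, so a log path containing whitespace still breaks the script.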

--5vNYLRcllDrimb99--
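The temp-file pattern the report asks for (mktemp, with Debian's tempfile(1) as a fallback, plus a cleanup trap), as an added example that is not the bug report's patch or Apache's own code: it is written so that a failure creating a second or third file cannot leak the first, so that a signal cleans up and then exits instead of letting the script run on, and so that a symlink sitting where the file should be is refused. Function and variable names (safe_tmp, SAFE_TMP_PATH, SAFE_TMP_FILES) are this example's own.

```shell
#!/bin/sh
# Added example, not part of the bug report or its patch. Assumes mktemp(1)
# or Debian's tempfile(1) is on PATH; names below are this example's own.

SAFE_TMP_FILES=""      # every path handed out so far, removed by the trap
SAFE_TMP_PATH=""       # result of the last successful safe_tmp call

safe_tmp_cleanup() {
    # Word splitting is intended: the list holds mktemp-generated paths only.
    [ -n "$SAFE_TMP_FILES" ] && rm -f -- $SAFE_TMP_FILES
    return 0
}

# One handler for EXIT (0) and the usual termination signals. Unlike a bare
# "rm" trap, the signal handlers exit, using the 128+signo convention, so
# the script cannot carry on working with files that are already gone.
trap 'safe_tmp_cleanup' 0
trap 'safe_tmp_cleanup; exit 129' 1
trap 'safe_tmp_cleanup; exit 130' 2
trap 'safe_tmp_cleanup; exit 131' 3
trap 'safe_tmp_cleanup; exit 143' 15

# safe_tmp PREFIX: create a fresh 0600 file with an unpredictable name in
# ${TMPDIR:-/tmp} (replacing the guessable /tmp/fc-all.$$ form) and leave
# its path in SAFE_TMP_PATH. Call it directly, not as x=$(safe_tmp ...):
# a command substitution runs in a subshell and the bookkeeping would be lost.
safe_tmp() {
    SAFE_TMP_PATH=$(mktemp "${TMPDIR:-/tmp}/$1.XXXXXX" 2>/dev/null) ||
    SAFE_TMP_PATH=$(tempfile --prefix="$1" 2>/dev/null) ||
    { echo "$0: cannot create temporary file" >&2; return 1; }
    # Refuse to continue if what came back is a symlink or not a plain file:
    # that is exactly the state a symlink race would leave behind.
    if [ -L "$SAFE_TMP_PATH" ] || [ ! -f "$SAFE_TMP_PATH" ]; then
        echo "$0: $SAFE_TMP_PATH is not a regular file" >&2
        rm -f -- "$SAFE_TMP_PATH"
        return 1
    fi
    # Registered only after the file is known good, so the trap always
    # covers every file created so far, even if the next creation fails.
    SAFE_TMP_FILES="$SAFE_TMP_FILES $SAFE_TMP_PATH"
    return 0
}
```

A check_forensic-style caller would run `safe_tmp fcall || exit 1; all=$SAFE_TMP_PATH` three times with different prefixes and then use `$all`, `$in` and `$out` exactly as the patch does, with no explicit `rm` at the end.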

---------------------------------------
Received: (at 290974-close) by bugs.debian.org; 20 Jan 2005 02:37:34 +0000
From katie@ftp-master.debian.org Wed Jan 19 18:37:34 2005
Return-path: <katie@ftp-master.debian.org>
Received: from newraff.debian.org [208.185.25.31] (mail)
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1CrSCU-0003hS-00; Wed, 19 Jan 2005 18:37:34 -0800
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
	id 1CrS7J-0006t1-00; Wed, 19 Jan 2005 21:32:13 -0500
From: Adam Conrad <adconrad@0c3.net>
To: 290974-close@bugs.debian.org
X-Katie: $Revision: 1.55 $
Subject: Bug#290974: fixed in apache 1.3.33-3
Message-Id: <E1CrS7J-0006t1-00@newraff.debian.org>
Sender: Archive Administrator <katie@ftp-master.debian.org>
Date: Wed, 19 Jan 2005 21:32:13 -0500
Delivered-To: 290974-close@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 

Source: apache
Source-Version: 1.3.33-3

We believe that the bug you reported is fixed in the latest version of
apache, which is due to be installed in the Debian FTP archive:

apache-common_1.3.33-3_powerpc.deb
  to pool/main/a/apache/apache-common_1.3.33-3_powerpc.deb
apache-dbg_1.3.33-3_powerpc.deb
  to pool/main/a/apache/apache-dbg_1.3.33-3_powerpc.deb
apache-dev_1.3.33-3_all.deb
  to pool/main/a/apache/apache-dev_1.3.33-3_all.deb
apache-doc_1.3.33-3_all.deb
  to pool/main/a/apache/apache-doc_1.3.33-3_all.deb
apache-perl_1.3.33-3_powerpc.deb
  to pool/main/a/apache/apache-perl_1.3.33-3_powerpc.deb
apache-ssl_1.3.33-3_powerpc.deb
  to pool/main/a/apache/apache-ssl_1.3.33-3_powerpc.deb
apache-utils_1.3.33-3_powerpc.deb
  to pool/main/a/apache/apache-utils_1.3.33-3_powerpc.deb
apache_1.3.33-3.diff.gz
  to pool/main/a/apache/apache_1.3.33-3.diff.gz
apache_1.3.33-3.dsc
  to pool/main/a/apache/apache_1.3.33-3.dsc
apache_1.3.33-3_powerpc.deb
  to pool/main/a/apache/apache_1.3.33-3_powerpc.deb
libapache-mod-perl_1.29.0.2-17_powerpc.deb
  to pool/main/a/apache/libapache-mod-perl_1.29.0.2-17_powerpc.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 290974@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adam Conrad <adconrad@0c3.net> (supplier of updated apache package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Wed, 19 Jan 2005 18:31:25 -0700
Source: apache
Binary: apache-dev apache-common apache-doc apache-utils apache apache-dbg apache-perl libapache-mod-perl apache-ssl
Architecture: source powerpc all
Version: 1.3.33-3
Distribution: unstable
Urgency: low
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Adam Conrad <adconrad@0c3.net>
Description: 
 apache     - versatile, high-performance HTTP server
 apache-common - support files for all Apache webservers
 apache-dbg - debug versions of the Apache webservers
 apache-dev - development kit for the Apache webserver
 apache-doc - documentation for the Apache webserver
 apache-perl - versatile, high-performance HTTP server with Perl support
 apache-ssl - versatile, high-performance HTTP server with SSL support
 apache-utils - utility programs for webservers
 libapache-mod-perl - integration of perl with the Apache web server
Closes: 290974
Changes: 
 apache (1.3.33-3) unstable; urgency=low
 .
   * (Thom May)
     - Security fix - fix tempfile usage in check_forensic (Closes: #290974)
   * (Adam Conrad)
     - Mangle the debian/rules so that the libapache-mod-perl version number
       is defined in the variables at the top, rather than deep in the
       binary-arch target where it can get missed.
