On 10:57 Mon 11 Aug , Dmitry E. Oboukhov wrote:
DEO> Package: mplayer nws ppp twiki
DEO> Severity: grave
DEO> Tags: security
DEO> This message about the error concerns a few packages at once. I've
DEO> tested all the packages on my Debian mirror. (post|pre)(inst|rm) and
DEO> config scripts were tested.
DEO> In some packages I've discovered scripts with errors which may be used
DEO> by a user for damaging important system files.
DEO> For example, if a script uses in its work a temp file which is created
DEO> in the /tmp directory, then every user can create a symlink with the same
DEO> name in this directory in order to destroy or rewrite some system
DEO> file.
DEO> I set Severity to grave for this bug. The table of discovered
DEO> problems is below.
DEO> +------------------+-----------------+----------------------------------
DEO> | package          | script          | file for attack
DEO> +------------------+-----------------+----------------------------------
DEO> | mplayer-1.0~rc2  | config          | /tmp/HACK (pipe)
DEO> |                  |                 |
DEO> | nws-2.13         | postinst        | /tmp/nws.debug (cp)
DEO> |                  |                 |
DEO> | ppp-2.4.4rel     | postinst        | /tmp/probe-finished (rm -f, pipe)
DEO> |                  | postinst        | /tmp/ppp-errors (rm -f, pipe)
DEO> | ppp-udeb         | /etc/ppp/ip-up  | /tmp/resolv.conf.tmp (cp)
DEO> |                  |                 |
DEO> | twiki-4.1.2      | postinst        | /tmp/twiki (chmod 1777, chown)
DEO> +------------------+-----------------+----------------------------------
additional table again
+----------------------------------+-------------------------+----------------------------------------
| package                          | script                  | file for attack
+----------------------------------+-------------------------+----------------------------------------
| muttprint_0.72d-9                | muttprint               | /tmp/muttprint.log (write)
| myspell-tools_3.1-20             | i2myspell               | /tmp/i2my$$.1 (pipe)
| noip2_2.1.7-10                   | noip2                   | /tmp/noip2 (write)
| plait_1.5.2-1                    | plait                   | /tmp/cut.$$ (pipe)
|                                  | plait                   | /tmp/head.$$ (pipe, mv)
| pvpgn_1.8.1-1.1                  | pvpgn-support-installer | /tmp/pvpgn-support-1.0.tar.gz (cp)
| radiance_3R9+20080530-3          | dayfact                 | /tmp/gsf$$ (pipe)
|                                  |                         | /tmp/tl$$.pic (pipe)
|                                  |                         | /tmp/ds$$.pic (pipe)
|                                  |                         | /tmp/tfa$$ (pipe)
|                                  | optics2rad              | /tmp/opt.fmt (pipe)
|                                  |                         | /tmp/out$$.fmt (pipe)
|                                  | raddepend               | /tmp/sed$$ (pipe)
| screenie_1.30.0-5                | screenie                | /tmp/.screenie.$$ (pipe)
| sdm-terminal_0.4.0b-3            | sdm-login               | /tmp/sdm.autologin.once (touch)
| sng_1.0.2-5                      | sng_regress             | /tmp/recompiled$$.png (pipe)
|                                  |                         | /tmp/decompiled$$.sng (pipe)
|                                  |                         | /tmp/canonicalized$$.sng (pipe)
| systemimager-server_3.6.3dfsg1-3 | si_mkbootserver         | /tmp/*.inetd.conf (pipe)
|                                  |                         | /tmp/* (rsync, sh)
| tau_2.16.4-1.1                   | tau_cc                  | /tmp/makefile.tau.$USER.$$ (pipe)
|                                  | tau_cxx                 | /tmp/makefile.tau.$USER.$$ (pipe)
|                                  | tau_f90                 | /tmp/makefile.tau.$USER.$$ (pipe)
| winkeydaemon_1.0.1-1             | winkeydaemon            | /tmp/.winkey/keyer_busy (touch)
+----------------------------------+-------------------------+----------------------------------------
--
... mpd is off
. ''`. Dmitry E. Oboukhov
: :’ : unera@debian.org
`. `~’ GPGKey: 1024D / F8E26537 2006-11-21
`- 1B23 D4F8 8EC0 D902 0555 E438 AB8C 00CF F8E2 6537
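The temp-file pattern reported above, next to the usual mktemp fix, as an added example that is not part of the original message or of any listed package's scripts. The function names and the sandbox directory standing in for /tmp are assumptions; the file name nws.debug is borrowed from the first table and the write is simplified to a redirect.

```shell
#!/bin/sh
# Added example. Everything runs in a private sandbox created below;
# "$1" stands in for the shared /tmp directory and the real /tmp is not used.

# Reported pattern: a fixed, predictable name in a world-writable directory.
# The shell's ">" follows whatever already exists at that name, including
# a symlink created earlier by another user.
unsafe_write() {
    echo "debug output" > "$1/nws.debug"
}

# Hardened pattern: mktemp creates the file itself, exclusively, with an
# unpredictable suffix and mode 0600, so a pre-existing name is never reused.
safe_write() {
    tmpfile=$(mktemp "$1/nws.debug.XXXXXXXXXX") || return 1
    echo "debug output" > "$tmpfile"
    rm -f "$tmpfile"    # a real maintainer script would also clean up via trap
}

# run_demo WRITER: build the sandbox, place a symlink at the predictable
# name pointing at a stand-in "system file", run WRITER, then print what
# the stand-in file contains afterwards.
run_demo() {
    sandbox=$(mktemp -d) || return 1
    mkdir "$sandbox/tmp"
    echo "important" > "$sandbox/system-file"
    ln -s "$sandbox/system-file" "$sandbox/tmp/nws.debug"
    "$1" "$sandbox/tmp"
    cat "$sandbox/system-file"
    rm -rf "$sandbox"
}

echo "after unsafe_write: $(run_demo unsafe_write)"
echo "after safe_write:   $(run_demo safe_write)"
```

Scripts that need several temporary files can apply the same idea once with `mktemp -d` and keep every file inside that private directory.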