
Bug#286681: marked as done ([CAN-2004-1000] [lib/Lab] Insecurely removes files after lab failed to be created)



Your message dated Sat, 01 Jan 2005 21:17:30 -0500
with message-id <E1CkvJC-0004bI-00@newraff.debian.org>
and subject line Bug#286681: fixed in lintian 1.23.6
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 19 Dec 2004 22:58:38 +0000
>From jfs@computer.org Sun Dec 19 14:58:38 2004
Return-path: <jfs@computer.org>
Received: from 148.red-213-96-98.pooles.rima-tde.net (silicio) [213.96.98.148] (Debian-exim)
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1CgA0b-0007wu-00; Sun, 19 Dec 2004 14:58:38 -0800
Received: from jfs by silicio with local (Exim 4.34)
	id 1CgA0W-0002cV-Hw
	for submit@bugs.debian.org; Sun, 19 Dec 2004 23:58:32 +0100
Date: Sun, 19 Dec 2004 23:58:32 +0100
From: Javier Fernández-Sanguino Peña <jfs@computer.org>
To: submit@bugs.debian.org
Subject: lintian: Insecure temporary directory usage
Message-ID: <20041219225832.GC9687@silicio>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="lCAWRPmW1mITcIfM"
Content-Disposition: inline
User-Agent: Mutt/1.5.6+20040907i
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
	autolearn=no version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level: 


--lCAWRPmW1mITcIfM
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Package: lintian
Version: 1.18.1.1-3
Priority: important
Tags: security

The lintian script does not protect itself from temporary directory
attacks since it creates the labs in an insecure manner (the process PID
is not sufficient to avoid an attack) and does not check
if the temporary dir it uses exists before using it. Actually, the
LIB interface happily uses any directory if it's already available so
a symlink attack can be devised through the standard contents of
a lab if the user has not defined LINTIAN_LAB to go to a proper
(safe) location instead of to /tmp/ (i.e. TMPDIR has not been defined).

The attached patch is an attempt to fix this behaviour using the File::Temp
library. It does have a caveat emptor: with the patch below lintian
will produce the following warnings (due to -w), but I'm unable to
remove them myself:

---------------------------------------------------
Subroutine Pipeline::O_CREAT redefined at /usr/share/perl/5.8/Exporter.pm line 65.  at /usr/lib/perl/5.8/POSIX.pm line 19
Subroutine Pipeline::O_EXCL redefined at /usr/share/perl/5.8/Exporter.pm line 65.  at /usr/lib/perl/5.8/POSIX.pm line 19
Subroutine Pipeline::O_RDWR redefined at /usr/share/perl/5.8/Exporter.pm line 65.  at /usr/lib/perl/5.8/POSIX.pm line 19
---------------------------------------------------

Regards

Javier

PS: I initially reported this to the security team back in June,
but have not found time to follow up on this issue until today.
Security team, please check
Resent-Message-ID: <20040624124521.GA10101@dat.etsit.upm.es>


--lCAWRPmW1mITcIfM
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="lintian.diff"

--- lintian.orig	2004-12-19 23:21:31.000000000 +0100
+++ lintian	2004-12-19 23:57:55.000000000 +0100
@@ -25,6 +25,7 @@
 use strict;
 
 use Getopt::Long;
+use File::Temp qw/tempdir/;
 use FileHandle;
 # }}}
 
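Review bot: The added `use File::Temp qw/tempdir/;` is the only new import in this patch, and the report states that the patched script prints "Subroutine Pipeline::O_CREAT redefined" (and the same for O_EXCL and O_RDWR) under -w. Trace which module load re-imports the O_* constants into the Pipeline package and resolve that before merging, so the security fix does not add warning output to every run.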
@@ -411,11 +412,8 @@
     # LINTIAN_LAB not defined => basic mode (temporary lab)
     $lab_mode = 'temporary';
 
-    if ($ENV{'TMPDIR'}) {
-	$LINTIAN_LAB = "$ENV{'TMPDIR'}/lintian-lab.$$";
-    } else {
-	$LINTIAN_LAB = "/tmp/lintian-lab.$$";
-    }
+    $LINTIAN_LAB = tempdir("lintian-lab-XXXX", TMPDIR => 1, CLEANUP => 1);
+    die "Cannot create temporary directory!" if ! $LINTIAN_LAB ;
 }
 $ENV{'LINTIAN_LAB'} = $LINTIAN_LAB;
 
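Review bot: In the second added line, `die "Cannot create temporary directory!" if ! $LINTIAN_LAB ;` can never fire, because File::Temp's tempdir() croaks on failure instead of returning a false value; drop the check, or wrap the call in eval if a lintian-specific message is wanted. The template "lintian-lab-XXXX" also uses only four X's, the minimum File::Temp accepts, and a longer run such as XXXXXXXX costs nothing. Since CLEANUP => 1 makes File::Temp remove the directory at exit, any existing code path that removes a temporary lab should be checked so the same path is not removed twice. The case where the user sets LINTIAN_LAB is untouched by this hunk, so the behaviour the report describes, using a directory that already exists, still needs its own check there.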

--lCAWRPmW1mITcIfM--
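
The report's two complaints (a PID-based name is guessable, and an existing directory is used without being checked) shown as an added Perl example; it is not lintian's code and not part of the original message. `lab_problem` and `make_lab` are hypothetical helper names, and the planted symlink is a constructed scenario inside a private scratch directory.

```perl
#!/usr/bin/perl
# Added example, not lintian's code: create a temporary lab atomically and
# refuse a pre-existing lab path unless it is a private directory we own.
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;
use Fcntl qw(:mode);

# Hypothetical helper: returns a reason string if $dir is unsafe, '' if safe.
sub lab_problem {
    my ($dir) = @_;
    my @st = lstat($dir) or return "cannot lstat: $!";   # lstat: do not follow links
    my ($mode, $uid) = @st[2, 4];
    return 'is a symlink'             if S_ISLNK($mode);
    return 'is not a directory'       unless S_ISDIR($mode);
    return 'not owned by current uid' unless $uid == $>;
    return 'group/world writable'     if $mode & (S_IWGRP | S_IWOTH);
    return '';
}

# Hypothetical helper: new lab with an unpredictable name. File::Temp creates
# it with mkdir at mode 0700 and picks another name if one is already taken.
sub make_lab {
    return tempdir('lintian-lab-XXXXXXXX', TMPDIR => 1, CLEANUP => 1);
}

# Constructed scenario inside a private scratch directory: the predictable
# "lintian-lab.$$" name already exists as a symlink before we get to it.
my $scratch = tempdir(CLEANUP => 1);
my $planted = File::Spec->catdir($scratch, "lintian-lab.$$");
symlink('/nonexistent-target', $planted) or die "symlink: $!";

printf "%-12s %s\n", 'planted:', lab_problem($planted) || 'ok';
my $lab = make_lab();
printf "%-12s %s (%s)\n", 'fresh lab:', lab_problem($lab) || 'ok', $lab;

# mkdir() on the predictable name fails instead of reusing what is there,
# which is the existence check the report says is missing.
mkdir($planted, 0700) or print "mkdir refused: $!\n";
```

The same `lab_problem` check applies to a user-supplied LINTIAN_LAB path, which the attached patch does not change.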

---------------------------------------
Received: (at 286681-close) by bugs.debian.org; 2 Jan 2005 02:19:26 +0000
>From katie@ftp-master.debian.org Sat Jan 01 18:19:26 2005
Return-path: <katie@ftp-master.debian.org>
Received: from newraff.debian.org [208.185.25.31] (mail)
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1CkvL3-0001jC-00; Sat, 01 Jan 2005 18:19:25 -0800
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
	id 1CkvJC-0004bI-00; Sat, 01 Jan 2005 21:17:30 -0500
From: Debian Lintian Maintainers <lintian-maint@debian.org>
To: 286681-close@bugs.debian.org
X-Katie: $Revision: 1.54 $
Subject: Bug#286681: fixed in lintian 1.23.6
Message-Id: <E1CkvJC-0004bI-00@newraff.debian.org>
Sender: Archive Administrator <katie@ftp-master.debian.org>
Date: Sat, 01 Jan 2005 21:17:30 -0500
Delivered-To: 286681-close@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
	autolearn=no version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level: 
X-CrossAssassin-Score: 9

Source: lintian
Source-Version: 1.23.6

We believe that the bug you reported is fixed in the latest version of
lintian, which is due to be installed in the Debian FTP archive:

lintian_1.23.6.dsc
  to pool/main/l/lintian/lintian_1.23.6.dsc
lintian_1.23.6.tar.gz
  to pool/main/l/lintian/lintian_1.23.6.tar.gz
lintian_1.23.6_all.deb
  to pool/main/l/lintian/lintian_1.23.6_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 286681@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Debian Lintian Maintainers <lintian-maint@debian.org> (supplier of updated lintian package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 27 Dec 2004 05:40:13 +0100
Source: lintian
Binary: lintian
Architecture: source all
Version: 1.23.6
Distribution: unstable
Urgency: low
Maintainer: Debian Lintian Maintainers <lintian-maint@debian.org>
Changed-By: Debian Lintian Maintainers <lintian-maint@debian.org>
Description: 
 lintian    - Debian package checker
Closes: 200171 244830 245883 258824 259227 284662 284728 285335 286681
Changes: 
 lintian (1.23.6) unstable; urgency=low
 .
   The "Let's see if I can upload myself now" release, made by Marc, Frank and
   Colin, uploaded by Jeroen.
 .
   * checks/description
     + [HE] Warn if the short description start with an article or a capital
       letter. Patch by Tobias Toedter <t.toedter@gmx.net>, thanks. (Closes:
       #258824)
   * checks/fields:
     + [HE] Warn if the debian revision has three parts, as this is the sign of
       a binary NMU. New check's name is binary-nmu-debian-revision-in-source.
       (Closes: #244830)
     + [HE] Warn if people use the Bugs field to refer to the Debian BTS, the
       new check is called redundant-bugs-field. (Closes: #245883)
   * checks/files:
     + [HE] Check that .desktop files are placed in /usr/share/applications.
       This seems to be the standard place for those files that are used
       to create menus. The check is called desktop-file-in-wrong-dir.
       (Closes: #200171)
   * checks/manpages:
     + [HE] Don't compare the manpage filename extension and the content of
       .TH case-sensitive. Report + patch by Jay Berkenbilt <ejb@ql.org>,
       thanks. (Closes: #285335)
     + [HE] Emit binary-without-english-manpage if a package only provides
       translated manpages for a binary. (Closes: #259227)
     + [HE] Skip all comment lines when checking for .so links in manpages.
       Thanks for the report and fix suggestion to Steinar H. Gunderson
       <sgunderson@bigfoot.com>. (Closes: #284662)
   * checks/md5sums:
     + [HE] Strip off ./ at the beginning of the filenames in md5sums
       files (this seems to happen on some systems, though we don't know
       how). (Closes: #284728)
   * checks/standards-version:
     + [CW] By definition, udebs aren't required to conform to policy, so
       don't issue no-standards-version-field for them. (If they happen to
       have a Standards-Version field anyway, we still check that it's
       valid.)
 .
   * lib/Lab.pm, frontend/lintian:
     SECURITY (CAN-2004-1000):
     + [FL] Overhaul lab directory handling. This also fixes the issue
       of removing a lab that never was created (Closes: #286681)
Files: 
 d7d7da4d3bf9e489da7174cf95dc8bbf 802 devel optional lintian_1.23.6.dsc
 039d5def803533ebcba3abe6656649e5 255150 devel optional lintian_1.23.6.tar.gz
 58c3979171d3751b04cafec7246038eb 221236 devel optional lintian_1.23.6_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Signed by Jeroen van Wolffelaar <jeroen@wolffelaar.nl>

iD8DBQFB11Qil2uISwgTVp8RAu/RAJ9M63wnOaxQWEt6WZny8tKTHEZVswCZAX9S
gASJ+tMQyWvj8o7jnWlbsUo=
=zLXv
-----END PGP SIGNATURE-----
