
Bug#286681: marked as done ([CAN-2004-1000] [lib/Lab] Insecurely removes files after lab failed to be created)



Your message dated Tue, 11 Jan 2005 23:34:41 -0800
with message-id <20050112073438.GE8852@mauritius.dodds.net>
and subject line [CAN-2004-1000] [lib/Lab] Insecurely removes files after lab failed to be created
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 19 Dec 2004 22:58:38 +0000
>From jfs@computer.org Sun Dec 19 14:58:38 2004
Return-path: <jfs@computer.org>
Received: from 148.red-213-96-98.pooles.rima-tde.net (silicio) [213.96.98.148] (Debian-exim)
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1CgA0b-0007wu-00; Sun, 19 Dec 2004 14:58:38 -0800
Received: from jfs by silicio with local (Exim 4.34)
	id 1CgA0W-0002cV-Hw
	for submit@bugs.debian.org; Sun, 19 Dec 2004 23:58:32 +0100
Date: Sun, 19 Dec 2004 23:58:32 +0100
From: Javier Fernández-Sanguino Peña <jfs@computer.org>
To: submit@bugs.debian.org
Subject: lintian: Insecure temporary directory usage
Message-ID: <20041219225832.GC9687@silicio>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="lCAWRPmW1mITcIfM"
Content-Disposition: inline
User-Agent: Mutt/1.5.6+20040907i
Delivered-To: submit@bugs.debian.org


--lCAWRPmW1mITcIfM
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Package: lintian
Version: 1.18.1.1-3
Priority: important
Tags: security

The lintian script does not protect itself from temporary directory
attacks since it creates the labs in an insecure manner (the process PID
is not sufficient to avoid an attack) and does not check
if the temporary dir it uses exists before using it. Actually, the
LIB interface happily uses any directory if it's already available so
a symlink attack can be devised through the standard contents of
a lab if the user has not defined LINTIAN_LAB to go to a proper
(safe) location instead of to /tmp/ (i.e. TMPDIR has not been defined).

The attached patch is an attempt to fix this behaviour using the File::Temp
library. It does have a caveat emptor: with the patch below lintian
will produce the following warnings (due to -w), but I'm unable to
remove them myself:

---------------------------------------------------
Subroutine Pipeline::O_CREAT redefined at /usr/share/perl/5.8/Exporter.pm line 65.  at /usr/lib/perl/5.8/POSIX.pm line 19
Subroutine Pipeline::O_EXCL redefined at /usr/share/perl/5.8/Exporter.pm line 65.  at /usr/lib/perl/5.8/POSIX.pm line 19
Subroutine Pipeline::O_RDWR redefined at /usr/share/perl/5.8/Exporter.pm line 65.  at /usr/lib/perl/5.8/POSIX.pm line 19
---------------------------------------------------

Regards

Javier

PS: I initially reported this to the security team back in June,
but have not found time to follow up on this issue until today.
Security team, please check
Resent-Message-ID: <20040624124521.GA10101@dat.etsit.upm.es>


--lCAWRPmW1mITcIfM
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="lintian.diff"

--- lintian.orig	2004-12-19 23:21:31.000000000 +0100
+++ lintian	2004-12-19 23:57:55.000000000 +0100
@@ -25,6 +25,7 @@
 use strict;
 
 use Getopt::Long;
+use File::Temp qw/tempdir/;
 use FileHandle;
 # }}}
 
@@ -411,11 +412,8 @@
     # LINTIAN_LAB not defined => basic mode (temporary lab)
     $lab_mode = 'temporary';
 
-    if ($ENV{'TMPDIR'}) {
-	$LINTIAN_LAB = "$ENV{'TMPDIR'}/lintian-lab.$$";
-    } else {
-	$LINTIAN_LAB = "/tmp/lintian-lab.$$";
-    }
+    $LINTIAN_LAB = tempdir("lintian-lab-XXXX", TMPDIR => 1, CLEANUP => 1);
+    die "Cannot create temporary directory!" if ! $LINTIAN_LAB ;
 }
 $ENV{'LINTIAN_LAB'} = $LINTIAN_LAB;
 
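Review bot: The `die "Cannot create temporary directory!" if ! $LINTIAN_LAB` line after the tempdir() call will not fire in practice, because File::Temp's tempdir() croaks on failure instead of returning a false value; drop the check, or wrap the call in eval and report $@ so the user sees why creation failed. The template "lintian-lab-XXXX" uses the minimum of four X characters, and a longer run costs nothing. CLEANUP => 1 now removes the directory at exit, so confirm it does not clash with whatever removal the temporary lab mode already does. This branch is only reached when LINTIAN_LAB is not defined, so a pre-existing directory named by the user is still accepted as before and needs its own check elsewhere.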

--lCAWRPmW1mITcIfM--
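
Added example, not part of the original report, the attached patch, or lintian's own code: one way to create a temporary lab so that a path that already exists is never reused, plus the check on a user-supplied lab directory that the report says is missing. The names `make_lab` and `check_existing_lab`, the eight-X template and the specific ownership and mode rules are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example (not lintian code): safe handling of a lab directory.
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;

# Create a fresh, private lab. tempdir() picks a random name and creates it
# with mkdir(), which fails if the path already exists (symlinks included),
# using mode 0700. It croaks on failure, so the error is caught with eval.
sub make_lab {
    my $lab = eval {
        tempdir('lintian-lab-XXXXXXXX', TMPDIR => 1, CLEANUP => 1);
    };
    die "Cannot create temporary lab: $@" unless defined $lab;
    return $lab;
}

# Vet a lab path that already exists (the user-supplied LINTIAN_LAB case).
# Returns a reason string if the path must not be used, nothing if it is OK.
# Hypothetical policy: no symlinks, must be a directory, must be owned by
# the effective user, must not be writable by group or others.
sub check_existing_lab {
    my ($path) = @_;
    my @st = lstat($path) or return "cannot lstat $path: $!";
    return "$path is a symlink"             if -l _;
    return "$path is not a directory"       unless -d _;
    return "$path is not owned by us"       unless $st[4] == $>;
    return "$path is group/world writable"  if $st[2] & 0022;
    return;
}

my $lab = make_lab();
my $problem = check_existing_lab($lab);
print "$lab: ", (defined $problem ? "rejected ($problem)" : "ok"), "\n";

# Constructed case: a symlink sitting where a lab is expected is refused.
my $link = File::Spec->catfile($lab, 'planted-lab');
symlink('/nonexistent', $link) or die "symlink: $!";
print "planted-lab: rejected (", check_existing_lab($link), ")\n";
```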

---------------------------------------
Received: (at 286681-done) by bugs.debian.org; 12 Jan 2005 07:34:42 +0000
>From vorlon@debian.org Tue Jan 11 23:34:42 2005
Return-path: <vorlon@debian.org>
Received: from dsl093-039-086.pdx1.dsl.speakeasy.net (localhost.localdomain) [66.93.39.86] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1Cod1e-0006vk-00; Tue, 11 Jan 2005 23:34:42 -0800
Received: by localhost.localdomain (Postfix, from userid 1000)
	id A5837171D3B; Tue, 11 Jan 2005 23:34:41 -0800 (PST)
Date: Tue, 11 Jan 2005 23:34:41 -0800
From: Steve Langasek <vorlon@debian.org>
To: 286681-done@bugs.debian.org
Subject: Re: [CAN-2004-1000] [lib/Lab] Insecurely removes files after lab failed to be created
Message-ID: <20050112073438.GE8852@mauritius.dodds.net>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="3Pql8miugIZX0722"
Content-Disposition: inline
User-Agent: Mutt/1.5.6+20040907i
Delivered-To: 286681-done@bugs.debian.org


--3Pql8miugIZX0722
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Version lintian 1.23.7 has reached testing, which is the last suite to be
fixed, so I believe this bug can now be closed.

Thanks,
-- 
Steve Langasek
postmodern programmer

--3Pql8miugIZX0722
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline


--3Pql8miugIZX0722--


