
Bug#286379: lintian: Insecure temporary directory usage



Package: lintian
Version: 1.18.1.1-3
Priority: important
Tags: security

The lintian script does not protect itself from temporary directory
attacks, since it creates the labs in an insecure manner (the process PID
is not sufficient to avoid an attack) and does not check
if the temporary dir it uses exists before using it. Actually, the
LIB interface happily uses any directory if it's already available, so
a symlink attack can be devised through the standard contents of
a lab if the user has not defined LINTIAN_LAB to go to a proper
(safe) location instead of to /tmp/ (i.e. TMPDIR has not been defined).

The attached patch is an attempt to fix this behaviour using the File::Temp
library. It does have a caveat emptor: with the patch below, lintian
will produce the following warnings (due to -w), but I'm unable to
remove them myself:

---------------------------------------------------
Subroutine Pipeline::O_CREAT redefined at /usr/share/perl/5.8/Exporter.pm line 65.  at /usr/lib/perl/5.8/POSIX.pm line 19
Subroutine Pipeline::O_EXCL redefined at /usr/share/perl/5.8/Exporter.pm line 65.  at /usr/lib/perl/5.8/POSIX.pm line 19
Subroutine Pipeline::O_RDWR redefined at /usr/share/perl/5.8/Exporter.pm line 65.  at /usr/lib/perl/5.8/POSIX.pm line 19
---------------------------------------------------

Regards

Javier

PS: I initially reported this to the security team back in June,
but have not found time to follow up on this issue until today.
Security team, please check
Resent-Message-ID: <20040624124521.GA10101@dat.etsit.upm.es>

--- lintian.orig	2004-12-19 23:21:31.000000000 +0100
+++ lintian	2004-12-19 23:57:55.000000000 +0100
@@ -25,6 +25,7 @@
 use strict;
 
 use Getopt::Long;
+use File::Temp qw/tempdir/;
 use FileHandle;
 # }}}
 
@@ -411,11 +412,8 @@
     # LINTIAN_LAB not defined => basic mode (temporary lab)
     $lab_mode = 'temporary';
 
-    if ($ENV{'TMPDIR'}) {
-	$LINTIAN_LAB = "$ENV{'TMPDIR'}/lintian-lab.$$";
-    } else {
-	$LINTIAN_LAB = "/tmp/lintian-lab.$$";
-    }
+    $LINTIAN_LAB = tempdir("lintian-lab-XXXX", TMPDIR => 1, CLEANUP => 1);
+    die "Cannot create temporary directory!" if ! $LINTIAN_LAB ;
 }
 $ENV{'LINTIAN_LAB'} = $LINTIAN_LAB;
 
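
Review bot: the "die ... if ! $LINTIAN_LAB" check on the second added line is effectively dead code, because File::Temp's tempdir() croaks on failure instead of returning a false value. Either drop the check or wrap the tempdir() call in eval and report $@, so the error says why the directory could not be created. The template "lintian-lab-XXXX" uses the minimum of four X characters; a longer run such as "lintian-lab-XXXXXXXX" costs nothing and widens the name space. With CLEANUP => 1 the directory is now removed at exit and it already exists (mode 0700) when the lab setup code runs, so confirm that the later lab creation and removal paths for the temporary mode accept both.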
