--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: lintian: Insecure temporary directory usage
- From: Javier Fernández-Sanguino Peña <jfs@computer.org>
- Date: Sun, 19 Dec 2004 23:58:32 +0100
- Message-id: <20041219225832.GC9687@silicio>
Package: lintian
Version: 1.18.1.1-3
Priority: important
Tags: security
The lintian script does not protect itself from temporary directory
attacks since it creates the labs in an insecure manner (the process PID
is not suffient to avoid and attack) and does not check
if the temporary dir it uses exists before using them. Actually, the
LIB interface happily uses any directory if it's already available so
a symlink attack can be devised through the standard contents of
a lab if the user has not defined LINTIAN_LAB to go to a proper
(safe) location instead of to /tmp/ (i.e. TMPDIR has not been defined)
The attached patch is an attempt to fix this behaviour using the File::Temp
library. It does have a caveat empor, with the patch below lintian
will produce the following warnings (due to -w), but I'm unable to
remove them myself:
---------------------------------------------------
Subroutine Pipeline::O_CREAT redefined at /usr/share/perl/5.8/Exporter.pm line 65. at /usr/lib/perl/5.8/POSIX.pm line 19
Subroutine Pipeline::O_EXCL redefined at /usr/share/perl/5.8/Exporter.pm line 65. at /usr/lib/perl/5.8/POSIX.pm line 19
Subroutine Pipeline::O_RDWR redefined at /usr/share/perl/5.8/Exporter.pm line 65. at /usr/lib/perl/5.8/POSIX.pm line 19
---------------------------------------------------
Regards
Javier
PS: I initially reported this to the security team back in June,
but have not found time to follow up on this issue until today.
Security team, please check
Resent-Message-ID: <20040624124521.GA10101@dat.etsit.upm.es>
--- lintian.orig 2004-12-19 23:21:31.000000000 +0100
+++ lintian 2004-12-19 23:57:55.000000000 +0100
@@ -25,6 +25,7 @@
use strict;
use Getopt::Long;
+use File::Temp qw/tempdir/;
use FileHandle;
# }}}
@@ -411,11 +412,8 @@
# LINTIAN_LAB not defined => basic mode (temporary lab)
$lab_mode = 'temporary';
- if ($ENV{'TMPDIR'}) {
- $LINTIAN_LAB = "$ENV{'TMPDIR'}/lintian-lab.$$";
- } else {
- $LINTIAN_LAB = "/tmp/lintian-lab.$$";
- }
+ $LINTIAN_LAB = tempdir("lintian-lab-XXXX", TMPDIR => 1, CLEANUP => 1);
+ die "Cannot create temporary directory!" if ! $LINTIAN_LAB ;
}
$ENV{'LINTIAN_LAB'} = $LINTIAN_LAB;
--- End Message ---
--- Begin Message ---
- To: 286379-done@bugs.debian.org
- Subject: Re: Bug#286379: Lintian insecure removal bug (#286379)
- From: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
- Date: Tue, 2 Jan 2007 22:56:41 +0100
- Message-id: <20070102215641.GA17775@foo.wolffelaar.nl>
- In-reply-to: <20061214115552.GA18918@foo.wolffelaar.nl>
- References: <20041220193126.GF380@A-Eskwadraat.nl> <20041220194353.GB7329@finlandia.infodrom.north.de> <20041220195701.GT18313@A-Eskwadraat.nl> <20041221043929.GD7329@finlandia.infodrom.north.de> <20041221121603.GH380@A-Eskwadraat.nl> <20041221142612.GU7329@finlandia.infodrom.north.de> <20041221143454.GX18313@A-Eskwadraat.nl> <20061214115552.GA18918@foo.wolffelaar.nl>
On Thu, Dec 14, 2006 at 12:55:52PM +0100, Jeroen van Wolffelaar wrote:
> No reply to this in nearly 2 years. My opinion didn't change, IMHO it
> is user-requested behaviour to get things writable by group is you set
> umask to 02 -- that's what umask *does*.
>
> If anybody disagrees, you can do either of these three:
> [...]
>
> Otherwise, I'll close this bugreport by the end of the year.
Happy new year,
--Jeroen
--
Jeroen van Wolffelaar
Jeroen@wolffelaar.nl (also for Jabber & MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl
--- End Message ---