
Bug#286379: marked as done ([lib/Lab] Lintian lab created unsafely, disputed)



Your message dated Tue, 2 Jan 2007 22:56:41 +0100
with message-id <20070102215641.GA17775@foo.wolffelaar.nl>
and subject line Bug#286379: Lintian insecure removal bug (#286379)
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: lintian
Version: 1.18.1.1-3
Priority: important
Tags: security

The lintian script does not protect itself from temporary directory
attacks since it creates the labs in an insecure manner (the process PID
is not sufficient to avoid an attack) and does not check
if the temporary dir it uses exists before using them. Actually, the
LIB interface happily uses any directory if it's already available so
a symlink attack can be devised through the standard contents of
a lab if the user has not defined LINTIAN_LAB to go to a proper
(safe) location instead of to /tmp/ (i.e. TMPDIR has not been defined).

The attached patch is an attempt to fix this behaviour using the File::Temp
library. It does have a caveat emptor, with the patch below lintian
will produce the following warnings (due to -w), but I'm unable to
remove them myself:

---------------------------------------------------
Subroutine Pipeline::O_CREAT redefined at /usr/share/perl/5.8/Exporter.pm line 65.  at /usr/lib/perl/5.8/POSIX.pm line 19
Subroutine Pipeline::O_EXCL redefined at /usr/share/perl/5.8/Exporter.pm line 65.  at /usr/lib/perl/5.8/POSIX.pm line 19
Subroutine Pipeline::O_RDWR redefined at /usr/share/perl/5.8/Exporter.pm line 65.  at /usr/lib/perl/5.8/POSIX.pm line 19
---------------------------------------------------

Regards

Javier

PS: I initially reported this to the security team back in June,
but have not found time to follow up on this issue until today.
Security team, please check
Resent-Message-ID: <20040624124521.GA10101@dat.etsit.upm.es>

--- lintian.orig	2004-12-19 23:21:31.000000000 +0100
+++ lintian	2004-12-19 23:57:55.000000000 +0100
@@ -25,6 +25,7 @@
 use strict;
 
 use Getopt::Long;
+use File::Temp qw/tempdir/;
 use FileHandle;
 # }}}
 
@@ -411,11 +412,8 @@
     # LINTIAN_LAB not defined => basic mode (temporary lab)
     $lab_mode = 'temporary';
 
-    if ($ENV{'TMPDIR'}) {
-	$LINTIAN_LAB = "$ENV{'TMPDIR'}/lintian-lab.$$";
-    } else {
-	$LINTIAN_LAB = "/tmp/lintian-lab.$$";
-    }
+    $LINTIAN_LAB = tempdir("lintian-lab-XXXX", TMPDIR => 1, CLEANUP => 1);
+    die "Cannot create temporary directory!" if ! $LINTIAN_LAB ;
 }
 $ENV{'LINTIAN_LAB'} = $LINTIAN_LAB;
 
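Review bot: The added `die "Cannot create temporary directory!" if ! $LINTIAN_LAB ;` line in this hunk is unreachable, because File::Temp's tempdir() croaks on failure instead of returning a false value; drop the check, or wrap the tempdir() call in eval if a lintian-specific error message is wanted. The template "lintian-lab-XXXX" also uses only four X placeholders, the minimum File::Temp accepts, so a longer run such as "lintian-lab-XXXXXXXX" would make the lab name harder to guess at no cost.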

--- End Message ---
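
As an added illustration (not code from lintian or from the patch in this report), the Perl below contrasts the two behaviours the report describes: reusing whatever already sits at a guessable lab path versus creating the lab atomically and refusing a pre-existing entry. The helper name `create_lab_exclusive`, the scratch paths and the PID 4242 are constructed for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;

# Create a lab at a fixed path only if nothing is there yet. mkdir() is
# atomic and does not follow a symlink at the final path component, so a
# pre-planted entry makes it fail with EEXIST instead of being reused.
# Mode 0700 is explicit, so a permissive umask (e.g. 002) cannot widen it.
sub create_lab_exclusive {
    my ($path) = @_;
    if (!mkdir($path, 0700)) {
        die "refusing to reuse existing lab $path\n" if $!{EEXIST};
        die "cannot create lab $path: $!\n";
    }
    # Defence in depth: confirm the result is a real directory we own.
    my @st = lstat($path) or die "lstat $path: $!\n";
    die "$path is not a directory owned by us\n"
        unless -d _ && $st[4] == $>;
    return $path;
}

# Demo inside a private scratch directory (constructed paths only).
my $scratch = tempdir("lab-demo-XXXXXXXX", TMPDIR => 1, CLEANUP => 1);
my $lab = File::Spec->catdir($scratch, "lintian-lab.4242");  # PID-style name

# Simulate an entry that exists before the tool runs: a symlink
# sitting at the guessable name and pointing somewhere else.
my $elsewhere = File::Spec->catdir($scratch, "other-data");
mkdir $elsewhere or die "mkdir: $!";
symlink($elsewhere, $lab) or die "symlink: $!";

my $reused = eval { create_lab_exclusive($lab); 1 };
print "pre-existing entry: ", ($reused ? "REUSED (bad)\n" : "rejected: $@");

unlink $lab or die "unlink: $!";
print "clean path: created ", create_lab_exclusive($lab), "\n";

# Preferred form, as in the patch but with a longer template: File::Temp
# picks an unpredictable name and creates the directory atomically.
my $safe = tempdir("lintian-lab-XXXXXXXX", TMPDIR => 1, CLEANUP => 1);
printf "tempdir lab: %s (mode %04o)\n", $safe, (stat $safe)[2] & 07777;
```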
--- Begin Message ---
On Thu, Dec 14, 2006 at 12:55:52PM +0100, Jeroen van Wolffelaar wrote:
> No reply to this in nearly 2 years. My opinion didn't change, IMHO it
> is user-requested behaviour to get things writable by group if you set
> umask to 02 -- that's what umask *does*.
> 
> If anybody disagrees, you can do either of these three:
> [...]
> 
> Otherwise, I'll close this bugreport by the end of the year.

Happy new year,
--Jeroen

-- 
Jeroen van Wolffelaar
Jeroen@wolffelaar.nl (also for Jabber & MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl

--- End Message ---