Bug#414237: lintian: Uses insecure temporary file /tmp/debug in objdump-info
Package: lintian
Version: 1.23.27
Severity: grave
Tags: security patch
Justification: user security hole
The lintian collection script objdump-info uses the insecure temporary file
/tmp/debug. Any invocation of lintian on a package containing ELF binaries,
or containing files with ' ELF' in their names, will append lines of the form
"Processing $bin" to /tmp/debug (or through a symlink at /tmp/debug). This
trivially allows a local attacker to corrupt another user's files. If the
local attacker can control the contents of the package getting checked by
lintian, they can control the text after "Processing "; this would allow a
variety of exploits based on tools that would ignore the prefix, such as the
shell. For example, consider the filename "; do nasty stuff # ELF".
This looks like debugging code, and lintian does not appear to use /tmp/debug
for anything else, so removing the line solves the problem. Patch attached.
- Josh Triplett
-- System Information:
Debian Release: 4.0
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.21-rc2test
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Versions of packages lintian depends on:
ii binutils 2.17-3 The GNU assembler, linker and bina
ii diffstat 1.43-2 produces graph of changes introduc
ii dpkg-dev 1.13.25 package building tools for Debian
ii file 4.19-1 Determines file type using "magic"
ii gettext 0.16.1-1 GNU Internationalization utilities
ii intltool-debian 0.35.0+20060710.1 Help i18n of RFC822 compliant conf
ii libparse-debianchangel 1.0-1 parse Debian changelogs and output
ii man-db 2.4.3-6 The on-line manual pager
ii perl [libdigest-md5-pe 5.8.8-7 Larry Wall's Practical Extraction
lintian recommends no packages.
-- no debconf information
diff -Naur lintian-1.23.27.orig/collection/objdump-info lintian-1.23.27/collection/objdump-info
--- lintian-1.23.27.orig/collection/objdump-info 2006-11-19 20:28:06.000000000 -0800
+++ lintian-1.23.27/collection/objdump-info 2007-03-09 22:12:10.000000000 -0800
@@ -43,7 +43,6 @@
# output in the objdump-info file and let the check script deal with
# it later.
for bin in `grep ' ELF' <../file-info | cut -d\: -f1`; do
- echo "Processing $bin" >> /tmp/debug
echo "-- $bin" >> ../objdump-info
if head $bin | grep -q 'packed.*with.*UPX'; then
echo "objdump: $bin: Packed with UPX" >> ../objdump-info
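Review bot: Dropping the `echo ... >> /tmp/debug` line is the right fix, since nothing else in the hunk reads that file, but the surrounding context shows a second weakness in the same loop that is worth addressing in the same change: `$bin` is expanded unquoted in `head $bin` and in the `echo` lines, and the loop header `for bin in \`grep ' ELF' <../file-info | cut -d\: -f1\`` word-splits the output of `grep`, so any filename containing whitespace is split into several arguments. Quoting the expansions (`head "$bin"`, `echo "-- $bin"`) and reading the file-info output with a `while read` loop instead of backtick substitution would make the script handle such names correctly.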
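The report above describes the general hazard (a script appending to a fixed, predictable path under /tmp that another local user can pre-create as a symlink) and the fix for this instance (remove the line). The following is an added example, not code from lintian or from the bug reporter: a small shell lint that flags redirections into literal paths under /tmp or /var/tmp in a script, alongside the safe pattern such code should use when a scratch file really is needed, a private directory created with `mktemp -d`. The sample script it scans is constructed here to mirror the loop from the patch and is not the real objdump-info file; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not lintian's code): flag writes to fixed /tmp paths in a
# shell script, and show the safe mktemp-based alternative.

# Constructed sample mirroring the loop from the bug report (not the real file).
SAMPLE_SCRIPT=$(mktemp)
cat >"$SAMPLE_SCRIPT" <<'EOF'
for bin in `grep ' ELF' <../file-info | cut -d\: -f1`; do
  echo "Processing $bin" >> /tmp/debug
  echo "-- $bin" >> ../objdump-info
done
EOF

# Print "line:text" for every redirection (> or >>) whose target is a literal
# path under /tmp or /var/tmp. A target held in a variable such as "$TMPDIR"
# is not a literal path and is deliberately not reported.
find_fixed_tmp_writes() {
    grep -nE '>>?[[:space:]]*(/tmp|/var/tmp)/[^[:space:]"]+' "$1"
}

# Number of flagged lines in the given script (0 when it is clean).
count_fixed_tmp_writes() {
    find_fixed_tmp_writes "$1" | wc -l | tr -d ' '
}

# Safe alternative for a debug log: a fresh per-run directory from mktemp -d
# (mode 0700, unpredictable name), so no other user can plant a symlink at the
# path before the script writes to it. Prints the log file path.
safe_debug_log() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' "Processing $1" >>"$dir/debug"
    printf '%s\n' "$dir/debug"
}
```

Run against the constructed sample, `count_fixed_tmp_writes` reports one hit, on the `>> /tmp/debug` line; the `>> ../objdump-info` write is relative to the collection directory and is not flagged. `safe_debug_log` writes the same "Processing" record, but into a directory only the invoking user can reach, so the filename from the report (`; do nasty stuff # ELF`) lands in a file nobody else can point elsewhere.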