reopen 496360
thanks

Please do not close; if you want, change the severity :)

A user's files can be very important, for example ~/.gnupg/*: if an attacker
creates a symlink to them, then your gpg private key may be corrupted.

On 09:24 Mon 25 Aug , Debian Bug Tracking System wrote:
DBTS> This is an automatic notification regarding your Bug report
DBTS> which was filed against the liguidsoap package:
DBTS>
DBTS> #496360: The possibility of attack with the help of symlinks in some Debian packages
DBTS>
DBTS> It has been closed by Romain Beauxis <toots@rastageeks.org>.
DBTS>
DBTS> Their explanation is attached below along with your original report.
DBTS> If this explanation is unsatisfactory and you have not received a
DBTS> better one in a separate message then please contact Romain Beauxis <toots@rastageeks.org> by
DBTS> replying to this email.
DBTS>
DBTS> --
DBTS> 496360: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496360
DBTS> Debian Bug Tracking System
DBTS> Contact owner@bugs.debian.org with problems
DBTS>
DBTS> Date: Mon, 25 Aug 2008 11:21:24 +0200
DBTS> From: Romain Beauxis <toots@rastageeks.org>
DBTS> To: 496360-done@bugs.debian.org
DBTS> Subject: Not a bug for us
DBTS> User-Agent: KMail/1.9.9
DBTS> Cc: "Dmitry E. Oboukhov" <dimka@uvw.ru>
DBTS>
DBTS> Hi !
DBTS>
DBTS> Indeed, liguidsoap uses files under /tmp to write logs and dump audio data
DBTS> during the live show.
DBTS>
DBTS> We don't consider this as a bug, but as a feature (tm). Furthermore, this is
DBTS> known to the user, the name is predictable -- "/tmp/liguidsoap.log" -- and
DBTS> run manually by the user, with no root rights.
DBTS>
DBTS> It would be nice if your system could report scripts that are meant to be run
DBTS> as root, at least starting with maintainers scripts only...
DBTS>
DBTS> Romain
DBTS>
DBTS> Date: Sun, 24 Aug 2008 22:05:28 +0400
DBTS> From: "Dmitry E. Oboukhov" <dimka@uvw.ru>
DBTS> To: submit@bugs.debian.org
DBTS> Subject: The possibility of attack with the help of
DBTS> symlinks in some Debian packages
DBTS> Cc: dimka@uvw.ru
DBTS>
DBTS> Package: liguidsoap
DBTS> Severity: grave
DBTS>
DBTS> Hi, maintainer!
DBTS>
DBTS> This message about the error concerns a few packages at once. I've
DBTS> tested all the packages (for Lenny) on my Debian mirror. All scripts
DBTS> of packages (marked as executable) were tested.
DBTS>
DBTS> In some packages I've discovered scripts with errors which may be used
DBTS> by a user for damaging important system files or user's files.
DBTS>
DBTS> For example if a script uses in its work a temp file which is created
DBTS> in /tmp directory, then every user can create symlink with the same
DBTS> name in this directory in order to destroy or rewrite some system
DBTS> or user file. Symlink attack may also lead not only to the data
DBTS> destruction but to denial of service as well.
DBTS>
DBTS> Even if you create files or directories with help of function 'RANDOM'
DBTS> or pid(), then your system is not protected. Attacker can create many
DBTS> symlinks in order to destroy your data or create 'denial of service'
DBTS> for your package scripts.
DBTS>
DBTS> Even if you make rm(dir) for files/directories, then your system is
DBTS> not protected. Attacker can permanently create symlinks.
DBTS>
DBTS> This list is created with the help of script. This list is sorted by
DBTS> hand. However in some cases mistake is possible.
DBTS> Please, be understanding to possible mistakes. :)
DBTS>
DBTS> I set Severity into grave for this bug. The table of discovered
DBTS> problems is below.
DBTS>
DBTS> Discussion of this bug you can see in debian-devel@:
DBTS> http://lists.debian.org/debian-devel/2008/08/msg00271.html
DBTS>
DBTS> Binary-package: r-base-core-ra (1.1.1-1)
DBTS>   file: /usr/lib/Ra/lib/R/bin/javareconf
DBTS> Binary-package: rccp (0.9-2)
DBTS>   file: /usr/lib/rccp/delqueueask
DBTS> Binary-package: mafft (6.240-1)
DBTS>   file: /usr/bin/mafft-homologs
DBTS> Binary-package: openoffice.org-common (1:2.4.1-6)
DBTS>   file: /usr/lib/openoffice/program/senddoc
DBTS> Binary-package: crossfire-maps (1.11.0-1)
DBTS>   file: /usr/share/games/crossfire/maps/Info/combine.pl
DBTS> Binary-package: sgml2x (1.0.0-11.1)
DBTS>   file: /usr/bin/rlatex
DBTS> Binary-package: liguidsoap (0.3.6-4)
DBTS>   file: /var/lib/liguidsoap/liguidsoap.py
DBTS> Binary-package: citadel-server (7.37-1)
DBTS>   file: /usr/lib/citadel-server/migrate_aliases.sh
DBTS> Binary-package: ampache (3.4.1-1)
DBTS>   file: /usr/share/ampache/www/locale/base/gather-messages.sh
DBTS> Binary-package: xen-utils-3.2-1 (3.2.1-2)
DBTS>   file: /usr/lib/xen-3.2-1/bin/qemu-dm.debug
DBTS> Binary-package: dtc-common (0.29.6-1)
DBTS>   file: /usr/share/dtc/admin/accesslog.php
DBTS>   file: /usr/share/dtc/admin/sa-wrapper
DBTS> Binary-package: honeyd-common (1.5c-3)
DBTS>   file: /usr/share/honeyd/scripts/test.sh
DBTS> Binary-package: lustre-tests (1.6.5-1)
DBTS>   file: /usr/lib/lustre/tests/runiozone
DBTS> Binary-package: linuxtrade (3.65-8+b4)
DBTS>   file: /usr/share/linuxtrade/bin/linuxtrade.bwkvol
DBTS>   file: /usr/share/linuxtrade/bin/linuxtrade.wn
DBTS>   file: /usr/share/linuxtrade/bin/moneyam.helper
DBTS> Binary-package: freevo (1.8.1-0)
DBTS>   file: /usr/bin/freevo.real
DBTS> Binary-package: fml (4.0.3.dfsg-2)
DBTS>   file: /usr/share/fml/libexec/mead.pl
DBTS> Binary-package: rkhunter (1.3.2-3)
DBTS>   file: /usr/bin/rkhunter
DBTS> Binary-package: openswan (1:2.4.12+dfsg-1.1)
DBTS>   file: /usr/lib/ipsec/livetest
DBTS> Binary-package: linux-patch-openswan (1:2.4.12+dfsg-1.1)
DBTS>   file: /usr/src/kernel-patches/all/openswan/packaging/utils/maysnap
DBTS>   file: /usr/src/kernel-patches/all/openswan/packaging/utils/maytest
DBTS> Binary-package: aptoncd (0.1-1.1)
DBTS>   file: /usr/share/aptoncd/xmlfile.py
DBTS> Binary-package: cdcontrol (1.90-1.1)
DBTS>   file: /usr/lib/cdcontrol/writtercontrol
DBTS> Binary-package: newsgate (1.6-23)
DBTS>   file: /usr/bin/mkmailpost
DBTS> Binary-package: gpsdrive-scripts (2.10~pre4-3)
DBTS>   file: /usr/bin/geo-code
DBTS> Binary-package: impose+ (0.2-11)
DBTS>   file: /usr/bin/impose
DBTS> Binary-package: mgt (2.31-5)
DBTS>   file: /usr/games/mailgo
DBTS> Binary-package: audiolink (0.05-1)
DBTS>   file: /usr/bin/audiolink
DBTS> Binary-package: ibackup (2.27-4.1)
DBTS>   file: /usr/bin/ibackup
DBTS> Binary-package: emacspeak (26.0-3)
DBTS>   file: /usr/share/emacs/site-lisp/emacspeak/etc/extract-table.pl
DBTS> Binary-package: bk2site (1:1.1.9-3.1)
DBTS>   file: /usr/lib/cgi-bin/bk2site/redirect.pl
DBTS> Binary-package: datafreedom-perl (0.1.7-1)
DBTS>   file: /usr/bin/dfxml-invoice
DBTS> Binary-package: emacs-jabber (0.7.91-1)
DBTS>   file: /usr/lib/emacsen-common/packages/install/emacs-jabber
DBTS> Binary-package: lmbench (3.0-a7-1)
DBTS>   file: /usr/lib/lmbench/scripts/rccs
DBTS>   file: /usr/lib/lmbench/scripts/STUFF
DBTS> Binary-package: rancid-util (2.3.2~a8-1)
DBTS>   file: /var/lib/rancid/getipacctg
DBTS> Binary-package: ogle (0.9.2-5.2)
DBTS>   file: /usr/lib/ogle/ogle_audio_debug
DBTS>   file: /usr/lib/ogle/ogle_cli_debug
DBTS>   file: /usr/lib/ogle/ogle_ctrl_debug
DBTS>   file: /usr/lib/ogle/ogle_gui_debug
DBTS>   file: /usr/lib/ogle/ogle_mpeg_ps_debug
DBTS>   file: /usr/lib/ogle/ogle_mpeg_vs_debug
DBTS>   file: /usr/lib/ogle/ogle_nav_debug
DBTS>   file: /usr/lib/ogle/ogle_vout_debug
DBTS> Binary-package: firehol (1.256-4)
DBTS>   file: /sbin/firehol
DBTS> Binary-package: aview (1.3.0rc1-8)
DBTS>   file: /usr/bin/asciiview
DBTS> Binary-package: radiance (3R9+20080530-3)
DBTS>   file: /usr/bin/optics2rad
DBTS>   file: /usr/bin/pdelta
DBTS>   file: /usr/bin/dayfact
DBTS>   file: /usr/bin/raddepend
DBTS> Binary-package: vdr-dbg (1.6.0-5)
DBTS>   file: /usr/bin/vdrleaktest
DBTS> Binary-package: ogle-mmx (0.9.2-5.2)
DBTS>   file: /usr/lib/ogle/ogle_audio_debug
DBTS>   file: /usr/lib/ogle/ogle_cli_debug
DBTS>   file: /usr/lib/ogle/ogle_ctrl_debug
DBTS>   file: /usr/lib/ogle/ogle_gui_debug
DBTS>   file: /usr/lib/ogle/ogle_mpeg_ps_debug
DBTS>   file: /usr/lib/ogle/ogle_mpeg_vs_debug
DBTS>   file: /usr/lib/ogle/ogle_nav_debug
DBTS>   file: /usr/lib/ogle/ogle_vout_debug
DBTS> Binary-package: convirt (0.8.2-3)
DBTS>   file: /usr/share/convirt/image_store/_template_/provision.sh
DBTS>   file: /usr/share/convirt/image_store/Linux_CD_Install/provision.sh
DBTS>   file: /usr/share/convirt/image_store/Fedora_PV_Install/provision.sh
DBTS>   file: /usr/share/convirt/image_store/CentOS_PV_Install/provision.sh
DBTS>   file: /usr/share/convirt/image_store/common/provision.sh
DBTS>   file: /usr/share/convirt/image_store/example/provision.sh
DBTS>   file: /usr/share/convirt/image_store/Windows_CD_Install/provision.sh
DBTS> Binary-package: printfilters-ppd (2.13-9)
DBTS>   file: /usr/lib/printfilters/master-filter
DBTS> Binary-package: r-base-core (2.7.1-1)
DBTS>   file: /usr/lib/R/bin/javareconf
DBTS>   file: /usr/lib/R/bin/javareconf.orig
DBTS> Binary-package: xmcd (2.6-19.3)
DBTS>   file: /usr/share/xmcd/scripts/ncsarmt
DBTS>   file: /usr/share/xmcd/scripts/ncsawrap
DBTS> Binary-package: tiger (1:3.2.2-3.1)
DBTS>   file: /usr/lib/tiger/util/genmsgidx
DBTS> Binary-package: scilab-bin (4.1.2-5)
DBTS>   file: /usr/lib/scilab-4.1.2/bin/scilink
DBTS>   file: /usr/lib/scilab-4.1.2/util/scidoc
DBTS>   file: /usr/lib/scilab-4.1.2/util/scidem
DBTS> Binary-package: dpkg-cross (2.3.0)
DBTS>   file: /usr/share/dpkg-cross/bin/gccross
DBTS> Binary-package: ltp-network-test (20060918-2.1)
DBTS>   file: /usr/lib/debian-test/tests/linux/testcases/bin/ftp_setup_vsftp_conf
DBTS>   file: /usr/lib/debian-test/tests/linux/testcases/bin/nfs_fsstress.sh
DBTS> Binary-package: cman (2.20080629-1)
DBTS>   file: /usr/sbin/fence_egenera
DBTS> Binary-package: scratchbox2 (1.99.0.24-1)
DBTS>   file: /usr/share/scratchbox2/scripts/dpkg-checkbuilddeps
DBTS>   file: /usr/share/scratchbox2/scripts/sb2-check-pkg-mappings
DBTS> Binary-package: sendmail-base (8.14.3-5)
DBTS>   file: /usr/sbin/checksendmail
DBTS>   file: /usr/bin/expn
DBTS> Binary-package: fwbuilder (2.1.19-3)
DBTS>   file: /usr/bin/fwb_install
DBTS> Binary-package: sng (1.0.2-5)
DBTS>   file: /usr/bin/sng_regress
DBTS> Binary-package: dist (1:3.5-17-1)
DBTS>   file: /usr/bin/patcil
DBTS>   file: /usr/bin/patdiff
DBTS> Binary-package: sympa (5.3.4-5)
DBTS>   file: /usr/lib/cgi-bin/sympa/wwsympa.fcgi
DBTS>   file: /usr/lib/sympa/bin/sympa.pl
DBTS> Binary-package: postfix (2.5.2-2)
DBTS>   file: /usr/lib/postfix_groups.pl
DBTS> Binary-package: caudium (3:1.4.12-11)
DBTS>   file: /usr/share/caudium/configvar
DBTS> Binary-package: mgetty-fax (1.1.36-1.2)
DBTS>   file: /usr/bin/faxspool
DBTS> Binary-package: aegis (4.24-3)
DBTS>   file: /usr/share/doc/aegis/examples/remind/bng_dvlpd.sh
DBTS>   file: /usr/share/doc/aegis/examples/remind/bng_rvwd.sh
DBTS>   file: /usr/share/doc/aegis/examples/remind/awt_dvlp.sh
DBTS>   file: /usr/share/doc/aegis/examples/remind/awt_intgrtn.sh
DBTS> Binary-package: aegis-web (4.24-3)
DBTS>   file: /usr/lib/cgi-bin/aegis.cgi
DBTS> Binary-package: digitaldj (0.7.5-6+b1)
DBTS>   file: /usr/share/digitaldj/fest.pl
DBTS> Binary-package: mon (0.99.2-12)
DBTS>   file: /usr/lib/mon/alert.d/test.alert
DBTS> Binary-package: feta (1.4.16)
DBTS>   file: /usr/share/feta/plugins/to-upgrade
DBTS> Binary-package: arb-common (0.0.20071207.1-4)
DBTS>   file: /usr/lib/arb/SH/arb_fastdnaml
DBTS>   file: /usr/lib/arb/SH/dszmconnect.pl
DBTS> Binary-package: qemu (0.9.1-5)
DBTS>   file: /usr/sbin/qemu-make-debian-root
DBTS> Binary-package: apertium (3.0.7+1-1+b1)
DBTS>   file: /usr/bin/apertium-gen-deformat
DBTS>   file: /usr/bin/apertium-gen-reformat
DBTS>   file: /usr/bin/apertium
DBTS> Binary-package: xcal (4.1-18.3)
DBTS>   file: /usr/bin/pscal
DBTS> Binary-package: myspell-tools (1:3.1-20)
DBTS>   file: /usr/bin/i2myspell
DBTS> Binary-package: gccxml (0.9.0+cvs20080525-1)
DBTS>   file: /usr/share/gccxml-0.9/MIPSpro/find_flags
DBTS> Binary-package: freeradius-dialupadmin (2.0.4+dfsg-4)
DBTS>   file: /usr/share/freeradius-dialupadmin/bin/backup_radacct
DBTS>   file: /usr/share/freeradius-dialupadmin/bin/clean_radacct
DBTS>   file: /usr/share/freeradius-dialupadmin/bin/monthly_tot_stats
DBTS>   file: /usr/share/freeradius-dialupadmin/bin/tot_stats
DBTS>   file: /usr/share/freeradius-dialupadmin/bin/truncate_radacct
DBTS> Binary-package: dhis-server (5.3-1)
DBTS>   file: /usr/lib/dhis-server/dhis-dummy-log-engine
DBTS> Binary-package: wims (3.62-13)
DBTS>   file: /var/lib/wims/public_html/bin/coqweb
DBTS>   file: /var/lib/wims/bin/account.sh
DBTS> Binary-package: initramfs-tools (0.92f)
DBTS>   file: /usr/share/initramfs-tools/init
DBTS> Binary-package: realtimebattle-common (1.0.8-7)
DBTS>   file: /usr/lib/realtimebattle/Robots/perl.robot
DBTS> Binary-package: netmrg (0.20-1)
DBTS>   file: /usr/bin/rrdedit
DBTS> Binary-package: bulmages-servers (0.11.1-2)
DBTS>   file: /usr/share/bulmages/examples/scripts/actualizabulmacont
DBTS>   file: /usr/share/bulmages/examples/scripts/installbulmages-db
DBTS>   file: /usr/share/bulmages/examples/scripts/creabulmafact
DBTS>   file: /usr/share/bulmages/examples/scripts/creabulmacont
DBTS>   file: /usr/share/bulmages/examples/scripts/actualizabulmafact
DBTS> Binary-package: xastir (1.9.2-1)
DBTS>   file: /usr/lib/xastir/get-maptools.sh
DBTS>   file: /usr/lib/xastir/get_shapelib.sh
DBTS> Binary-package: plait (1.5.2-1)
DBTS>   file: /usr/bin/plaiter
DBTS>   file: /usr/bin/plait
DBTS> Binary-package: cdrw-taper (0.4-2)
DBTS>   file: /usr/sbin/amlabel-cdrw
DBTS> Binary-package: konwert-filters (1.8-11.1)
DBTS>   file: /usr/share/konwert/filters/any-UTF8
DBTS> Binary-package: gdrae (0.1-1)
DBTS>   file: /usr/bin/gdrae
DBTS> Binary-package: lazarus-src (0.9.24-0-9)
DBTS>   file: /usr/lib/lazarus/tools/install/create_lazarus_export_tgz.sh

--
. ''`.                                Dmitry E. Oboukhov
: :’  :                                unera@debian.org
`. `~’               GPGKey: 1024D / F8E26537 2006-11-21
  `-      1B23 D4F8 8EC0 D902 0555 E438 AB8C 00CF F8E2 6537
Attachment:
signature.asc
Description: Digital signature
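The report describes the predictable-name-in-/tmp pattern and why RANDOM or a pid in the name does not cure it; the maintainer's reply concedes the name is predictable ("/tmp/liguidsoap.log"). The script below is an added example, not code from the bug report, from liguidsoap or from any package listed. It puts the objected-to pattern beside two hardened forms and verifies each inside a private directory created with mktemp -d, so the shared /tmp is never touched. The names "victim" and "app.log" are constructed stand-ins for a user's file and for a log such as /tmp/liguidsoap.log.

```shell
#!/bin/sh
# Added example (not from the bug report or liguidsoap): unsafe vs safe
# creation of a log/temp file whose name an attacker can guess.
# All paths are inside a scratch directory; "victim" and "app.log" are
# constructed names standing in for a user file and /tmp/liguidsoap.log.

# The pattern the report objects to: a fixed name and a truncating '>'.
# open(2) follows a symlink planted at that name, so whatever it points
# at is emptied and overwritten with log data.
unsafe_log() {
    printf 'log line\n' > "$1/app.log"
}

# Safe when the name may vary: mktemp creates the file itself with
# O_CREAT|O_EXCL and a random suffix. An existing entry at the chosen
# name (symlink or not) makes the create fail instead of being followed.
safe_log() {
    f=$(mktemp "$1/app.log.XXXXXX") || return 1
    printf 'log line\n' > "$f"
    printf '%s\n' "$f"
}

# Safe when the name must be fixed: 'set -C' (noclobber) makes '>' open
# with O_EXCL, which fails on any existing entry, including a dangling
# symlink. A separate "is it a symlink?" test before the open would only
# reopen the race the report describes, so none is made.
safe_fixed_log() {
    ( set -C; printf 'log line\n' > "$1/app.log" ) 2>/dev/null
}

# Returns 0 if both safe writers leave a planted symlink's target intact.
check_safe_writers() {
    d=$(mktemp -d) || return 1
    printf 'secret\n' > "$d/victim"
    ln -s "$d/victim" "$d/app.log"      # symlink planted at the guessable name
    safe_fixed_log "$d" && { rm -rf "$d"; return 1; }   # must refuse
    safe_log "$d" >/dev/null || { rm -rf "$d"; return 1; }
    content=$(cat "$d/victim")
    rm -rf "$d"
    [ "$content" = "secret" ]
}

# Returns 0 if the unsafe writer does follow the symlink and clobber victim.
check_unsafe_writer() {
    d=$(mktemp -d) || return 1
    printf 'secret\n' > "$d/victim"
    ln -s "$d/victim" "$d/app.log"
    unsafe_log "$d"
    content=$(cat "$d/victim")
    rm -rf "$d"
    [ "$content" = "log line" ]
}

if [ "${1-}" = "--demo" ]; then
    check_safe_writers && echo "safe writers: victim untouched"
    check_unsafe_writer && echo "unsafe writer: victim overwritten"
fi
```

Run it as `sh script.sh --demo`. The two safe forms rely on the kernel refusing to create over an existing name (O_EXCL), which is the only check that is not racy; that is also why, as the report says, a random or pid-based name chosen by the script and then opened with a plain '>' is not enough.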