Bug#496397: marked as done (The possibility of attack with the help of symlinks in some Debian packages)
Your message dated Mon, 25 Aug 2008 22:32:07 +0000
with message-id <E1KXkbX-00013O-4q@ries.debian.org>
and subject line Bug#496397: fixed in feta 1.4.16+nmu1
has caused the Debian Bug report #496397,
regarding The possibility of attack with the help of symlinks in some Debian packages
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)
--
496397: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496397
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: feta
Severity: grave
Hi, maintainer!
This message about the error concerns a few packages at once. I've
tested all the packages (for Lenny) on my Debian mirror. All scripts
of packages (marked as executable) were tested.
In some packages I've discovered scripts with errors which may be used
by a user for damaging important system files or user's files.
For example if a script uses in its work a temp file which is created
in /tmp directory, then every user can create symlink with the same
name in this directory in order to destroy or rewrite some system
or user file. Symlink attack may also lead not only to the data
desctruction but to denial of service as well.
Even if you create files or directories with help of function 'RANDOM'
or pid(), then your system is not protected. Attacker can create many
symlinks in order to destroy your data or create 'denial of service'
for your package scripts.
Even if you make rm(dir) for files/directories, then your system is
not protected. Attacker can permanently create symlinks.
This list is created with the help of script. This list is sorted by
hand. Howewer in some cases mistake is possible.
Please, Be understanding to possible mistakes. :)
I set Severity into grave for this bug. The table of discovered
problems is below.
Discussion of this bug you can see in debian-devel@:
http://lists.debian.org/debian-devel/2008/08/msg00271.html
Binary-package: r-base-core-ra (1.1.1-1)
file: /usr/lib/Ra/lib/R/bin/javareconf
Binary-package: rccp (0.9-2)
file: /usr/lib/rccp/delqueueask
Binary-package: mafft (6.240-1)
file: /usr/bin/mafft-homologs
Binary-package: openoffice.org-common (1:2.4.1-6)
file: /usr/lib/openoffice/program/senddoc
Binary-package: crossfire-maps (1.11.0-1)
file: /usr/share/games/crossfire/maps/Info/combine.pl
Binary-package: sgml2x (1.0.0-11.1)
file: /usr/bin/rlatex
Binary-package: liguidsoap (0.3.6-4)
file: /var/lib/liguidsoap/liguidsoap.py
Binary-package: citadel-server (7.37-1)
file: /usr/lib/citadel-server/migrate_aliases.sh
Binary-package: ampache (3.4.1-1)
file: /usr/share/ampache/www/locale/base/gather-messages.sh
Binary-package: xen-utils-3.2-1 (3.2.1-2)
file: /usr/lib/xen-3.2-1/bin/qemu-dm.debug
Binary-package: dtc-common (0.29.6-1)
file: /usr/share/dtc/admin/accesslog.php
file: /usr/share/dtc/admin/sa-wrapper
Binary-package: honeyd-common (1.5c-3)
file: /usr/share/honeyd/scripts/test.sh
Binary-package: lustre-tests (1.6.5-1)
file: /usr/lib/lustre/tests/runiozone
Binary-package: linuxtrade (3.65-8+b4)
file: /usr/share/linuxtrade/bin/linuxtrade.bwkvol
file: /usr/share/linuxtrade/bin/linuxtrade.wn
file: /usr/share/linuxtrade/bin/moneyam.helper
Binary-package: freevo (1.8.1-0)
file: /usr/bin/freevo.real
Binary-package: fml (4.0.3.dfsg-2)
file: /usr/share/fml/libexec/mead.pl
Binary-package: rkhunter (1.3.2-3)
file: /usr/bin/rkhunter
Binary-package: openswan (1:2.4.12+dfsg-1.1)
file: /usr/lib/ipsec/livetest
Binary-package: linux-patch-openswan (1:2.4.12+dfsg-1.1)
file: /usr/src/kernel-patches/all/openswan/packaging/utils/maysnap
file: /usr/src/kernel-patches/all/openswan/packaging/utils/maytest
Binary-package: aptoncd (0.1-1.1)
file: /usr/share/aptoncd/xmlfile.py
Binary-package: cdcontrol (1.90-1.1)
file: /usr/lib/cdcontrol/writtercontrol
Binary-package: newsgate (1.6-23)
file: /usr/bin/mkmailpost
Binary-package: gpsdrive-scripts (2.10~pre4-3)
file: /usr/bin/geo-code
Binary-package: impose+ (0.2-11)
file: /usr/bin/impose
Binary-package: mgt (2.31-5)
file: /usr/games/mailgo
Binary-package: audiolink (0.05-1)
file: /usr/bin/audiolink
Binary-package: ibackup (2.27-4.1)
file: /usr/bin/ibackup
Binary-package: emacspeak (26.0-3)
file: /usr/share/emacs/site-lisp/emacspeak/etc/extract-table.pl
Binary-package: bk2site (1:1.1.9-3.1)
file: /usr/lib/cgi-bin/bk2site/redirect.pl
Binary-package: datafreedom-perl (0.1.7-1)
file: /usr/bin/dfxml-invoice
Binary-package: emacs-jabber (0.7.91-1)
file: /usr/lib/emacsen-common/packages/install/emacs-jabber
Binary-package: lmbench (3.0-a7-1)
file: /usr/lib/lmbench/scripts/rccs
file: /usr/lib/lmbench/scripts/STUFF
Binary-package: rancid-util (2.3.2~a8-1)
file: /var/lib/rancid/getipacctg
Binary-package: ogle (0.9.2-5.2)
file: /usr/lib/ogle/ogle_audio_debug
file: /usr/lib/ogle/ogle_cli_debug
file: /usr/lib/ogle/ogle_ctrl_debug
file: /usr/lib/ogle/ogle_gui_debug
file: /usr/lib/ogle/ogle_mpeg_ps_debug
file: /usr/lib/ogle/ogle_mpeg_vs_debug
file: /usr/lib/ogle/ogle_nav_debug
file: /usr/lib/ogle/ogle_vout_debug
Binary-package: firehol (1.256-4)
file: /sbin/firehol
Binary-package: aview (1.3.0rc1-8)
file: /usr/bin/asciiview
Binary-package: radiance (3R9+20080530-3)
file: /usr/bin/optics2rad
file: /usr/bin/pdelta
file: /usr/bin/dayfact
file: /usr/bin/raddepend
Binary-package: vdr-dbg (1.6.0-5)
file: /usr/bin/vdrleaktest
Binary-package: ogle-mmx (0.9.2-5.2)
file: /usr/lib/ogle/ogle_audio_debug
file: /usr/lib/ogle/ogle_cli_debug
file: /usr/lib/ogle/ogle_ctrl_debug
file: /usr/lib/ogle/ogle_gui_debug
file: /usr/lib/ogle/ogle_mpeg_ps_debug
file: /usr/lib/ogle/ogle_mpeg_vs_debug
file: /usr/lib/ogle/ogle_nav_debug
file: /usr/lib/ogle/ogle_vout_debug
Binary-package: convirt (0.8.2-3)
file: /usr/share/convirt/image_store/_template_/provision.sh
file: /usr/share/convirt/image_store/Linux_CD_Install/provision.sh
file: /usr/share/convirt/image_store/Fedora_PV_Install/provision.sh
file: /usr/share/convirt/image_store/CentOS_PV_Install/provision.sh
file: /usr/share/convirt/image_store/common/provision.sh
file: /usr/share/convirt/image_store/example/provision.sh
file: /usr/share/convirt/image_store/Windows_CD_Install/provision.sh
Binary-package: printfilters-ppd (2.13-9)
file: /usr/lib/printfilters/master-filter
Binary-package: r-base-core (2.7.1-1)
file: /usr/lib/R/bin/javareconf
file: /usr/lib/R/bin/javareconf.orig
Binary-package: xmcd (2.6-19.3)
file: /usr/share/xmcd/scripts/ncsarmt
file: /usr/share/xmcd/scripts/ncsawrap
Binary-package: tiger (1:3.2.2-3.1)
file: /usr/lib/tiger/util/genmsgidx
Binary-package: scilab-bin (4.1.2-5)
file: /usr/lib/scilab-4.1.2/bin/scilink
file: /usr/lib/scilab-4.1.2/util/scidoc
file: /usr/lib/scilab-4.1.2/util/scidem
Binary-package: dpkg-cross (2.3.0)
file: /usr/share/dpkg-cross/bin/gccross
Binary-package: ltp-network-test (20060918-2.1)
file: /usr/lib/debian-test/tests/linux/testcases/bin/ftp_setup_vsftp_conf
file: /usr/lib/debian-test/tests/linux/testcases/bin/nfs_fsstress.sh
Binary-package: cman (2.20080629-1)
file: /usr/sbin/fence_egenera
Binary-package: scratchbox2 (1.99.0.24-1)
file: /usr/share/scratchbox2/scripts/dpkg-checkbuilddeps
file: /usr/share/scratchbox2/scripts/sb2-check-pkg-mappings
Binary-package: sendmail-base (8.14.3-5)
file: /usr/sbin/checksendmail
file: /usr/bin/expn
Binary-package: fwbuilder (2.1.19-3)
file: /usr/bin/fwb_install
Binary-package: sng (1.0.2-5)
file: /usr/bin/sng_regress
Binary-package: dist (1:3.5-17-1)
file: /usr/bin/patcil
file: /usr/bin/patdiff
Binary-package: sympa (5.3.4-5)
file: /usr/lib/cgi-bin/sympa/wwsympa.fcgi
file: /usr/lib/sympa/bin/sympa.pl
Binary-package: postfix (2.5.2-2)
file: /usr/lib/postfix_groups.pl
Binary-package: caudium (3:1.4.12-11)
file: /usr/share/caudium/configvar
Binary-package: mgetty-fax (1.1.36-1.2)
file: /usr/bin/faxspool
Binary-package: aegis (4.24-3)
file: /usr/share/doc/aegis/examples/remind/bng_dvlpd.sh
file: /usr/share/doc/aegis/examples/remind/bng_rvwd.sh
file: /usr/share/doc/aegis/examples/remind/awt_dvlp.sh
file: /usr/share/doc/aegis/examples/remind/awt_intgrtn.sh
Binary-package: aegis-web (4.24-3)
file: /usr/lib/cgi-bin/aegis.cgi
Binary-package: digitaldj (0.7.5-6+b1)
file: /usr/share/digitaldj/fest.pl
Binary-package: mon (0.99.2-12)
file: /usr/lib/mon/alert.d/test.alert
Binary-package: feta (1.4.16)
file: /usr/share/feta/plugins/to-upgrade
Binary-package: arb-common (0.0.20071207.1-4)
file: /usr/lib/arb/SH/arb_fastdnaml
file: /usr/lib/arb/SH/dszmconnect.pl
Binary-package: qemu (0.9.1-5)
file: /usr/sbin/qemu-make-debian-root
Binary-package: apertium (3.0.7+1-1+b1)
file: /usr/bin/apertium-gen-deformat
file: /usr/bin/apertium-gen-reformat
file: /usr/bin/apertium
Binary-package: xcal (4.1-18.3)
file: /usr/bin/pscal
Binary-package: myspell-tools (1:3.1-20)
file: /usr/bin/i2myspell
Binary-package: gccxml (0.9.0+cvs20080525-1)
file: /usr/share/gccxml-0.9/MIPSpro/find_flags
Binary-package: freeradius-dialupadmin (2.0.4+dfsg-4)
file: /usr/share/freeradius-dialupadmin/bin/backup_radacct
file: /usr/share/freeradius-dialupadmin/bin/clean_radacct
file: /usr/share/freeradius-dialupadmin/bin/monthly_tot_stats
file: /usr/share/freeradius-dialupadmin/bin/tot_stats
file: /usr/share/freeradius-dialupadmin/bin/truncate_radacct
Binary-package: dhis-server (5.3-1)
file: /usr/lib/dhis-server/dhis-dummy-log-engine
Binary-package: wims (3.62-13)
file: /var/lib/wims/public_html/bin/coqweb
file: /var/lib/wims/bin/account.sh
Binary-package: initramfs-tools (0.92f)
file: /usr/share/initramfs-tools/init
Binary-package: realtimebattle-common (1.0.8-7)
file: /usr/lib/realtimebattle/Robots/perl.robot
Binary-package: netmrg (0.20-1)
file: /usr/bin/rrdedit
Binary-package: bulmages-servers (0.11.1-2)
file: /usr/share/bulmages/examples/scripts/actualizabulmacont
file: /usr/share/bulmages/examples/scripts/installbulmages-db
file: /usr/share/bulmages/examples/scripts/creabulmafact
file: /usr/share/bulmages/examples/scripts/creabulmacont
file: /usr/share/bulmages/examples/scripts/actualizabulmafact
Binary-package: xastir (1.9.2-1)
file: /usr/lib/xastir/get-maptools.sh
file: /usr/lib/xastir/get_shapelib.sh
Binary-package: plait (1.5.2-1)
file: /usr/bin/plaiter
file: /usr/bin/plait
Binary-package: cdrw-taper (0.4-2)
file: /usr/sbin/amlabel-cdrw
Binary-package: konwert-filters (1.8-11.1)
file: /usr/share/konwert/filters/any-UTF8
Binary-package: gdrae (0.1-1)
file: /usr/bin/gdrae
Binary-package: lazarus-src (0.9.24-0-9)
file: /usr/lib/lazarus/tools/install/create_lazarus_export_tgz.sh
--- End Message ---
--- Begin Message ---
Source: feta
Source-Version: 1.4.16+nmu1
We believe that the bug you reported is fixed in the latest version of
feta, which is due to be installed in the Debian FTP archive:
feta_1.4.16+nmu1.dsc
to pool/main/f/feta/feta_1.4.16+nmu1.dsc
feta_1.4.16+nmu1.tar.gz
to pool/main/f/feta/feta_1.4.16+nmu1.tar.gz
feta_1.4.16+nmu1_all.deb
to pool/main/f/feta/feta_1.4.16+nmu1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 496397@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Moritz Muehlenhoff <jmm@debian.org> (supplier of updated feta package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Tue, 26 Aug 2008 00:18:11 +0200
Source: feta
Binary: feta
Architecture: source all
Version: 1.4.16+nmu1
Distribution: unstable
Urgency: medium
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Moritz Muehlenhoff <jmm@debian.org>
Description:
feta - simpler interface to APT, dpkg, and other package tools
Closes: 496397
Changes:
feta (1.4.16+nmu1) unstable; urgency=medium
.
* Non-maintainer upload.
* Fix insecure temp file generaton in to-upgrade plugin (Closes: #496397)
Checksums-Sha1:
878ac56db6670f4f20ce7b82fe71ac25682af6c6 751 feta_1.4.16+nmu1.dsc
f323f0a3e5637d1c9593c1ee99db63499e2d7a79 51891 feta_1.4.16+nmu1.tar.gz
0b76ee19124aced6d16994dd7cd9d5a3f2f4c2b6 47772 feta_1.4.16+nmu1_all.deb
Checksums-Sha256:
a8177928b52efba3f87c27538e6f584885073b981e910f78eb914af1c6c92c6c 751 feta_1.4.16+nmu1.dsc
8f1e3812e1bc2b2678682d468d98d08ff36598520ef546c56f847d48c305e2fc 51891 feta_1.4.16+nmu1.tar.gz
450d0fccd158a7e8d7eb3267b1f6c165e03c0fb572973f46089013e09ef07656 47772 feta_1.4.16+nmu1_all.deb
Files:
4de997acc6c25130b3961c314311c521 751 admin optional feta_1.4.16+nmu1.dsc
b419fc51714e80a2747a8d350424c8b3 51891 admin optional feta_1.4.16+nmu1.tar.gz
5ebbac326406461102563aafb39bb099 47772 admin optional feta_1.4.16+nmu1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkizMJUACgkQXm3vHE4uylqffACfQBiNrYY96lnIR+y2PPuTNOG6
KjwAoIORi1D4y/Wxbir0XVzyekWszlV+
=LG4n
-----END PGP SIGNATURE-----
--- End Message ---
Reply to: