Proposed patch to aptitude in stable to fix a low-impact security bug

To: debian-release@lists.debian.org
Subject: Proposed patch to aptitude in stable to fix a low-impact security bug
From: Daniel Burrows <dburrows@debian.org>
Date: Sun, 3 Apr 2011 07:44:33 -0700
Message-id: <[🔎] 20110403144433.GB6093@windrider.lan>
Mail-followup-to: debian-release@lists.debian.org

  Hi all,

  The version of aptitude in stable contains a security bug that could
theoretically allow a symlink attack in /tmp.  However, it can only be
exploited in a very narrow set of circumstances: the user must have no
home directory, and they must invoke the "hierarchy editor" (an old and
mostly undocumented corner of the curses interface).  For this reason,
the security team recommended that I ask -release to put the patch into
a point update, rather than releasing it via the security route.

  I've attached the patch that I'll add to the debian/patches in the
package in stable.

  Please let me know what the next step I need to do is.  Also, do you
think it makes sense to patch the package in oldstable?

  Daniel

From: Daniel_Burrows@alumni.brown.edu <Daniel_Burrows@alumni.brown.edu>
Date: Tue Mar 29 21:43:30 2011 -0700
Subject: Don't clobber a fixed-name file in /tmp if the user's home directory isn't set.  (Closes: #612034)
    
diff --git a/src/edit_pkg_hier.cc b/src/edit_pkg_hier.cc
index 7189580..213a97f 100644
--- a/src/edit_pkg_hier.cc
+++ b/src/edit_pkg_hier.cc
@@ -1,6 +1,6 @@
 // edit_pkg_hier.cc
 //
-//   Copyright (C) 2000-2001, 2004-2006 Daniel Burrows
+//   Copyright (C) 2000-2001, 2004-2006, 2011 Daniel Burrows
 //
 //   This program is free software; you can redistribute it and/or
 //   modify it under the terms of the GNU General Public License as
@@ -332,18 +332,20 @@ bool hier_editor::handle_key(const cw::config::key &k)
   if(cw::config::global_bindings.key_matches(k, "SaveHier"))
     {
       string homedir = get_homedir();
-      string cfgfile;
 
       if(homedir.empty())
 	{
-	  show_message(_("Unable to look up your home directory, saving to /tmp/function_pkgs!"),
+          // This normally will not happen.  Don't default to a fixed
+          // filename to prevent symlink attacks. (Debian bug #612034)
+	  show_message(_("Unable to look up your home directory!"),
 		       NULL,
 		       cw::get_style("Error"));
-	  cfgfile = "/tmp/function_pkgs";
 	}
       else
-	cfgfile = homedir + "/.aptitude/function_pkgs";
-      save_hier(cfgfile);
+        {
+          string cfgfile = homedir + "/.aptitude/function_pkgs";
+          save_hier(cfgfile);
+        }
     }
   else if(cw::config::global_bindings.key_matches(k, "Quit"))
     {

Attachment: signature.asc
Description: Digital signature

Reply to:

Follow-Ups:
- Re: Proposed patch to aptitude in stable to fix a low-impact security bug
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>

Prev by Date: Bug#613735: transition: gobject-introspection
Next by Date: v86d 0.1.10 for Squeeze?
Previous by thread: Bug#613735: transition: gobject-introspection
Next by thread: Re: Proposed patch to aptitude in stable to fix a low-impact security bug
Index(es):
- Date
- Thread