
Bug#763780: marked as done (apt-get: Insecure temporary changelog handling)



Your message dated Thu, 02 Oct 2014 21:19:26 +0000
with message-id <E1XZnmY-0004Mm-Md@franck.debian.org>
and subject line Bug#763780: fixed in apt 1.0.9.2
has caused the Debian Bug report #763780,
regarding apt-get: Insecure temporary changelog handling
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
763780: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=763780
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: apt
Version: 0.8.7
Severity: serious
Tags: security patch

Hi!

I've found an instance of insecure temporary filename handling. The
problem is that the code correctly creates a temporary directory, but
then uses that name as just a prefix for the created changelog
filename, thus creating it alongside the temporary directory (instead
of inside of it), and making it very much predictable. This is worsened
due to the time it takes apt-get to download the changelog from the net,
which gives a very huge window to use that pathname.

Attached a patch fixing this. This affects all versions starting from
the one in squeeze.

I'm not sure if this deserves a CVE or perhaps a lower severity?

Thanks,
Guillem
From 9df147f44d1a9f1fb245ae085b105ed271170ce8 Mon Sep 17 00:00:00 2001
From: Guillem Jover <guillem@debian.org>
Date: Thu, 2 Oct 2014 17:48:13 +0200
Subject: [PATCH] apt-get: Create the temporary downloaded changelog inside
 tmpdir

The code is creating a secure temporary directory, but then creates
the changelog alongside the tmpdir in the same base directory. This
defeats the secure tmpdir creation, making the filename predictable.

Inject a '/' between the tmpdir and the changelog filename.
---
 cmdline/apt-get.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cmdline/apt-get.cc b/cmdline/apt-get.cc
index 2e283da..cfa7933 100644
--- a/cmdline/apt-get.cc
+++ b/cmdline/apt-get.cc
@@ -1563,7 +1563,7 @@ static bool DoChangelog(CommandLine &CmdL)
    {
       string changelogfile;
       if (downOnly == false)
-	 changelogfile.append(tmpname).append("changelog");
+	 changelogfile.append(tmpname).append("/changelog");
       else
 	 changelogfile.append(Ver.ParentPkg().Name()).append(".changelog");
       if (DownloadChangelog(Cache, Fetcher, Ver, changelogfile) && downOnly == false)
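Review bot: the one-character fix is correct for the `downOnly == false` branch, but the hunk ships without a regression test; since the whole defence now rests on that `/`, an integration test under test/integration that runs the changelog download and asserts the file is created as `<tmpname>/changelog` and that no `<tmpname>changelog` sibling appears would stop the separator being dropped again. A short comment at the `string changelogfile;` line saying that `tmpname` is the secure temporary directory and that the file must live inside it would also make the intent visible to the next person editing these lines.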
-- 
2.1.1.391.g7a54a76


--- End Message ---
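As an added illustration of the bug Guillem describes and of the one-character fix in his patch, here is example code written for this page (not apt's own code). It reproduces the 'before' and 'after' path construction from the hunk side by side and adds a hypothetical review helper, `isInsideDir`, that checks whether a path really names an entry inside the private directory. It assumes, as the commit message implies, that `tmpname` is the absolute path returned by mkdtemp(3) with no trailing slash; the `/tmp/apt-changelog-XXXXXX` template is a constructed value for the demonstration.

```cpp
#include <cstdio>
#include <cstdlib>
#include <string>
#include <fcntl.h>
#include <unistd.h>

// 'Before' pattern from the bug report: the secure temporary directory name is
// used as a bare prefix, so the changelog is created NEXT TO the directory
// under a predictable name such as /tmp/apt-changelog-AbC123changelog.
std::string unsafeChangelogPath(const std::string &tmpname) {
    std::string changelogfile;
    changelogfile.append(tmpname).append("changelog");
    return changelogfile;
}

// 'After' pattern from the patch: a '/' separates directory and file name, so
// the changelog lands inside the directory that only this process created.
std::string safeChangelogPath(const std::string &tmpname) {
    std::string changelogfile;
    changelogfile.append(tmpname).append("/changelog");
    return changelogfile;
}

// Hypothetical review check for this class of bug: is `path` a single entry
// directly inside `dir`? Both are assumed to be absolute, already-normalised
// paths (what mkdtemp() returns); "..", "." and deeper components are rejected.
bool isInsideDir(const std::string &dir, const std::string &path) {
    std::string prefix = dir;
    if (prefix.empty() || prefix.back() != '/')
        prefix += '/';
    if (path.size() <= prefix.size())
        return false;
    if (path.compare(0, prefix.size(), prefix) != 0)
        return false;
    const std::string rest = path.substr(prefix.size());
    return rest.find('/') == std::string::npos && rest != "." && rest != "..";
}

// Stand-alone demonstration: create a real private directory with mkdtemp()
// (assumed here to be how apt-get obtains tmpname) and compare the two paths.
int main() {
    char tmpl[] = "/tmp/apt-changelog-XXXXXX"; // constructed template
    if (mkdtemp(tmpl) == nullptr) {
        perror("mkdtemp");
        return 1;
    }
    const std::string tmpname(tmpl); // mkdtemp filled in the XXXXXX in place
    const std::string before = unsafeChangelogPath(tmpname);
    const std::string after = safeChangelogPath(tmpname);
    printf("tmpdir : %s\n", tmpname.c_str());
    printf("before : %s  inside tmpdir? %s\n", before.c_str(),
           isInsideDir(tmpname, before) ? "yes" : "no");
    printf("after  : %s  inside tmpdir? %s\n", after.c_str(),
           isInsideDir(tmpname, after) ? "yes" : "no");

    // Create the file the safe way. O_EXCL additionally refuses to reuse a
    // pre-existing entry of that name, the usual companion to a private
    // directory when the file is written by the process itself.
    int fd = open(after.c_str(), O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) {
        perror("open");
    } else {
        close(fd);
        unlink(after.c_str());
    }
    rmdir(tmpname.c_str());
    return 0;
}
```

Run as-is it prints the two candidate paths and reports that only the 'after' form lies inside the freshly created directory; the same `isInsideDir` check is the kind of assertion a regression test for this hunk would make.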
--- Begin Message ---
Source: apt
Source-Version: 1.0.9.2

We believe that the bug you reported is fixed in the latest version of
apt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 763780@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Vogt <mvo@debian.org> (supplier of updated apt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 02 Oct 2014 22:05:39 +0200
Source: apt
Binary: apt libapt-pkg4.12 libapt-inst1.5 apt-doc libapt-pkg-dev libapt-pkg-doc apt-utils apt-transport-https
Architecture: source all amd64
Version: 1.0.9.2
Distribution: unstable
Urgency: medium
Maintainer: APT Development Team <deity@lists.debian.org>
Changed-By: Michael Vogt <mvo@debian.org>
Description:
 apt        - commandline package manager
 apt-doc    - documentation for APT
 apt-transport-https - https download transport for APT
 apt-utils  - package management related utility programs
 libapt-inst1.5 - deb package format runtime library
 libapt-pkg-dev - development files for APT's libapt-pkg and libapt-inst
 libapt-pkg-doc - documentation for APT development
 libapt-pkg4.12 - package management runtime library
Closes: 762160 762223 763780
Changes:
 apt (1.0.9.2) unstable; urgency=medium
 .
   [ Michael Vogt ]
   * test/integration/test-apt-update-file: improve test
   * Fix regression when copy: is used for a relative path (Closes: #762160)
   * generalize Acquire::GzipIndex to support all compressions that
     apt supports
   * Fix regression for cdrom: sources from latest security update
   * Ensure that iTFRewritePackageOrder is "MD5sum" to match
     apt-ftparchive
   * debian/rules: add hardening=+all.
     Thanks to Simon Ruderich, Markus Waldeck
 .
   [ Holger Wansing ]
   * German program translation update (Closes: 762223)
 .
   [ Jérémy Bobbio ]
   * disable timestamps in the footer of docs by doxygen
 .
   [ Trần Ngọc Quân ]
   * Set STRIP_FROM_PATH for doxygen
 .
   [ Guillem Jover ]
   * apt-get: Create the temporary downloaded changelog inside tmpdir
     (closes: #763780)
Checksums-Sha1:
 544ce5258b75acad3d126a8543a7b1dc2e051a6e 2353 apt_1.0.9.2.dsc
 f8b7587ba7584e7bb277dc2d4adb31724244ddb4 1796640 apt_1.0.9.2.tar.xz
 2fae1f470f2338cfa1a2ca0c2946da755f93197e 300382 apt-doc_1.0.9.2_all.deb
 fa85ffc8993f0c0e1517d0ec13ed58697038627d 773864 libapt-pkg-doc_1.0.9.2_all.deb
 40409f1a02d60e2a74418310a34104bea954eded 780066 libapt-pkg4.12_1.0.9.2_amd64.deb
 06be8285347af003e857246c5bc05bc0f44a8b54 167808 libapt-inst1.5_1.0.9.2_amd64.deb
 1568f5fd5946f5e7aace73dd1bfe2dfce4e96361 1100016 apt_1.0.9.2_amd64.deb
 0df928953f02ca209c898d0194025c3fa8b74f66 191500 libapt-pkg-dev_1.0.9.2_amd64.deb
 b7c01678f5a6c2e8944d46149a36f7ad7d1b0268 366570 apt-utils_1.0.9.2_amd64.deb
 396a2d8ac167097e4255c7ad2a13bfa266f95618 135342 apt-transport-https_1.0.9.2_amd64.deb
Checksums-Sha256:
 d412c8fd6ca3106a94fc8d1f5b7d8f7559fdc44013cc690b190cb262a6971cee 2353 apt_1.0.9.2.dsc
 93954ec3ed94c9d34eba7c6c713ea28f9ae6af2b8c637b588909f3ab189e80fc 1796640 apt_1.0.9.2.tar.xz
 6f6d6f8e02c78b1a4be1807e01151a67cbd98f4ec37d2919eb14efb4c6b2c514 300382 apt-doc_1.0.9.2_all.deb
 e012a6a9161a259412f3442ae37aab492121a8af6525b9dfd1e90a36f171c0b5 773864 libapt-pkg-doc_1.0.9.2_all.deb
 d6167887737a43fd09cc83d95e155dd86381eae08d642c4476ad82a52414a793 780066 libapt-pkg4.12_1.0.9.2_amd64.deb
 0daf4d288196fc9bebbb27d2a81942c2ce7c28777a07c2463d5418f7aae45ec0 167808 libapt-inst1.5_1.0.9.2_amd64.deb
 5941392bb4077fafdb839b1ec2c835eb6babb6dacf2ecbb5241c90c55774c45d 1100016 apt_1.0.9.2_amd64.deb
 706eb233461ccd864572634770437ef9cd5e92216618e007516b9006632d87c1 191500 libapt-pkg-dev_1.0.9.2_amd64.deb
 cd1efa220312eaf1c810a80e82d1c267d230094107f81f57c6589bf3fcc67170 366570 apt-utils_1.0.9.2_amd64.deb
 6ce85d531f8829bd47b9d3f20040f075897fc34fcc9d51cb9680811132aa1c93 135342 apt-transport-https_1.0.9.2_amd64.deb
Files:
 a540624ab2bcb592e010f963710f2d65 300382 doc optional apt-doc_1.0.9.2_all.deb
 0e5bc3fd84107534cbe30df79583f0cb 773864 doc optional libapt-pkg-doc_1.0.9.2_all.deb
 c7a92e4e909708c830c92cef2585a24b 780066 libs important libapt-pkg4.12_1.0.9.2_amd64.deb
 678345350d08b9023be62c7ab0a823f6 167808 libs important libapt-inst1.5_1.0.9.2_amd64.deb
 e9ccc2444fb9a0f71110bdbb0fa4f4b0 1100016 admin important apt_1.0.9.2_amd64.deb
 ce4e80b8124b8c0d26e404f4d6be04bd 191500 libdevel optional libapt-pkg-dev_1.0.9.2_amd64.deb
 349eb17f8e8b025f07346977b56aa13b 366570 admin important apt-utils_1.0.9.2_amd64.deb
 aabb9774e82b5209969cc6e54250c616 135342 admin optional apt-transport-https_1.0.9.2_amd64.deb
 9ff81dcf60c59715fe8f1311b1885f65 2353 admin important apt_1.0.9.2.dsc
 4b9d845e00952263eac634f35bc98d5d 1796640 admin important apt_1.0.9.2.tar.xz


--- End Message ---
