Unsecure use of temporary files

Related Vulnerabilities: CVE-2008-4108  

Debian Bug report logs - #498899
Unsecure use of temporary files

Package: python2.4-examples; Maintainer for python2.4-examples is (unknown);

Reported by: Jan Hauke Rahm <jhr@debian.org>

Date: Sun, 14 Sep 2008 11:12:01 UTC

Severity: normal

Tags: patch, pending, security

Done: Matthias Klose <doko@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Matthias Klose <doko@debian.org>:
Bug#498899; Package python2.4-examples. (full text, mbox, link).


Acknowledgement sent to Jan Hauke Rahm <info@jhr-online.de>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Matthias Klose <doko@debian.org>. (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Jan Hauke Rahm <info@jhr-online.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Unsecure use of temporary files
Date: Sun, 14 Sep 2008 13:05:08 +0200
Package: python2.4-examples
Version: 2.4.5-5
Severity: grave
Tags: security patch

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA224

Hi Matthias,

in your script "Tools/faqwiz/move-faqwiz.sh" you use $RANDOM to create a
temporary file. This is very unsecure and should be replaced by mktemp.

The following patch tries to solve that and beyond that solves your
bashism bug #489648.

Please test the patch thoroughly and upload ASAP if appropriate.

Cheers,
Hauke

*** bashandtmp.patch
diff -Naur python2.4-2.4.5~/Tools/faqwiz/move-faqwiz.sh python2.4-2.4.5/Tools/faqwiz/move-faqwiz.sh
- --- python2.4-2.4.5~/Tools/faqwiz/move-faqwiz.sh	2008-09-14 12:36:45.000000000 +0200
+++ python2.4-2.4.5/Tools/faqwiz/move-faqwiz.sh	2008-09-14 12:40:44.000000000 +0200
@@ -9,7 +9,7 @@
 #   blackjesus:~> ./move-faqwiz.sh 2\.1 3\.2
 #   Moving FAQ question 02.001 to 03.002
 
- -if [ x$2 == x ]; then
+if [ x$2 = x ]; then
     echo "Need 2 args: original_version final_version."
     exit 2
 fi
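Review bot: the `==` to `=` change makes the test POSIX, but `[ x$2 = x ]` still leaves `$2` unquoted, so an argument containing whitespace or a glob character splits into several words and `[` errors out instead of printing the usage message; `[ -z "$2" ]` (or `[ "x$2" = x ]`) checks for the missing argument without that hazard.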
@@ -19,7 +19,7 @@
     exit 2
 fi
 
- -function cut_n_pad() {
+cut_n_pad () {
     t=`echo $1 | cut -d. -f $2`
     export $3=`echo $t | awk "{ tmp = \\$0; l = length(tmp); for (i = 0; i < $2-l+1; i++) { tmp = "0".tmp } print tmp  }"`
 }
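Review bot: `cut_n_pad () {` is the correct portable form, but the body this hunk keeps deserves a look in the same pass: `export $3=...` assigns to whatever name arrives as the third argument, and `echo $1` and `-f $2` are unquoted, so the function relies entirely on its callers passing clean values. Quoting the expansions (`"$1"`, `"$2"`) costs nothing and fits the intent of a bashism/robustness cleanup.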
@@ -28,7 +28,7 @@
 cut_n_pad $1 2 suffix1
 cut_n_pad $2 1 prefix2
 cut_n_pad $2 2 suffix2
- -tmpfile=tmp$RANDOM.tmp
+tmpfile=`mktemp`
 file1=faq$prefix1.$suffix1.htp
 file2=faq$prefix2.$suffix2.htp
 
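Review bot: `mktemp` fixes the predictable name, but the hunk neither checks its exit status nor arranges cleanup: if `mktemp` fails, `tmpfile` is empty and later uses of it operate on the wrong path, and on success the file is left behind in $TMPDIR when the script finishes. Suggest `tmpfile=$(mktemp) || exit 1` followed by `trap 'rm -f "$tmpfile"' EXIT`. Note also the location change: the old `tmp$RANDOM.tmp` was created relative to the current directory, while the new file lands in $TMPDIR (default /tmp), which is worth confirming against how `$tmpfile` is used in the rest of the script.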


- -- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (700, 'testing'), (600, 'unstable'), (500, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iFYEARELAAYFAkjM798ACgkQGOp6XeD8cQ2LRgDgg5MWslv+21jb7dv/kzfwQC6q
wRWVmLZ+2zLAywDeKwmZ8asTsBpGIoXInoXpvne9qRrvQU0vJStGng==
=xWvB
-----END PGP SIGNATURE-----
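As an added example that is not part of the bug report or of the python2.4 examples package, the following POSIX-sh snippet shows the fix the patch applies in a reusable form and goes a step beyond it: a helper that creates the temporary file with `mktemp` under a private umask, a check that the result is a regular file owned by the caller with no group/other permission bits, and a small lint that flags the `tmp$RANDOM` pattern in a script's source. The function names (`secure_tmpfile`, `tmpfile_is_private`, `lint_predictable_tmp`), the template name `faqwiz.XXXXXX` and the two one-line sample scripts are constructed for this example.

```shell
#!/bin/sh
# Added example; not code from the Debian bug report or from the python2.4
# examples package. Function names, the mktemp template and the sample
# scripts below are constructed for illustration.

# Create a private temporary file under ${TMPDIR:-/tmp} and print its path.
# mktemp creates the file itself, atomically and with a random suffix, so the
# name cannot be guessed ahead of time and a file or symlink planted at a
# predictable path (the risk with tmp$RANDOM.tmp) is never opened.
secure_tmpfile() {
    # Subshell keeps the restrictive umask from leaking into the caller.
    ( umask 077 && mktemp "${TMPDIR:-/tmp}/faqwiz.XXXXXX" )
}

# Succeed only if $1 is a regular file (not a symlink) owned by the caller
# with no group/other permission bits: columns 5-10 of `ls -l` are "------".
tmpfile_is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] && [ -O "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Lint: print every line of script $1 that builds a tmp* variable from
# $RANDOM or the bare PID ($$), both of which are easy to enumerate, and
# fail if any such line exists. A script that uses mktemp passes.
lint_predictable_tmp() {
    ! grep -nE 'tmp[A-Za-z0-9_]*=.*\$(RANDOM|\$)' "$1"
}

# Demo on two constructed one-line scripts: the line the Debian patch
# removed and the line it added.
demo() {
    work=$(mktemp -d "${TMPDIR:-/tmp}/lintdemo.XXXXXX") || return 1
    trap 'rm -rf "$work"' EXIT INT TERM
    printf 'tmpfile=tmp$RANDOM.tmp\n' > "$work/before.sh"
    printf 'tmpfile=`mktemp`\n'       > "$work/after.sh"

    lint_predictable_tmp "$work/before.sh" || echo "before.sh: predictable temp-file name"
    lint_predictable_tmp "$work/after.sh"  && echo "after.sh: ok"

    t=$(secure_tmpfile) || return 1
    tmpfile_is_private "$t" && echo "private temp file created: $t"
    rm -f "$t"
}

demo
```

The lint is deliberately narrow (a `tmp*=` assignment whose value contains `$RANDOM` or `$$`); it is meant as a cheap pre-upload check for example scripts, not a replacement for reading them. `tmpfile_is_private` uses the `ls -l` mode string rather than `stat` because `stat` flags differ between GNU and BSD userlands.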




Severity set to `important' from `grave' Request was from Marc 'HE' Brockschmidt <he@debian.org> to control@bugs.debian.org. (Sun, 14 Sep 2008 11:57:03 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#498899; Package python2.4-examples. (full text, mbox, link).


Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. (full text, mbox, link).


Message #12 received at 498899@bugs.debian.org (full text, mbox, reply):

From: Steve Langasek <vorlon@debian.org>
To: Jan Hauke Rahm <info@jhr-online.de>, 498899@bugs.debian.org
Subject: Re: [Secure-testing-team] Bug#498899: Unsecure use of temporary files
Date: Sun, 14 Sep 2008 12:40:57 -0700
severity 498899 normal
thanks

On Sun, Sep 14, 2008 at 01:05:08PM +0200, Jan Hauke Rahm wrote:
> Package: python2.4-examples
> Version: 2.4.5-5
> Severity: grave
> Tags: security patch

> Hi Matthias,

> in your script "Tools/faqwiz/move-faqwiz.sh" you use $RANDOM to create a
> temporary file. This is very unsecure and should be replaced by mktemp.

But it's an example.  Security is not compromised by "using" this package,
only by blindly running scripts located under
/usr/share/doc/python2.4/examples...

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org




Severity set to `normal' from `important' Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (Sun, 14 Sep 2008 19:48:20 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#498899; Package python2.4-examples. (full text, mbox, link).


Acknowledgement sent to Jan Hauke Rahm <info@jhr-online.de>:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. (full text, mbox, link).


Message #19 received at 498899@bugs.debian.org (full text, mbox, reply):

From: Jan Hauke Rahm <info@jhr-online.de>
To: Steve Langasek <vorlon@debian.org>
Cc: 498899@bugs.debian.org
Subject: Re: [Secure-testing-team] Bug#498899: Unsecure use of temporary files
Date: Sun, 14 Sep 2008 22:59:14 +0200
[Message part 1 (text/plain, inline)]
Hi Steve,

On Sun, Sep 14, 2008 at 12:40:57PM -0700, Steve Langasek wrote:
> On Sun, Sep 14, 2008 at 01:05:08PM +0200, Jan Hauke Rahm wrote:
> > in your script "Tools/faqwiz/move-faqwiz.sh" you use $RANDOM to create a
> > temporary file. This is very unsecure and should be replaced by mktemp.
> 
> But it's an example.  Security is not compromised by "using" this package,
> only by blindly running scripts located under
> /usr/share/doc/python2.4/examples...

That's true but I think Debian should never release files with known
security issue, neither in direct use, nor as example script. Maybe
severity was set too high, but I think this is a bug and should be
solved. For my part after release if such fixes are not accepted
during freeze...

Cheers,
Hauke
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#498899; Package python2.4-examples. (full text, mbox, link).


Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. (full text, mbox, link).


Message #24 received at 498899@bugs.debian.org (full text, mbox, reply):

From: Thijs Kinkhorst <thijs@debian.org>
To: 498899@bugs.debian.org
Subject: Re: [Secure-testing-team] Bug#498899: Unsecure use of temporary files
Date: Tue, 16 Sep 2008 08:50:27 +0200
[Message part 1 (text/plain, inline)]
Hi,

This has been assigned CVE-2008-4108, please reference it in the changelog.

We all know what happens with example code: people copy it into their 
programs. Therefore please make it a priority to fix this in lenny even 
though it's an example.


thanks,
Thijs
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#498899; Package python2.4-examples. (full text, mbox, link).


Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. (full text, mbox, link).


Message #29 received at 498899@bugs.debian.org (full text, mbox, reply):

From: Thijs Kinkhorst <thijs@debian.org>
To: dann frazier <dannf@debian.org>
Cc: team@security.debian.org, 498899@bugs.debian.org
Subject: Re: postfix update FTBFS on mipsel
Date: Tue, 16 Sep 2008 09:12:16 +0200
[Message part 1 (text/plain, inline)]
On Tuesday 16 September 2008 04:38, dann frazier wrote:
> fyi, just filed this bug:
>   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=499075
>
> The mipsel buildd has retried numerous times, so I don't believe this
> is a transient failure.

We are aware; we retried ourselves and I contacted LaMont, who thinks it's a 
buildd misconfiguration. I have contacted the mipsel buildd maintainers but 
received not even an acknowledgement of my email.

If you think the security team can do anything more about this please let me 
know.


Thijs
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#498899; Package python2.4-examples. (full text, mbox, link).


Acknowledgement sent to dann frazier <dannf@debian.org>:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. (full text, mbox, link).


Message #34 received at 498899@bugs.debian.org (full text, mbox, reply):

From: dann frazier <dannf@debian.org>
To: Thijs Kinkhorst <thijs@debian.org>
Cc: team@security.debian.org, 498899@bugs.debian.org
Subject: Re: postfix update FTBFS on mipsel
Date: Tue, 16 Sep 2008 13:56:59 -0600
On Tue, Sep 16, 2008 at 09:12:16AM +0200, Thijs Kinkhorst wrote:
> On Tuesday 16 September 2008 04:38, dann frazier wrote:
> > fyi, just filed this bug:
> >   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=499075
> >
> > The mipsel buildd has retried numerous times, so I don't believe this
> > is a transient failure.
> 
> We are aware; we retried ourselves and I contacted LaMont, who thinks it's a 
> buildd misconfiguration. I have contacted the mipsel buildd maintainers but 
> received not even an acknowledgement of my email.
> 
> If you think the security team can do anything more about this please let me 
> know.

I don't, or I would've done it :) phil asked me to file the bug and I
just wanted to keep the team informed. I also tried contacting the
mipsel buildd maintainer (no response yet).

-- 
dann frazier





Tags added: pending Request was from Matthias Klose <doko@cs.tu-berlin.de> to control@bugs.debian.org. (Sun, 30 Nov 2008 13:42:05 GMT) (full text, mbox, link).


Changed Bug submitter to 'Jan Hauke Rahm <jhr@debian.org>' from 'Jan Hauke Rahm <info@jhr-online.de>' Request was from Jan Hauke Rahm <jhr@debian.org> to control@bugs.debian.org. (Sat, 03 Oct 2009 13:27:28 GMT) (full text, mbox, link).


Bug reassigned from package 'python2.4-examples' to 'python2.7-examples'. Request was from David Prévot <taffit@debian.org> to control@bugs.debian.org. (Sun, 08 Apr 2012 22:33:03 GMT) (full text, mbox, link).


No longer marked as found in versions python2.4/2.4.5-5. Request was from David Prévot <taffit@debian.org> to control@bugs.debian.org. (Sun, 08 Apr 2012 22:33:04 GMT) (full text, mbox, link).


Marked as found in versions python2.7/2.7.2-8. Request was from David Prévot <taffit@debian.org> to control@bugs.debian.org. (Sun, 08 Apr 2012 22:33:04 GMT) (full text, mbox, link).


Bug 498899 cloned as bug 668107 Request was from David Prévot <taffit@debian.org> to control@bugs.debian.org. (Sun, 08 Apr 2012 22:33:04 GMT) (full text, mbox, link).


Bug reassigned from package 'python2.7-examples' to 'python2.4-examples'. Request was from Matthias Klose <doko@debian.org> to control@bugs.debian.org. (Sat, 14 Apr 2012 09:27:39 GMT) (full text, mbox, link).


No longer marked as found in versions python2.7/2.7.2-8. Request was from Matthias Klose <doko@debian.org> to control@bugs.debian.org. (Sat, 14 Apr 2012 09:27:39 GMT) (full text, mbox, link).


Marked Bug as done Request was from Matthias Klose <doko@debian.org> to control@bugs.debian.org. (Sat, 14 Apr 2012 09:27:40 GMT) (full text, mbox, link).


Notification sent to Jan Hauke Rahm <jhr@debian.org>:
Bug acknowledged by developer. (Sat, 14 Apr 2012 09:27:40 GMT) (full text, mbox, link).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 13 May 2012 07:52:27 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:28:48 2019; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.