Debian Bug report logs - #498899
Unsecure use of temporary files
Reported by: Jan Hauke Rahm <jhr@debian.org>
Date: Sun, 14 Sep 2008 11:12:01 UTC
Severity: normal
Tags: patch, pending, security
Done: Matthias Klose <doko@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Matthias Klose <doko@debian.org>: Bug#498899; Package python2.4-examples.
Acknowledgement sent to Jan Hauke Rahm <info@jhr-online.de>: New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Matthias Klose <doko@debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: python2.4-examples
Version: 2.4.5-5
Severity: grave
Tags: security patch
Hi Matthias,
in your script "Tools/faqwiz/move-faqwiz.sh" you use $RANDOM to create a
temporary file. This is very unsecure and should be replaced by mktemp.
The following patch tries to solve that and beyond that solves your
bashism bug #489648.
Please test the patch thoroughly and upload ASAP if appropriate.
Cheers,
Hauke
*** bashandtmp.patch
diff -Naur python2.4-2.4.5~/Tools/faqwiz/move-faqwiz.sh python2.4-2.4.5/Tools/faqwiz/move-faqwiz.sh
- --- python2.4-2.4.5~/Tools/faqwiz/move-faqwiz.sh 2008-09-14 12:36:45.000000000 +0200
+++ python2.4-2.4.5/Tools/faqwiz/move-faqwiz.sh 2008-09-14 12:40:44.000000000 +0200
@@ -9,7 +9,7 @@
# blackjesus:~> ./move-faqwiz.sh 2\.1 3\.2
# Moving FAQ question 02.001 to 03.002
- -if [ x$2 == x ]; then
+if [ x$2 = x ]; then
echo "Need 2 args: original_version final_version."
exit 2
fi
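Review bot: `[ x$2 = x ]` fixes the bashism, but the operand is still unquoted, so an argument containing whitespace expands into several words and `[` errors out instead of printing the usage message; quote it as `[ "x$2" = x ]`, or test the count directly with `[ $# -ne 2 ]`, which also catches a spurious third argument.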
@@ -19,7 +19,7 @@
exit 2
fi
- -function cut_n_pad() {
+cut_n_pad () {
t=`echo $1 | cut -d. -f $2`
export $3=`echo $t | awk "{ tmp = \\$0; l = length(tmp); for (i = 0; i < $2-l+1; i++) { tmp = "0".tmp } print tmp }"`
}
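Review bot: dropping the `function` keyword is the right POSIX form, but the body still expands `$1` unquoted in `echo $1 | cut ...` and writes its result through `export $3=...`, which assigns to whatever variable name the caller passes. The callers in this script pass fixed names (`prefix1`, `suffix1`, ...), so it is safe here, but quote `"$1"` and add a one-line comment stating that the third argument is a variable name, so that whoever copies this example does not route user input into it.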
@@ -28,7 +28,7 @@
cut_n_pad $1 2 suffix1
cut_n_pad $2 1 prefix2
cut_n_pad $2 2 suffix2
- -tmpfile=tmp$RANDOM.tmp
+tmpfile=`mktemp`
file1=faq$prefix1.$suffix1.htp
file2=faq$prefix2.$suffix2.htp
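Review bot: `mktemp` with no template creates the file under $TMPDIR or /tmp, whereas `tmp$RANDOM.tmp` was created in the current directory next to the faq*.htp files; if later lines (not in this hunk) move the scratch file into place, that move now crosses filesystems when /tmp is a separate mount, so either check that or pass a template such as `mktemp ./faqmove.XXXXXX`. Also check the exit status (`tmpfile=$(mktemp) || exit 1`) and remove the file via a `trap` on exit, otherwise a failed run leaves it behind. Note too that under dash, which is the reporter's /bin/sh, `$RANDOM` is unset, so the old name was the constant `tmp.tmp`, not merely a guessable one.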
-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (700, 'testing'), (600, 'unstable'), (500, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-1-686 (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
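The pattern the patch reaches for, written out as an added example that is not code from the bug report, the patch, or the python2.4 sources: a mktemp template in the directory being edited, a fail-closed check on its result, and cleanup on exit. The faq*.htp names follow the script's own scheme; the directory, file contents and function names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the Debian bug or the python2.4 sources. Replaces the
# tmp$RANDOM.tmp step of move-faqwiz.sh with a mktemp template in the faq
# directory, a fail-closed check, and cleanup on exit. All names are constructed.

# Create a private scratch file in directory $1 with an unpredictable name and
# print its path. mktemp opens it O_CREAT|O_EXCL with mode 0600, so a file or
# symlink planted at a guessable name is never reused or followed.
make_tmpfile() {
    [ -d "$1" ] || { echo "make_tmpfile: $1 is not a directory" >&2; return 1; }
    mktemp "$1/faqmove.XXXXXXXX"
}

# Permission bits of a file as ls prints them, e.g. -rw-------.
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# Rewrite faq02.001.htp into faq03.002.htp through a scratch file that lives in
# the same directory (so the final mv is an atomic rename) and is removed on
# any exit path, including a failure part-way through.
move_faq() {
    dir=$1
    tmpfile=$(make_tmpfile "$dir") || return 1
    trap 'rm -f "$tmpfile"' EXIT HUP INT TERM
    sed 's/^/moved: /' "$dir/faq02.001.htp" > "$tmpfile" || return 1
    mv "$tmpfile" "$dir/faq03.002.htp" || return 1
    rm -f "$dir/faq02.001.htp"
}

# Demo driver: builds a constructed faq directory, checks that the scratch file
# is private, runs the move and verifies the result. Returns 0 on success.
demo() {
    faqdir=$(mktemp -d) || return 1
    printf 'Q: example question\n' > "$faqdir/faq02.001.htp"
    scratch=$(make_tmpfile "$faqdir") || return 1
    [ "$(perm_string "$scratch")" = "-rw-------" ] || return 1
    rm -f "$scratch"
    move_faq "$faqdir" || return 1
    [ ! -e "$faqdir/faq02.001.htp" ] || return 1
    [ "$(cat "$faqdir/faq03.002.htp")" = "moved: Q: example question" ] || return 1
    rm -rf "$faqdir"
}
```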
Severity set to `important' from `grave'. Request was from Marc 'HE' Brockschmidt <he@debian.org> to control@bugs.debian.org. (Sun, 14 Sep 2008 11:57:03 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>: Bug#498899; Package python2.4-examples.
Acknowledgement sent to Steve Langasek <vorlon@debian.org>: Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>.
Message #12 received at 498899@bugs.debian.org:
severity 498899 normal
thanks
On Sun, Sep 14, 2008 at 01:05:08PM +0200, Jan Hauke Rahm wrote:
> Package: python2.4-examples
> Version: 2.4.5-5
> Severity: grave
> Tags: security patch
> Hi Matthias,
> in your script "Tools/faqwiz/move-faqwiz.sh" you use $RANDOM to create a
> temporary file. This is very unsecure and should be replaced by mktemp.
But it's an example. Security is not compromised by "using" this package,
only by blindly running scripts located under
/usr/share/doc/python2.4/examples...
--
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                 to set it on, and I can move the world.
Ubuntu Developer                 http://www.debian.org/
slangasek@ubuntu.com             vorlon@debian.org
Severity set to `normal' from `important'. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (Sun, 14 Sep 2008 19:48:20 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>: Bug#498899; Package python2.4-examples.
Acknowledgement sent to Jan Hauke Rahm <info@jhr-online.de>: Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>.
Message #19 received at 498899@bugs.debian.org:
Hi Steve,
On Sun, Sep 14, 2008 at 12:40:57PM -0700, Steve Langasek wrote:
> On Sun, Sep 14, 2008 at 01:05:08PM +0200, Jan Hauke Rahm wrote:
> > in your script "Tools/faqwiz/move-faqwiz.sh" you use $RANDOM to create a
> > temporary file. This is very unsecure and should be replaced by mktemp.
>
> But it's an example. Security is not compromised by "using" this package,
> only by blindly running scripts located under
> /usr/share/doc/python2.4/examples...
That's true, but I think Debian should never release files with known
security issues, neither in direct use nor as example scripts. Maybe the
severity was set too high, but I think this is a bug and should be
solved. For my part, after release if such fixes are not accepted
during freeze...
Cheers,
Hauke
Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>: Bug#498899; Package python2.4-examples.
Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>: Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>.
Message #24 received at 498899@bugs.debian.org:
Hi,
This has been assigned CVE-2008-4108, please reference it in the changelog.
We all know what happens with example code: people copy it into their
programs. Therefore please make it a priority to fix this in lenny even
though it's an example.
thanks,
Thijs
Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>: Bug#498899; Package python2.4-examples.
Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>: Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>.
Message #29 received at 498899@bugs.debian.org:
On Tuesday 16 September 2008 04:38, dann frazier wrote:
> fyi, just filed this bug:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=499075
>
> The mipsel buildd has retried numerous times, so I don't believe this
> is a transient failure.
We are aware; we retried ourselves and I contacted LaMont, who thinks it's a
buildd misconfiguration. I have contacted the mipsel buildd maintainers but
received not even an acknowledgement of my email.
If you think the security team can do anything more about this please let me
know.
Thijs
Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>: Bug#498899; Package python2.4-examples.
Acknowledgement sent to dann frazier <dannf@debian.org>: Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>.
Message #34 received at 498899@bugs.debian.org:
On Tue, Sep 16, 2008 at 09:12:16AM +0200, Thijs Kinkhorst wrote:
> On Tuesday 16 September 2008 04:38, dann frazier wrote:
> > fyi, just filed this bug:
> >   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=499075
> >
> > The mipsel buildd has retried numerous times, so I don't believe this
> > is a transient failure.
>
> We are aware; we retried ourselves and I contacted LaMont, who thinks it's a
> buildd misconfiguration. I have contacted the mipsel buildd maintainers but
> received not even an acknowledgement of my email.
>
> If you think the security team can do anything more about this please let me
> know.
I don't, or I would've done it :) phil asked me to file the bug and I
just wanted to keep the team informed. I also tried contacting the
mipsel buildd maintainer (no response yet).
--
dann frazier
Tags added: pending. Request was from Matthias Klose <doko@cs.tu-berlin.de> to control@bugs.debian.org. (Sun, 30 Nov 2008 13:42:05 GMT)
Changed Bug submitter to 'Jan Hauke Rahm <jhr@debian.org>' from 'Jan Hauke Rahm <info@jhr-online.de>'. Request was from Jan Hauke Rahm <jhr@debian.org> to control@bugs.debian.org. (Sat, 03 Oct 2009 13:27:28 GMT)
No longer marked as found in versions python2.4/2.4.5-5. Request was from David Prévot <taffit@debian.org> to control@bugs.debian.org. (Sun, 08 Apr 2012 22:33:04 GMT)
Marked as found in versions python2.7/2.7.2-8. Request was from David Prévot <taffit@debian.org> to control@bugs.debian.org. (Sun, 08 Apr 2012 22:33:04 GMT)
Bug 498899 cloned as bug 668107. Request was from David Prévot <taffit@debian.org> to control@bugs.debian.org. (Sun, 08 Apr 2012 22:33:04 GMT)
No longer marked as found in versions python2.7/2.7.2-8. Request was from Matthias Klose <doko@debian.org> to control@bugs.debian.org. (Sat, 14 Apr 2012 09:27:39 GMT)
Marked Bug as done. Request was from Matthias Klose <doko@debian.org> to control@bugs.debian.org. (Sat, 14 Apr 2012 09:27:40 GMT)
Notification sent to Jan Hauke Rahm <jhr@debian.org>: Bug acknowledged by developer. (Sat, 14 Apr 2012 09:27:40 GMT)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 13 May 2012 07:52:27 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Wed Jun 19 16:28:48 2019; Machine Name: buxtehude