git-effort/git-changelog: predictable /tmp filenames (CVE-2012-6114)

Related Vulnerabilities: CVE-2012-6114  

Debian Bug report logs - #698490


Reported by: Helmut Grohne <helmut@subdivi.de>

Date: Sat, 19 Jan 2013 11:12:01 UTC

Severity: serious

Tags: patch, security

Found in version git-extras/1.7.0-1.1

Fixed in version git-extras/1.7.0-1.2

Done: Jonathan Wiltshire <jmw@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Jesús Espino <jespinog@gmail.com>:
Bug#698490; Package git-extras. (Sat, 19 Jan 2013 11:12:04 GMT)


Acknowledgement sent to Helmut Grohne <helmut@subdivi.de>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Jesús Espino <jespinog@gmail.com>. (Sat, 19 Jan 2013 11:12:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Helmut Grohne <helmut@subdivi.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: git-effort: predictable /tmp filename
Date: Sat, 19 Jan 2013 12:08:10 +0100
Package: git-extras
Version: 1.7.0-1.1
Severity: serious
Tags: security


The git-effort utility uses /tmp/.git-effort as the name of its
temporary filename. While this already prevents two users from using
this utility (due to not cleaning its temporary file) it also allows for
targeted symbolic link attacks. No guessing involved.

Helmut
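
The difference between the fixed name and a mktemp-created file, shown as an added example that is not part of the original report or of git-extras. A sandbox directory stands in for /tmp, and the function names and file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example, not git-extras code. A sandbox directory stands in for /tmp.

# Pre-fix pattern: a fixed name in a shared directory. The redirect opens
# the path with O_CREAT|O_TRUNC and follows a symlink that is already there.
write_fixed() {            # $1: directory standing in for /tmp
    printf 'effort data\n' > "$1/.git-effort"
}

# Hardened pattern: mktemp picks an unpredictable name and creates the file
# exclusively with mode 0600. The subshell body scopes the EXIT trap, which
# removes the file again. Prints the path that was used.
write_mktemp() (           # $1: directory standing in for /tmp
    tmp="$(mktemp "$1/git-effort.XXXXXX")" || exit 1
    trap 'rm -f -- "$tmp"' EXIT
    printf 'effort data\n' > "$tmp"
    printf '%s\n' "$tmp"
)

# Constructed scenario: a file outside the shared directory, and a symlink
# to it already sitting at the predictable name. Runs one of the writers and
# prints what that outside file contains afterwards.
outside_file_after() {     # $1: write_fixed | write_mktemp
    sandbox="$(mktemp -d)" || return 1
    mkdir "$sandbox/tmp"
    printf 'important\n' > "$sandbox/outside"
    ln -s "$sandbox/outside" "$sandbox/tmp/.git-effort"
    "$1" "$sandbox/tmp" > /dev/null
    cat "$sandbox/outside"
    rm -rf "$sandbox"
}

echo "fixed name: outside file holds '$(outside_file_after write_fixed)'"
echo "mktemp:     outside file holds '$(outside_file_after write_mktemp)'"
```

On Linux the fs.protected_symlinks sysctl blocks following such links in sticky world-writable directories, but it does not remove the collision between two users of the same fixed name, so the script-level fix is still needed.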



Message #10 received at 698490@bugs.debian.org:

From: Henri Salo <henri@nerv.fi>
To: 698490@bugs.debian.org
Subject: CVE needed?
Date: Sat, 19 Jan 2013 13:29:32 +0200

Hello,

Does this issue have a CVE identifier? I am happy to request one if there isn't one yet.

- Henri Salo



Message #15 received at 698490@bugs.debian.org:

From: Rob Browning <rlb@defaultvalue.org>
To: 698490@bugs.debian.org
Cc: control@bugs.debian.org, Helmut Grohne <helmut@subdivi.de>
Subject: Re: git-effort: predictable /tmp filename
Date: Sat, 19 Jan 2013 10:51:23 -0600
tag 698490 +patch
thanks

Assuming I understood the situation correctly, this might be a plausible
fix:

[0001-Create-git-effort-temp-file-via-mktemp-and-remove-it.patch (text/x-diff, inline)]
From 679c67c615947b44aafa969f00ea00f9ed997e4e Mon Sep 17 00:00:00 2001
From: Rob Browning <rlb@defaultvalue.org>
Date: Sat, 19 Jan 2013 10:44:34 -0600
Subject: [PATCH 1/1] Create git-effort temp file via mktemp and remove it on
 EXIT.

---
 bin/git-effort |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/bin/git-effort b/bin/git-effort
index a3bb50e..72ad95d 100755
--- a/bin/git-effort
+++ b/bin/git-effort
@@ -1,9 +1,11 @@
 #!/bin/bash
 
-tmp=/tmp/.git-effort
+tmp="$(mktemp --suffix -git-effort)"
 above='0'
 color=
 
+trap "rm -f '$tmp'" EXIT
+
 #
 # get date for the given <commit>
 #
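
Review bot: the `tmp="$(mktemp --suffix -git-effort)"` assignment has no failure check, and the visible top of the script does not enable `set -e`, so if mktemp fails the script carries on with an empty `$tmp` and the later `tee $tmp` runs with no file argument. Append `|| exit 1` to the assignment. The trap string is double-quoted, so `$tmp` is expanded when the trap is installed and a path containing a single quote would break the `rm` command; `trap 'rm -f -- "$tmp"' EXIT` defers the expansion and quotes it safely. `--suffix` is a GNU mktemp option, so a plain template such as `mktemp "${TMPDIR:-/tmp}/git-effort.XXXXXX"` would be more portable if the script is expected to run elsewhere.
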
@@ -122,4 +124,4 @@ heading
 effort $files | tee $tmp && sort_effort
 echo
 
-show_cursor
\ No newline at end of file
+show_cursor
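
Review bot: `$tmp` is unquoted in the context line `effort $files | tee $tmp && sort_effort`; the path now comes from mktemp, which honours TMPDIR, so a temporary directory containing whitespace would be word-split here. Quote it as `tee "$tmp"`, and check every other use of `$tmp` outside this hunk the same way. The only change in this hunk is the added trailing newline, which is unrelated to the fix and would sit better in a separate commit or be mentioned in the commit message.
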
-- 
1.7.10.4

-- 
Rob Browning
rlb @defaultvalue.org and @debian.org
GPG as of 2011-07-10 E6A9 DA3C C9FD 1FF8 C676 D2C4 C0F0 39E9 ED1B 597A
GPG as of 2002-11-03 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4

Added tag(s) patch. Request was from Rob Browning <rlb@defaultvalue.org> to control@bugs.debian.org. (Sat, 19 Jan 2013 16:54:05 GMT)


Message #22 received at 698490@bugs.debian.org:

From: Helmut Grohne <helmut@subdivi.de>
To: Rob Browning <rlb@defaultvalue.org>
Cc: 698490@bugs.debian.org
Subject: Re: git-effort: predictable /tmp filename
Date: Sat, 19 Jan 2013 22:40:43 +0100

On Sat, Jan 19, 2013 at 10:51:23AM -0600, Rob Browning wrote:
> Assuming I understood the situation correctly, this might be a plausible
> fix:

Yes. Thanks for your quick reaction.

Helmut



Message #27 received at 698490@bugs.debian.org:

From: Rob Browning <rlb@defaultvalue.org>
To: Helmut Grohne <helmut@subdivi.de>
Cc: 698490@bugs.debian.org
Subject: Re: git-effort: predictable /tmp filename
Date: Sat, 19 Jan 2013 21:02:22 -0600

Helmut Grohne <helmut@subdivi.de> writes:

> On Sat, Jan 19, 2013 at 10:51:23AM -0600, Rob Browning wrote:
>> Assuming I understood the situation correctly, this might be a plausible
>> fix:
>
> Yes. Thanks for your quick reaction.

You're certainly welcome, though it was just luck -- happened to be
poking around the wheezy bug list.

-- 
Rob Browning
rlb @defaultvalue.org and @debian.org
GPG as of 2011-07-10 E6A9 DA3C C9FD 1FF8 C676 D2C4 C0F0 39E9 ED1B 597A
GPG as of 2002-11-03 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4



Message #32 received at 698490@bugs.debian.org:

From: Jonathan Wiltshire <jmw@debian.org>
To: 698490@bugs.debian.org
Subject: git-extras: diff for NMU version 1.7.0-1.2
Date: Sun, 20 Jan 2013 18:26:18 +0000
tags 698490 + pending
thanks

The patch is incomplete; this problem affects git-changelog too. Patch
attached; I have uploaded it to DELAYED/2.

Maintainer, please ensure this patch gets applied upstream (who also seem
not to understand set -e). I do not and will not have a github account.

-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

[git-extras-1.7.0-1.2-nmu.diff (text/x-diff, attachment)]

Added tag(s) pending. Request was from Jonathan Wiltshire <jmw@debian.org> to control@bugs.debian.org. (Sun, 20 Jan 2013 18:27:08 GMT)


Changed Bug title to 'git-effort/git-changelog: predictable /tmp filenames' from 'git-effort: predictable /tmp filename' Request was from Jonathan Wiltshire <jmw@debian.org> to control@bugs.debian.org. (Mon, 21 Jan 2013 14:48:03 GMT)


Message #41 received at 698490@bugs.debian.org:

From: Henri Salo <henri@nerv.fi>
To: 698490@bugs.debian.org
Subject: CVE
Date: Tue, 22 Jan 2013 17:01:19 +0200

CVE request http://www.openwall.com/lists/oss-security/2013/01/22/8

--
Henri Salo



Reply sent to Jonathan Wiltshire <jmw@debian.org>:
You have taken responsibility. (Tue, 22 Jan 2013 18:51:04 GMT)


Notification sent to Helmut Grohne <helmut@subdivi.de>:
Bug acknowledged by developer. (Tue, 22 Jan 2013 18:51:04 GMT)


Message #46 received at 698490-close@bugs.debian.org:

From: Jonathan Wiltshire <jmw@debian.org>
To: 698490-close@bugs.debian.org
Subject: Bug#698490: fixed in git-extras 1.7.0-1.2
Date: Tue, 22 Jan 2013 18:47:46 +0000

Source: git-extras
Source-Version: 1.7.0-1.2

We believe that the bug you reported is fixed in the latest version of
git-extras, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 698490@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonathan Wiltshire <jmw@debian.org> (supplier of updated git-extras package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Sun, 20 Jan 2013 18:07:43 +0000
Source: git-extras
Binary: git-extras
Architecture: source all
Version: 1.7.0-1.2
Distribution: unstable
Urgency: medium
Maintainer: Jesús Espino <jespinog@gmail.com>
Changed-By: Jonathan Wiltshire <jmw@debian.org>
Description: 
 git-extras - Extra commands for git
Closes: 698490
Changes: 
 git-extras (1.7.0-1.2) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * git-changelog, git-effort: Correct unsafe temporary file usage
     (Closes: #698490)




Changed Bug title to 'git-effort/git-changelog: predictable /tmp filenames (CVE-2012-6114)' from 'git-effort/git-changelog: predictable /tmp filenames' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 23 Jan 2013 12:51:09 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Feb 2013 07:29:12 GMT)

