CVE-2008-5378: possible symlink attacks

Debian Bug report logs - #508942

Reported by: Steffen Joeris <steffen.joeris@skolelinux.de>

Date: Tue, 16 Dec 2008 20:39:04 UTC

Severity: important

Tags: security

Fixed in version arb/0.0.20071207.1-6

Done: Andreas Tille <tille@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Debian-Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>:
Bug#508942; Package arb. (Tue, 16 Dec 2008 20:39:07 GMT)


Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
New Bug report received and forwarded. Copy sent to Debian-Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>. (Tue, 16 Dec 2008 20:39:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2008-5378: possible symlink attacks
Date: Tue, 16 Dec 2008 21:37:33 +0100
Package: arb
Severity: important
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for arb.

CVE-2008-5378[0]:
| arb-kill in arb 0.0.20071207.1 allows local users to overwrite
| arbitrary files via a symlink attack on a /tmp/arb_pids_*_* temporary
| file.

Checking the source for "tmp" with grep reveals some other occurrences,
which should at least be checked.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

Cheers
Steffen

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5378
    http://security-tracker.debian.net/tracker/CVE-2008-5378




Information forwarded to debian-bugs-dist@lists.debian.org, Debian-Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>:
Bug#508942; Package arb. (Mon, 22 Dec 2008 14:00:03 GMT)


Acknowledgement sent to Andreas Tille <tillea@rki.de>:
Extra info received and forwarded to list. Copy sent to Debian-Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>. (Mon, 22 Dec 2008 14:00:03 GMT)


Message #10 received at 508942@bugs.debian.org:

From: Andreas Tille <tillea@rki.de>
To: 508942@bugs.debian.org
Cc: Steffen Joeris <steffen.joeris@skolelinux.de>, debian-devel@rki.de
Subject: Re: CVE-2008-5378: possible symlink attacks
Date: Mon, 22 Dec 2008 14:57:15 +0100 (CET)
Hi,

when I started maintaining arb I noticed that the program might crash
under some rare circumstances.  To enable the users to cleanly start
another instance I enhanced the scripts provided by upstream, which
basically parse a file containing the PIDs of the main arb processes.
These files are stored under

    /tmp/arb_pids_${USER}_${ARB_PID}

Code:
  ARBDB/adcomm.c:    sprintf(filename,"/tmp/arb_pids_%s_%s",user,arb_pid);
  SH/arb_fastdnaml:/bin/echo "$sig $$ \c" >>/tmp/arb_pids_${USER}_${ARB_PID}

These files are parsed in the following scripts provided by upstream:

$ grep -R arb_pids_ * | grep -v -e "\.c:" -e "debian" -e "echo"
SH/arb_clean:   pidfiles=/tmp/arb_pids_$USER_*
SH/arb_clean:   pidfiles=/tmp/arb_pids_${USER}_${ARB_PID}
SH/arb_panic:chooser="/tmp/arb_pids_${USER}_*"
SH/arb_panic:if [ ! -f /tmp/arb_pids_${USER}_${ARB_PID} ]; then
SH/arb_panic:for i in `cat /tmp/arb_pids_${USER}_${ARB_PID}`; do

These are most probably vulnerable, as is arb_kill[1], which is
basically "a working version" of arb_kill.  After quite good experiences
with recent versions of arb the issue of arb_kill became void and I
could simply drop this script to fix CVE-2008-5378 - but this would not
solve the problem with the scripts provided by upstream.

Currently I see two options:

  1. Do not install arb_{clean,panic} any more in the binary package
     and advise the user in the docs what to do in case of a problem.
  2. Make the temp file safe against symlink attacks.  The question
     I have for this case, which should probably be preferred, is: how
     can I safely teach an independent script about the PIDs of a
     crashed program that should be stopped?  I think random file names
     will not really work here, or am I missing something?

Kind regards

       Andreas.

[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5378

-- 
http://fam-tille.de
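The attack the report describes, and one answer to the design question raised in the message above, as an added example. This is not arb's own code and not the change shipped in 0.0.20071207.1-6: it reproduces the predictable-name `/tmp/arb_pids_${USER}_${ARB_PID}` append from SH/arb_fastdnaml against a planted symlink, then shows a writer and reader that keep a fixed, discoverable file name (so an independent cleanup script can still find it) but place it in a per-user directory whose type, owner and mode are verified on every use. The sandbox directory, the user names `alice`/`mallory`, the PIDs and the junk line are constructed for the demonstration; the `$XDG_RUNTIME_DIR`/`$HOME` locations in the comment are assumptions about where a real deployment would put the directory.

```shell
#!/bin/sh
# Added example, not arb's own code: the predictable-name pidfile pattern quoted
# in the bug report next to a hardened equivalent that keeps a fixed file name.
# Everything runs inside a throw-away sandbox so the real /tmp is never touched.
set -u

SANDBOX=$(mktemp -d)             # assumption: this directory stands in for /tmp
trap 'rm -rf "$SANDBOX"' EXIT
ME=$(id -un)

# 1. The vulnerable pattern, as in SH/arb_fastdnaml: appending to a file whose
#    name any local user can predict follows a symlink planted there first.
vulnerable_record_pid() {        # $1=USER $2=ARB_PID $3=pid to record
    echo "$3" >> "$SANDBOX/arb_pids_$1_$2"
}

demo_attack() {                  # returns 0 when the victim file got clobbered
    victim="$SANDBOX/victim_file"                 # constructed stand-in for a file the user owns
    echo "important data" > "$victim"
    rm -f "$SANDBOX/arb_pids_alice_4242"
    ln -s "$victim" "$SANDBOX/arb_pids_alice_4242"    # attacker wins the race
    vulnerable_record_pid alice 4242 31337
    grep -q '^31337$' "$victim"                   # the pid line landed in the victim
}

# 2. Hardened: keep the fixed file name (a cleanup script can still find it) but
#    put it in a directory only this user can write to, verified on every use.
safe_rundir() {                  # $1=USER; prints the private dir or fails
    d="$SANDBOX/arb-$1"          # real life: "$XDG_RUNTIME_DIR/arb" or "$HOME/.arb/run" (assumption)
    mkdir -m 0700 "$d" 2>/dev/null || true
    # find does not follow a symlink given on the command line, so this accepts
    # only a real directory, owned by us, with mode exactly 0700
    [ -n "$(find "$d" -prune -type d -user "$ME" -perm 0700 -print 2>/dev/null)" ] || return 1
    printf '%s\n' "$d"
}

safe_record_pid() {              # $1=USER $2=ARB_PID $3=pid
    d=$(safe_rundir "$1") || return 1
    f="$d/arb_pids_$2"
    [ -L "$f" ] && return 1      # cannot be planted inside a 0700 dir, but cheap to check
    echo "$3" >> "$f"
}

safe_read_pids() {               # $1=USER $2=ARB_PID; prints validated pids
    d=$(safe_rundir "$1") || return 1
    f="$d/arb_pids_$2"
    [ -n "$(find "$f" -prune -type f -user "$ME" -print 2>/dev/null)" ] || return 1
    grep -E '^[0-9]+$' "$f"      # the content ends up as an argument to kill(1)
}

demo_hardened() {                # returns 0 when the planted path is rejected and the honest path works
    rm -rf "$SANDBOX/arb-alice" "$SANDBOX/arb-mallory"
    ln -s "$SANDBOX/victim_file" "$SANDBOX/arb-mallory"   # attacker pre-creates the directory name
    safe_rundir mallory && return 1
    safe_record_pid alice 4242 31337 || return 1
    printf 'rm -rf /\n' >> "$SANDBOX/arb-alice/arb_pids_4242"   # constructed junk line
    [ "$(safe_read_pids alice 4242)" = 31337 ]
}

if demo_attack && demo_hardened; then
    echo "predictable /tmp name: victim overwritten; private rundir: symlink rejected, junk filtered"
fi
```

Two details are worth noting. The private directory does not need a random name: random names only help a single process that knows the name, while a pidfile has to be found later by a script that does not; ownership and mode checks on a fixed directory give the reader the same guarantee. And the cleanup script's glob `/tmp/arb_pids_$USER_*` is not what it looks like: the shell expands the variable `USER_`, not `$USER` followed by `_`, so the hardened reader takes the user name as an explicit argument.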




Reply sent to Andreas Tille <tille@debian.org>:
You have taken responsibility. (Wed, 11 Feb 2009 13:48:02 GMT)


Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Bug acknowledged by developer. (Wed, 11 Feb 2009 13:48:02 GMT)


Message #15 received at 508942-close@bugs.debian.org:

From: Andreas Tille <tille@debian.org>
To: 508942-close@bugs.debian.org
Subject: Bug#508942: fixed in arb 0.0.20071207.1-6
Date: Wed, 11 Feb 2009 13:32:17 +0000
Source: arb
Source-Version: 0.0.20071207.1-6

We believe that the bug you reported is fixed in the latest version of
arb, which is due to be installed in the Debian FTP archive:

arb-common_0.0.20071207.1-6_all.deb
  to pool/non-free/a/arb/arb-common_0.0.20071207.1-6_all.deb
arb-doc_0.0.20071207.1-6_all.deb
  to pool/non-free/a/arb/arb-doc_0.0.20071207.1-6_all.deb
arb_0.0.20071207.1-6.diff.gz
  to pool/non-free/a/arb/arb_0.0.20071207.1-6.diff.gz
arb_0.0.20071207.1-6.dsc
  to pool/non-free/a/arb/arb_0.0.20071207.1-6.dsc
arb_0.0.20071207.1-6_i386.deb
  to pool/non-free/a/arb/arb_0.0.20071207.1-6_i386.deb
libarb_0.0.20071207.1-6_i386.deb
  to pool/non-free/a/arb/libarb_0.0.20071207.1-6_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 508942@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Tille <tille@debian.org> (supplier of updated arb package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 10 Feb 2009 23:32:41 +0100
Source: arb
Binary: arb libarb arb-common arb-doc
Architecture: source all i386
Version: 0.0.20071207.1-6
Distribution: unstable
Urgency: low
Maintainer: Debian-Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>
Changed-By: Andreas Tille <tille@debian.org>
Description: 
 arb        - Integrated package for sequence database handling and analysis
 arb-common - Integrated package for sequence database handling and analysis
 arb-doc    - Integrated package for sequence database handling and analysis
 libarb     - Integrated package for sequence database handling and analysis
Closes: 508942 511376
Changes: 
 arb (0.0.20071207.1-6) unstable; urgency=low
 .
   * Safe use of /tmp in arb-kill and addressing the other
     potential tempfile symlink attacks reported in
     CVE-2008-5378: possible symlink attacks
     Closes: #508942
   * Use xmllint instead of rxp to verify helpfile XML because
     rxp is outdated, unmaintained and should be removed.
   * Do not use command-with-path-in-maintainer-script in
     postinst and config
   * Added Russian debconf translation (Thanks to Yuri Kozlov)
     Closes: #511376
Checksums-Sha1: 
 3fb87ade99e6e5b720729e0002ecb313924a12a9 1607 arb_0.0.20071207.1-6.dsc
 133ca57b768697158fa0d575ffeed187fdd948e5 32807 arb_0.0.20071207.1-6.diff.gz
 9eca1077835441ce21878070c28f93f3e9a0b5a4 5633294 arb-common_0.0.20071207.1-6_all.deb
 b71d84dfed2c5feba593564a7f814b99e1bc1a7e 697160 arb-doc_0.0.20071207.1-6_all.deb
 fe2c7a659f2445499aa1784751452b9520e43896 2169994 arb_0.0.20071207.1-6_i386.deb
 e0e39144b71b1a791952978f43de0732d02c4c29 918416 libarb_0.0.20071207.1-6_i386.deb
Checksums-Sha256: 
 136fc04a1f6beb5d7301e56345f16019c80c5d31297081655a0da9a001e900ee 1607 arb_0.0.20071207.1-6.dsc
 b6dee432c4fc7692c2bec22925b40ac28dce7a0711eff1235ad60487a8de8b2c 32807 arb_0.0.20071207.1-6.diff.gz
 0ad627dcc3fb3c77c36433462664264b1e766c784b0f06cb8380977a1ed6b255 5633294 arb-common_0.0.20071207.1-6_all.deb
 d446c3be978f483a03fd0cd0defb96cff0eb4a6e753f2e9dda216bf16b4962a4 697160 arb-doc_0.0.20071207.1-6_all.deb
 c4c038931553ed676389ad41c9cfdfe0655adef767f63dedfa61e40ad2ab0475 2169994 arb_0.0.20071207.1-6_i386.deb
 c1bbf62f2b6d19c2cf4e218d1f3f05a0fb328d9bbffba9c35112d9c7c590f82b 918416 libarb_0.0.20071207.1-6_i386.deb
Files: 
 f7aeca0db765267689f5281cf8d9fcad 1607 non-free/science extra arb_0.0.20071207.1-6.dsc
 507f8612fb84492701ba49a09311119a 32807 non-free/science extra arb_0.0.20071207.1-6.diff.gz
 f63ae74e83bf485db4ef56ff4dd3bd28 5633294 non-free/science extra arb-common_0.0.20071207.1-6_all.deb
 ac255c4f887d32800b5263f75b8615a9 697160 non-free/science extra arb-doc_0.0.20071207.1-6_all.deb
 af5423f2750c6ce281a906a971e92a28 2169994 non-free/science extra arb_0.0.20071207.1-6_i386.deb
 6deeb87901a12d59a61b80cd0928c917 918416 non-free/science extra libarb_0.0.20071207.1-6_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFJks7NYDBbMcCf01oRAodyAJ4h8K8l9VRoqqMYb82m3Hy/fcwJbQCfYgBy
THMGKAcTnFn0GBWUtdIvA/M=
=WEpa
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 29 Mar 2009 07:31:00 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:40:15 2019