CVE-2007-4462: arbitrary files overwriting

Related Vulnerabilities: CVE-2007-4462  

Debian Bug report logs - #439226


Package: po4a; Maintainer for po4a is Martin Quinson <mquinson@debian.org>; Source for po4a is src:po4a (PTS, buildd, popcon).

Reported by: Thijs Kinkhorst <thijs@debian.org>

Date: Thu, 23 Aug 2007 12:30:01 UTC

Severity: serious

Tags: security

Found in versions po4a/0.20-2, po4a/0.29-1

Fixed in versions 0.31-1, po4a/0.29-1etch4, po4a/0.20-2sarge1

Done: Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net>:
Bug#439226; Package po4a. (full text, mbox, link).


Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
New Bug report received and forwarded. Copy sent to Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net>. (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Thijs Kinkhorst <thijs@debian.org>
To: submit@bugs.debian.org
Subject: CVE-2007-4462: arbitrary files overwriting
Date: Thu, 23 Aug 2007 14:27:03 +0200
Package: po4a
Severity: serious
Tags: security

Hi,

A security issue has been reported against your package po4a:

> lib/Locale/Po4a/Po.pm in po4a before 0.32 allows local users to overwrite
> arbitrary files via a symlink attack on the gettextization.failed.po
> temporary file.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4462
It seems the new upstream 0.32 fixes this.

Please mention the CVE id in the changelog when fixing this.
Also please check whether stable and oldstable are vulnerable and coordinate
with the security team.


Thanks,
Thijs

Information forwarded to debian-bugs-dist@lists.debian.org, Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net>:
Bug#439226; Package po4a. (full text, mbox, link).


Acknowledgement sent to Nicolas François <nicolas.francois@centraliens.net>:
Extra info received and forwarded to list. Copy sent to Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net>. (full text, mbox, link).


Message #10 received at 439226@bugs.debian.org (full text, mbox, reply):

From: Nicolas François <nicolas.francois@centraliens.net>
To: Thijs Kinkhorst <thijs@debian.org>, 439226@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#439226: CVE-2007-4462: arbitrary files overwriting
Date: Thu, 23 Aug 2007 21:07:43 +0200
found 439226 0.20-2
found 439226 0.29-1
notfound 439226 0.31-1
thanks

Hi,

On Thu, Aug 23, 2007 at 02:27:03PM +0200, thijs@debian.org wrote:
> Hi,
> 
> A security issue has been reported against your package po4a:
> 
> > lib/Locale/Po4a/Po.pm in po4a before 0.32 allows local users to overwrite
> > arbitrary files via a symlink attack on the gettextization.failed.po
> > temporary file.
> 
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4462
> It seems the new upstream 0.32 fixes this.
> 
> Please mention the CVE id in the changelog when fixing this.
> Also please check whether stable and oldstable are vulnerable and coordinate
> with the security team.

This was fixed in Debian's 0.31-1

stable and oldstable are vulnerable.


The fix for this bug is quite simple:
replacing
        $pores->write("/tmp/gettextization.failed.po");
by
        $pores->write("gettextization.failed.po");



Security Team, shall I prepare packages with this fix and upload to
stable-security and oldstable-security?


Kind Regards,
-- 
Nekral



Bug marked as found in version 0.20-2. Request was from Nicolas François <nicolas.francois@centraliens.net> to control@bugs.debian.org. (Thu, 23 Aug 2007 19:09:05 GMT) (full text, mbox, link).


Bug marked as found in version 0.29-1. Request was from Nicolas François <nicolas.francois@centraliens.net> to control@bugs.debian.org. (Thu, 23 Aug 2007 19:09:05 GMT) (full text, mbox, link).


Bug no longer marked as found in version 0.31-1. Request was from Nicolas François <nicolas.francois@centraliens.net> to control@bugs.debian.org. (Thu, 23 Aug 2007 19:09:06 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net>:
Bug#439226; Package po4a. (full text, mbox, link).


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net>. (full text, mbox, link).


Message #21 received at 439226@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Nicolas François <nicolas.francois@centraliens.net>
Cc: Thijs Kinkhorst <thijs@debian.org>, 439226@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#439226: CVE-2007-4462: arbitrary files overwriting
Date: Fri, 31 Aug 2007 17:39:47 +0200
Nicolas François wrote:
> > Hi,
> > 
> > A security issue has been reported against your package po4a:
> > 
> > > lib/Locale/Po4a/Po.pm in po4a before 0.32 allows local users to overwrite
> > > arbitrary files via a symlink attack on the gettextization.failed.po
> > > temporary file.
> > 
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4462
> > It seems the new upstream 0.32 fixes this.
> > 
> > Please mention the CVE id in the changelog when fixing this.
> > Also please check whether stable and oldstable are vulnerable and coordinate
> > with the security team.
> 
> This was fixed in Debian's 0.31-1
> 
> stable and oldstable are vulnerable.
> 
> The fix for this bug is quite simple:
> replacing
>         $pores->write("/tmp/gettextization.failed.po");
> by
>         $pores->write("gettextization.failed.po");
> 
> Security Team, shall I prepare packages with this fix and upload to
> stable-security and oldstable-security?

Which enduser tools use the affected code and which operations trigger the
vulnerability?

Given that there's apparently no regularly scheduled execution (e.g. in
comparison to a server cron job), that the .pm doesn't run with elevated
privileges, that po4a is exotic and apparently uncommon in a multi user
environment with shared /tmp I'm for now inclined to consider this not
grave enough for a DSA. (However, this depends on the information I'm
asking for)

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net>:
Bug#439226; Package po4a. (full text, mbox, link).


Acknowledgement sent to Nicolas François <nicolas.francois@centraliens.net>:
Extra info received and forwarded to list. Copy sent to Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net>. (full text, mbox, link).


Message #26 received at 439226@bugs.debian.org (full text, mbox, reply):

From: Nicolas François <nicolas.francois@centraliens.net>
To: Moritz Muehlenhoff <jmm@inutil.org>, 439226@bugs.debian.org
Cc: Thijs Kinkhorst <thijs@debian.org>, team@security.debian.org
Subject: Re: Bug#439226: CVE-2007-4462: arbitrary files overwriting
Date: Fri, 31 Aug 2007 18:59:52 +0200
Hello,

On Fri, Aug 31, 2007 at 05:39:47PM +0200, Moritz Muehlenhoff wrote:
> 
> Which enduser tools use the affected code and which operations trigger the
> vulnerability?
> 
> Given that there's apparently no regularly scheduled execution (e.g. in
> comparison to a server cron job), that the .pm doesn't run with elevated
> privileges, that po4a is exotic and apparently uncommon in a multi user
> environment with shared /tmp I'm for now inclined to consider this not
> grave enough for a DSA. (However, this depends on the information I'm
> asking for)

The vulnerability is a symlink attack which does not involve a race
condition (the link could be installed a long time before).

po4a is a development tool, used as a build dependency for some Debian
packages.  My opinion is that it should not be used by root.

The vulnerability occurs in po4a-gettextize when it is used to import an
existing translation and convert it to a PO file usable for later
operations by the po4a tools (and by translators).
The file is written in /tmp only if this process fails.
This usage of po4a-gettextize is intended to be interactive (with the user
fixing errors reported by each run of po4a-gettextize) in the early stage
of building a translation framework.

Thus I don't expect this vulnerability to occur (there should be no errors
and the file should not be written) in a build system or to be triggered
by admins using "make && make install" as root with non-malicious
software.

If eventually this results in overwriting a file, this file will be a PO
file.
This will result in a DOS if /etc/shadow is overwritten. I don't expect
any line matching a valid shadow entry (i.e. the first field will contain
a space or will start with " or #).

Kind Regards,
-- 
Nekral
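The thread above describes the flaw (a fixed-name file written under /tmp, so a pre-planted symlink is followed) and the one-line fix (write into the current directory instead). The following is an added example, not po4a's code: it contrasts the pre-fix write pattern with a symlink-refusing write based on O_EXCL, and runs both against a constructed symlink scenario inside a private temporary directory. The file and function names are the example's own.

```python
import os
import tempfile

REPORT_NAME = "gettextization.failed.po"  # fixed name cited in the bug report


def unsafe_write(path, data):
    """Pre-fix pattern: a plain open() follows a symlink already sitting at
    `path`, so whatever it points at is truncated and filled with PO text."""
    with open(path, "wb") as fh:
        fh.write(data)


def safe_write(path, data):
    """Hardened write: O_EXCL makes os.open() fail if anything already exists
    at `path`, a symlink included (dangling or not); O_NOFOLLOW is extra
    insurance where the platform has it. Returns True if the file was
    created and written, False if the write was refused."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(path, flags, 0o600)
    except FileExistsError:
        return False
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return True


def regression_check():
    """Constructed scenario (assumes a POSIX host): in a private temp dir a
    symlink carrying the report's fixed name points at a 'victim' file.
    Returns whether the safe write refused, plus the victim's content after
    the safe write and after the pre-fix write."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim.txt")
        with open(victim, "wb") as fh:
            fh.write(b"original")
        report = os.path.join(d, REPORT_NAME)
        os.symlink(victim, report)          # the planted link
        po = b'msgid "hello"\nmsgstr "bonjour"\n'
        refused = not safe_write(report, po)
        with open(victim, "rb") as fh:
            after_safe = fh.read()          # untouched: link was not followed
        unsafe_write(report, po)
        with open(victim, "rb") as fh:
            after_unsafe = fh.read()        # clobbered with PO content
        return {"refused": refused, "after_safe": after_safe,
                "after_unsafe": after_unsafe}
```

Writing into the current directory, as the Debian fix does, removes the shared-/tmp exposure; the O_EXCL open additionally refuses any pre-existing path, which is the check a regression test for this class of bug should assert on.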



Reply sent to Nicolas François <nicolas.francois@centraliens.net>:
You have taken responsibility. (full text, mbox, link).


Notification sent to Thijs Kinkhorst <thijs@debian.org>:
Bug acknowledged by developer. (full text, mbox, link).


Message #31 received at 439226-done@bugs.debian.org (full text, mbox, reply):

From: Nicolas François <nicolas.francois@centraliens.net>
To: 439226-done@bugs.debian.org
Subject: Re: Bug#439226: CVE-2007-4462: arbitrary files overwriting
Date: Thu, 6 Sep 2007 21:53:14 +0200
Version: 0.31-1

The fix was included in the Debian 0.31-1 package. Closing the bug
accordingly.

The risk is quite low and will not deserve a DSA.

I asked the stable release managers whether the fix could be included in
sarge and etch.

Kind Regards,
-- 
Nekral



Reply sent to Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net>:
You have taken responsibility. (full text, mbox, link).


Notification sent to Thijs Kinkhorst <thijs@debian.org>:
Bug acknowledged by developer. (full text, mbox, link).


Message #36 received at 439226-close@bugs.debian.org (full text, mbox, reply):

From: Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net>
To: 439226-close@bugs.debian.org
Subject: Bug#439226: fixed in po4a 0.29-1etch4
Date: Thu, 20 Sep 2007 07:56:17 +0000
Source: po4a
Source-Version: 0.29-1etch4

We believe that the bug you reported is fixed in the latest version of
po4a, which is due to be installed in the Debian FTP archive:

po4a_0.29-1etch4.diff.gz
  to pool/main/p/po4a/po4a_0.29-1etch4.diff.gz
po4a_0.29-1etch4.dsc
  to pool/main/p/po4a/po4a_0.29-1etch4.dsc
po4a_0.29-1etch4_all.deb
  to pool/main/p/po4a/po4a_0.29-1etch4_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 439226@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net> (supplier of updated po4a package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.7
Date: Tue, 04 Sep 2007 23:35:12 +0200
Source: po4a
Binary: po4a
Architecture: source all
Version: 0.29-1etch4
Distribution: proposed-updates
Urgency: low
Maintainer: Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net>
Changed-By: Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net>
Description: 
 po4a       - tools for helping translation of documentation
Closes: 439226
Changes: 
 po4a (0.29-1etch4) proposed-updates; urgency=low
 .
   * Fix possible arbitrary files overwriting via a symlink attack.
     (CVE-2007-4462). Closes: #439226
Files: 
 cd69260403ccbaade7027626a746b26f 725 text optional po4a_0.29-1etch4.dsc
 ccf4cf26f84c01efb06bf2cd67f9c7cf 7847 text optional po4a_0.29-1etch4.diff.gz
 2c1d628c97fdceb735e3a95175093f6b 697292 text optional po4a_0.29-1etch4_all.deb






Reply sent to Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net>:
You have taken responsibility. (full text, mbox, link).


Notification sent to Thijs Kinkhorst <thijs@debian.org>:
Bug acknowledged by developer. (full text, mbox, link).


Message #41 received at 439226-close@bugs.debian.org (full text, mbox, reply):

From: Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net>
To: 439226-close@bugs.debian.org
Subject: Bug#439226: fixed in po4a 0.20-2sarge1
Date: Thu, 20 Sep 2007 07:56:18 +0000
Source: po4a
Source-Version: 0.20-2sarge1

We believe that the bug you reported is fixed in the latest version of
po4a, which is due to be installed in the Debian FTP archive:

po4a_0.20-2sarge1.diff.gz
  to pool/main/p/po4a/po4a_0.20-2sarge1.diff.gz
po4a_0.20-2sarge1.dsc
  to pool/main/p/po4a/po4a_0.20-2sarge1.dsc
po4a_0.20-2sarge1_all.deb
  to pool/main/p/po4a/po4a_0.20-2sarge1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 439226@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net> (supplier of updated po4a package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.7
Date: Tue, 04 Sep 2007 23:28:49 +0200
Source: po4a
Binary: po4a
Architecture: source all
Version: 0.20-2sarge1
Distribution: oldstable-proposed-updates
Urgency: low
Maintainer: Martin Quinson <mquinson@debian.org>
Changed-By: Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net>
Description: 
 po4a       - tools for helping translation of documentation
Closes: 439226
Changes: 
 po4a (0.20-2sarge1) oldstable-proposed-updates; urgency=low
 .
   * Fix possible arbitrary files overwriting via a symlink attack.
     (CVE-2007-4462). Closes: #439226
Files: 
 5394a00469daf47279355b4c6aca46d0 787 text optional po4a_0.20-2sarge1.dsc
 2f3190dbd712bacbfe691b7a37713566 29468 text optional po4a_0.20-2sarge1.diff.gz
 220fa400774fd54f5f5fd1d2501f9f16 529776 text optional po4a_0.20-2sarge1_all.deb






Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 27 Dec 2007 07:27:54 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:27:12 2019; Machine Name: buxtehude
