Debian Bug report logs - #439226
CVE-2007-4462: arbitrary files overwriting
Reported by: Thijs Kinkhorst <thijs@debian.org>
Date: Thu, 23 Aug 2007 12:30:01 UTC
Severity: serious
Tags: security
Found in versions po4a/0.20-2, po4a/0.29-1
Fixed in versions 0.31-1, po4a/0.29-1etch4, po4a/0.20-2sarge1
Done: Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net>: Bug#439226; Package po4a.
Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>: New Bug report received and forwarded. Copy sent to Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net>.
Message #5 received at submit@bugs.debian.org:
Package: po4a
Severity: serious
Tags: security
Hi,
A security issue has been reported against your package po4a:
> lib/Locale/Po4a/Po.pm in po4a before 0.32 allows local users to overwrite
> arbitrary files via a symlink attack on the gettextization.failed.po
> temporary file.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4462
It seems the new upstream 0.32 fixes this.
Please mention the CVE id in the changelog when fixing this.
Also please check whether stable and oldstable are vulnerable and coordinate
with the security team.
Thanks,
Thijs
Information forwarded to debian-bugs-dist@lists.debian.org, Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net>: Bug#439226; Package po4a.
Acknowledgement sent to Nicolas François <nicolas.francois@centraliens.net>: Extra info received and forwarded to list. Copy sent to Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net>.
Message #10 received at 439226@bugs.debian.org:
found 439226 0.20-2
found 439226 0.29-1
notfound 439226 0.31-1
thanks
Hi,
On Thu, Aug 23, 2007 at 02:27:03PM +0200, thijs@debian.org wrote:
> Hi,
>
> A security issue has been reported against your package po4a:
>
> > lib/Locale/Po4a/Po.pm in po4a before 0.32 allows local users to overwrite
> > arbitrary files via a symlink attack on the gettextization.failed.po
> > temporary file.
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4462
> It seems the new upstream 0.32 fixes this.
>
> Please mention the CVE id in the changelog when fixing this.
> Also please check whether stable and oldstable are vulnerable and coordinate
> with the security team.
This was fixed in Debian's 0.31-1.
Stable and oldstable are vulnerable.
The fix for this bug is quite simple:
replacing
$pores->write("/tmp/gettextization.failed.po");
by
$pores->write("gettextization.failed.po");
Security Team, shall I prepare packages with this fix and upload to
stable-security and oldstable-security?
Kind Regards,
--
Nekral
Bug marked as found in version 0.20-2. Request was from Nicolas François <nicolas.francois@centraliens.net> to control@bugs.debian.org. (Thu, 23 Aug 2007 19:09:05 GMT)
Bug marked as found in version 0.29-1. Request was from Nicolas François <nicolas.francois@centraliens.net> to control@bugs.debian.org. (Thu, 23 Aug 2007 19:09:05 GMT)
Bug no longer marked as found in version 0.31-1. Request was from Nicolas François <nicolas.francois@centraliens.net> to control@bugs.debian.org. (Thu, 23 Aug 2007 19:09:06 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net>: Bug#439226; Package po4a.
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net>.
Message #21 received at 439226@bugs.debian.org:
Nicolas François wrote:
> > Hi,
> >
> > A security issue has been reported against your package po4a:
> >
> > > lib/Locale/Po4a/Po.pm in po4a before 0.32 allows local users to overwrite
> > > arbitrary files via a symlink attack on the gettextization.failed.po
> > > temporary file.
> >
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4462
> > It seems the new upstream 0.32 fixes this.
> >
> > Please mention the CVE id in the changelog when fixing this.
> > Also please check whether stable and oldstable are vulnerable and coordinate
> > with the security team.
>
> This was fixed in Debian's 0.31-1
>
> stable and oldstable are vulnerable.
>
> The fix for this bug is quite simple:
> replacing
> $pores->write("/tmp/gettextization.failed.po");
> by
> $pores->write("gettextization.failed.po");
>
> Security Team, shall I prepare packages with this fix and upload to
> stable-security and oldstable-security?
Which enduser tools use the affected code and which operations trigger the
vulnerability?
Given that there's apparently no regularly scheduled execution (e.g. in
comparison to a server cron job), that the .pm doesn't run with elevated
privileges, that po4a is exotic and apparently uncommon in a multi user
environment with shared /tmp I'm for now inclined to consider this not
grave enough for a DSA. (However, this depends on the information I'm
asking for)
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org, Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net>: Bug#439226; Package po4a.
Acknowledgement sent to Nicolas François <nicolas.francois@centraliens.net>: Extra info received and forwarded to list. Copy sent to Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net>.
Message #26 received at 439226@bugs.debian.org:
Hello,
On Fri, Aug 31, 2007 at 05:39:47PM +0200, Moritz Muehlenhoff wrote:
>
> Which enduser tools use the affected code and which operations trigger the
> vulnerability?
>
> Given that there's apparently no regularly scheduled execution (e.g. in
> comparison to a server cron job), that the .pm doesn't run with elevated
> privileges, that po4a is exotic and apparently uncommon in a multi user
> environment with shared /tmp I'm for now inclined to consider this not
> grave enough for a DSA. (However, this depends on the information I'm
> asking for)
The vulnerability is a symlink attack which does not involve a race
condition (the link could be installed a long time before).
po4a is a development tool, used as a build dependency for some Debian
packages. My opinion is that it should not be used by root.
The vulnerability occurs in po4a-gettextize when it is used to import an
existing translation and convert it to a PO file usable for latter
operations by the po4a tools (and by translators).
The file is written in /tmp only if this process fails.
This usage of po4a-gettextize is intended to be interactive (with the user
fixing errors reported by each run of po4a-gettextize) in the early stage
of building a translation framework.
Thus I don't expect this vulnerability to occur (there should be no errors
and the file should not be written) in a build system or to be triggered
by admins using "make && make install" as root with a non malicious
software.
If eventually this results in overwriting a file, this file will be a PO
file.
This will result in a DoS if /etc/shadow is overwritten. I don't expect
any line matching a valid shadow entry (i.e. the first field will contain
a space or will start with " or #).
Kind Regards,
--
Nekral
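The two messages above (the one-line fix in message #10 and the "no race condition needed" description in message #26) are illustrated by the following added example. It is not po4a code (po4a itself is Perl); it is a Python model, written for this page, of the same bug class: a program writes a failure dump to a fixed, world-known name in a shared directory with a plain truncating open, and any local user who planted a symlink at that name earlier gets the write redirected to a file of their choosing. The victim file name, the PO content and the private directory standing in for /tmp are constructed for the demonstration. The hardened writers show the general defence (create-only open with O_EXCL and O_NOFOLLOW, or an mkstemp name); the Debian fix instead sidesteps the shared directory altogether by writing into the current working directory.

```python
"""Added example (not po4a code; po4a itself is Perl). Models the symlink
attack on the fixed path /tmp/gettextization.failed.po described in this bug
and the general defence: never open a predictable name in a shared directory
with a plain truncating write; use O_CREAT|O_EXCL|O_NOFOLLOW or mkstemp."""
import os
import tempfile

# Constructed stand-in for the PO file po4a-gettextize dumps on failure.
FAILED_PO = 'msgid "Hello"\nmsgstr "Bonjour"\n'
VICTIM_ORIGINAL = "original contents\n"


def vulnerable_write(path, data):
    """Pre-0.31 behaviour: a plain truncating open of a fixed, world-known
    path. open(..., "w") follows symlinks, so a link planted at `path` by
    another local user silently redirects the write to the link target."""
    with open(path, "w") as fh:
        fh.write(data)


def hardened_write(path, data):
    """Create-only open: O_EXCL makes open() fail with EEXIST if anything,
    including a symlink, already sits at `path`; O_NOFOLLOW (where the OS
    has it) additionally refuses a symlink as the final path component.
    The file is created 0600 so other users cannot read the dump either."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)


def mkstemp_write(directory, data):
    """Unpredictable name, created O_EXCL by the C library: an attacker
    cannot pre-plant a link because the name is not known in advance."""
    fd, name = tempfile.mkstemp(prefix="gettextization.failed.", suffix=".po", dir=directory)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return name


def _read(path):
    with open(path) as fh:
        return fh.read()


def run_demo():
    """Stage the attack in a private directory standing in for /tmp and
    report what happened to the victim file under each writer."""
    with tempfile.TemporaryDirectory() as shared_tmp:
        victim = os.path.join(shared_tmp, "victim.conf")
        with open(victim, "w") as fh:
            fh.write(VICTIM_ORIGINAL)
        # Attacker step: plant the link long before the victim runs the tool
        # (no race window is needed, as the maintainer notes above).
        link = os.path.join(shared_tmp, "gettextization.failed.po")
        os.symlink(victim, link)

        vulnerable_write(link, FAILED_PO)
        victim_after_vulnerable = _read(victim)

        # Reset the victim and try the hardened writer against the same link.
        with open(victim, "w") as fh:
            fh.write(VICTIM_ORIGINAL)
        try:
            hardened_write(link, FAILED_PO)
            hardened_refused = False
        except OSError:  # EEXIST (or ELOOP on some platforms)
            hardened_refused = True
        victim_after_hardened = _read(victim)

        safe_name = mkstemp_write(shared_tmp, FAILED_PO)
        return {
            "vulnerable_overwrote_victim": victim_after_vulnerable == FAILED_PO,
            "hardened_refused": hardened_refused,
            "hardened_victim_intact": victim_after_hardened == VICTIM_ORIGINAL,
            "mkstemp_name_unpredictable": os.path.basename(safe_name) != "gettextization.failed.po",
            "mkstemp_wrote_data": _read(safe_name) == FAILED_PO,
        }


if __name__ == "__main__":
    for check, result in run_demo().items():
        print(f"{check}: {result}")
```

Running the block prints one line per check; the vulnerable writer replaces the victim's contents with the PO dump, the create-only open refuses the planted link and leaves the victim untouched, and the mkstemp variant lands in a name the attacker could not have predicted. Writing into the current directory, as the Debian fix does, is sound here only because po4a-gettextize is run interactively from the user's own working tree; wherever a temporary file in a shared directory cannot be avoided, the create-only open is the pattern to reach for.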
Reply sent to Nicolas François <nicolas.francois@centraliens.net>: You have taken responsibility.
Notification sent to Thijs Kinkhorst <thijs@debian.org>: Bug acknowledged by developer.
Message #31 received at 439226-done@bugs.debian.org:
Version: 0.31-1
The fix was included in the Debian 0.31-1 package. Closing the bug
accordingly.
The risk is quite low and will not deserve a DSA.
I asked the stable release managers whether the fix could be included in
sarge and etch.
Kind Regards,
--
Nekral
Reply sent to Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net>: You have taken responsibility.
Notification sent to Thijs Kinkhorst <thijs@debian.org>: Bug acknowledged by developer.
Message #36 received at 439226-close@bugs.debian.org:
Source: po4a
Source-Version: 0.29-1etch4
We believe that the bug you reported is fixed in the latest version of
po4a, which is due to be installed in the Debian FTP archive:
po4a_0.29-1etch4.diff.gz
to pool/main/p/po4a/po4a_0.29-1etch4.diff.gz
po4a_0.29-1etch4.dsc
to pool/main/p/po4a/po4a_0.29-1etch4.dsc
po4a_0.29-1etch4_all.deb
to pool/main/p/po4a/po4a_0.29-1etch4_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 439226@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net> (supplier of updated po4a package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Tue, 04 Sep 2007 23:35:12 +0200
Source: po4a
Binary: po4a
Architecture: source all
Version: 0.29-1etch4
Distribution: proposed-updates
Urgency: low
Maintainer: Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net>
Changed-By: Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net>
Description:
po4a - tools for helping translation of documentation
Closes: 439226
Changes:
po4a (0.29-1etch4) proposed-updates; urgency=low
.
* Fix possible arbitrary files overwriting via a symlink attack.
(CVE-2007-4462). Closes: #439226
Files:
cd69260403ccbaade7027626a746b26f 725 text optional po4a_0.29-1etch4.dsc
ccf4cf26f84c01efb06bf2cd67f9c7cf 7847 text optional po4a_0.29-1etch4.diff.gz
2c1d628c97fdceb735e3a95175093f6b 697292 text optional po4a_0.29-1etch4_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFG8WE5ST77jl1k+HARAngoAKDr24/cFWArBzrlvMO0OCbDa/3gdwCgoCvE
hrtYInoMCEPH5j+eeud8F4U=
=RZYU
-----END PGP SIGNATURE-----
Reply sent to Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net>: You have taken responsibility.
Notification sent to Thijs Kinkhorst <thijs@debian.org>: Bug acknowledged by developer.
Message #41 received at 439226-close@bugs.debian.org:
Source: po4a
Source-Version: 0.20-2sarge1
We believe that the bug you reported is fixed in the latest version of
po4a, which is due to be installed in the Debian FTP archive:
po4a_0.20-2sarge1.diff.gz
to pool/main/p/po4a/po4a_0.20-2sarge1.diff.gz
po4a_0.20-2sarge1.dsc
to pool/main/p/po4a/po4a_0.20-2sarge1.dsc
po4a_0.20-2sarge1_all.deb
to pool/main/p/po4a/po4a_0.20-2sarge1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 439226@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net> (supplier of updated po4a package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Tue, 04 Sep 2007 23:28:49 +0200
Source: po4a
Binary: po4a
Architecture: source all
Version: 0.20-2sarge1
Distribution: oldstable-proposed-updates
Urgency: low
Maintainer: Martin Quinson <mquinson@debian.org>
Changed-By: Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net>
Description:
po4a - tools for helping translation of documentation
Closes: 439226
Changes:
po4a (0.20-2sarge1) oldstable-proposed-updates; urgency=low
.
* Fix possible arbitrary files overwriting via a symlink attack.
(CVE-2007-4462). Closes: #439226
Files:
5394a00469daf47279355b4c6aca46d0 787 text optional po4a_0.20-2sarge1.dsc
2f3190dbd712bacbfe691b7a37713566 29468 text optional po4a_0.20-2sarge1.diff.gz
220fa400774fd54f5f5fd1d2501f9f16 529776 text optional po4a_0.20-2sarge1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFG8WGMST77jl1k+HARAqs+AJoDd3j4s9GibY8IOLSKCbVMzhXRbgCdEMpE
tGolJ6Vgh47E43va+SgBf6U=
=P1aH
-----END PGP SIGNATURE-----
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 27 Dec 2007 07:27:54 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Wed Jun 19 18:27:12 2019; Machine Name: buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.