The possibility of attack with the help of symlinks in some Debian packages

Related Vulnerabilities: CVE-2008-4474  

Debian Bug report logs - #496389


Reported by: "Dmitry E. Oboukhov" <dimka@uvw.ru>

Date: Sun, 24 Aug 2008 18:10:19 UTC

Severity: grave

Tags: security

Fixed in version freeradius/2.0.4+dfsg-6

Done: Stephen Gran <sgran@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Stephen Gran <sgran@debian.org>:
Bug#496389; Package freeradius-dialupadmin. (full text, mbox, link).


Acknowledgement sent to "Dmitry E. Oboukhov" <dimka@uvw.ru>:
New Bug report received and forwarded. Copy sent to Stephen Gran <sgran@debian.org>. (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: "Dmitry E. Oboukhov" <dimka@uvw.ru>
To: submit@bugs.debian.org
Cc: dimka@uvw.ru
Subject: The possibility of attack with the help of symlinks in some Debian packages
Date: Sun, 24 Aug 2008 22:05:30 +0400
Package: freeradius-dialupadmin
Severity: grave

Hi, maintainer!

This message about the error concerns a few packages at once. I've
tested all the packages (for Lenny) on my Debian mirror. All scripts
of packages (marked as executable) were tested.

In some packages I've discovered scripts with errors which may be used
by a user for damaging important system files or user's files.

For example, if a script uses in its work a temp file which is created
in the /tmp directory, then every user can create a symlink with the
same name in this directory in order to destroy or rewrite some system
or user file. A symlink attack may also lead not only to data
destruction but to denial of service as well.

Even if you create files or directories with the help of the function
'RANDOM' or pid(), then your system is not protected. An attacker can
create many symlinks in order to destroy your data or create 'denial of
service' for your package scripts.

Even if you make rm(dir) for files/directories, then your system is
not protected. An attacker can permanently create symlinks.

This list is created with the help of a script. This list is sorted by
hand. However, in some cases a mistake is possible.

Please be understanding of possible mistakes. :)

I set the Severity to grave for this bug. The table of discovered
problems is below.

Discussion of this bug you can see in debian-devel@:
    http://lists.debian.org/debian-devel/2008/08/msg00271.html

Binary-package: r-base-core-ra (1.1.1-1)
    file: /usr/lib/Ra/lib/R/bin/javareconf
Binary-package: rccp (0.9-2)
    file: /usr/lib/rccp/delqueueask
Binary-package: mafft (6.240-1)
    file: /usr/bin/mafft-homologs
Binary-package: openoffice.org-common (1:2.4.1-6)
    file: /usr/lib/openoffice/program/senddoc
Binary-package: crossfire-maps (1.11.0-1)
    file: /usr/share/games/crossfire/maps/Info/combine.pl
Binary-package: sgml2x (1.0.0-11.1)
    file: /usr/bin/rlatex
Binary-package: liguidsoap (0.3.6-4)
    file: /var/lib/liguidsoap/liguidsoap.py
Binary-package: citadel-server (7.37-1)
    file: /usr/lib/citadel-server/migrate_aliases.sh
Binary-package: ampache (3.4.1-1)
    file: /usr/share/ampache/www/locale/base/gather-messages.sh
Binary-package: xen-utils-3.2-1 (3.2.1-2)
    file: /usr/lib/xen-3.2-1/bin/qemu-dm.debug
Binary-package: dtc-common (0.29.6-1)
    file: /usr/share/dtc/admin/accesslog.php
    file: /usr/share/dtc/admin/sa-wrapper
Binary-package: honeyd-common (1.5c-3)
    file: /usr/share/honeyd/scripts/test.sh
Binary-package: lustre-tests (1.6.5-1)
    file: /usr/lib/lustre/tests/runiozone
Binary-package: linuxtrade (3.65-8+b4)
    file: /usr/share/linuxtrade/bin/linuxtrade.bwkvol
    file: /usr/share/linuxtrade/bin/linuxtrade.wn
    file: /usr/share/linuxtrade/bin/moneyam.helper
Binary-package: freevo (1.8.1-0)
    file: /usr/bin/freevo.real
Binary-package: fml (4.0.3.dfsg-2)
    file: /usr/share/fml/libexec/mead.pl
Binary-package: rkhunter (1.3.2-3)
    file: /usr/bin/rkhunter
Binary-package: openswan (1:2.4.12+dfsg-1.1)
    file: /usr/lib/ipsec/livetest
Binary-package: linux-patch-openswan (1:2.4.12+dfsg-1.1)
    file: /usr/src/kernel-patches/all/openswan/packaging/utils/maysnap
    file: /usr/src/kernel-patches/all/openswan/packaging/utils/maytest
Binary-package: aptoncd (0.1-1.1)
    file: /usr/share/aptoncd/xmlfile.py
Binary-package: cdcontrol (1.90-1.1)
    file: /usr/lib/cdcontrol/writtercontrol
Binary-package: newsgate (1.6-23)
    file: /usr/bin/mkmailpost
Binary-package: gpsdrive-scripts (2.10~pre4-3)
    file: /usr/bin/geo-code
Binary-package: impose+ (0.2-11)
    file: /usr/bin/impose
Binary-package: mgt (2.31-5)
    file: /usr/games/mailgo
Binary-package: audiolink (0.05-1)
    file: /usr/bin/audiolink
Binary-package: ibackup (2.27-4.1)
    file: /usr/bin/ibackup
Binary-package: emacspeak (26.0-3)
    file: /usr/share/emacs/site-lisp/emacspeak/etc/extract-table.pl
Binary-package: bk2site (1:1.1.9-3.1)
    file: /usr/lib/cgi-bin/bk2site/redirect.pl
Binary-package: datafreedom-perl (0.1.7-1)
    file: /usr/bin/dfxml-invoice
Binary-package: emacs-jabber (0.7.91-1)
    file: /usr/lib/emacsen-common/packages/install/emacs-jabber
Binary-package: lmbench (3.0-a7-1)
    file: /usr/lib/lmbench/scripts/rccs
    file: /usr/lib/lmbench/scripts/STUFF
Binary-package: rancid-util (2.3.2~a8-1)
    file: /var/lib/rancid/getipacctg
Binary-package: ogle (0.9.2-5.2)
    file: /usr/lib/ogle/ogle_audio_debug
    file: /usr/lib/ogle/ogle_cli_debug
    file: /usr/lib/ogle/ogle_ctrl_debug
    file: /usr/lib/ogle/ogle_gui_debug
    file: /usr/lib/ogle/ogle_mpeg_ps_debug
    file: /usr/lib/ogle/ogle_mpeg_vs_debug
    file: /usr/lib/ogle/ogle_nav_debug
    file: /usr/lib/ogle/ogle_vout_debug
Binary-package: firehol (1.256-4)
    file: /sbin/firehol
Binary-package: aview (1.3.0rc1-8)
    file: /usr/bin/asciiview
Binary-package: radiance (3R9+20080530-3)
    file: /usr/bin/optics2rad
    file: /usr/bin/pdelta
    file: /usr/bin/dayfact
    file: /usr/bin/raddepend
Binary-package: vdr-dbg (1.6.0-5)
    file: /usr/bin/vdrleaktest
Binary-package: ogle-mmx (0.9.2-5.2)
    file: /usr/lib/ogle/ogle_audio_debug
    file: /usr/lib/ogle/ogle_cli_debug
    file: /usr/lib/ogle/ogle_ctrl_debug
    file: /usr/lib/ogle/ogle_gui_debug
    file: /usr/lib/ogle/ogle_mpeg_ps_debug
    file: /usr/lib/ogle/ogle_mpeg_vs_debug
    file: /usr/lib/ogle/ogle_nav_debug
    file: /usr/lib/ogle/ogle_vout_debug
Binary-package: convirt (0.8.2-3)
    file: /usr/share/convirt/image_store/_template_/provision.sh
    file: /usr/share/convirt/image_store/Linux_CD_Install/provision.sh
    file: /usr/share/convirt/image_store/Fedora_PV_Install/provision.sh
    file: /usr/share/convirt/image_store/CentOS_PV_Install/provision.sh
    file: /usr/share/convirt/image_store/common/provision.sh
    file: /usr/share/convirt/image_store/example/provision.sh
    file: /usr/share/convirt/image_store/Windows_CD_Install/provision.sh
Binary-package: printfilters-ppd (2.13-9)
    file: /usr/lib/printfilters/master-filter
Binary-package: r-base-core (2.7.1-1)
    file: /usr/lib/R/bin/javareconf
    file: /usr/lib/R/bin/javareconf.orig
Binary-package: xmcd (2.6-19.3)
    file: /usr/share/xmcd/scripts/ncsarmt
    file: /usr/share/xmcd/scripts/ncsawrap
Binary-package: tiger (1:3.2.2-3.1)
    file: /usr/lib/tiger/util/genmsgidx
Binary-package: scilab-bin (4.1.2-5)
    file: /usr/lib/scilab-4.1.2/bin/scilink
    file: /usr/lib/scilab-4.1.2/util/scidoc
    file: /usr/lib/scilab-4.1.2/util/scidem
Binary-package: dpkg-cross (2.3.0)
    file: /usr/share/dpkg-cross/bin/gccross
Binary-package: ltp-network-test (20060918-2.1)
    file: /usr/lib/debian-test/tests/linux/testcases/bin/ftp_setup_vsftp_conf
    file: /usr/lib/debian-test/tests/linux/testcases/bin/nfs_fsstress.sh
Binary-package: cman (2.20080629-1)
    file: /usr/sbin/fence_egenera
Binary-package: scratchbox2 (1.99.0.24-1)
    file: /usr/share/scratchbox2/scripts/dpkg-checkbuilddeps
    file: /usr/share/scratchbox2/scripts/sb2-check-pkg-mappings
Binary-package: sendmail-base (8.14.3-5)
    file: /usr/sbin/checksendmail
    file: /usr/bin/expn
Binary-package: fwbuilder (2.1.19-3)
    file: /usr/bin/fwb_install
Binary-package: sng (1.0.2-5)
    file: /usr/bin/sng_regress
Binary-package: dist (1:3.5-17-1)
    file: /usr/bin/patcil
    file: /usr/bin/patdiff
Binary-package: sympa (5.3.4-5)
    file: /usr/lib/cgi-bin/sympa/wwsympa.fcgi
    file: /usr/lib/sympa/bin/sympa.pl
Binary-package: postfix (2.5.2-2)
    file: /usr/lib/postfix_groups.pl
Binary-package: caudium (3:1.4.12-11)
    file: /usr/share/caudium/configvar
Binary-package: mgetty-fax (1.1.36-1.2)
    file: /usr/bin/faxspool
Binary-package: aegis (4.24-3)
    file: /usr/share/doc/aegis/examples/remind/bng_dvlpd.sh
    file: /usr/share/doc/aegis/examples/remind/bng_rvwd.sh
    file: /usr/share/doc/aegis/examples/remind/awt_dvlp.sh
    file: /usr/share/doc/aegis/examples/remind/awt_intgrtn.sh
Binary-package: aegis-web (4.24-3)
    file: /usr/lib/cgi-bin/aegis.cgi
Binary-package: digitaldj (0.7.5-6+b1)
    file: /usr/share/digitaldj/fest.pl
Binary-package: mon (0.99.2-12)
    file: /usr/lib/mon/alert.d/test.alert
Binary-package: feta (1.4.16)
    file: /usr/share/feta/plugins/to-upgrade
Binary-package: arb-common (0.0.20071207.1-4)
    file: /usr/lib/arb/SH/arb_fastdnaml
    file: /usr/lib/arb/SH/dszmconnect.pl
Binary-package: qemu (0.9.1-5)
    file: /usr/sbin/qemu-make-debian-root
Binary-package: apertium (3.0.7+1-1+b1)
    file: /usr/bin/apertium-gen-deformat
    file: /usr/bin/apertium-gen-reformat
    file: /usr/bin/apertium
Binary-package: xcal (4.1-18.3)
    file: /usr/bin/pscal
Binary-package: myspell-tools (1:3.1-20)
    file: /usr/bin/i2myspell
Binary-package: gccxml (0.9.0+cvs20080525-1)
    file: /usr/share/gccxml-0.9/MIPSpro/find_flags
Binary-package: freeradius-dialupadmin (2.0.4+dfsg-4)
    file: /usr/share/freeradius-dialupadmin/bin/backup_radacct
    file: /usr/share/freeradius-dialupadmin/bin/clean_radacct
    file: /usr/share/freeradius-dialupadmin/bin/monthly_tot_stats
    file: /usr/share/freeradius-dialupadmin/bin/tot_stats
    file: /usr/share/freeradius-dialupadmin/bin/truncate_radacct
Binary-package: dhis-server (5.3-1)
    file: /usr/lib/dhis-server/dhis-dummy-log-engine
Binary-package: wims (3.62-13)
    file: /var/lib/wims/public_html/bin/coqweb
    file: /var/lib/wims/bin/account.sh
Binary-package: initramfs-tools (0.92f)
    file: /usr/share/initramfs-tools/init
Binary-package: realtimebattle-common (1.0.8-7)
    file: /usr/lib/realtimebattle/Robots/perl.robot
Binary-package: netmrg (0.20-1)
    file: /usr/bin/rrdedit
Binary-package: bulmages-servers (0.11.1-2)
    file: /usr/share/bulmages/examples/scripts/actualizabulmacont
    file: /usr/share/bulmages/examples/scripts/installbulmages-db
    file: /usr/share/bulmages/examples/scripts/creabulmafact
    file: /usr/share/bulmages/examples/scripts/creabulmacont
    file: /usr/share/bulmages/examples/scripts/actualizabulmafact
Binary-package: xastir (1.9.2-1)
    file: /usr/lib/xastir/get-maptools.sh
    file: /usr/lib/xastir/get_shapelib.sh
Binary-package: plait (1.5.2-1)
    file: /usr/bin/plaiter
    file: /usr/bin/plait
Binary-package: cdrw-taper (0.4-2)
    file: /usr/sbin/amlabel-cdrw
Binary-package: konwert-filters (1.8-11.1)
    file: /usr/share/konwert/filters/any-UTF8
Binary-package: gdrae (0.1-1)
    file: /usr/bin/gdrae
Binary-package: lazarus-src (0.9.24-0-9)
    file: /usr/lib/lazarus/tools/install/create_lazarus_export_tgz.sh
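A worked illustration of the two defender-side checks behind this report, added here and not part of the bug report or of any package listed above: a scanner for hard-coded temp-file names of the kind the reporter's script flagged, and a file-creation routine that uses O_CREAT|O_EXCL so a pre-existing name (a planted symlink included) is refused rather than followed, which is the guarantee File::Temp's tempfile() provides in the patch later in this thread. The sample script text is constructed from the 'before' side of that patch; the demo plants its symlink only inside a private temporary directory.

```python
"""Added example, not from the bug report or the freeradius package."""
import os
import re
import tempfile

# Literal file name under /tmp or /var/tmp. Heuristic only: it cannot see
# paths that are assembled at run time.
_FIXED_TMP = re.compile(r'(?<![\w/])(/var)?/tmp/[\w.\-]+')


def find_fixed_tmp_paths(source: str):
    """Return (line_number, path) for each hard-coded temp path in `source`."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in _FIXED_TMP.finditer(line):
            hits.append((lineno, m.group(0)))
    return hits


def create_private_tmp_file(path: str) -> int:
    """Open `path` for writing only if nothing exists at that name yet.

    O_EXCL makes the kernel refuse an existing name, including a symlink
    planted there by another user; O_NOFOLLOW is added where available.
    Returns a file descriptor; raises FileExistsError if the name is taken.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
    flags |= getattr(os, "O_NOFOLLOW", 0)
    return os.open(path, flags, 0o600)


def demo_symlink_refused() -> dict:
    """Compare the unsafe and safe patterns inside a private directory.

    A symlink is pre-planted at a predictable name, pointing at a victim
    file in the same private directory (nothing outside it is touched).
    A plain open() follows the link and overwrites the victim; the O_EXCL
    open refuses the name; mkstemp() picks an unpredictable name and
    creates it with O_EXCL, which is what the patch switches to.
    """
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim.txt")
        with open(victim, "w") as f:
            f.write("original\n")
        predictable = os.path.join(d, "clean_radacct.query")
        os.symlink(victim, predictable)

        # Unsafe pattern (open TMP, ">/tmp/clean_radacct.query"): follows link.
        with open(predictable, "w") as f:
            f.write("DELETE FROM radacct ...;\n")
        with open(victim) as f:
            victim_after = f.read()

        # Safe pattern: refused because the name already exists.
        refused = False
        try:
            fd = create_private_tmp_file(predictable)
            os.close(fd)
        except FileExistsError:
            refused = True

        # Unpredictable name created O_EXCL, as tempfile() does in the patch.
        fd, name = tempfile.mkstemp(dir=d, suffix=".query")
        os.close(fd)
        mkstemp_ok = os.path.isfile(name) and not os.path.islink(name)
        os.unlink(name)

    return {
        "victim_overwritten": victim_after != "original\n",
        "excl_refused": refused,
        "mkstemp_ok": mkstemp_ok,
    }


# Constructed sample: the 'before' lines of clean_radacct from the patch.
SAMPLE_SCRIPT = '''open TMP, ">/tmp/clean_radacct.query"
        or die "Could not open tmp file\\n";
print TMP $query;
close TMP;
$command = "$sqlcmd -U $sql_username -f /tmp/clean_radacct.query $sql_database" if ($sql_type eq 'pg');
'''

if __name__ == "__main__":
    for lineno, path in find_fixed_tmp_paths(SAMPLE_SCRIPT):
        print(f"line {lineno}: hard-coded temp file {path}")
    print(demo_symlink_refused())
```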




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#496389; Package freeradius-dialupadmin. (full text, mbox, link).


Acknowledgement sent to Stephen Gran <sgran@debian.org>:
Extra info received and forwarded to list. (full text, mbox, link).


Message #10 received at 496389@bugs.debian.org (full text, mbox, reply):

From: Stephen Gran <sgran@debian.org>
To: "Dmitry E. Oboukhov" <dimka@uvw.ru>, 496389@bugs.debian.org
Subject: Re: Bug#496389: The possibility of attack with the help of symlinks in some Debian packages
Date: Mon, 25 Aug 2008 01:03:08 +0100
[Message part 1 (text/plain, inline)]
This one time, at band camp, Dmitry E. Oboukhov said:
> Hi, maintainer!
> 
> This message about the error concerns a few packages  at  once.   I've
> tested all the packages (for Lenny) on my Debian mirror.  All  scripts
> of packages (marked as executable) were tested.

So, what is the error that is grave that I'm supposed to correct?
-- 
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        sgran@debian.org |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------
[signature.asc (application/pgp-signature, inline)]

Tags added: Request was from "Dmitry E. Oboukhov" <dimka@uvw.ru> to control@bugs.debian.org. (Tue, 26 Aug 2008 08:45:31 GMT) (full text, mbox, link).


Tags added: security Request was from "Dmitry E. Oboukhov" <dimka@uvw.ru> to control@bugs.debian.org. (Tue, 26 Aug 2008 08:57:21 GMT) (full text, mbox, link).


Reply sent to Stephen Gran <sgran@debian.org>:
You have taken responsibility. (full text, mbox, link).


Notification sent to "Dmitry E. Oboukhov" <dimka@uvw.ru>:
Bug acknowledged by developer. (full text, mbox, link).


Message #19 received at 496389-close@bugs.debian.org (full text, mbox, reply):

From: Stephen Gran <sgran@debian.org>
To: 496389-close@bugs.debian.org
Subject: Bug#496389: fixed in freeradius 2.0.4+dfsg-6
Date: Sun, 07 Sep 2008 18:02:03 +0000
Source: freeradius
Source-Version: 2.0.4+dfsg-6

We believe that the bug you reported is fixed in the latest version of
freeradius, which is due to be installed in the Debian FTP archive:

freeradius-common_2.0.4+dfsg-6_all.deb
  to pool/main/f/freeradius/freeradius-common_2.0.4+dfsg-6_all.deb
freeradius-dbg_2.0.4+dfsg-6_amd64.deb
  to pool/main/f/freeradius/freeradius-dbg_2.0.4+dfsg-6_amd64.deb
freeradius-dialupadmin_2.0.4+dfsg-6_all.deb
  to pool/main/f/freeradius/freeradius-dialupadmin_2.0.4+dfsg-6_all.deb
freeradius-iodbc_2.0.4+dfsg-6_amd64.deb
  to pool/main/f/freeradius/freeradius-iodbc_2.0.4+dfsg-6_amd64.deb
freeradius-krb5_2.0.4+dfsg-6_amd64.deb
  to pool/main/f/freeradius/freeradius-krb5_2.0.4+dfsg-6_amd64.deb
freeradius-ldap_2.0.4+dfsg-6_amd64.deb
  to pool/main/f/freeradius/freeradius-ldap_2.0.4+dfsg-6_amd64.deb
freeradius-mysql_2.0.4+dfsg-6_amd64.deb
  to pool/main/f/freeradius/freeradius-mysql_2.0.4+dfsg-6_amd64.deb
freeradius-postgresql_2.0.4+dfsg-6_amd64.deb
  to pool/main/f/freeradius/freeradius-postgresql_2.0.4+dfsg-6_amd64.deb
freeradius-utils_2.0.4+dfsg-6_amd64.deb
  to pool/main/f/freeradius/freeradius-utils_2.0.4+dfsg-6_amd64.deb
freeradius_2.0.4+dfsg-6.diff.gz
  to pool/main/f/freeradius/freeradius_2.0.4+dfsg-6.diff.gz
freeradius_2.0.4+dfsg-6.dsc
  to pool/main/f/freeradius/freeradius_2.0.4+dfsg-6.dsc
freeradius_2.0.4+dfsg-6_amd64.deb
  to pool/main/f/freeradius/freeradius_2.0.4+dfsg-6_amd64.deb
libfreeradius-dev_2.0.4+dfsg-6_amd64.deb
  to pool/main/f/freeradius/libfreeradius-dev_2.0.4+dfsg-6_amd64.deb
libfreeradius2_2.0.4+dfsg-6_amd64.deb
  to pool/main/f/freeradius/libfreeradius2_2.0.4+dfsg-6_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 496389@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stephen Gran <sgran@debian.org> (supplier of updated freeradius package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Mon, 25 Aug 2008 14:18:48 +0100
Source: freeradius
Binary: freeradius freeradius-common freeradius-utils freeradius-krb5 freeradius-ldap freeradius-mysql freeradius-iodbc freeradius-postgresql libfreeradius2 libfreeradius-dev freeradius-dialupadmin freeradius-dbg
Architecture: source amd64 all
Version: 2.0.4+dfsg-6
Distribution: unstable
Urgency: low
Maintainer: Stephen Gran <sgran@debian.org>
Changed-By: Stephen Gran <sgran@debian.org>
Description: 
 freeradius - a high-performance and highly configurable RADIUS server
 freeradius-common - FreeRadius common files
 freeradius-dbg - a high-performance and highly configurable RADIUS server; debug s
 freeradius-dialupadmin - set of PHP scripts for administering a FreeRADIUS server
 freeradius-iodbc - iODBC module for FreeRADIUS server
 freeradius-krb5 - kerberos module for FreeRADIUS server
 freeradius-ldap - LDAP module for FreeRADIUS server
 freeradius-mysql - MySQL module for FreeRADIUS server
 freeradius-postgresql - PostgreSQL module for FreeRADIUS server
 freeradius-utils - FreeRadius client utilities
 libfreeradius-dev - FreeRADIUS shared library development files
 libfreeradius2 - FreeRADIUS shared library
Closes: 496389
Changes: 
 freeradius (2.0.4+dfsg-6) unstable; urgency=low
 .
   * Fix unsafe use of tempfile (closes: #496389)






Information forwarded to debian-bugs-dist@lists.debian.org, Stephen Gran <sgran@debian.org>:
Bug#496389; Package freeradius-dialupadmin. (Thu, 09 Oct 2008 09:30:10 GMT) (full text, mbox, link).


Acknowledgement sent to Pavol Rusnak <prusnak@suse.cz>:
Extra info received and forwarded to list. Copy sent to Stephen Gran <sgran@debian.org>. (Thu, 09 Oct 2008 09:30:10 GMT) (full text, mbox, link).


Message #24 received at 496389@bugs.debian.org (full text, mbox, reply):

From: Pavol Rusnak <prusnak@suse.cz>
To: 496389@bugs.debian.org
Subject: 4 more files to be fixed
Date: Thu, 09 Oct 2008 11:29:08 +0200
[Message part 1 (text/plain, inline)]
According to the bug report, 5 files should be fixed and only one is fixed.
I'm attaching a patch that fixes another 4 in similar fashion.

-- 
Best Regards / S pozdravom,

Pavol RUSNAK                                       SUSE LINUX, s.r.o
Package Maintainer                                Lihovarska 1060/12
PGP 0xA6917144                                     19000 Praha 9, CR
prusnak[at]suse.cz                                http://www.suse.cz
[CVE-2008-4474.patch (text/x-patch, inline)]
--- dialup_admin/bin/clean_radacct
+++ dialup_admin/bin/clean_radacct
@@ -5,6 +5,7 @@
 # Works with mysql and postgresql
 #
 use POSIX;
+use File::Temp;
 
 $conf=shift||'/usr/share/dialup_admin/conf/admin.conf';
 $back_days = 35;
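Review bot: `use File::Temp;` depends on the module's default export list for `tempfile`; `use File::Temp qw(tempfile);` makes the imported name explicit and documents where the function in the second hunk comes from. The same applies to the matching hunk in each of the other three files.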
@@ -42,11 +43,10 @@
 
 $query = "DELETE FROM $sql_accounting_table WHERE AcctStopTime IS NULL AND AcctStartTime < '$date';";
 print "$query\n";
-open TMP, ">/tmp/clean_radacct.query"
-        or die "Could not open tmp file\n";
-print TMP $query;
-close TMP;
-$command = "$sqlcmd -h$sql_server -u$sql_username $sql_password $sql_database </tmp/clean_radacct.query" if ($sql_type eq 'mysql');
-$command = "$sqlcmd  -U $sql_username -f /tmp/clean_radacct.query $sql_database" if ($sql_type eq 'pg');
-$command = "$sqlcmd '$sql_server' '$sql_port' '' '$sql_username' '$sql_password' </tmp/clean_radacct.query" if ($sql_type eq 'sqlrelay');
+my ($fh, $tmp_filename) = tempfile() or die "Could not open tmp file\n";
+print $fh $query;
+close $fh;
+$command = "$sqlcmd -h$sql_server -u$sql_username $sql_password $sql_database < $tmp_filename" if ($sql_type eq 'mysql');
+$command = "$sqlcmd  -U $sql_username -f  $tmp_filename $sql_database" if ($sql_type eq 'pg');
+$command = "$sqlcmd '$sql_server' '$sql_port' '' '$sql_username' '$sql_password' < $tmp_filename" if ($sql_type eq 'sqlrelay');
 `$command`;
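Review bot: the temporary file is never removed. `tempfile()` is called without `UNLINK => 1` and there is no `unlink $tmp_filename` after the backtick call, so every run leaves a file containing the DELETE statement behind in the temp directory; either call `tempfile(UNLINK => 1)` or add `unlink $tmp_filename;` after `` `$command`; ``. Also, in `my ($fh, $tmp_filename) = tempfile() or die "Could not open tmp file\n";` the `die` is unreachable: `tempfile()` croaks on failure and `or` tests the list assignment, which is true whenever values were returned, so the `or die` can be dropped. Keeping `close $fh;` before running the command is right, since the query has to be flushed before the SQL client reads the file.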
--- dialup_admin/bin/monthly_tot_stats
+++ dialup_admin/bin/monthly_tot_stats
@@ -1,5 +1,6 @@
 #!/usr/bin/perl
 use POSIX;
+use File::Temp;
 
 # Log in the mtotacct table aggregated accounting information for
 # each user spaning in one month period.
@@ -51,14 +52,13 @@
 	AcctDate <= '$date_end' GROUP BY UserName,NASIPAddress;";
 print "$query1\n";
 print "$query2\n";
-open TMP, ">/tmp/tot_stats.query"
-	or die "Could not open tmp file\n";
-print TMP "ALTER SESSION SET NLS_TIMESTAMP_TZ_FORMAT='YYYY-MM-DD HH24:MI:SS.FF TZH:TZM';\n" if ($sql_type eq 'oracle');
-print TMP $query1;
-print TMP $query2;
-close TMP;
-$command = "$sqlcmd -h $sql_server -u $sql_username $sql_password $sql_database </tmp/tot_stats.query" if ($sql_type eq 'mysql');
-$command = "$sqlcmd  -U $sql_username -f /tmp/tot_stats.query $sql_database" if ($sql_type eq 'pg');
+my ($fh, $tmp_filename) = tempfile() or die "Could not open tmp file\n";
+print $fh "ALTER SESSION SET NLS_TIMESTAMP_TZ_FORMAT='YYYY-MM-DD HH24:MI:SS.FF TZH:TZM';\n" if ($sql_type eq 'oracle');
+print $fh $query1;
+print $fh $query2;
+close $fh;
+$command = "$sqlcmd -h $sql_server -u $sql_username $sql_password $sql_database < $tmp_filename" if ($sql_type eq 'mysql');
+$command = "$sqlcmd  -U $sql_username -f  $tmp_filename $sql_database" if ($sql_type eq 'pg');
 $command = "$sqlcmd  $sql_username/$pass" . "@" . "$sql_database <$tmpfile.$server" if ($sql_type eq 'oracle');
-$command = "$sqlcmd '$sql_server' '$sql_port' '' '$sql_username' '$sql_password' </tmp/tot_stats.query" if ($sql_type eq 'sqlrelay');
+$command = "$sqlcmd '$sql_server' '$sql_port' '' '$sql_username' '$sql_password' < $tmp_filename" if ($sql_type eq 'sqlrelay');
 `$command`;
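Review bot: the Oracle branch is left inconsistent with the rest of the hunk. The `ALTER SESSION ...` statement for `$sql_type eq 'oracle'` is now written to `$fh`, but the unchanged line `$command = "$sqlcmd  $sql_username/$pass" . "@" . "$sql_database <$tmpfile.$server" if ($sql_type eq 'oracle');` still reads from `$tmpfile.$server`, which is not set anywhere in the visible hunk; it should redirect from `$tmp_filename` like the mysql, pg and sqlrelay branches. As in clean_radacct, the temp file is also left behind after `` `$command` ``; `tempfile(UNLINK => 1)` or `unlink $tmp_filename;` would clean it up.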
--- dialup_admin/bin/tot_stats
+++ dialup_admin/bin/tot_stats
@@ -1,5 +1,6 @@
 #!/usr/bin/perl
 use POSIX;
+use File::Temp;
 
 # Log in the totacct table aggregated daily accounting information for
 # each user.
@@ -48,14 +49,13 @@
 	AcctStopTime < '$date_end' GROUP BY UserName,NASIPAddress;";
 print "$query1\n";
 print "$query2\n";
-open TMP, ">/tmp/tot_stats.query"
-	or die "Could not open tmp file\n";
-print TMP "ALTER SESSION SET NLS_TIMESTAMP_TZ_FORMAT='YYYY-MM-DD HH24:MI:SS.FF TZH:TZM';\n" if ($sql_type eq 'oracle');
-print TMP $query1;
-print TMP $query2;
-close TMP;
-$command = "$sqlcmd -h $sql_server -u $sql_username $sql_password $sql_database </tmp/tot_stats.query" if ($sql_type eq 'mysql');
-$command = "$sqlcmd  -U $sql_username -f /tmp/tot_stats.query $sql_database" if ($sql_type eq 'pg');
+my ($fh, $tmp_filename) = tempfile() or die "Could not open tmp file\n";
+print $fh "ALTER SESSION SET NLS_TIMESTAMP_TZ_FORMAT='YYYY-MM-DD HH24:MI:SS.FF TZH:TZM';\n" if ($sql_type eq 'oracle');
+print $fh $query1;
+print $fh $query2;
+close $fh;
+$command = "$sqlcmd -h $sql_server -u $sql_username $sql_password $sql_database < $tmp_filename" if ($sql_type eq 'mysql');
+$command = "$sqlcmd  -U $sql_username -f  $tmp_filename $sql_database" if ($sql_type eq 'pg');
 $command = "$sqlcmd  $sql_username/$pass" . "@" . "$sql_database <$tmpfile.$server" if ($sql_type eq 'oracle');
-$command = "$sqlcmd '$sql_server' '$sql_port' '' '$sql_username' '$sql_password' </tmp/tot_stats.query" if ($sql_type eq 'sqlrelay');
+$command = "$sqlcmd '$sql_server' '$sql_port' '' '$sql_username' '$sql_password' < $tmp_filename" if ($sql_type eq 'sqlrelay');
 `$command`;
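Review bot: same issue as in monthly_tot_stats: the Oracle line `... "$sql_database <$tmpfile.$server" if ($sql_type eq 'oracle');` is unchanged and still reads from `$tmpfile.$server` rather than the new `$tmp_filename`, so the Oracle-specific `ALTER SESSION` written to `$fh` is never fed to the client in that branch. Change it to `< $tmp_filename` alongside the other three, and remove the temp file after the command runs.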
--- dialup_admin/bin/truncate_radacct
+++ dialup_admin/bin/truncate_radacct
@@ -5,6 +5,7 @@
 # Works with mysql and postgresql
 #
 use POSIX;
+use File::Temp;
 
 $conf=shift||'/usr/share/dialup_admin/conf/admin.conf';
 $back_days = 90;
@@ -44,13 +45,12 @@
 $query .= "DELETE FROM $sql_accounting_table WHERE AcctStopTime < '$date' AND AcctStopTime IS NOT NULL ;";
 $query .= "UNLOCK TABLES;" if ($sql_type eq 'mysql');
 print "$query\n";
-open TMP, ">/tmp/truncate_radacct.query"
-        or die "Could not open tmp file\n";
-print TMP "ALTER SESSION SET NLS_TIMESTAMP_TZ_FORMAT='YYYY-MM-DD HH24:MI:SS.FF TZH:TZM';\n" if ($sql_type eq 'oracle');
-print TMP $query;
-close TMP;
-$command = "$sqlcmd -h$sql_server -u$sql_username $sql_password $sql_database </tmp/truncate_radacct.query" if ($sql_type eq 'mysql');
-$command = "$sqlcmd  -U $sql_username -f /tmp/truncate_radacct.query $sql_database" if ($sql_type eq 'pg');
+my ($fh, $tmp_filename) = tempfile() or die "Could not open tmp file\n";
+print $fh "ALTER SESSION SET NLS_TIMESTAMP_TZ_FORMAT='YYYY-MM-DD HH24:MI:SS.FF TZH:TZM';\n" if ($sql_type eq 'oracle');
+print $fh $query;
+close $fh;
+$command = "$sqlcmd -h$sql_server -u$sql_username $sql_password $sql_database < $tmp_filename" if ($sql_type eq 'mysql');
+$command = "$sqlcmd  -U $sql_username -f  $tmp_filename $sql_database" if ($sql_type eq 'pg');
 $command = "$sqlcmd  $sql_username/$pass" . "@" . "$sql_database <$tmpfile.$server" if ($sql_type eq 'oracle');
-$command = "$sqlcmd '$sql_server' '$sql_port' '' '$sql_username' '$sql_password' </tmp/truncate_radacct.query" if ($sql_type eq 'sqlrelay');
+$command = "$sqlcmd '$sql_server' '$sql_port' '' '$sql_username' '$sql_password' < $tmp_filename" if ($sql_type eq 'sqlrelay');
 `$command`;
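Review bot: the Oracle branch has the same gap as in monthly_tot_stats and tot_stats: `$command = "$sqlcmd  $sql_username/$pass" . "@" . "$sql_database <$tmpfile.$server" if ($sql_type eq 'oracle');` is untouched and reads from `$tmpfile.$server` instead of `$tmp_filename`, while the `ALTER SESSION` line for Oracle now goes into `$fh`. Switch it to `< $tmp_filename`, and add `unlink $tmp_filename;` (or `tempfile(UNLINK => 1)`) so the file holding the `LOCK TABLES`/`DELETE` sequence is not left in the temp directory.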

Information forwarded to debian-bugs-dist@lists.debian.org, Stephen Gran <sgran@debian.org>:
Bug#496389; Package freeradius-dialupadmin. (Thu, 09 Oct 2008 10:15:02 GMT) (full text, mbox, link).


Acknowledgement sent to Pavol Rusnak <prusnak@suse.cz>:
Extra info received and forwarded to list. Copy sent to Stephen Gran <sgran@debian.org>. (Thu, 09 Oct 2008 10:15:03 GMT) (full text, mbox, link).


Message #29 received at 496389@bugs.debian.org (full text, mbox, reply):

From: Pavol Rusnak <prusnak@suse.cz>
To: Stephen Gran <sgran@debian.org>
Cc: 496389@bugs.debian.org
Subject: Re: Bug#496389: 4 more files to be fixed
Date: Thu, 09 Oct 2008 12:06:45 +0200
Stephen Gran wrote:
> Ah, fair enough.  Somehow I missed them in the initial review, possibly
> because none of them were mentioned :/

Upstream bug: http://bugs.freeradius.org/show_bug.cgi?id=605

-- 
Best Regards / S pozdravom,

Pavol RUSNAK                                       SUSE LINUX, s.r.o
Package Maintainer                                Lihovarska 1060/12
PGP 0xA6917144                                     19000 Praha 9, CR
prusnak[at]suse.cz                                http://www.suse.cz




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#496389; Package freeradius-dialupadmin. (Thu, 09 Oct 2008 10:15:04 GMT) (full text, mbox, link).


Acknowledgement sent to Stephen Gran <sgran@debian.org>:
Extra info received and forwarded to list. (Thu, 09 Oct 2008 10:15:04 GMT) (full text, mbox, link).


Message #34 received at 496389@bugs.debian.org (full text, mbox, reply):

From: Stephen Gran <sgran@debian.org>
To: Pavol Rusnak <prusnak@suse.cz>, 496389@bugs.debian.org
Subject: Re: Bug#496389: 4 more files to be fixed
Date: Thu, 9 Oct 2008 11:02:03 +0100
[Message part 1 (text/plain, inline)]
This one time, at band camp, Pavol Rusnak said:
> According to the bug report, 5 files should be fixed and only one is fixed.
> I'm attaching a patch that fixes another 4 in similar fashion.

Ah, fair enough.  Somehow I missed them in the initial review, possibly
because none of them were mentioned :/

Cheers,
-- 
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        sgran@debian.org |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------
[signature.asc (application/pgp-signature, inline)]

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 16 Mar 2009 10:28:49 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:17:45 2019; Machine Name: buxtehude
