
Re: Possible mass bug filing: The possibility of attack with the help of symlinks in some Debian packages



DEO> Package: mplayer nws ppp twiki
DEO> Severity: grave
DEO> Tags: security
DEO> This message about the error concerns a few packages at once. I've
DEO> tested all the packages on my Debian mirror. (post|pre)(inst|rm) and
DEO> config scripts were tested.
DEO> In some packages I've discovered scripts with errors which may be used
DEO> by a user for damaging important system files.
DEO> For example if a script uses in its work a temp file which is created
DEO> in /tmp directory, then every user can create symlink with the same
DEO> name in this directory in order to destroy or rewrite some system
DEO> file.
DEO> I set Severity into grave for this bug. The table of discovered
DEO> problems is below.
DEO> +------------------+-----------------+----------------------------------
DEO> | package | script | file for attack
DEO> +------------------+-----------------+----------------------------------
DEO> | mplayer-1.0~rc2 | config | /tmp/HACK (pipe)
DEO> | | |
DEO> | nws-2.13 | postinst | /tmp/nws.debug (cp)
DEO> | | |
mplayer & nws - mistake, sorry
DEO> | ppp-2.4.4rel | postinst | /tmp/probe-finished (rm -f, pipe)
DEO> | | postinst | /tmp/ppp-errors (rm -f, pipe)
DEO> | ppp-udeb | /etc/ppp/ip-up | /tmp/resolv.conf.tmp (cp)
DEO> | | |
DEO> | twiki-4.1.2 | postinst | /tmp/twiki (chmod 1777, chown)
DEO> +------------------+-----------------+----------------------------------
I could have made a few mistakes, sorry if so :)
 additional table:
 package                     script in usr/bin           file for attack
                             or etc
                             or /usr/sbin
 arb_0.0.20071207.1-4        arb-kill                    /tmp/arb_pids_${USER}_*
                                                         /tmp/arb_pids_*_* (rm -f)
 newsgate_1.6-23             mkmailpost                  /tmp/mmp$$ (pipe, rm -f)
 libalps-bin_1.2.2-1         changestylesheet            /tmp/tmp$$ (pipe)
                             convert2html                /tmp/input$$ (pipe)
                             convert2text                /tmp/input$$ (pipe)
                             extractgp                   /tmp/archive2plot$$.xsl (pipe)
                                                         /tmp/archive$$ (pipe)
                                                         /tmp/plot$$ (pipe)
                             extracthtml                 /tmp/archive2plot$$.xsl (pipe)
                                                         /tmp/plot$$ (pipe)
                                                         /tmp/archive$$ (pipe)
                             extracttext                 /tmp/archive$$ (pipe)
                                                         /tmp/archive2plot$$.xsl (pipe)
                                                         /tmp/plot$$ (pipe)
                             transformall                /tmp/archive$$ (pipe)
                                                         /tmp/plot$$ (pipe)
 netdisco-mibs-installer_1.0 netdisco-mibs-install       /tmp/netdisco-mibs-0.6.tar.gz (unpack)
                             netdisco-mibs-download      /tmp/netdisco-mibs-0.6.tar.gz (write)
 cman_2.20080801-1           fence_apc_snmp              /tmp/apclog (append)
 nvidia-cg-toolkit_2.0.0015  nvidia-cg-toolkit-installer /tmp/nvidia-cg-toolkit-manifest (w)
 osdsh_0.7.0-9               osdshconfig                 /tmp/osdsh.$uid (fifo)
 os-prober_1.17              os-prober                   /tmp/mounted-map (pipe)
                                                         /tmp/raided-map (pipe)
 netmrg_0.20-1               rrdedit                     /tmp/$1.xml (pipe)
 xcal_4.1-18                 pscal                       /tmp/pscal$$ (pipe, rm -f)
 tkusr_0.82                  tkusr                       /tmp/tkusr.pgm (w)
 tkman_2.2-3                 tkman                       /tmp/ll (pipe)
                                                         /tmp/tkman$$
 mysql-client-5.1            mysqlbug                    /tmp/failed-mysql-bugreport (mv)
 libpam-mount_0.43-1         passwdehd                   /tmp/passwdehd.$$ (pipe, mv)
 libmyspell-dev_3.1-18       i2myspell                   /tmp/i2my$$.1 (pipe)
 jailer_0.4-9                updatejail                  /tmp/$$.updatejail (pipe, append)
 ltp_20060918-2.1            ltpmenu                     /tmp/runltp.mainmenu.$$ (pipe)
 mafft_6.240-1               mafft-homologs              /tmp/_vf$$ (pipe)
 mailscanner_4.55.10-3       trend-autoupdate.new        /tmp/opr.ini.$$ (write)
                                                         /tmp/lpt$NEWVER.zip (write, move to /etc/iscan)
 gpsdrive_2.09-2.1           geo-code                    /tmp/geo$$ (tempfile)
 (gpsdrive-scripts)                                      /tmp/geo.yahoo (pipe)
                                                         /tmp/geo.coords (cp)
                             geo-nearest                 /tmp/geocaching.loc (cp)
                                                         /tmp/geo$$.* | /tmp/geo.* (pipe, write..)
 flamethrower_0.1.8-1        flamethrower                /tmp/multicast.tar.$$ (write, rm)
 dist_3.70-31                patcil                      /tmp/cil$$ (pipe)
                             paddiff                     /tmp/pdo$$ (cp)
                                                         /tmp/pdn$$ (cp)
 crip_3.7-3                  editcomment                 /tmp/$1.tag.tmp (pipe, mv)
 freebsd-sendpr_3.113+5.3    sendbug                     /tmp/pr.$$ (mv)
 apertium_3.0.7+1-1          apertium                    /tmp/$$odtsalida.zip (write)
 aview_1.3.0rc1-8            asciiview                   /tmp/aview$$.pgm (mkfifo, pipe)
 fwbuilder_2.1.19-3          fwb_install                 /tmp/ssh-agent.$$ (pipe)
 mgetty-fax_1.1.36-1.2       faxspool                    /tmp/faxsp.$$ (pipe)
 mindi_2.20-2                mindi                       /tmp/spongebob.squarepants.txt (pipe)
                                                         /tmp/parted2fdisk.log (touch)
                                                         /tmp/mke2fs.$$ (pipe)
                                                         /tmp/$$.mk (pipe)
                                                         /tmp/*.img, /tmp/*.mpt..
 multi-gnome-terminal_1.6.2  mgt-helper                  /tmp/$WHOAMI.debug (pipe)
                                                         /tmp/$WHOAMI.env (pipe)
--
... mpd is off
. ''`. Dmitry E. Oboukhov
: :’ : unera@debian.org
`. `~’ GPGKey: 1024D / F8E26537 2006-11-21
 `- 1B23 D4F8 8EC0 D902 0555 E438 AB8C 00CF F8E2 6537
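
The predictable-name pattern listed in the tables above, beside a mktemp-based replacement, as an added example that is not part of the original message. The function names and the private sandbox directory standing in for /tmp are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration; write_predictable, write_mktemp and demo are
# hypothetical names, and all data is constructed inside a private sandbox.

# Pattern from the table: a fixed or $$-based name in a shared directory.
# The ">" redirection follows whatever already exists at that path,
# including a symlink created earlier by another user.
write_predictable() {   # $1 = shared directory, $2 = data
    tmp="$1/pscal$$"
    printf '%s\n' "$2" > "$tmp"
}

# Hardened form: mktemp chooses an unpredictable name and creates the file
# exclusively (mode 0600), so a file or symlink that is already present
# is never opened. Prints the path it used.
write_mktemp() {        # $1 = shared directory, $2 = data
    tmp=$(mktemp "$1/pscal.XXXXXXXXXX") || return 1
    printf '%s\n' "$2" > "$tmp"
    printf '%s\n' "$tmp"
}

# "$box/tmp" stands in for /tmp and "$box/victim" for a system file.
# A symlink already sits at the name the first function will use.
demo() {
    box=$(mktemp -d) || return 1
    mkdir "$box/tmp"
    echo original > "$box/victim"
    ln -s "$box/victim" "$box/tmp/pscal$$"

    write_predictable "$box/tmp" "script output"
    after_predictable=$(cat "$box/victim")   # victim was overwritten

    echo original > "$box/victim"
    used=$(write_mktemp "$box/tmp" "script output")
    after_mktemp=$(cat "$box/victim")        # victim is untouched

    rm -rf "$box"
}

demo && printf 'predictable name: victim holds "%s"\nmktemp: victim holds "%s"\n' \
    "$after_predictable" "$after_mktemp"
```

The same replacement applies to the `cp`, `mv` and `rm -f` entries in the tables: the script should only ever operate on a path that mktemp returned to it.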
