Your message dated Thu, 03 Feb 2005 00:34:08 +0100
with message-id <[EMAIL PROTECTED]>
and subject line wmfrog: multiple unsafe uses of files in /tmp fixed by package
removal
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 22 Nov 2004 02:08:28 +0000
Date: Sun, 21 Nov 2004 21:09:58 -0500
From: Joey Hess <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: multiple unsafe uses of files in /tmp
Package: wmfrog
Version: 0.1.6-2
Severity: grave
Tags: security
By default wmfrog uses /tmp as its temporary directory. No care is used
when writing or accessing files in this directory, which means that
wmfrog is vulnerable to symlink attacks, which a local attacker can
easily use to overwrite files owned by the user who runs wmfrog. There
are also potentially other attacks, such as buffer overflows.

#define TMP "/tmp/"
...
char tmp[255]=TMP;
...
sprintf(command, "/usr/lib/wmfrog/weather.pl %s %s %s &", StationID, tmp, proto);

my ($station, $tmpfolder, $proto) = @ARGV;
my $tmpfile = "$tmpfolder/$station.TMP";
`wget -q -O '$tmpfile' '$URI'`;

wget does not open -O files in a manner that is appropriate for use in /tmp.
This is easily exploitable with a symlink attack.

...
open(FILE,"> $tmpfolder/$station") || die "Couldn't open $tmpfolder/$station:$!";

Completely unsafe for use in /tmp, again symlink attackable.

...
sprintf(FileName, "/tmp/%s", StationID);
if ((fp = fopen(FileName, "r")) != NULL){
...
weatherFound=fscanf(fp, "Weather:%as", &Weather);

Are Weather and other character arrays safe from buffer overflows if fed
malicious data by an attacker? I have not checked.
There is a simple workaround: set -tmp to a directory only you can write to.
-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.27
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Versions of packages wmfrog depends on:
ii  libc6     2.3.2.ds1-18    GNU C Library: Shared libraries an
ii  libx11-6  4.3.0.dfsg.1-8  X Window System protocol client li
ii  libxext6  4.3.0.dfsg.1-8  X Window System miscellaneous exte
ii  libxpm4   4.3.0.dfsg.1-8  X pixmap library
ii  xlibs     4.3.0.dfsg.1-8  X Window System client libraries m
-- no debconf information
-- 
see shy jo
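
Added example, not part of the original report or of wmfrog's source: the open-for-write pattern the report quotes next to a hardened open, run against a symlink planted at the predictable file name. The scratch directory, the file names and the station ID KXXX are constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Same semantics as Perl's open(FILE, "> $path"): follows symlinks, truncates. */
static int open_unsafe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: fails if the name already exists, whether as a file or a symlink. */
static int open_safe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Plants a symlink at the predictable name, opens it with the chosen function,
 * and returns the victim's size afterwards: 6 = intact, 0 = truncated, -1 = setup error. */
long victim_size_after_open(int use_safe) {
    char dir[] = "/tmp/wmfrog-demo-XXXXXX";  /* constructed private scratch dir */
    char victim[64], station[64];
    struct stat st;
    long size = -1;
    FILE *v;

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(station, sizeof station, "%s/KXXX", dir);  /* KXXX: placeholder station ID */
    if ((v = fopen(victim, "w")) != NULL) {
        fputs("secret", v);
        fclose(v);
        if (symlink(victim, station) == 0) {
            int fd = use_safe ? open_safe(station) : open_unsafe(station);
            if (fd >= 0) close(fd);
            if (stat(victim, &st) == 0) size = (long)st.st_size;
            unlink(station);
        }
        unlink(victim);
    }
    rmdir(dir);
    return size;
}

int main(void) {
    printf("unsafe open: victim is %ld bytes\n", victim_size_after_open(0));
    printf("safe open:   victim is %ld bytes\n", victim_size_after_open(1));
    return 0;
}
```

On the hardened path open() fails with EEXIST, so the caller has to treat a failed open as an error rather than fall back to a weaker mode.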
---------------------------------------
Received: (at 282434-done) by bugs.debian.org; 2 Feb 2005 23:34:57 +0000
From: Marc 'HE' Brockschmidt <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: wmfrog: multiple unsafe uses of files in /tmp fixed by package removal
Organization: CPU+Mainboard-FAQ: http://www.dch-faq.de/
Date: Thu, 03 Feb 2005 00:34:08 +0100
Hi,
The package was removed from the archive.
Marc
--
BOFH #275:
Bit rot