Your message dated Tue, 26 Aug 2008 09:17:12 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#496462: fixed in nvi 1.81.6-4
has caused the Debian Bug report #496462,
regarding nvi: security vulnerability in creation of shared directory in 
postinst
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
496462: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496462
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: nvi
Version: 1.79-25
Severity: grave
Tags: security patch

Hi everyone, 

Going through the list of packages listed at [1] I noticed the overrides are 
completely wrong and it *is* a security issue. I verified versions 1.79-25 
and 1.81.6-3 (etch and lenny, respectively) of the package and are both 
affected.

An attacker could create /var/tmp/vi.recover as a symlink pointing to some 
directory (e.g. /) and abuse the code in the postinst script to make it 
a+wxr.

The code portion follows:
if [ $1 = "configure" ] ; then
    [ -d /var/tmp/vi.recover ] || mkdir -p /var/tmp/vi.recover
    chown root:root /var/tmp/vi.recover
    chmod 1777 /var/tmp/vi.recover
fi

The main mistake is to ignore any possible failure of mkdir to create the 
directory (probably because it already exists, and might not be a directory).

Attached is a simple patch that aborts the execution of the postinst if mkdir 
fails, of course a better way to do it would be to use 'set -e' and review 
the usage of /var/tmp/vi.recover.

[1]http://lintian.debian.org/tags/possibly-insecure-handling-of-tmp-files-in-maintainer-script.html

Kind regards,
-- 
Atomo64 - Raphael

Please avoid sending me Word, PowerPoint or Excel attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html
diff -urN nvi-1.81.6.orig/debian/postinst nvi-1.81.6/debian/postinst
--- nvi-1.81.6.orig/debian/postinst	2008-08-24 17:10:47.000000000 -0500
+++ nvi-1.81.6/debian/postinst	2008-08-24 17:14:39.000000000 -0500
@@ -11,7 +11,7 @@
   --slave /usr/share/man/man1/editor.1.gz editor.1.gz /usr/share/man/man1/nvi.1.gz
 
 if [ $1 = "configure" ] ; then
-    [ -d /var/tmp/vi.recover ] || mkdir -p /var/tmp/vi.recover
+    [ -d /var/tmp/vi.recover ] || mkdir -p /var/tmp/vi.recover || exit $?
     chown root:root /var/tmp/vi.recover
     chmod 1777 /var/tmp/vi.recover
 fi

Attachment: signature.asc
Description: This is a digitally signed message part.


--- End Message ---
--- Begin Message ---
Source: nvi
Source-Version: 1.81.6-4

We believe that the bug you reported is fixed in the latest version of
nvi, which is due to be installed in the Debian FTP archive:

nvi-doc_1.81.6-4_all.deb
  to pool/main/n/nvi/nvi-doc_1.81.6-4_all.deb
nvi_1.81.6-4.diff.gz
  to pool/main/n/nvi/nvi_1.81.6-4.diff.gz
nvi_1.81.6-4.dsc
  to pool/main/n/nvi/nvi_1.81.6-4.dsc
nvi_1.81.6-4_amd64.deb
  to pool/main/n/nvi/nvi_1.81.6-4_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jan Christoph Nordholz <[EMAIL PROTECTED]> (supplier of updated nvi package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 25 Aug 2008 19:43:31 +0200
Source: nvi
Binary: nvi nvi-doc
Architecture: source all amd64
Version: 1.81.6-4
Distribution: unstable
Urgency: high
Maintainer: Jan Christoph Nordholz <[EMAIL PROTECTED]>
Changed-By: Jan Christoph Nordholz <[EMAIL PROTECTED]>
Description: 
 nvi        - 4.4BSD re-implementation of vi
 nvi-doc    - 4.4BSD re-implementation of vi - documentation files
Closes: 496462
Changes: 
 nvi (1.81.6-4) unstable; urgency=high
 .
   * Safeguard the creation of /var/tmp/vi.recover in the postinst
     against symlink attacks. Thanks Raphael Geissert for spotting
     this. RC security bug, urgency bumped. Closes: #496462.
Checksums-Sha1: 
 95f78b8fba8574d795288720795be9365fdc9f81 1067 nvi_1.81.6-4.dsc
 7f12911134d75c5d8611ea3eb706c3d2470e810a 83973 nvi_1.81.6-4.diff.gz
 d1ec29476af4dab80a046b4e86ac627fbdc17cbe 116294 nvi-doc_1.81.6-4_all.deb
 17a82f46e169374cc708e3268338a4cebd56125b 272574 nvi_1.81.6-4_amd64.deb
Checksums-Sha256: 
 95aadcaa5c2546d343bdc680a53dc0abef74fa4cb33b853ee4f32af24c01b1b9 1067 
nvi_1.81.6-4.dsc
 b1e3ae2c5d1b814ae014a85459db14cc1fc81b42b00ab7f0a49cc970c28e6946 83973 
nvi_1.81.6-4.diff.gz
 3d5219b46f58fd13efef7b9a04f1b5ac8dfd9923c8f3b7a04acec635a8003b10 116294 
nvi-doc_1.81.6-4_all.deb
 86bdbc630facaaa7035ef3f06d0f6b9bff03edcc52e49027b3f1844972c72942 272574 
nvi_1.81.6-4_amd64.deb
Files: 
 7dfc72ba4d38f0db6c0ab33728a65a8a 1067 editors optional nvi_1.81.6-4.dsc
 54ee55bcd37fd11eb2c124dc096bd613 83973 editors optional nvi_1.81.6-4.diff.gz
 86120874ac1994480c4e6e6f5c371930 116294 doc optional nvi-doc_1.81.6-4_all.deb
 974c1189e723ae4966f891393bff6a38 272574 editors optional nvi_1.81.6-4_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkizxJcACgkQHYflSXNkfP9p1QCfSteuDjP15ZF3DY4PlY1+HPvs
OrIAnR3nasIIpyI2eVxQLLCfIQ2Ha7Ek
=rlR8
-----END PGP SIGNATURE-----



--- End Message ---

Reply via email to