Your message dated Tue, 26 Aug 2008 09:17:12 +0000 with message-id <[EMAIL PROTECTED]> and subject line Bug#496462: fixed in nvi 1.81.6-4 has caused the Debian Bug report #496462, regarding nvi: security vulnerability in creation of shared directory in postinst to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [EMAIL PROTECTED] immediately.) -- 496462: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496462 Debian Bug Tracking System Contact [EMAIL PROTECTED] with problems
--- Begin Message ---Package: nvi Version: 1.79-25 Severity: grave Tags: security patch Hi everyone, Going through the list of packages listed at [1] I noticed the overrides are completely wrong and it *is* a security issue. I verified versions 1.79-25 and 1.81.6-3 (etch and lenny, respectively) of the package and are both affected. An attacker could create /var/tmp/vi.recover as a symlink pointing to some directory (e.g. /) and abuse the code in the postinst script to make it a+wxr. The code portion follows: if [ $1 = "configure" ] ; then [ -d /var/tmp/vi.recover ] || mkdir -p /var/tmp/vi.recover chown root:root /var/tmp/vi.recover chmod 1777 /var/tmp/vi.recover fi The main mistake is to ignore any possible failure of mkdir to create the directory (probably because it already exists, and might not be a directory). Attached is a simple patch that aborts the execution of the postinst if mkdir fails, of course a better way to do it would be to use 'set -e' and review the usage of /var/tmp/vi.recover. [1]http://lintian.debian.org/tags/possibly-insecure-handling-of-tmp-files-in-maintainer-script.html Kind regards, -- Atomo64 - Raphael Please avoid sending me Word, PowerPoint or Excel attachments. See http://www.gnu.org/philosophy/no-word-attachments.htmldiff -urN nvi-1.81.6.orig/debian/postinst nvi-1.81.6/debian/postinst --- nvi-1.81.6.orig/debian/postinst 2008-08-24 17:10:47.000000000 -0500 +++ nvi-1.81.6/debian/postinst 2008-08-24 17:14:39.000000000 -0500 @@ -11,7 +11,7 @@ --slave /usr/share/man/man1/editor.1.gz editor.1.gz /usr/share/man/man1/nvi.1.gz if [ $1 = "configure" ] ; then - [ -d /var/tmp/vi.recover ] || mkdir -p /var/tmp/vi.recover + [ -d /var/tmp/vi.recover ] || mkdir -p /var/tmp/vi.recover || exit $? chown root:root /var/tmp/vi.recover chmod 1777 /var/tmp/vi.recover fi
signature.asc
Description: This is a digitally signed message part.
--- End Message ---
--- Begin Message ---Source: nvi Source-Version: 1.81.6-4 We believe that the bug you reported is fixed in the latest version of nvi, which is due to be installed in the Debian FTP archive: nvi-doc_1.81.6-4_all.deb to pool/main/n/nvi/nvi-doc_1.81.6-4_all.deb nvi_1.81.6-4.diff.gz to pool/main/n/nvi/nvi_1.81.6-4.diff.gz nvi_1.81.6-4.dsc to pool/main/n/nvi/nvi_1.81.6-4.dsc nvi_1.81.6-4_amd64.deb to pool/main/n/nvi/nvi_1.81.6-4_amd64.deb A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [EMAIL PROTECTED], and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Jan Christoph Nordholz <[EMAIL PROTECTED]> (supplier of updated nvi package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [EMAIL PROTECTED]) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Format: 1.8 Date: Mon, 25 Aug 2008 19:43:31 +0200 Source: nvi Binary: nvi nvi-doc Architecture: source all amd64 Version: 1.81.6-4 Distribution: unstable Urgency: high Maintainer: Jan Christoph Nordholz <[EMAIL PROTECTED]> Changed-By: Jan Christoph Nordholz <[EMAIL PROTECTED]> Description: nvi - 4.4BSD re-implementation of vi nvi-doc - 4.4BSD re-implementation of vi - documentation files Closes: 496462 Changes: nvi (1.81.6-4) unstable; urgency=high . * Safeguard the creation of /var/tmp/vi.recover in the postinst against symlink attacks. Thanks Raphael Geissert for spotting this. RC security bug, urgency bumped. Closes: #496462. Checksums-Sha1: 95f78b8fba8574d795288720795be9365fdc9f81 1067 nvi_1.81.6-4.dsc 7f12911134d75c5d8611ea3eb706c3d2470e810a 83973 nvi_1.81.6-4.diff.gz d1ec29476af4dab80a046b4e86ac627fbdc17cbe 116294 nvi-doc_1.81.6-4_all.deb 17a82f46e169374cc708e3268338a4cebd56125b 272574 nvi_1.81.6-4_amd64.deb Checksums-Sha256: 95aadcaa5c2546d343bdc680a53dc0abef74fa4cb33b853ee4f32af24c01b1b9 1067 nvi_1.81.6-4.dsc b1e3ae2c5d1b814ae014a85459db14cc1fc81b42b00ab7f0a49cc970c28e6946 83973 nvi_1.81.6-4.diff.gz 3d5219b46f58fd13efef7b9a04f1b5ac8dfd9923c8f3b7a04acec635a8003b10 116294 nvi-doc_1.81.6-4_all.deb 86bdbc630facaaa7035ef3f06d0f6b9bff03edcc52e49027b3f1844972c72942 272574 nvi_1.81.6-4_amd64.deb Files: 7dfc72ba4d38f0db6c0ab33728a65a8a 1067 editors optional nvi_1.81.6-4.dsc 54ee55bcd37fd11eb2c124dc096bd613 83973 editors optional nvi_1.81.6-4.diff.gz 86120874ac1994480c4e6e6f5c371930 116294 doc optional nvi-doc_1.81.6-4_all.deb 974c1189e723ae4966f891393bff6a38 272574 editors optional nvi_1.81.6-4_amd64.deb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAkizxJcACgkQHYflSXNkfP9p1QCfSteuDjP15ZF3DY4PlY1+HPvs OrIAnR3nasIIpyI2eVxQLLCfIQ2Ha7Ek =rlR8 -----END PGP SIGNATURE-----
--- End Message ---

