Version: 1.7.0-2

Hi Steve,

On Thu, Jun 02, 2011 at 11:25:01PM +0100, Steve Kemp wrote:
>
> Package: fabric
> Version: 0.9.1-1
> Justification: causes serious data loss
> Severity: important
> Tags: security
>
> *** Please type your report below this line ***
>
> Fabric includes two modules which are marked as "contrib", and are
> included in the main package.
>
> These two modules both suffer from the same issue:
>
> * They write files with (semi-)predictable names, in world-readable
> and world-writeable locations.
>
> This allows a malicious local-user to pre-create the filenames which
> will be used, and allow the overwriting of arbitrary files the user
> invoking fabric controls.
>
> The relevant code is:
>
> fabric/contrib/projects.py:
>
> tar_file = "/tmp/fab.%s.tar" % datetime.utcnow().strftime(
> '%Y_%m_%d_%H-%M-%S')
> cwd_name = getcwd().split(sep)[-1]
> tgz_name = cwd_name + ".tar.gz"
> local("tar -czf %s ." % tar_file)

This now uses mkdtemp.

> fabric/contrib/files.py:
> basename = os.path.basename(filename)
> temp_destination = '/tmp/' + basename
> ...
> ...
> put(tempfile_name, temp_destination)
>
> [In the latter case the upload happens on the *remote* system.]

This code seems to have disappeared.

Ana

> -- System Information:
> Debian Release: 6.0.1
> APT prefers stable
> APT policy: (500, 'stable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 2.6.32-5-amd64 (SMP w/3 CPU cores)
> Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
>
> Versions of packages fabric depends on:
> ii python 2.6.6-3+squeeze6 interactive high-level object-orie
> ii python-paramiko 1.7.6-5 Make ssh v2 connections with Pytho
> ii python-pkg-resources 0.6.14-4 Package Discovery and Resource Acc
> ii python-support 1.0.10 automated rebuilding support for P
>
> fabric recommends no packages.
>
> fabric suggests no packages.
>
> -- no debconf information
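As an added illustration (not code from the bug report or from Fabric itself), the following places the clock-derived /tmp naming from projects.py beside the mkdtemp-based form the reply refers to, and adds a check for whether a temp path's parent directory is writable by other local users; the /tmp-like directory and the one-file project are constructed inline, and the function names are this example's own.

```python
import os
import stat
import tarfile
import tempfile
from datetime import datetime

def predictable_tar_path(shared_dir, now=None):
    """The pattern from the report: a clock-derived name placed directly in
    a shared, world-writable directory. Kept only for comparison."""
    now = now or datetime.utcnow()
    name = "fab.%s.tar" % now.strftime('%Y_%m_%d_%H-%M-%S')
    return os.path.join(shared_dir, name)

def is_private_path(path):
    """A temp path is private when its parent directory is owned by the
    caller and neither group- nor world-writable, so no other local user
    can pre-create or replace the entry (the defect in the report)."""
    st = os.lstat(os.path.dirname(path))
    writable_by_others = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
    return st.st_uid == os.getuid() and not writable_by_others

def pack_project(src_dir):
    """Hardened form: archive src_dir inside a fresh mkdtemp directory
    (random name, mode 0700) and create the file with O_EXCL, so a
    pre-existing entry raises FileExistsError instead of being followed."""
    tmpdir = tempfile.mkdtemp(prefix="fab.")
    base = os.path.basename(os.path.abspath(src_dir))
    tar_path = os.path.join(tmpdir, base + ".tar.gz")
    fd = os.open(tar_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh, tarfile.open(fileobj=fh, mode="w:gz") as tar:
        tar.add(src_dir, arcname=".")
    return tar_path

def archive_members(tar_path):
    """Names stored in the archive, used to check pack_project's result."""
    with tarfile.open(tar_path, "r:gz") as tar:
        return sorted(tar.getnames())

def demo():
    """Constructed inputs: a directory emulating /tmp (mode 1777) for the
    unsafe pattern, and a one-file project packed the safe way."""
    shared = tempfile.mkdtemp(prefix="shared.")
    os.chmod(shared, 0o1777)
    unsafe = predictable_tar_path(shared, datetime(2011, 6, 2, 23, 25, 1))
    project = tempfile.mkdtemp(prefix="proj.")
    with open(os.path.join(project, "fabfile.py"), "w") as fh:
        fh.write("# constructed sample file\n")
    return unsafe, pack_project(project)
```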