Package: debsigs
Version: 0.1.25
Severity: normal
Tags: patch

Dear Maintainer,

When debsigs creates its temporary directory, it just uses
"/tmp/debsigndeb.$$" where "$$" is the process ID.  Using a predictable
temporary file name can be a security issue if an attacker is able to
create the path first.  However, since debsig uses a temporary directory,
not a file, only a denial of service attack is possible.

It would be safer to use the built-in mkdtemp() function when creating
the temporary directory, which creates a random name and will retry
as needed if the chosen name already exists.

The attached fix is also in gitlab as:
    https://gitlab.com/debsigs/debsigs/-/merge_requests/2

 - todd


-- System Information:
Debian Release: 11.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-8-amd64 (SMP w/2 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages debsigs depends on:
ii  binutils  2.35.2-2
ii  gnupg     2.2.27-2
ii  perl      5.32.1-4+deb11u2

Versions of packages debsigs recommends:
ii  debsig-verify  0.23+b2

debsigs suggests no packages.

-- no debconf information
commit 9cd7c457001ec6b10fc77ae370046583511c6d24
Author: Todd C. Miller <todd.mil...@sudo.ws>
Date:   Sun Sep 26 19:31:20 2021 -0600

    Use mkdtemp() to create the temp dir instead of using a predictable name.

diff --git a/debsigs b/debsigs
index ee77ff8..903ee14 100644
--- a/debsigs
+++ b/debsigs
@@ -25,6 +25,7 @@ use Debian::debsigs::forktools ':all';
 use Debian::debsigs::gpg;
 use Getopt::Long;
 use List::Util qw(first);
+use File::Temp qw(:mktemp);
 use IO::File;
 use POSIX ":sys_wait_h";
 
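Review bot: the `:mktemp` tag on the added `use File::Temp` line imports mktemp(), mkstemp() and mkstemps() along with mkdtemp(), and only mkdtemp() is used in this patch. Importing it by name, `use File::Temp qw(mkdtemp);`, keeps the race-prone mktemp() out of the script's namespace and makes the dependency explicit.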
@@ -185,8 +186,8 @@ sub cmd_delete($) {
 
 
 sub mktempdir() {
-  mkdir("/tmp/debsigndeb.$$", 0700) or die "couldn't mkdir: $!";
-  return "/tmp/debsigndeb.$$";
+  my $dir = mkdtemp("/tmp/debsigs.XXXXXX") or die "couldn't mkdtemp: $!";
+  return $dir;
 }
 
 sub syntax($) {
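Review bot: the template passed to mkdtemp() in mktempdir() still hard-codes /tmp, so a user's TMPDIR setting is ignored; consider building the template from File::Spec->tmpdir, or using File::Temp's `tempdir("debsigs.XXXXXX", TMPDIR => 1)`. Also, File::Temp's mkdtemp() croaks on failure instead of returning false, so the `or die "couldn't mkdtemp: $!"` branch should never run and `$!` is not the error that gets reported; drop it or wrap the call in eval if a custom message is wanted. The directory prefix also changes from debsigndeb to debsigs, which is worth a line in the commit message in case anything else matches on the old name.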

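The failure mode described in the report, next to the behaviour of the patched call, as an added example that is not part of the original report or of debsigs. The helper names `old_mktempdir` and `new_mktempdir` and the scratch directory standing in for /tmp are assumptions made for the demonstration.

```perl
#!/usr/bin/perl
# Added illustration, not debsigs code. Everything happens inside a private
# scratch directory that stands in for /tmp and is removed on exit.
use strict;
use warnings;
use File::Temp qw(tempdir mkdtemp);

my $scratch = tempdir("tmpdemo.XXXXXX", TMPDIR => 1, CLEANUP => 1);

# Old behaviour: the name depends only on the PID, so whoever can write to
# the parent directory can create the path first.
sub old_mktempdir {
    my ($base) = @_;
    my $dir = "$base/debsigndeb.$$";
    mkdir($dir, 0700) or die "couldn't mkdir: $!\n";
    return $dir;
}

# Patched behaviour: mkdtemp() replaces the X's with random characters and
# tries another name if the candidate already exists.
sub new_mktempdir {
    my ($base) = @_;
    return mkdtemp("$base/debsigs.XXXXXX");
}

# Constructed scenario: the predictable path already exists.
mkdir("$scratch/debsigndeb.$$", 0755) or die "setup failed: $!\n";

# The old code cannot proceed (EEXIST): the denial of service from the report.
my $old = eval { old_mktempdir($scratch) };
print "old: ", (defined $old ? "created $old\n" : "failed: $@");

# The patched code is unaffected by the pre-created path.
my $new  = new_mktempdir($scratch);
my $mode = (stat $new)[2] & 07777;
printf "new: created %s (mode %04o)\n", $new, $mode;
```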