Package: fabric
Version: 0.9.1-1
Justification: causes serious data loss
Severity: important
Tags: security
*** Please type your report below this line ***
Fabric includes two modules which are marked as "contrib", and are
included in the main package.
These two modules both suffer from the same issue:
* They write files with (semi-)predictable names, in world-readable
and world-writable locations.
This allows a malicious local user to pre-create the filenames which
will be used, allowing the overwriting of arbitrary files the user
invoking fabric controls.
The relevant code is:
fabric/contrib/projects.py:
tar_file = "/tmp/fab.%s.tar" % datetime.utcnow().strftime(
    '%Y_%m_%d_%H-%M-%S')
cwd_name = getcwd().split(sep)[-1]
tgz_name = cwd_name + ".tar.gz"
local("tar -czf %s ." % tar_file)
fabric/contrib/files.py:
basename = os.path.basename(filename)
temp_destination = '/tmp/' + basename
...
...
put(tempfile_name, temp_destination)
[In the latter case the upload happens on the *remote* system.]
-- System Information:
Debian Release: 6.0.1
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/3 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages fabric depends on:
ii python 2.6.6-3+squeeze6 interactive high-level object-orie
ii python-paramiko 1.7.6-5 Make ssh v2 connections with Pytho
ii python-pkg-resources 0.6.14-4 Package Discovery and Resource Acc
ii python-support 1.0.10 automated rebuilding support for P
fabric recommends no packages.
fabric suggests no packages.
-- no debconf information
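The pre-creation attack the report describes, as an added example that is neither Fabric's code nor the reporter's: a sandbox directory created with mkdtemp stands in for /tmp, a second-granularity name of the same shape as the one in fabric/contrib/projects.py is predicted, a symlink is planted at that name, and a plain open() follows it so the victim's own write lands on a file the victim controls. The hardened variants use O_CREAT|O_EXCL (plus O_NOFOLLOW where available) or tempfile.mkstemp, which is also the fix the /tmp/<basename> upload in fabric/contrib/files.py needs on the remote side. The victim file, the timestamp and the payload bytes are constructed for the demonstration.

```python
"""Predictable /tmp names vs. safe temporary files (added example, not Fabric code).

A fixed-format name under a shared, world-writable directory lets a local
attacker plant a symlink there first; the victim's later write is then
redirected onto whatever the symlink points at.  A mkdtemp() sandbox stands
in for /tmp so the script is safe to run anywhere.
"""
import os
import stat
import tempfile
from datetime import datetime


def predictable_tar_name(shared_dir, now):
    # Same shape as fabric/contrib/projects.py: a second-granularity timestamp,
    # guessable by anyone who can see roughly when the process starts.
    return os.path.join(shared_dir, "fab.%s.tar" % now.strftime("%Y_%m_%d_%H-%M-%S"))


def attacker_plant_symlink(predicted_path, target):
    # Attacker runs first and creates the predicted name as a symlink
    # to a file the victim owns and can write.
    os.symlink(target, predicted_path)


def victim_write_naive(path, data):
    # Plain open() follows the existing symlink: the write lands on `target`.
    with open(path, "wb") as fh:
        fh.write(data)


def victim_write_hardened(path, data):
    # O_CREAT|O_EXCL fails with EEXIST if anything already exists at `path`,
    # a symlink included; O_NOFOLLOW (where the platform has it) additionally
    # refuses to traverse a symlink at the final path component.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)


def victim_write_unpredictable(shared_dir, data):
    # mkstemp picks a random name and creates it with O_EXCL and mode 0600,
    # so there is no name to pre-create and no race window.
    fd, path = tempfile.mkstemp(prefix="fab.", suffix=".tar", dir=shared_dir)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def demo(shared_dir):
    """Run the attack and both defences in `shared_dir`.

    Returns (victim_file_clobbered, hardened_write_refused, mkstemp_file_mode).
    """
    victim_file = os.path.join(shared_dir, "victim_data")  # constructed target
    with open(victim_file, "wb") as fh:
        fh.write(b"important")

    now = datetime(2011, 4, 1, 12, 0, 0)  # constructed timestamp
    predicted = predictable_tar_name(shared_dir, now)
    attacker_plant_symlink(predicted, victim_file)

    # Naive write follows the planted symlink and overwrites the victim's file.
    victim_write_naive(predicted, b"attacker-chosen")
    with open(victim_file, "rb") as fh:
        clobbered = fh.read() == b"attacker-chosen"

    # Hardened write to the same pre-created name is refused outright.
    try:
        victim_write_hardened(predicted, b"archive")
        hardened_refused = False
    except FileExistsError:
        hardened_refused = True

    # Unpredictable name: nothing for the attacker to plant, file is 0600.
    safe_path = victim_write_unpredictable(shared_dir, b"archive")
    safe_mode = stat.S_IMODE(os.stat(safe_path).st_mode)
    return clobbered, hardened_refused, safe_mode


def run_demo_in_sandbox():
    # Fresh private directory standing in for /tmp.
    return demo(tempfile.mkdtemp(prefix="fabdemo."))


if __name__ == "__main__":
    clobbered, refused, mode = run_demo_in_sandbox()
    print("naive write clobbered victim file:", clobbered)
    print("O_EXCL write refused planted name:", refused)
    print("mkstemp file mode: %o" % mode)
```

The important detail is that O_EXCL makes the kernel refuse a pre-existing name rather than silently following it, and mkstemp removes the predictable name altogether; an application that must use a fixed name in a shared directory should do neither and instead use a per-user directory it creates itself.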