Your message dated Wed, 28 May 2008 14:02:05 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#482476: fixed in apt 0.7.14
has caused the Debian Bug report #482476,
regarding Security: Unsafe lock file creation can be used to truncate arbitrary files
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
482476: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=482476
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: aptitude
Version: 0.4.11.2-1
Severity: serious
Since /var/lock is installed with mode 1777 on Debian systems, if
/var/lock/aptitude does not yet exist, a normal user can symlink it to an
arbitrary location on the filesystem. Aptitude then attempts to open
this file with mode O_TRUNC, allowing an ordinary user to truncate an
arbitrary file on the filesystem the next time the system administrator
opens aptitude.
Aptitude should use O_NOFOLLOW on the open call in question to avoid
inadvertent truncation.
-- Package-specific info:
aptitude 0.4.11.2 compiled at Apr 12 2008 04:21:26
Compiler: g++ 4.2.3 (Debian 4.2.3-3)
Compiled against:
apt version 4.6.0
NCurses version 5.6
libsigc++ version: 2.0.18
Ept support enabled.
Current library versions:
NCurses version: ncurses 5.6.20080308
cwidget version: 0.5.11
Apt version: 4.6.0
linux-gate.so.1 => (0xb7f38000)
libapt-pkg-libc6.7-6.so.4.6 => /usr/lib/libapt-pkg-libc6.7-6.so.4.6 (0xb7e63000)
libncursesw.so.5 => /lib/libncursesw.so.5 (0xb7e27000)
libsigc-2.0.so.0 => /usr/lib/libsigc-2.0.so.0 (0xb7e21000)
libcwidget.so.3 => /usr/lib/libcwidget.so.3 (0xb7d30000)
libept.so.0 => /usr/lib/libept.so.0 (0xb7cb8000)
libxapian.so.15 => /usr/lib/libxapian.so.15 (0xb7b45000)
libz.so.1 => /usr/lib/libz.so.1 (0xb7b30000)
libpthread.so.0 => /lib/i686/cmov/libpthread.so.0 (0xb7b18000)
libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0xb7a2b000)
libm.so.6 => /lib/i686/cmov/libm.so.6 (0xb7a05000)
libgcc_s.so.1 => /lib/libgcc_s.so.1 (0xb79f8000)
libc.so.6 => /lib/i686/cmov/libc.so.6 (0xb78aa000)
libutil.so.1 => /lib/i686/cmov/libutil.so.1 (0xb78a6000)
libdl.so.2 => /lib/i686/cmov/libdl.so.2 (0xb78a2000)
/lib/ld-linux.so.2 (0xb7f39000)
Terminal: screen
$DISPLAY not set.
`which aptitude`: /usr/bin/aptitude
aptitude version information:
aptitude linkage:
-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.18.8-domU-linode7 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages aptitude depends on:
ii apt [libapt-pkg-libc6. 0.7.11 Advanced front-end for dpkg
ii libc6 2.7-10 GNU C Library: Shared libraries
ii libcwidget3 0.5.11-1 high-level terminal interface libr
ii libept0 0.5.17 High-level library for managing De
ii libgcc1 1:4.3.0-3 GCC support library
ii libncursesw5 5.6+20080308-1 Shared libraries for terminal hand
ii libsigc++-2.0-0c2a 2.0.18-2 type-safe Signal Framework for C++
ii libstdc++6 4.3.0-3 The GNU Standard C++ Library v3
ii libxapian15 1.0.5-1 Search engine library
ii zlib1g 1:1.2.3.3.dfsg-12 compression library - runtime
Versions of packages aptitude recommends:
pn aptitude-doc-en | aptitude-do <none> (no description available)
ii libparse-debianchangelog-perl 1.1.1-2 parse Debian changelogs and output
-- no debconf information
--- End Message ---
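The mitigation the report asks for, as an added example that is not aptitude's or apt's own code: a lock-file open built on O_NOFOLLOW and without O_TRUNC, checked in a scratch directory under /tmp (assumed writable) where a constructed symlink named "aptitude" points at a file that must keep its contents.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hardened lock-file open: O_NOFOLLOW makes open() fail with ELOOP when the
 * last path component is a symlink, and O_TRUNC is deliberately omitted so
 * that even a race on an existing file cannot zero it.  The fstat() check
 * rejects anything other than a regular file.  Returns an fd, or -1 with
 * errno set. */
int open_lock_nofollow(const char *path)
{
    int fd = open(path, O_RDWR | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0640);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EINVAL;
        return -1;
    }
    return fd;
}

/* Constructed check (a scratch directory, not the real /var/lock): a symlink
 * named "aptitude" points at a file holding 14 bytes.  Returns 1 when the
 * hardened open refuses the link with ELOOP and the target keeps its size,
 * 0 otherwise. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/lockdemoXXXXXX", target[PATH_MAX], lnk[PATH_MAX];
    if (!mkdtemp(dir)) return 0;
    snprintf(target, sizeof target, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/aptitude", dir);
    FILE *f = fopen(target, "w");
    if (!f) return 0;
    fputs("important data", f);   /* 14 bytes that must survive */
    fclose(f);
    if (symlink(target, lnk) != 0) return 0;
    int fd = open_lock_nofollow(lnk);
    int refused = (fd < 0 && errno == ELOOP);
    if (fd >= 0) close(fd);
    struct stat st;
    int intact = (stat(target, &st) == 0 && st.st_size == 14);
    unlink(lnk); unlink(target); rmdir(dir);
    return refused && intact;
}
```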
--- Begin Message ---
Source: apt
Source-Version: 0.7.14
We believe that the bug you reported is fixed in the latest version of
apt, which is due to be installed in the Debian FTP archive:
apt-doc_0.7.14_all.deb
to pool/main/a/apt/apt-doc_0.7.14_all.deb
apt-transport-https_0.7.14_i386.deb
to pool/main/a/apt/apt-transport-https_0.7.14_i386.deb
apt-utils_0.7.14_i386.deb
to pool/main/a/apt/apt-utils_0.7.14_i386.deb
apt_0.7.14.dsc
to pool/main/a/apt/apt_0.7.14.dsc
apt_0.7.14.tar.gz
to pool/main/a/apt/apt_0.7.14.tar.gz
apt_0.7.14_i386.deb
to pool/main/a/apt/apt_0.7.14_i386.deb
libapt-pkg-dev_0.7.14_i386.deb
to pool/main/a/apt/libapt-pkg-dev_0.7.14_i386.deb
libapt-pkg-doc_0.7.14_all.deb
to pool/main/a/apt/libapt-pkg-doc_0.7.14_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Michael Vogt <[EMAIL PROTECTED]> (supplier of updated apt package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
Format: 1.8
Date: Wed, 28 May 2008 15:19:12 +0200
Source: apt
Binary: apt apt-doc libapt-pkg-dev libapt-pkg-doc apt-utils apt-transport-https
Architecture: source all i386
Version: 0.7.14
Distribution: unstable
Urgency: low
Maintainer: APT Development Team <[EMAIL PROTECTED]>
Changed-By: Michael Vogt <[EMAIL PROTECTED]>
Description:
apt - Advanced front-end for dpkg
apt-doc - Documentation for APT
apt-transport-https - APT https transport
apt-utils - APT utility programs
libapt-pkg-dev - Development files for APT's libapt-pkg and libapt-inst
libapt-pkg-doc - Documentation for APT development
Closes: 322470 387141 438803 459344 473360 479122 479313 479326 479342 479379 479403 479426 479452 479748 479777 479792 479847 479871 480125 480150 480561 480662 482476
Changes:
apt (0.7.14) unstable; urgency=low
.
[ Christian Perrier ]
* Mark a message from dselect backend as translatable
Thanks to Frédéric Bothamy for the patch
Closes: #322470
.
[ Program translations ]
* Simplified Chinese updated. Closes: #473360
* Catalan fixes. Closes: #387141
* Typo fix in Greek translation. Closes: #479122
* French updated.
* Thai updated. Closes: #479313
* Italian updated. Closes: #479326
* Polish updated. Closes: #479342
* Bulgarian updated. Closes: #479379
* Finnish updated. Closes: #479403
* Korean updated. Closes: #479426
* Basque updated. Closes: #479452
* Vietnamese updated. Closes: #479748
* Russian updated. Closes: #479777
* Galician updated. Closes: #479792
* Portuguese updated. Closes: #479847
* Swedish updated. Closes: #479871
* Dutch updated. Closes: #480125
* Kurdish added. Closes: #480150
* Brazilian Portuguese updated. Closes: #480561
* Hungarian updated. Closes: #480662
.
[ Otavio Salvador ]
* Apply patch to avoid truncating of arbitrary files. Thanks to Bryan Donlan <[EMAIL PROTECTED]> for the patch. Closes: #482476
* Avoid using dbus if dbus-daemon isn't running. Closes: #438803
.
[ Michael Vogt ]
* debian/apt.cron.daily:
- apply patch based on the ideas of Francesco Poli for better behavior when the cache can not be locked (closes: #459344)
Checksums-Sha1:
Checksums-Sha256:
Files:
--- End Message ---