severity 496377 normal
thanks

Another false positive.

    file: /usr/lib/lazarus/tools/install/create_lazarus_export_tgz.sh

This script does:

if [ "x$Download" = "xyes" ]; then
  echo "downloading lazarus svn ..."
  cd /tmp
  rm -rf /tmp/lazarus
  svn export http://svn.freepascal.org/svn/lazarus/trunk lazarus
  cd -
else
  echo "extracting lazarus from local svn ..."
  SourceDir=$(pwd | sed -e 's#lazarus[_0-9]*/tools.*$#lazarus#')
  rm -rf /tmp/lazarus
  svn export $SourceDir /tmp/lazarus
fi

Revision=$(svnversion /tmp/lazarus)
echo "const RevisionStr = '$Revision';" > /tmp/lazarus/ide/revision.inc

cd /tmp
echo "packing ..."
tar cvzf lazarus.tgz lazarus
cd -
mv /tmp/lazarus.tgz $OutputFile
rm -rf /tmp/lazarus


Here's what svn does when you try a symlink attack against it:

$ ln -s /etc/network lazarus
$ svn export http://svn.freepascal.org/svn/lazarus/trunk lazarus
svn: 'lazarus' exists and is not a directory
$ rm lazarus
$ mkdir lazarus
$ ln -s /etc/network lazarus/.svn
$ svn export http://svn.freepascal.org/svn/lazarus/trunk lazarus
svn: Destination directory exists; please remove the directory or use --force to overwrite
svn: 'lazarus' already exists
$

And this script is set -e, so if the svn export fails, the script exits.

So that part is not vulnerable.

The subsequent tar cvzf command is potentially vulnerable, as tar will
happily follow the /tmp/lazarus.tgz symlink.

However, these tools are not used in the normal operation of this package;
they're scripts only useful for updating the version of the source itself,
which is already contained in the package, so this script is only useful to
a maintainer and not to a user.  As such, the risk is minimal and this
should not be treated as "grave".

The script is buggy and should be fixed, but there's nothing here that
should be RC.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
[EMAIL PROTECTED]                                     [EMAIL PROTECTED]
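The second half of the mail, the pre-planted symlink at /tmp/lazarus.tgz that tar's open(2) follows, is easy to reproduce without touching the real /tmp. The script below is an added example, not code from the original message or from the lazarus package: it builds a throwaway stand-in for /tmp with mktemp -d, constructs a small source tree and a victim file, plants the attacker's symlink at the predictable archive path, and runs two packers against it. vulnerable_pack mirrors the fixed-name pattern from the package script; hardened_pack writes the archive inside a private mktemp -d directory so there is no name to pre-create. All paths, file contents and function names here are chosen for the demonstration.

```shell
#!/bin/sh
# Added example: symlink race against a predictable tar output path in a
# shared directory, and the mktemp(1)-based form that avoids it.
# SANDBOX stands in for /tmp so nothing outside it is touched.
set -eu

SANDBOX=$(mktemp -d)
trap 'rm -rf "$SANDBOX"' EXIT

VICTIM="$SANDBOX/victim/interfaces"   # constructed file the attacker wants clobbered
REFERENCE="$SANDBOX/reference"        # pristine copy, used to detect clobbering

# Fresh state for each run: a tiny source tree to pack, the victim file, and
# the attacker's symlink planted at the predictable archive path.
reset_state() {
    rm -rf "$SANDBOX/src" "$SANDBOX/victim" "$SANDBOX/out" "$SANDBOX/lazarus.tgz"
    mkdir -p "$SANDBOX/src/lazarus/ide" "$SANDBOX/victim" "$SANDBOX/out"
    echo 'program hello; begin end.' > "$SANDBOX/src/lazarus/ide/main.pas"
    echo 'important configuration' > "$VICTIM"
    cp "$VICTIM" "$REFERENCE"
    # Attacker's move: whoever runs the packer will open(2) this path for
    # writing with O_CREAT|O_TRUNC, and open follows the symlink.
    ln -s "$VICTIM" "$SANDBOX/lazarus.tgz"
}

# Mirrors the package script: fixed, guessable name in the shared directory,
# then mv to the final output path.
vulnerable_pack() {
    ( cd "$SANDBOX/src" && tar czf "$SANDBOX/lazarus.tgz" lazarus )
    mv "$SANDBOX/lazarus.tgz" "$1"
}

# Hardened form: write into a private directory from mktemp -d (unpredictable
# name, mode 0700), so there is no path the attacker can pre-create, then
# rename the finished archive into place.
hardened_pack() {
    work=$(mktemp -d "$SANDBOX/lazarus-pack.XXXXXX")
    ( cd "$SANDBOX/src" && tar czf "$work/lazarus.tgz" lazarus )
    mv "$work/lazarus.tgz" "$1"
    rmdir "$work"
}

# Runs one packer against the planted symlink and prints two words:
# "clobbered" or "intact" for the victim file, and "symlink" or "regular"
# for what actually got delivered at the output path.
run_scenario() {
    reset_state
    "$1" "$SANDBOX/out/lazarus-export.tgz"
    if cmp -s "$VICTIM" "$REFERENCE"; then state=intact; else state=clobbered; fi
    if [ -L "$SANDBOX/out/lazarus-export.tgz" ]; then kind=symlink; else kind=regular; fi
    echo "$state $kind"
}

echo "vulnerable: $(run_scenario vulnerable_pack)"   # clobbered symlink
echo "hardened:   $(run_scenario hardened_pack)"     # intact regular
```

In the vulnerable run the gzip stream is written through the symlink into the victim file, and the final mv then renames the symlink itself to the output path, so the "archive" the maintainer ends up with is a link to someone else's file. The hardened run leaves the planted symlink untouched and delivers a regular file. The same reasoning applies to the rm -rf /tmp/lazarus and svn export steps: a private mktemp -d directory removes the guessable name they depend on.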


