Package: devscripts
Version: 2.10.41
Severity: serious
Tags: patch security
Justification: Vulnerable to symlink attacks (unless I'm mistaken).
Hi,

mktemp(1) says it all:

,--
| The trailing ‘Xs’ are replaced with a combination of the current
| process number and random letters. The name chosen depends both on
| the number of ‘Xs’ in the template and the number of collisions with
| pre-existing files. The number of unique filenames mktemp can return
| depends on the number of ‘Xs’ provided; ten ‘Xs’ will result in
| mktemp testing roughly 26 ** 10 combinations.
`--

but your usage of mktemp is bogus, since .$2 is appended to the X's. The attached patch fixes this (I used local set -x/+x to check the filenames).

I only happened to discover this bug after signing was aborted (I wanted to have an extra look at a package, so I hit “cancel” in pinentry), and when running debsign the 2nd time on the very same package, nothing was happening. strace'ing pointed to the same file being tried again and again, with all X's, since that file didn't go away after the aborted signing step.

Since the filename is predictable, I guess debsign is vulnerable to symlink attacks and the like (although I'm no security crack, etc., sorry if I'm overthinking the consequences of this bug).

Mraw,
KiBi.
-- Package-specific info:
--- /etc/devscripts.conf ---

--- ~/.devscripts ---
export BTS_MAIL_READER='mutt -F ~/mail/SOMEFILEYOUDONTHAVETOKNOWABOUT.rc -f %s'

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.28-rc6-kibi-00189-g15d1ff2 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages devscripts depends on:
ii  dpkg-dev  1.14.23    Debian package development tools
ii  libc6     2.7-16     GNU C Library: Shared libraries
ii  perl      5.10.0-18  Larry Wall's Practical Extraction

Versions of packages devscripts recommends:
ii  at                  3.1.10.2               Delayed job execution and batch pr
ii  bsd-mailx [mailx]   8.1.2-0.20081101cvs-2  A simple mail user agent
ii  bzr                 1.5-1.1                easy to use distributed version co
ii  curl                7.18.2-7               Get a file from an HTTP, HTTPS or
ii  cvs                 1:1.12.13-12           Concurrent Versions System
ii  dctrl-tools         2.13.0                 Command-line tools to process Debi
ii  debian-keyring      2008.11.30             GnuPG (and obsolete PGP) keys of D
ii  debian-maintainers  1.49                   GPG keys of Debian maintainers
ii  dput                0.9.2.36               Debian package upload tool
ii  epiphany-gecko [ww  2.22.3-8+b1            Intuitive GNOME web browser - Geck
ii  equivs              2.0.7-0.1              Circumvent Debian package dependen
ii  fakeroot            1.11                   Gives a fake root environment
ii  git-core            1:1.5.6.5-1            fast, scalable, distributed revisi
ii  gnupg               1.4.9-3                GNU privacy guard - a free PGP rep
ii  konqueror [www-bro  4:3.5.9.dfsg.1-5       KDE's advanced file manager, web b
ii  libauthen-sasl-per  2.12-1                 Authen::SASL - SASL Authentication
ii  libcrypt-ssleay-pe  0.57-1+b1              Support for https protocol in LWP
ii  libparse-debcontro  2.005-2                Easy OO parsing of Debian control-
ii  libsoap-lite-perl   0.710.08-1             Client and server side SOAP implem
ii  libterm-size-perl   0.2-4+b1               Perl extension for retrieving term
ii  libtimedate-perl    1.1600-9               Time and date functions for Perl
ii  liburi-perl         1.35.dfsg.1-1          Manipulates and accesses URI strin
ii  libwww-perl         5.820-1                WWW client/server library for Perl
ii  libyaml-syck-perl   1.05-1                 Fast, lightweight YAML loader and
ii  links [www-browser  2.2-1                  Web browser running in text mode
ii  lintian             2.1.0                  Debian package checker
ii  lsb-release         3.2-20                 Linux Standard Base version report
ii  man-db              2.5.2-3                on-line manual pager
ii  mercurial           1.0.1-5.1              Scalable distributed version contr
ii  openssh-client [ss  1:5.1p1-4              secure shell client, an rlogin/rsh
ii  patch               2.5.9-5                Apply a diff file to an original
ii  patchutils          0.2.31-4               Utilities to work with patches
ii  strace              4.5.17+cvs080723-2     A system call tracer
ii  subversion          1.5.1dfsg1-1           Advanced version control system
ii  unzip               5.52-12                De-archiver for .zip files
ii  w3m [www-browser]   0.5.2-2+b1             WWW browsable pager with excellent
ii  wdiff               0.5-18                 Compares two files word by word
ii  wget                1.11.4-2               retrieves files from the web

Versions of packages devscripts suggests:
ii  build-essential            11.4     Informational list of build-essent
pn  cvs-buildpackage           <none>   (no description available)
ii  devscripts-el              29.4-1   Emacs wrappers for the commands in
ii  gnuplot                    4.2.4-4  A command-line driven interactive
pn  libfile-desktopentry-perl  <none>   (no description available)
pn  libnet-smtp-ssl-perl       <none>   (no description available)
ii  mutt                       1.5.18-4 text-based mailreader supporting M
ii  svn-buildpackage           0.6.23   helper programs to maintain Debian

-- no debconf information
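The point of the report is that mktemp only fills in the trailing X's, so a suffix placed after them leaves the name fixed. The following is an added example, not code from devscripts or from the reporter: it builds the template with the suffix before the X's (as the patch does), registers cleanup so an aborted run does not leave the copy behind, and checks that the resulting name really was randomised. The file name and the helper names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not debsign's own code. Creates a temporary copy name
# "<basename>.<EXT>.<random>" under ${TMPDIR:-/tmp}; the extension sits
# BEFORE the X's, which is the only part mktemp replaces.

# make_signing_tmp ORIGINAL EXT -> prints the path of a fresh, empty,
# mode-0600 temporary file (mktemp creates it with O_EXCL, so a
# pre-planted file or symlink of that name cannot be reused).
make_signing_tmp() {
    base=$(basename "$1")
    ext=$2
    mktemp "${TMPDIR:-/tmp}/${base}.${ext}.XXXXXXXXXX"
}

# check_tmp_name PATH BASENAME EXT -> 0 if PATH looks like
# BASENAME.EXT.<10 chars> and the 10 chars are not the literal X's
# (i.e. the template was actually randomised), 1 otherwise.
check_tmp_name() {
    case $(basename "$1") in
        "$2.$3."??????????)
            case ${1##*.} in
                XXXXXXXXXX) return 1 ;;   # X's survived: predictable name
                *) return 0 ;;
            esac ;;
        *) return 1 ;;
    esac
}

# demo -> 0 on success. Shows the full pattern: create the copy, make
# sure it is removed even if the signing step is interrupted, verify.
demo() {
    orig=/path/to/foo_1.0-1_amd64.changes        # constructed name
    tmp=$(make_signing_tmp "$orig" changes) || return 1
    trap 'rm -f "$tmp"' EXIT INT TERM
    if check_tmp_name "$tmp" foo_1.0-1_amd64.changes changes; then
        rc=0
    else
        rc=1
    fi
    rm -f "$tmp"
    trap - EXIT INT TERM
    return $rc
}
```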
--- a/scripts/debsign.sh +++ b/scripts/debsign.sh @@ -116,7 +116,7 @@ local filename if ! [ -w "$(dirname "$1")" ]; then - filename=`mktemp -t "$(basename "$1").XXXXXXXXXX.$2"` || { + filename=`mktemp -t "$(basename "$1").$2.XXXXXXXXXX"` || { echo "$PROGNAME: Unable to create temporary file; aborting" >&2 exit 1 }
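Review bot: the template change is the right fix (mktemp only replaces the trailing X's, so with the old `"$(basename "$1").XXXXXXXXXX.$2"` the X's were never trailing and the name was predictable), but two follow-ups on this hunk: the report says the copy is left behind when signing is aborted, so a `trap 'rm -f "$filename"' EXIT` (or equivalent cleanup on the abort path) next to this call would avoid stale copies accumulating, and the backticks around the mktemp call could become `$(...)` to match the `$(basename "$1")` already used inside the same line.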