Your message dated Mon, 08 Dec 2008 06:47:09 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#508111: fixed in devscripts 2.10.43
has caused the Debian Bug report #508111,
regarding [debsign] Insecure tempfile creation (redux)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
508111: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508111
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: devscripts
Version: 2.10.41
Severity: serious
Tags: patch security
Justification: Vulnerable to symlink attacks (unless I'm mistaken).

Hi,

mktemp(1) says it all:
,--
| The trailing ‘Xs’ are replaced with a combination of the current process
| number and random letters. The name chosen depends both on the number of
| ‘Xs’ in the template and the number of collisions with pre-existing files.
| The number of unique filenames mktemp can return depends on the number of
| ‘Xs’ provided; ten ‘Xs’ will result in mktemp testing roughly 26 ** 10
| combinations.
`--

but your usage of mktemp is bogus, since .$2 is appended to the X's. The
attached patch fixes this (I used local set -x/+x to check the filenames).

I only happened to discover this bug after signing was aborted (I wanted to
have an extra look at a package, so I hit “cancel” in pinentry), and when
running debsign the 2nd time on the very same package, nothing was happening.
strace'ing pointed to the same file being tried again and again, with all X's,
since that file didn't go away after the aborted signing step.

Since the filename is predictable, I guess debsign is vulnerable to symlink
attacks and the like (although I'm no security crack, etc., sorry if I'm
overthinking the consequences of this bug).

Mraw,
KiBi.

-- Package-specific info:

--- /etc/devscripts.conf ---

--- ~/.devscripts ---
export BTS_MAIL_READER='mutt -F ~/mail/SOMEFILEYOUDONTHAVETOKNOWABOUT.rc -f %s'

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.28-rc6-kibi-00189-g15d1ff2 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages devscripts depends on:
ii  dpkg-dev                      1.14.23    Debian package development tools
ii  libc6                         2.7-16     GNU C Library: Shared libraries
ii  perl                          5.10.0-18  Larry Wall's Practical Extraction

Versions of packages devscripts recommends:
ii  at                 3.1.10.2              Delayed job execution and batch pr
ii  bsd-mailx [mailx]  8.1.2-0.20081101cvs-2 A simple mail user agent
ii  bzr                1.5-1.1               easy to use distributed version co
ii  curl               7.18.2-7              Get a file from an HTTP, HTTPS or
ii  cvs                1:1.12.13-12          Concurrent Versions System
ii  dctrl-tools        2.13.0                Command-line tools to process Debi
ii  debian-keyring     2008.11.30            GnuPG (and obsolete PGP) keys of D
ii  debian-maintainers 1.49                  GPG keys of Debian maintainers
ii  dput               0.9.2.36              Debian package upload tool
ii  epiphany-gecko [ww 2.22.3-8+b1           Intuitive GNOME web browser - Geck
ii  equivs             2.0.7-0.1             Circumvent Debian package dependen
ii  fakeroot           1.11                  Gives a fake root environment
ii  git-core           1:1.5.6.5-1           fast, scalable, distributed revisi
ii  gnupg              1.4.9-3               GNU privacy guard - a free PGP rep
ii  konqueror [www-bro 4:3.5.9.dfsg.1-5      KDE's advanced file manager, web b
ii  libauthen-sasl-per 2.12-1                Authen::SASL - SASL Authentication
ii  libcrypt-ssleay-pe 0.57-1+b1             Support for https protocol in LWP
ii  libparse-debcontro 2.005-2               Easy OO parsing of Debian control-
ii  libsoap-lite-perl  0.710.08-1            Client and server side SOAP implem
ii  libterm-size-perl  0.2-4+b1              Perl extension for retrieving term
ii  libtimedate-perl   1.1600-9              Time and date functions for Perl
ii  liburi-perl        1.35.dfsg.1-1         Manipulates and accesses URI strin
ii  libwww-perl        5.820-1               WWW client/server library for Perl
ii  libyaml-syck-perl  1.05-1                Fast, lightweight YAML loader and
ii  links [www-browser 2.2-1                 Web browser running in text mode
ii  lintian            2.1.0                 Debian package checker
ii  lsb-release        3.2-20                Linux Standard Base version report
ii  man-db             2.5.2-3               on-line manual pager
ii  mercurial          1.0.1-5.1             Scalable distributed version contr
ii  openssh-client [ss 1:5.1p1-4             secure shell client, an rlogin/rsh
ii  patch              2.5.9-5               Apply a diff file to an original
ii  patchutils         0.2.31-4              Utilities to work with patches
ii  strace             4.5.17+cvs080723-2    A system call tracer
ii  subversion         1.5.1dfsg1-1          Advanced version control system
ii  unzip              5.52-12               De-archiver for .zip files
ii  w3m [www-browser]  0.5.2-2+b1            WWW browsable pager with excellent
ii  wdiff              0.5-18                Compares two files word by word
ii  wget               1.11.4-2              retrieves files from the web

Versions of packages devscripts suggests:
ii  build-essential               11.4       Informational list of build-essent
pn  cvs-buildpackage              <none>     (no description available)
ii  devscripts-el                 29.4-1     Emacs wrappers for the commands in
ii  gnuplot                       4.2.4-4    A command-line driven interactive
pn  libfile-desktopentry-perl     <none>     (no description available)
pn  libnet-smtp-ssl-perl          <none>     (no description available)
ii  mutt                          1.5.18-4   text-based mailreader supporting M
ii  svn-buildpackage              0.6.23     helper programs to maintain Debian

-- no debconf information
--- a/scripts/debsign.sh
+++ b/scripts/debsign.sh
@@ -116,7 +116,7 @@
     local filename
 
     if ! [ -w "$(dirname "$1")" ]; then
-       filename=`mktemp -t "$(basename "$1").XXXXXXXXXX.$2"` || {
+       filename=`mktemp -t "$(basename "$1").$2.XXXXXXXXXX"` || {
            echo "$PROGNAME: Unable to create temporary file; aborting" >&2
            exit 1
        }
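Review bot: The template now ends in the ten X's, which is what mktemp needs in order to randomise the name; in the old form the trailing `.$2` left no trailing X's, so mktemp handed back the same X-filled name on every run, which is the retry loop the report's strace shows, and a predictable path in a shared temp directory is exactly what a symlink attack needs. Two follow-ups in this same branch: `-t` is deprecated in GNU coreutils mktemp (prefer `--tmpdir`, or build the path from `${TMPDIR:-/tmp}`), and since an aborted signing leaves the copy behind (the report's second run found it still there), arrange for the temporary copy to be removed on abnormal exit too, e.g. an EXIT trap in the calling code; `filename` is declared `local` here, so a trap set inside this function would not see it by the time it fires.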

--- End Message ---
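To make the report's point concrete, here is an added shell example; it is not debsign's code and not part of this thread. It rebuilds the two template forms from the patch above (the pre-fix one with `.$2` after the X's, the fixed one with the X's trailing), refuses the broken form before calling mktemp, and runs the checks a reviewer wants on the result: distinct names across two runs, a regular file rather than a symlink, mode 0600, and removal on exit so a cancelled pinentry does not leave the copy in /tmp. It assumes a mktemp that creates files with mode 0600 (GNU coreutils and debianutils both do) and a stat(1) that is either GNU (`-c`) or BSD (`-f`); the six-X minimum in `validate_template` is this example's own threshold, not debsign's.

```shell
#!/bin/sh
# Added example, not devscripts' own code: build a mktemp template the way
# the fixed debsign does (suffix first, random X's trailing), reject the
# broken form, and check what mktemp hands back before trusting it.
# Assumes mktemp(1) creates the file with mode 0600 (GNU and debianutils do)
# and a stat(1) that is either GNU (-c) or BSD (-f).

# Template as debsign built it before the fix: the X's are not trailing,
# so nothing is randomised and every run asks for the same name.
old_template() {
    printf '%s\n' "${TMPDIR:-/tmp}/$(basename "$1").XXXXXXXXXX.$2"
}

# Template as built after the fix: the suffix moves in front of the X's.
new_template() {
    printf '%s\n' "${TMPDIR:-/tmp}/$(basename "$1").$2.XXXXXXXXXX"
}

# Number of X's at the very end of a template; only these get randomised.
count_trailing_x() {
    _rest=$1
    _n=0
    while [ "${_rest%X}" != "$_rest" ]; do
        _rest=${_rest%X}
        _n=$((_n + 1))
    done
    printf '%s\n' "$_n"
}

# Accept a template only if mktemp has at least six trailing X's to work
# with (this example's threshold; GNU mktemp itself insists on three).
validate_template() {
    [ "$(count_trailing_x "$1")" -ge 6 ]
}

# Create the temporary file, refusing a template that would give a
# predictable name instead of hoping the local mktemp notices.
make_tmp() {
    validate_template "$1" || {
        echo "refusing mktemp template without trailing X's: $1" >&2
        return 1
    }
    mktemp "$1"
}

# What to check before copying a .changes into the file: a regular file
# (not a symlink planted in the temp directory) that only we can open.
check_tmpfile() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    _mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$_mode" = 600 ]
}

# Two signing attempts on the same package must not collide, and the
# copies must not outlive the run even if pinentry is cancelled.
demo() {
    _t=$(new_template foo_1.0_amd64.changes changes)
    _a=$(make_tmp "$_t") || return 1
    _b=$(make_tmp "$_t") || { rm -f "$_a"; return 1; }
    trap 'rm -f "$_a" "$_b"' EXIT
    check_tmpfile "$_a" && check_tmpfile "$_b" && [ "$_a" != "$_b" ] || return 1
    echo "distinct private temp files: $_a $_b"
}

demo
```

Current GNU mktemp rejects the pre-fix template itself (`too few X's in template`), whereas the report's strace shows the mktemp of the day handing back the literal X-filled name; validating the template before the call gives the same refusal either way.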
--- Begin Message ---
Source: devscripts
Source-Version: 2.10.43

We believe that the bug you reported is fixed in the latest version of
devscripts, which is due to be installed in the Debian FTP archive:

devscripts_2.10.43.dsc
  to pool/main/d/devscripts/devscripts_2.10.43.dsc
devscripts_2.10.43.tar.gz
  to pool/main/d/devscripts/devscripts_2.10.43.tar.gz
devscripts_2.10.43_amd64.deb
  to pool/main/d/devscripts/devscripts_2.10.43_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adam D. Barratt <[EMAIL PROTECTED]> (supplier of updated devscripts package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 08 Dec 2008 06:32:18 +0000
Source: devscripts
Binary: devscripts
Architecture: source amd64
Version: 2.10.43
Distribution: unstable
Urgency: low
Maintainer: Devscripts Devel Team <[EMAIL PROTECTED]>
Changed-By: Adam D. Barratt <[EMAIL PROTECTED]>
Description: 
 devscripts - scripts to make the life of a Debian Package maintainer easier
Closes: 508111
Changes: 
 devscripts (2.10.43) unstable; urgency=low
 .
   The "how did I miss that one?" release
 .
   * debsign: Fix a use of mktemp to actually generate unique filenames.
     (Closes: #508111)
Checksums-Sha1: 
 d11892e0f13f3d11bfecab2401093d11b32e8549 1363 devscripts_2.10.43.dsc
 78b134f7f8e395bcdba99826738e8713c98955d6 632966 devscripts_2.10.43.tar.gz
 fd67004a828f32fada572a8ba7145e1ba2585289 543766 devscripts_2.10.43_amd64.deb
Checksums-Sha256: 
 81f1d01760d6c4b6abed49218f7f36e2dcc9350fd67349b915c74c9a2879e23c 1363 devscripts_2.10.43.dsc
 0cf38c1cb3af982af813f82c8c3ec4861e044294d1ce2cdbf7f5f6524dfcba78 632966 devscripts_2.10.43.tar.gz
 236f20dbbbdaab1baccbb240693b73a352d4bb7e5a6cd14fa0dde95e52ed5afc 543766 devscripts_2.10.43_amd64.deb
Files: 
 43096ced8f3b26e993bb22204523242c 1363 devel optional devscripts_2.10.43.dsc
 4f746d9e6e4f1f41b750a29f60c2f12e 632966 devel optional devscripts_2.10.43.tar.gz
 85797e01f509d902cd068f7fa461aac6 543766 devel optional devscripts_2.10.43_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkk8wHAACgkQokcE1TReOoU3hQCffzb+eO4lS2AM/lgP2CYr6j1w
IeYAn2WC1PDI/lwgT09UsfRKAWnERRqh
=Q4ZX
-----END PGP SIGNATURE-----



--- End Message ---
