Your message dated Thu, 15 Sep 2005 15:02:25 -0700
with message-id <[EMAIL PROTECTED]>
and subject line Bug#321567: fixed in bugzilla 2.18.3-2
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 6 Aug 2005 08:55:29 +0000
>From [EMAIL PROTECTED] Sat Aug 06 01:55:29 2005
Return-path: <[EMAIL PROTECTED]>
Received: from 148.red-213-96-98.pooles.rima-tde.net (silicio) [213.96.98.148] 
(Debian-exim)
        by spohr.debian.org with esmtp (Exim 3.36 1 (Debian))
        id 1E1KSn-0001uC-00; Sat, 06 Aug 2005 01:55:29 -0700
Received: from jfs by silicio with local (Exim 4.52)
        id 1E1KSl-0007Z7-J3
        for [EMAIL PROTECTED]; Sat, 06 Aug 2005 10:55:27 +0200
Date: Sat, 6 Aug 2005 10:55:27 +0200
From: Javier =?iso-8859-1?Q?Fern=E1ndez-Sanguino_Pe=F1a?= <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: bugzilla: Maintainer's postinst script uses temporary files in an unsafe way
Message-ID: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
        protocol="application/pgp-signature"; boundary="KFztAG8eRSV9hGtP"
Content-Disposition: inline
User-Agent: Mutt/1.5.9i
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-3.0 required=4.0 tests=BAYES_00 autolearn=no 
        version=2.60-bugs.debian.org_2005_01_02


--KFztAG8eRSV9hGtP
Content-Type: multipart/mixed; boundary="UlVJffcvxoiEqYs2"
Content-Disposition: inline


--UlVJffcvxoiEqYs2
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline


Package: bugzilla
Version: 2.18.3-1
Severity: grave
Tags: sid etch security patch

The bugzilla package's postinst script uses temporary files in an unsafe
way which could be used to conduct symlink attacks against the root
user when the package is configured. This is because it uses a hardcoded
location for the output of checksetup that resides in /tmp and makes
no effort to verify that it is not a symlink. A rogue user could simply
create the file and then wait for the administrator to install/upgrade
the package, which will result in files belonging to root being overwritten
by the script.

The attached patch fixes this issue by using mktemp instead of hardcoding
the path.

Regards

Javier

PS: Security team, this bug is not present in woody or sarge; the offending
code is not there.

--UlVJffcvxoiEqYs2
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="bugzilla_postinst.diff"
Content-Transfer-Encoding: quoted-printable

--- bugzilla-2.18.3/debian/bugzilla.postinst.orig       2005-08-06 
10:44:10.00000=
0000 +0200
+++ bugzilla-2.18.3/debian/bugzilla.postinst    2005-08-06 10:45:37.000000000 =
+0200
@@ -86,7 +86,9 @@
        # The params file will then be updated if needed, the resulting file
        # will be saved in $params_218_new
        debug "Running checksetup.pl..."
-       /usr/share/bugzilla/lib/checksetup.pl $answerfile > 
/tmp/bugzilla.checkse=
tup.log || true
+       tmpfile=3D`mktemp -t bugzilla.XXXXXX` || { echo "$0: Cannot create 
tempor=
ary file" >&2; exit 1;  }
+       trap " [ -f \"$tmpfile\" ] && /bin/rm -f -- \"$tmpfile\"" 1 2 3 13 15
+       /usr/share/bugzilla/lib/checksetup.pl $answerfile > $tmpfile || true
        if [ ! -f $params_218_new ]; then
                echo "Error in postinst: unable to find $params_218_new"
                exit 13
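Review bot: the `trap " [ -f \"$tmpfile\" ] && /bin/rm -f -- \"$tmpfile\"" 1 2 3 13 15` line only fires on signals, so the `exit 13` two lines below (and any other early `exit` in the script) leaves the freshly created temp file behind; add `0` (EXIT) to the list, e.g. `trap '[ -f "$tmpfile" ] && rm -f -- "$tmpfile"' 0 1 2 3 13 15`, which with single quotes also does away with the escaped inner quotes. Quoting `"$tmpfile"` in the `> $tmpfile` redirection would match the quoting the trap already uses.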
@@ -99,7 +101,7 @@
        rm -f $answerfile
 =09
        # a bit of cleaning
-       rm -f /tmp/bugzilla.checksetup.log
+       rm -f $tmpfile
 =09
        # Now, our patched checksetup.pl had made a $params_218.new file, let's=
=20
        # ask our fellow user if he likes to use it
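Review bot: `rm -f $tmpfile` is the only place the checksetup output is touched after it is written in the previous hunk; nothing in the visible lines reads it. If nothing in the omitted lines between the two hunks consumes the file either, redirecting checksetup.pl to /dev/null (or into the script's debug output) removes the temporary file, the trap and this cleanup altogether; if it is read, quote `"$tmpfile"` here as the trap does.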

--UlVJffcvxoiEqYs2--

--KFztAG8eRSV9hGtP
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFC9Hr/sandgtyBSwkRAoDSAJ0X2SYmSRUTPMLtG5nVF2sTdHcf9QCffTqX
AcVmw+dqDgeiv9PrQ6fpX/Q=
=76v7
-----END PGP SIGNATURE-----

--KFztAG8eRSV9hGtP--
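
The hardcoded-path write the report describes next to the mktemp pattern the attached patch introduces, as an added example that is not code from the report or from the Debian bugzilla package. It runs inside a constructed scratch directory used in place of /tmp, and `victim.conf`, `log_unsafe`, `log_safe` and `cleanup` are the example's own names.

```shell
# Added example, not code from the bug report or from the Debian bugzilla
# package. It reproduces, inside a constructed scratch directory standing in
# for /tmp, the hardcoded-path write the report describes and the mktemp
# pattern the attached patch introduces; nothing outside the scratch dir is
# touched.
set -u

scratch=$(mktemp -d) || exit 1
victim="$scratch/victim.conf"             # stands in for a root-owned file
printf 'original\n' > "$victim"

# Remove everything we created on every exit path. Signal 0 (EXIT) is added to
# the list the patch traps (1 2 3 13 15) so that an 'exit 13' also cleans up.
checksetup_log=
cleanup() {
    [ -n "$checksetup_log" ] && rm -f -- "$checksetup_log"
    rm -rf -- "$scratch"
}
trap cleanup 0 1 2 3 13 15

# Constructed pre-condition from the report: a local user has already planted
# a symlink at the predictable name; a later '>' redirection (open with
# O_CREAT|O_TRUNC) follows it and truncates whatever it points at.
ln -s "$victim" "$scratch/bugzilla.checksetup.log"

# Vulnerable pattern: fixed path, no check that it is not a symlink.
log_unsafe() {
    printf 'checksetup output\n' > "$scratch/bugzilla.checksetup.log"
}

# Hardened pattern: mktemp creates a fresh file (O_CREAT|O_EXCL, mode 0600)
# with an unpredictable suffix under $TMPDIR, so no pre-planted name can match
# and creation fails outright instead of following anything.
log_safe() {
    checksetup_log=$(TMPDIR="$scratch" mktemp -t bugzilla.XXXXXX) || {
        echo "$0: Cannot create temporary file" >&2
        return 1
    }
    printf 'checksetup output\n' > "$checksetup_log"
}

# Predicates a caller can check after each pattern has run.
victim_intact() { [ "$(cat "$victim")" = original ]; }
is_fresh_regular_file() { [ -f "$1" ] && [ ! -L "$1" ]; }
```

Running `log_unsafe` clobbers `victim.conf` through the planted symlink, while `log_safe` leaves it untouched and yields a regular file whose name nobody could have pre-created.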

---------------------------------------
Received: (at 321567-close) by bugs.debian.org; 15 Sep 2005 22:08:59 +0000
>From [EMAIL PROTECTED] Thu Sep 15 15:08:59 2005
Return-path: <[EMAIL PROTECTED]>
Received: from katie by spohr.debian.org with local (Exim 3.36 1 (Debian))
        id 1EG1oH-0003bB-00; Thu, 15 Sep 2005 15:02:25 -0700
From: Alexis Sukrieh <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.56 $
Subject: Bug#321567: fixed in bugzilla 2.18.3-2
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Thu, 15 Sep 2005 15:02:25 -0700
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
        autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-CrossAssassin-Score: 6

Source: bugzilla
Source-Version: 2.18.3-2

We believe that the bug you reported is fixed in the latest version of
bugzilla, which is due to be installed in the Debian FTP archive:

bugzilla-doc_2.18.3-2_all.deb
  to pool/main/b/bugzilla/bugzilla-doc_2.18.3-2_all.deb
bugzilla_2.18.3-2.diff.gz
  to pool/main/b/bugzilla/bugzilla_2.18.3-2.diff.gz
bugzilla_2.18.3-2.dsc
  to pool/main/b/bugzilla/bugzilla_2.18.3-2.dsc
bugzilla_2.18.3-2_all.deb
  to pool/main/b/bugzilla/bugzilla_2.18.3-2_all.deb
A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alexis Sukrieh <[EMAIL PROTECTED]> (supplier of updated bugzilla package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 13 Sep 2005 10:07:24 +0200
Source: bugzilla
Binary: bugzilla bugzilla-doc
Architecture: source all
Version: 2.18.3-2
Distribution: unstable
Urgency: low
Maintainer: Alexis Sukrieh <[EMAIL PROTECTED]>
Changed-By: Alexis Sukrieh <[EMAIL PROTECTED]>
Description: 
 bugzilla   - web-based bug tracking system
 bugzilla-doc - comprehensive guide to Bugzilla
Closes: 252076 305360 312925 320004 320005 321567 327041 327063
Changes: 
 bugzilla (2.18.3-2) unstable; urgency=low
 .
   * Postinst script now uses temporary files in a safe way, with mktemp
     rather than using a non-changing path. Thanks to Javier
     Fernández-Sanguino Peña.
     (closes: #321567)
   * Added a RewriteRule in the virtual hosts examples for correctly handling
     the %urlbase% tokens in the templates. Thanks to Yann Dirson.
     (closes: #252076)
   * showdependencygraph should not require a 64x64 inches, patch added in
     debian/patches. Thanks to Yann Dirson.
     (closes: #305360)
   * Updated the cron.daily script so that extra sites are processed
     (/etc/bugzilla/sites/*). Thanks to Yann Dirson.
     (closes: #320004)
   * Updated the Makefile and added a new patch for enabling a correct path to
     the DTD file. Thanks to Yann Dirson.
     (closes: #327063)
   * Filling empty values for MySQL username and password is not allowed.
     (closes: #312925)
   * Updated and cleaned the changelog file for correct utf8 encoding.
     (closes: #327041)
   * Updated the README.Debian file for giving more information on how to
     upgrade all the BUGZILLA_SITE's located in /etc/bugzilla/sites. Thanks to
     Yann Dirson.
     (closes: #320005)
Files: 
 6ee48de210a45f28a231a22cc4db525b 668 web optional bugzilla_2.18.3-2.dsc
 6c6490e7cc0214840dfcfc2bf862cf45 68885 web optional bugzilla_2.18.3-2.diff.gz
 da7e5677339c75faa94f9451be1823ac 615396 web optional bugzilla_2.18.3-2_all.deb
 d729ae8cbb6a2e7347dafcba26cb7c68 568998 doc optional bugzilla-doc_2.18.3-2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDKevgpFNRmenyx0cRAt13AJ9E1cJs5J/uwnngNPcdmXvycn40yQCbBhun
nbkDe3u6+25U8nQGtookznk=
=08C1
-----END PGP SIGNATURE-----
