Your message dated Mon, 17 Oct 2005 20:46:56 -0400
with message-id <[EMAIL PROTECTED]>
and subject line recording fixed version properly
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 21 Sep 2005 14:00:52 +0000
Date: Wed, 21 Sep 2005 16:00:48 +0200
From: Javier Fernández-Sanguino Peña <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: hylafax: Temporary file vulnerability in xferfaxstats and other 
security concerns

Package: hylafax
Severity: critical
Version: 1:4.2.1-7
Tags: woody sarge security patch

This was a mail sent to the Debian security team, the hylafax Debian
maintainer and the hylafax upstream maintainer a while back; since
then, version 1:4.2.2+rc1 has been uploaded to testing (Sept 3rd 2005),
making this issue public:

   * Added patches from Javier Fernandez-Sanguino Peña to cron jobs in
     order to redirect stderr, and to other scripts in order to fix
     temporary directory usage. (See patch 702)

This is the mail sent describing the vulnerabilities (dated 6 Aug 2005).
Attached is the patch (700, not 702 as mentioned in the changelog) used by
the maintainer and based on my original patches.

Notice that the patch only fixes the tempdir vulnerabilities; the last issue
(the UNIX domain socket) has not yet been investigated.

-------------------------------------------------------------------------


Hi there hylafax maintainer and Debian security team,

While reviewing Debian packages for vulnerabilities due to the insecure
use of temporary files I've found that the hylafax package contains a
script (xferfaxstats) which is vulnerable to symlink attacks since
it uses temporary files in an unsafe way:

------------------------------------------------------------------
(...)
tmpAwk=/tmp/xferfax$$
trap "rm -f $tmpAwk; exit 1" 0 1 2 15
(...)
)>$tmpAwk
$AWK -f $tmpAwk -v TODAY="$TODAY" -v AGE="$AGE" -v SINCEDT="$SINCEDT" -v ENDDT="
------------------------------------------------------------------

Furthermore, this script is run on a monthly basis, as root, by the predefined
cron tasks in the package, so this vulnerability is an exploitable issue on
all systems that have this package installed.

I've reviewed all other hylafax scripts which make use of /tmp too:
/usr/sbin/recvstats, /usr/sbin/faxcron, /usr/sbin/faxaddmodem,
/usr/sbin/faxsetup and /usr/sbin/probemodem, and they use constructs which
prevent symlink attacks from overwriting files. It seems that the Debian
maintainer fixed these bugs on 28 Sep 1998 (based on the changelog) but
the xferstats script seems to have been missed.

This script is available in all hylafax-server versions: woody, sarge,
etch and sid.

I'm also concerned that the hylafax package creates /var/spool/hylafax/tmp
with mode 4777, supposedly (based on the manpages of those scripts) to be
used as a temporary location for files, but instead all of the files use
/tmp directly.

In order to clean up the code a little bit, attached is a separate
(untested) patch which reviews all the use of temporary files in scripts:

1.- It makes all of them use mktemp if available; this prevents DoS attacks
    against the scripts since rogue users will find it more difficult
    to pre-create the temporary files. With the current code it is
    simple to prevent all scripts from executing just by populating
    the /tmp directory with symlinks.
2.- It makes all of them use TMPDIR if defined (through mktemp -t or
    through the use of $TMPDIR instead of /tmp if mktemp is not available)
3.- It generates proper error messages if temporary files cannot be
    created
4.- It changes cron jobs to forward error messages from the scripts to log
    files or to mail messages
5.- Do not define 'exit 1' when setting traps, since the exit status
    of the script will be changed (a 0 exit status will be 1 instead).
    Code sample:
        ------------------------------------------------
        #!/bin/sh

        trap "echo trap; exit 1" 0 1 2 3 15
        echo no trap

        exit 0
        ----------------------------------------------
        $ ./test.sh
        no trap
        trap
        $ echo $?
        1

This patch could be used in the sid package since it is actually code
cleanup. If it were added, the cron jobs could redefine TMPDIR to be
/var/spool/hylafax/tmp before calling the scripts so that the claim
of the manpages would be correct. Based on the current code that directory
does not seem to be used at all.

Finally, another concern is that the default config file defines
FAX_DEFUNIX as /tmp/hyla.unix to set up a transport mode based on UNIX
domain sockets. The FaxClient code uses whatever transport mechanism
is available (through Transport::getTransport) and the Transport code says:

[ ./util/Transport.c++ ]
        if (UnixTransport::isA(FAX_DEFUNIX)) {
            client.setHost(FAX_DEFUNIX);
            return *new UnixTransport(client);
        } else {
            client.setHost(FAX_DEFHOST);
            return *new InetTransport(client);
        }

UnixTransport::isA is defined as:

[ util/UnixTransport.c++ ]
UnixTransport::isA(const char* address)
{
     return Sys::isSocketFile(address);
}

I don't see that the Debian package creates the UNIX domain socket at all.
¿Does this code mean that if a rogue local user were to create a UNIX
socket at /tmp/hyla.unix all Hylafax clients in the system would use that
instead of the other inettransport (localhost:4559)? ¿Does this mean
that a local user could get access to all faxes sent and prevent faxes
from being sent to the proper Hylafax Server? Notice that this code
disputes the claim from the hylafax-client that it only communicates through
TCP/IP (the manpage does not mention it either) and can introduce
a different vulnerability in the system than the ones fixed by the
attached patches.

Regards

Javier Fernandez-Sanguino



[Attachment: 700_hylafax-tmpdir.dpatch]

#!/bin/sh -e
## 700_hylafax-tmpdir by Giuseppe Sacco <[EMAIL PROTECTED]>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: This patch fixes a lot of problems with temporary directory
## DP: It was written by Javier Fernández-Sanguino Peña

if [ $# -lt 1 ]; then
    echo >&2 "`basename $0`: script expects -patch|-unpatch as argument"
    exit 1
fi

[ -f debian/patches/00patch-opts ] && . debian/patches/00patch-opts
patch_opts="${patch_opts:--f --no-backup-if-mismatch} ${2:+-d $2}"

case "$1" in
       -patch) patch $patch_opts -p1 < $0;;
       -unpatch) patch $patch_opts -p1 -R < $0;;
        *)
                echo >&2 "`basename $0`: script expects -patch|-unpatch as argument"
                exit 1;;
esac

exit 0

diff -ru hylafax-4.2.1/util/faxcron.sh.in hylafax-4.2.1.new/util/faxcron.sh=
=2Ein
--- hylafax-4.2.1/util/faxcron.sh.in    2004-12-22 14:44:06.000000000 +0100
+++ hylafax-4.2.1.new/util/faxcron.sh.in        2005-08-06 12:24:16.000000000 
+0200
@@ -69,12 +69,18 @@
 UPDATE=3D"date +'%D %H:%M' >$LAST"
=20
 # security
-TMPDIR=3D/tmp/.faxcron.sh$$
-rm -rf $TMPDIR
-mkdir $TMPDIR || exit 1
+if test -n "`type -p mktemp`" ; then
+        TMPFDIR=3D`mktemp -d -t xferfax.XXXXXX`  || { echo "$0: Cannot cre=
ate temporary dir!" >&2 ; exit 1; }
+else
+       TMPFDIR=3D${TMPDIR-/tmp}/.faxcron.sh$$
+       rm -rf $TMPFDIR
+       mkdir $TMPFDIR || { echo "$0: Cannot create temporary dir! Aborting." ; 
e=
xit 1; }
+fi
+
+JUNK=3D$TMPFDIR/faxjunk$$         # temp file used multiple times
+AWKTMP=3D$TMPFDIR/faxawk$$                # temp file for awk program
=20
-JUNK=3D$TMPDIR/faxjunk$$         # temp file used multiple times
-AWKTMP=3D$TMPDIR/faxawk$$                # temp file for awk program
+trap "$RM \$AWKTMP \$JUNK; [ -d $TMPFDIR ] && $RM -rf $TMPFDIR" 0 1 2 15
=20
 while [ x"$1" !=3D x"" ] ; do
     case $1 in
@@ -90,7 +96,6 @@
     shift
 done
=20
-trap "$RM \$AWKTMP \$JUNK; $RM -rf $TMPDIR; exit 1" 0 1 2 15
=20
=20
 test -z "$LASTRUN" && LASTRUN=3D`$CAT $LAST 2>/dev/null`
@@ -285,7 +290,7 @@
 EOF
 $AWK -f $AWKTMP -v LASTRUN=3D"$LASTRUN" TRANSCRIPT=3D"\
     LOGFILE=3Dlog/%s;\
-    TMP=3D$TMPDIR/faxlog\$\$;\
+    TMP=3D$TMPFDIR/faxlog\$\$;\
     if [ -f \$LOGFILE ]; then\
        $SED -n -e '/%s %s %s.*SESSION BEGIN/,/SESSION END/p' \$LOGFILE |\
        $SED -e '/start.*timer/d'\
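Review bot: `TMP=$TMPFDIR/faxlog\$\$` keeps a name derived from the pid, which is acceptable only because the file now lives inside a per-run directory that nobody else can enter. That holds for the `mktemp -d` branch (0700) but for the `mkdir` fallback only if its mode is restricted, so this line depends on the fallback in the first hunk being tightened.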
diff -ru hylafax-4.2.1/util/recvstats.sh.in hylafax-4.2.1.new/util/recvstat=
s.sh.in
--- hylafax-4.2.1/util/recvstats.sh.in  2004-06-18 06:10:29.000000000 +0200
+++ hylafax-4.2.1.new/util/recvstats.sh.in      2005-08-06 12:25:17.000000000 
+0=
200
@@ -153,15 +153,16 @@
=20
 #
 # Generate an awk program to process the statistics file.
-#
-tmpAwk=3D/tmp/xferfax$$
-trap "rm -f $tmpAwk; exit 1" 0 1 2 15
-
-# security
-rm -rf $tmpAwk
-${NOCLOBBER_ON}
-> $tmpAwk || exit 1
-${NOCLOBBER_OFF}
+if test -n "`type -p mktemp`" ; then
+        tmpAwk=3D`mktemp -t xferfax.XXXXXX`  || { echo "$0: Cannot create =
temporary file!" >&2 ; exit 1; }
+else
+        tmpAwk=3D${TMPDIR-/tmp}/xferfax$$
+        rm -f $tmpAwk
+        ${NOCLOBBER_ON}
+        > $tmpAwk || { echo "$0: Cannot create temporary file! Aborting." =
; exit 1; }
+        ${NOCLOBBER_OFF}
+fi
+trap "[ -f $tmpAwk ] && rm -f $tmpAwk" 0 1 2 15
=20
 ($CAT<<'EOF'
 #
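Review bot: the `trap "[ -f $tmpAwk ] && rm -f $tmpAwk" 0 1 2 15` is installed after mktemp has already created the file, so a signal between the two leaves a stray file behind. Installing the trap first, with the variable escaped so it is read when the trap fires (`trap '[ -n "$tmpAwk" ] && rm -f "$tmpAwk"' 0 1 2 15`), closes that window and covers both branches. Dropping the `exit 1` from the trap is the right fix for the exit-status problem in point 5 of the report. The fallback's `rm -f $tmpAwk` followed by a noclobber `> $tmpAwk` is a deliberate trade: a pre-planted symlink now makes the create fail (the script refuses to run) rather than clobber the link's target.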
diff -ru hylafax-4.2.1/util/xferfaxstats.sh.in hylafax-4.2.1.new/util/xferf=
axstats.sh.in
--- hylafax-4.2.1/util/xferfaxstats.sh.in       2004-06-18 06:10:29.000000000 
+02=
00
+++ hylafax-4.2.1.new/util/xferfaxstats.sh.in   2005-08-06 12:25:28.000000000=
 +0200
@@ -26,6 +26,9 @@
 # LIABILITY, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE=
=20
 # OF THIS SOFTWARE.
 #
+# security
[EMAIL PROTECTED]@
[EMAIL PROTECTED]@
=20
 #
 # Print Statistics about Transmitted Facsimile.
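Review bot: the two lines added after `+# security` appear as `[EMAIL PROTECTED]@` in this archive copy, i.e. the list archive's address scrubbing has eaten them. The `@...@` remnant marks them as configure substitutions, and since the next hunk uses `${NOCLOBBER_ON}` and `${NOCLOBBER_OFF}` (which recvstats.sh.in already had, see the lines removed there) they are presumably the definitions of those two variables for xferfaxstats.sh.in. Anyone applying this patch from the archive must restore them from the pristine dpatch; without them `${NOCLOBBER_ON}` expands to nothing and the fallback's `> $tmpAwk` is no longer an exclusive create.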
@@ -169,8 +172,17 @@
 #
 # Generate an awk program to process the statistics file.
 #
-tmpAwk=3D/tmp/xferfax$$
-trap "rm -f $tmpAwk; exit 1" 0 1 2 15
+if test -n "`type -p mktemp`" ; then
+        tmpAwk=3D`mktemp -t xferfax.XXXXXX`  || { echo "$0: Cannot create =
temporary file!" >&2 ; exit 1; }
+else
+       tmpAwk=3D${TMPDIR-/tmp}/xferfax$$
+       rm -f $tmpAwk
+       ${NOCLOBBER_ON}
+       > $tmpAwk || { echo "$0: Cannot create temporary file! Aborting." ; 
exit =
1; }
+       ${NOCLOBBER_OFF}
+fi
+trap "[ -f $tmpAwk ] && rm -f $tmpAwk" 0 1 2 15
+
=20
 ($CAT<<'EOF'
 #
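Review bot: this block duplicates the recvstats change and shares its gaps: the trap is set only after the file exists, and the fallback's "Cannot create temporary file! Aborting." message is written to stdout rather than stderr, so in the monthly cron job it would be delivered as report output instead of as an error. Factoring the mktemp/noclobber logic into one shared snippet in the scripts' common prologue would keep the two copies from drifting apart.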

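The temporary-file handling the report asks for (points 1 to 5), written as an added example for this page rather than taken from hylafax or from the attached dpatch: a portable mktemp-or-noclobber create that honours TMPDIR and reports failure on stderr, a wrapper whose cleanup trap carries no `exit 1` so the real exit status survives, and a small grep-based audit helper of the kind used to find the xferfaxstats bug. The function names (`make_tmpfile`, `with_tmpfile`, `find_predictable_tmp`, `write_samples`) are hypothetical and the two sample scripts are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not hylafax or Debian code: the temporary-file handling the
# report above asks for, plus a small audit helper. All function names here
# are hypothetical; the sample scripts written by write_samples are constructed.

# 1. Create a private temporary file, honouring TMPDIR, with mktemp when it
#    is available. Prints the path on stdout; on failure prints a message to
#    stderr and returns 1, so callers can stop instead of writing into /tmp.
make_tmpfile() {
    _prefix=${1:-xferfax}
    _dir=${TMPDIR:-/tmp}
    if command -v mktemp >/dev/null 2>&1; then
        # mktemp creates the file itself with O_EXCL and mode 0600: there is
        # no window in which a pre-planted symlink could be followed.
        mktemp "$_dir/$_prefix.XXXXXX" \
            || { echo "$0: cannot create temporary file in $_dir" >&2; return 1; }
    else
        # Fallback without mktemp: the name is predictable, but noclobber
        # (set -C) turns the redirection into an exclusive create, so an
        # existing file or symlink makes it fail instead of overwriting the
        # target. The worst case becomes a refusal to run, not a clobbered file.
        _f="$_dir/$_prefix.$$"
        (set -C; : > "$_f") 2>/dev/null \
            || { echo "$0: cannot create temporary file $_f" >&2; return 1; }
        echo "$_f"
    fi
}

# 2. Run a command with a fresh temporary file as its last argument and
#    remove the file afterwards, whether the command finished or a signal
#    arrived. The trap carries no "exit 1": the command's own exit status
#    survives, so cron and "&&" chains see the true result (point 5 above).
with_tmpfile() {
    _prefix=$1
    shift
    (
        _tmp=$(make_tmpfile "$_prefix") || exit 1
        trap 'rm -f "$_tmp"' 0 1 2 15
        "$@" "$_tmp"
    )
}

# 3. Audit helper of the kind used to find this bug: print every line of a
#    script that builds a /tmp path from the process id without mktemp.
#    Returns 0 when the script is clean and 1 when any such line exists.
find_predictable_tmp() {
    if grep -n -E '/tmp/[^[:space:]]*\$\$' "$1" | grep -v mktemp; then
        return 1
    fi
    return 0
}

# Constructed samples: the pattern from xferfaxstats next to a corrected one.
write_samples() {
    cat > "$1/old.sh" <<'EOF'
tmpAwk=/tmp/xferfax$$
trap "rm -f $tmpAwk; exit 1" 0 1 2 15
EOF
    cat > "$1/new.sh" <<'EOF'
tmpAwk=`mktemp "${TMPDIR:-/tmp}/xferfax.XXXXXX"` || exit 1
trap 'rm -f "$tmpAwk"' 0 1 2 15
EOF
}

# Standalone run: sh tmpsafe.sh --demo
if [ "${1:-}" = "--demo" ]; then
    _d=$(mktemp -d "${TMPDIR:-/tmp}/tmpsafe.XXXXXX") || exit 1
    write_samples "$_d"
    echo "old.sh:"; find_predictable_tmp "$_d/old.sh" || echo "  -> predictable temp name found"
    echo "new.sh:"; find_predictable_tmp "$_d/new.sh" && echo "  -> clean"
    with_tmpfile xferfax sh -c 'echo "working file: $1"' sh
    rm -rf "$_d"
fi
```

`with_tmpfile` does its work in a subshell so the trap and the temporary name stay local to that one job; a cron script can call it several times with different prefixes without the traps overwriting each other. The audit regex is deliberately narrow (a /tmp path joined to `$$`), which is exactly the shape the report quotes from xferfaxstats; widening it to `${TMPDIR}` paths or to `mkdir` without `mktemp -d` is a one-line change.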

---------------------------------------
Received: (at 329384-done) by bugs.debian.org; 18 Oct 2005 00:47:09 +0000
Date: Mon, 17 Oct 2005 20:46:56 -0400
From: Joey Hess <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: recording fixed version properly

Version: 1:4.2.2+rc1

.. because people still can't figure out how to do this on their own :-P

-- 
see shy jo


