Your message dated Wed, 24 Apr 2013 22:47:33 +0000
with message-id <e1uv8tn-0000tk...@franck.debian.org>
and subject line Bug#706095: fixed in autopostgresqlbackup 1.0-2
has caused the Debian Bug report #706095,
regarding autopostgresqlbackup: Code injection via unsafe database names inside eval
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
706095: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=706095
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: autopostgresqlbackup
Version: 1.0-1
Severity: grave
Tags: security patch
Hi Emmanuel,
as already mentioned in http://bugs.debian.org/706087, database names
are used unmangled and unquoted inside several evals in
autopgsqlbackup:
# dgrep -n eval autopostgresqlbackup
/usr/sbin/autopostgresqlbackup:302:eval rm -f "$BACKUPDIR/latest/*"
/usr/sbin/autopostgresqlbackup:359: eval $PREBACKUP
/usr/sbin/autopostgresqlbackup:460: eval rm -fv "$BACKUPDIR/weekly/$DB/${DB}_week.$REMW.*"
/usr/sbin/autopostgresqlbackup:471: eval rm -fv "$BACKUPDIR/daily/$DB/*.$DOW.sql.*"
/usr/sbin/autopostgresqlbackup:507: eval rm -fv "$BACKUPDIR/weekly/week.$REMW.*"
/usr/sbin/autopostgresqlbackup:519: eval rm -fv "$BACKUPDIR/daily/*.$DOW.sql.*"
/usr/sbin/autopostgresqlbackup:541: eval $POSTBACKUP
/usr/sbin/autopostgresqlbackup:603:eval rm -f "$LOGFILE"
/usr/sbin/autopostgresqlbackup:604:eval rm -f "$LOGERR"
Since PostgreSQL allows arbitrary database names, this allows
PostgreSQL users who are allowed to create databases to inject shell
code into autopostgresqlbackup which will be executed as root via
autopostgresqlbackup's cron.daily cron job.
The fix should be easy though:
All evals listed above except those for $POSTBACKUP and $PREBACKUP are
unneeded and can be removed after slight quoting changes.
The eval before $PREBACKUP and $POSTBACKUP can also just be removed if
it's ok that backticks and variable expansion don't work within the
value of $PREBACKUP and $POSTBACKUP.
Patch:
# diff -u /usr/sbin/autopostgresqlbackup.orig /usr/sbin/autopostgresqlbackup
--- /usr/sbin/autopostgresqlbackup.orig 2011-05-28 20:49:12.000000000 +0200
+++ /usr/sbin/autopostgresqlbackup 2013-04-24 17:24:58.750245540 +0200
@@ -299,7 +299,7 @@
then
mkdir -p "$BACKUPDIR/latest"
fi
-eval rm -f "$BACKUPDIR/latest/*"
+rm -f "$BACKUPDIR"/latest/*
fi
# IO redirection for logging.
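Review bot: the replacement `+rm -f "$BACKUPDIR"/latest/*` gets the quoting right, since only the glob sits outside the double quotes, so a `$BACKUPDIR` value containing spaces or shell metacharacters is now passed to `rm` as one literal path prefix instead of being re-parsed by `eval`. When the glob matches nothing, the literal pattern reaches `rm` and `-f` silences the resulting "No such file" error, so no `nullglob` handling is needed here.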
@@ -356,7 +356,7 @@
echo
======================================================================
echo "Prebackup command output."
echo
- eval $PREBACKUP
+ $PREBACKUP
echo
echo
======================================================================
echo
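Review bot: dropping `eval` in front of `$PREBACKUP` is a behaviour change for administrators, not only a quoting fix: the value is still word-split and glob-expanded, but backticks, `$(...)` and variable references inside it no longer work, as the report itself says. That deserves a sentence in the config file comments and in NEWS.Debian so that a hook which silently stops running is understood. It is independent of the injection fix, which lives in the `$DB` hunks below.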
@@ -457,7 +457,7 @@
else
REMW=`expr $W - 5`
fi
- eval rm -fv "$BACKUPDIR/weekly/$DB/${DB}_week.$REMW.*"
+ rm -fv "$BACKUPDIR/weekly/$DB/${DB}_week.$REMW".*
echo
dbdump "$DB"
"$BACKUPDIR/weekly/$DB/${DB}_week.$W.$DATE.sql"
compression
"$BACKUPDIR/weekly/$DB/${DB}_week.$W.$DATE.sql"
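Review bot: `+ rm -fv "$BACKUPDIR/weekly/$DB/${DB}_week.$REMW".*` is the core of the fix: `$DB` is now inside the quotes and the line is no longer passed through `eval`, so the database name reaches `rm` as literal characters. One thing still worth a follow-up: `$DB` is used both as a directory component and as a filename prefix, so a name containing `/` would select a different directory than intended even with correct quoting; a check that rejects names containing `/` (or equal to `.`/`..`) before this loop would close that separately. Also, the context lines `dbdump "$DB"` and `compression "$BACKUPDIR/..."` appear to have been wrapped by the mail client, so confirm the patch applies with `patch --dry-run` before committing it.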
@@ -468,7 +468,7 @@
else
echo Daily Backup of Database \( $DB \)
echo Rotating last weeks Backup...
- eval rm -fv "$BACKUPDIR/daily/$DB/*.$DOW.sql.*"
+ rm -fv "$BACKUPDIR/daily/$DB"/*."$DOW".sql.*
echo
dbdump "$DB" "$BACKUPDIR/daily/$DB/${DB}_$DATE.$DOW.sql"
compression "$BACKUPDIR/daily/$DB/${DB}_$DATE.$DOW.sql"
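Review bot: the `rm` line is fixed, but the context line `echo Daily Backup of Database \( $DB \)` still expands `$DB` unquoted, so a name containing `*` or `?` is glob-expanded against the current directory before `echo` prints it. That is cosmetic rather than code execution, but quoting it (`echo "Daily Backup of Database ( $DB )"`) keeps the log output faithful to the real name and makes the script consistent with the quoting used in the deletion line.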
@@ -504,7 +504,7 @@
else
REMW=`expr $W - 5`
fi
- eval rm -fv "$BACKUPDIR/weekly/week.$REMW.*"
+ rm -fv "$BACKUPDIR/weekly/week.$REMW".*
echo
dbdump "$DBNAMES" "$BACKUPDIR/weekly/week.$W.$DATE.sql"
compression "$BACKUPDIR/weekly/week.$W.$DATE.sql"
@@ -516,7 +516,7 @@
echo Daily Backup of Databases \( $DBNAMES \)
echo
echo Rotating last weeks Backup...
- eval rm -fv "$BACKUPDIR/daily/*.$DOW.sql.*"
+ rm -fv "$BACKUPDIR"/daily/*."$DOW".sql.*
echo
dbdump "$DBNAMES" "$BACKUPDIR/daily/$DATE.$DOW.sql"
compression "$BACKUPDIR/daily/$DATE.$DOW.sql"
@@ -538,7 +538,7 @@
echo
======================================================================
echo "Postbackup command output."
echo
- eval $POSTBACKUP
+ $POSTBACKUP
echo
echo
======================================================================
fi
@@ -600,7 +600,7 @@
fi
# Clean up Logfile
-eval rm -f "$LOGFILE"
-eval rm -f "$LOGERR"
+rm -f "$LOGFILE"
+rm -f "$LOGERR"
exit $STATUS
Regards, Axel
--
,''`. | Axel Beckert <a...@debian.org>, http://people.debian.org/~abe/
: :' : | Debian Developer, ftp.ch.debian.org Admin
`. `' | 1024D: F067 EA27 26B9 C3FC 1486 202E C09E 1D89 9593 0EDE
`- | 4096R: 2517 B724 C5F6 CA99 5329 6E61 2FF9 CD59 6126 16B5
--- End Message ---
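The quoting pattern the patch applies, shown as an added shell example that is not part of the bug report or of the autopostgresqlbackup package: the rotation line with variables inside double quotes and only the globs outside, run against a constructed database name full of shell metacharacters, plus a hypothetical path-component check (not in the patch) for the separate concern that the name is also used as a directory name. The function names, the temp-dir fixture and the database name are all assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the autopostgresqlbackup script: demonstrates the quoting
# the patch uses (variables quoted, globs unquoted, no eval) against a
# constructed database name that contains shell metacharacters.
set -u

# Delete last week's daily dump of one database, the way the patched line
# does it. $1 = backup root, $2 = database name, $3 = day-of-week tag.
# The name is quoted, so ";", "$(" and "*" inside it are plain characters.
rotate_daily() {
    rm -f "$1/daily/$2"/*."$3".sql.*
}

# Hypothetical extra check, not part of the patch: the name is also used as
# a path component, so refuse values that cannot be one ("" , ".", "..",
# or anything containing "/"). Metacharacters are fine; quoting handles them.
check_dbname() {
    case $1 in
        ''|.|..|*/*) return 1 ;;
        *) return 0 ;;
    esac
}

# Constructed database name for the demo (a legal PostgreSQL identifier when
# double-quoted in SQL, and exactly the kind of value the old eval re-parsed).
HOSTILE_DB='a b;$(echo injected)*'

# Build a throwaway backup tree holding a Monday and a Tuesday dump for the
# hostile name and print the temp directory path.
make_fixture() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/daily/$HOSTILE_DB"
    : > "$tmp/daily/$HOSTILE_DB/${HOSTILE_DB}_2013-04-24.Mon.sql.gz"
    : > "$tmp/daily/$HOSTILE_DB/${HOSTILE_DB}_2013-04-23.Tue.sql.gz"
    printf '%s\n' "$tmp"
}

# Count regular files left under <root>/daily/*/ without relying on wc's
# platform-specific padding.
count_dumps() {
    n=0
    for f in "$1"/daily/*/*; do
        if [ -e "$f" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Rotate the Monday dump and report how many files survive: the Tuesday dump
# stays, the Monday one goes, and nothing inside the name was executed.
demo() {
    tmp=$(make_fixture)
    rotate_daily "$tmp" "$HOSTILE_DB" Mon
    left=$(count_dumps "$tmp")
    rm -rf "$tmp"
    echo "$left"
}

echo "dumps left after rotating Monday: $(demo)"
```

The point of the hostile name passing `check_dbname` is that the fix is correct quoting, not filtering: `;`, `$(` and `*` are harmless once the shell never re-parses the value, whereas `/` is a different problem because the name becomes a directory component.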
--- Begin Message ---
Source: autopostgresqlbackup
Source-Version: 1.0-2
We believe that the bug you reported is fixed in the latest version of
autopostgresqlbackup, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 706...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Emmanuel Bouthenot <kol...@debian.org> (supplier of updated
autopostgresqlbackup package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 24 Apr 2013 22:13:10 +0000
Source: autopostgresqlbackup
Binary: autopostgresqlbackup
Architecture: source all
Version: 1.0-2
Distribution: unstable
Urgency: high
Maintainer: Emmanuel Bouthenot <kol...@debian.org>
Changed-By: Emmanuel Bouthenot <kol...@debian.org>
Description:
autopostgresqlbackup - Automated tool to make periodic backups of PostgreSQL databases
Closes: 706095
Changes:
autopostgresqlbackup (1.0-2) unstable; urgency=high
.
* Add a patch to fix possible code injection via unsafe database names
inside eval. Thanks to Axel Beckert for the patch (Closes: #706095)
Checksums-Sha1:
80e5acf3cf1dc4d3e29daf87b69697168c226b70 1971 autopostgresqlbackup_1.0-2.dsc
09de277c09046a14a205be3afa1147ea149b64cc 8235
autopostgresqlbackup_1.0-2.debian.tar.gz
c85c75a96ff8a29c3900cb7cadf01c082c2bd5c9 11232
autopostgresqlbackup_1.0-2_all.deb
Checksums-Sha256:
403aca43d5509140ef5979f0bdb44841dde811341fdaeca715d39737bd544b85 1971
autopostgresqlbackup_1.0-2.dsc
af764865ff7686dafd344f8c34da580fbe8a4e6f585b5167d8118f2ff953e4de 8235
autopostgresqlbackup_1.0-2.debian.tar.gz
d0d487cd27152970528032cffd439a582f2d5f2e05a44cdea0f6643d6d717f85 11232
autopostgresqlbackup_1.0-2_all.deb
Files:
60f276af7cd910a3fd863b55dab5aba7 1971 admin extra
autopostgresqlbackup_1.0-2.dsc
2c7123ebd7da407b73db9be546514c19 8235 admin extra
autopostgresqlbackup_1.0-2.debian.tar.gz
42eb43a8786f6af8a5aeb1a4481c22c9 11232 admin extra
autopostgresqlbackup_1.0-2_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----
--- End Message ---