[Debian-med-packaging] Bug#496366: Bug#496366: The possibility of attack with the help of symlinks in some Debian packages

Thijs Kinkhorst thijs at debian.org
Mon Aug 25 07:01:53 UTC 2008


tags 496366 confirmed
thanks

Hi Charles,

> What is the relevance of this bug for the releasability of the package?
> Upstream is already at a much higher version number and I am not able to
> solve the problem by myself.

I've confirmed that the bug is indeed well-present: the script in question 
uses a number of files directly in /tmp with only the PID as a unique factor.

I've checked the latest upstream and that also has the exact same problem, so 
I don't think it's really relevant that upstream is many versions ahead. If 
they fix it, the fix can be applied to the current mafft package. I don't 
know why you cannot fix the bug yourself, but at least an upstream fix 
would be easily backportable.

But applying the fix yourself would not be very invasive either. The script 
makes extensive use of the system() call, so you could simply add system 
calls to use essential 'mktemp' to create the files safely.

In the attachment is an example patch which solves the first occurrence. As 
you can see it's very simple.

If you want a pure Ruby solution it would probably be a bit more invasive, but 
in that case http://ruby-stemp.rubyforge.org/ is available.

> Since the vulnerability can only be exploited by other local users, and
> since mafft is a scientific software either used on personal computers
> or on scientific workstations in trusted environments, can I ignore the
> bug for Lenny and work with Upstream on a fix in the latest release?

In the security team, issuing a DSA for an issue that has all these properties 
is normally not high on the priority list. However, that doesn't mean that 
I'm happy with new packages entering stable that have known bugs of this 
kind. So yes, I believe this bug should be resolved before lenny, especially 
as I don't see the problem in doing so.


Thijs
-------------- next part --------------
A non-text attachment was scrubbed...
Name: example.patch
Type: text/x-diff
Size: 762 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/debian-med-packaging/attachments/20080825/8951a840/attachment.patch 
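The two remedies Thijs suggests (wrapping mktemp(1) in an external call, or using Ruby's own standard library), shown side by side with the predictable-name pattern the report describes. This is an added illustration, not the attached patch or mafft's own code; the function names and the `mafft.XXXXXX` template are assumptions.

```ruby
require "tmpdir"
require "tempfile"

# The pattern the bug report describes: a /tmp name derived only from the PID.
# Such a name is guessable, so another local user can pre-place a symlink at
# that path and the script would then write through it. Kept for contrast.
def predictable_tmp_name(prefix = "mafft")
  "/tmp/#{prefix}.#{$$}"
end

# Fix 1, in the spirit of the attached patch: keep an external command, but let
# mktemp(1) from coreutils pick an unpredictable name and create the file
# atomically (O_EXCL, mode 0600) so nothing can already exist at that path.
# Arguments are passed as an array, so no shell parses them.
def mktemp_via_shell(dir = Dir.tmpdir)
  path = IO.popen(["mktemp", File.join(dir, "mafft.XXXXXX")], &:read).chomp
  raise "mktemp failed" unless $?.success? && !path.empty?
  path
end

# Fix 2, the pure-Ruby route: Tempfile does the same O_EXCL|0600 creation from
# the standard library, with no external command at all.
def tempfile_via_ruby(prefix = "mafft")
  Tempfile.new(prefix)
end

# Properties a safely created temp file must have: it exists, it is a regular
# file rather than a symlink, we own it, and nobody else may read or write it.
def safe_tmp_path?(path)
  st = File.lstat(path)
  st.file? && st.uid == Process.uid && (st.mode & 0o077).zero?
rescue Errno::ENOENT
  false
end

if __FILE__ == $0
  puts "predictable: #{predictable_tmp_name}"
  p1 = mktemp_via_shell
  puts "mktemp:      #{p1} safe=#{safe_tmp_path?(p1)}"
  File.delete(p1)
  tf = tempfile_via_ruby
  puts "Tempfile:    #{tf.path} safe=#{safe_tmp_path?(tf.path)}"
  tf.close!
end
```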