[Debian-med-packaging] Bug#496396: The possibility of attack with the help of symlinks in some Debian packages

Dmitry E. Oboukhov unera at debian.org
Mon Sep 22 14:56:28 UTC 2008

On 08:36 Mon 22 Sep     , Andreas Tille wrote:
> Hi,

> unfortunately I completely missed this bug because I had a "relaxing from
> DebConf" vacation and it must somehow vanished from my mailbox - so sorry
> for caring so late.

> Now I had a look at Arb packaging and have to admit I do not really
> understand which issue exactly fullfills the symlink attack problem.
> Could you please be a little bit more specific (provide the output of
> the script for arb) to enable us to fix this problem quickly?

> Kind regards and thanks for your QA work

look at full report: http://uvw.ru/report.lenny.txt

if attacker creates symlink /tmp/arb_fdnaml_${USER}_$$ or
	/tmp/arbdsmz.html then starting scripts 
	/usr/lib/arb/SH/arb_fastdnaml or
	/usr/lib/arb/SH/dszmconnect.pl will lead to data corrupt.

example for attacker script:

symlink '/tmp/arbdsmz.html', '/path/to/file';

for my $user (
	    map { 
	    	$_=[split ':', $_];
	    	[$_->[0], $_->[5]] 
	    } `cat /etc/passwd`
	    symlink "$$user[1]/.gnupg/secring.gpg",
	            "/tmp/arb_fdnaml_$$user[0]_$_" for ($$ .. $$+1000000);

use mktemp (1) (with option -t) for create temp-files in bash-scripts.
use File::Temp module for create temp files in perl-scripts.

cut of report:

Package: arb-common
Version: 0.0.20071207.1-4
Filename: pool/non-free/a/arb/arb-common_0.0.20071207.1-4_all.deb

Found error in /usr/lib/arb/SH/arb_fastdnaml:
    $ grep -A5 -B5 /tmp/ /usr/lib/arb/SH/arb_fastdnaml
    mv infile $tmp
    nice -19 $1 < $tmp &
    /bin/echo "$sig $$ \c" >>/tmp/arb_pids_${USER}_${ARB_PID}
    # echo $tmp not deleted for debugging purposes
    rm -f $tmp
    rm -f checkpoint.$sig
    mv treefile.$sig treefile

Found error in /usr/lib/arb/SH/dszmconnect.pl:
    $ grep -A5 -B5 /tmp/ /usr/lib/arb/SH/dszmconnect.pl
    open (OUTPUT , "> /tmp/arbdsmz.html") or die "cannot open input file /tmp/arbdsmz.html";
    if (scalar(@ARGV) == 0)
      {print OUTPUT $errordocument;
       die("no search items given ! Give at least one item!");}
    ##print length(@ARGV)."\n";
     my $selection_content = 'VAR_DATABASE=bact&VAR_HITS=25&VAR_DSMZITEM='."$item1".'&VAR_DSMZITEM2='."$item2".'&B1=Search';
     # Pass request to the user agent and get a response back
     my $res_selection = $ua_selection -> request($req_selection, '/tmp/arbdsmz.htm');
     # Check the outcome of the response
     if ($res_selection->is_success) {print $res_selection->content;} 
     else  {die "Bad luck this time, request failed\n";};
    open (INPUT , "< /tmp/arbdsmz.htm") or die "cannot open input file /tmp/arbdsmz.htm";
     my $htmlcontent;
    local $/;
    $htmlcontent =~ s{HREF="}{HREF="http://www.dsmz.de}igm;
    $htmlcontent =~ s{HREF=[^"]}{HREF=http://www.dsmz.de/}igm; ##"
    print OUTPUT $htmlcontent ;
    #exec ('netscape', '/tmp/arbdsmz.html');
    print "file:///tmp/arbdsmz.html";
    ##print "$htmlcontent\n";

. ''`. Dmitry E. Oboukhov
: :’  : unera at debian.org
`. `~’ GPGKey: 1024D / F8E26537 2006-11-21
  `- 1B23 D4F8 8EC0 D902 0555  E438 AB8C 00CF F8E2 6537
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: Digital signature
Url : http://lists.alioth.debian.org/pipermail/debian-med-packaging/attachments/20080922/b5c039ab/attachment.pgp 

More information about the Debian-med-packaging mailing list