[Pkg-alsa-devel] Bug#294128: marked as done (alsa-utils: Concerns due to unsafe /tmp usage in alsaconf)

Debian Bug Tracking System owner@bugs.debian.org
Sun, 20 Feb 2005 08:33:10 -0800 

Your message dated Sun, 20 Feb 2005 11:17:03 -0500
with message-id <E1D2tlX-0002Hd-00@newraff.debian.org>
and subject line Bug#294128: fixed in alsa-utils 1.0.8-3
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 8 Feb 2005 01:20:27 +0000
>From jfs@dat.etsit.upm.es Mon Feb 07 17:20:26 2005
Return-path: <jfs@dat.etsit.upm.es>
Received: from tornado.dat.etsit.upm.es (dat.etsit.upm.es) [138.100.17.73] 
	by spohr.debian.org with smtp (Exim 3.35 1 (Debian))
	id 1CyK39-0007ww-00; Mon, 07 Feb 2005 17:20:19 -0800
Received: (qmail 1155 invoked by uid 1013); 8 Feb 2005 01:20:17 -0000
Date: Tue, 8 Feb 2005 02:20:17 +0100
From: Javier =?iso-8859-1?Q?Fern=E1ndez-Sanguino_Pe=F1a?= <jfs@computer.org>
To: submit@bugs.debian.org
Subject: alsa-utils: Concerns due to unsafe /tmp usage in alsaconf
Message-ID: <20050208012017.GA724@dat.etsit.upm.es>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="Q68bSM7Ycu6FN28Q"
Content-Disposition: inline
User-Agent: Mutt/1.5.6+20040907i
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 


--Q68bSM7Ycu6FN28Q
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Package: alsa-utils
Version: 1.0.8-1
Priority: important
Tags: security upstream

While doing a security audit review of Debian packages for unsafe usage of=
=20
/tmp I've found this in alsa-utils' alsaconf:

   CARDID_DB=3D/var/tmp/alsaconf.cards
    if [ ! -r $CARDID_DB ]; then
        use_modinfo_db=3D1
    fi
(...)
    if [ $use_modinfo_db =3D 1 ]; then
        xecho "Building card database.."
        build_card_db $CARDID_DB
    fi

build_card_db is a function in alsaconf that starts like this:

build_card_db () {
    MODDIR=3D/lib/modules/`uname -r`
    last_driver=3D""
    echo -n > $1
(...)

This code is prone to a race condition since the CARDID_DB file is not=20
created inmediately, but created later on. Since alsaconf can only be used=
=20
by root this means that a rogue local user could have root overwrite any=20
files through a symlink attack by exploiting that race condition. Notice,=
=20
also, that the test for CARDID_DB is [ -r ] when it should really be [ -e ]

I'm not sure how to best fix this (since CARDID_DB seems to be created=20
under /var/tmp so it's not removed after reboots) but it looks like it=20
should, at least, check if the file exists and create it inmediately=20
afterwards. Also, the script should use the 'noclobber' and -e options for=
=20
additional safety.

Regards

Javier

--Q68bSM7Ycu6FN28Q
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFCCBPRi4sehJTrj0oRAr5XAJ0dXN3JdGGB45RLsUWpTZSyamqg5gCfagBd
+ZfqDtLsQZF5CZABo1IGrnw=
=DsXq
-----END PGP SIGNATURE-----

--Q68bSM7Ycu6FN28Q--

---------------------------------------
Received: (at 294128-close) by bugs.debian.org; 20 Feb 2005 16:23:52 +0000
>From katie@ftp-master.debian.org Sun Feb 20 08:23:52 2005
Return-path: <katie@ftp-master.debian.org>
Received: from newraff.debian.org [208.185.25.31] (mail)
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1D2ts8-0003yI-00; Sun, 20 Feb 2005 08:23:52 -0800
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
	id 1D2tlX-0002Hd-00; Sun, 20 Feb 2005 11:17:03 -0500
From: Jordi Mallach <jordi@debian.org>
To: 294128-close@bugs.debian.org
X-Katie: $Revision: 1.55 $
Subject: Bug#294128: fixed in alsa-utils 1.0.8-3
Message-Id: <E1D2tlX-0002Hd-00@newraff.debian.org>
Sender: Archive Administrator <katie@ftp-master.debian.org>
Date: Sun, 20 Feb 2005 11:17:03 -0500
Delivered-To: 294128-close@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 

Source: alsa-utils
Source-Version: 1.0.8-3

We believe that the bug you reported is fixed in the latest version of
alsa-utils, which is due to be installed in the Debian FTP archive:

alsa-utils_1.0.8-3.diff.gz
  to pool/main/a/alsa-utils/alsa-utils_1.0.8-3.diff.gz
alsa-utils_1.0.8-3.dsc
  to pool/main/a/alsa-utils/alsa-utils_1.0.8-3.dsc
alsa-utils_1.0.8-3_i386.deb
  to pool/main/a/alsa-utils/alsa-utils_1.0.8-3_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 294128@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jordi Mallach <jordi@debian.org> (supplier of updated alsa-utils package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 20 Feb 2005 16:38:24 +0100
Source: alsa-utils
Binary: alsa-utils
Architecture: source i386
Version: 1.0.8-3
Distribution: unstable
Urgency: low
Maintainer: Debian ALSA Maintainers <pkg-alsa-devel@lists.alioth.debian.org>
Changed-By: Jordi Mallach <jordi@debian.org>
Description: 
 alsa-utils - ALSA utilities
Closes: 294128
Changes: 
 alsa-utils (1.0.8-3) unstable; urgency=low
 .
   * Thomas Hood
     - 20_alsaconf_safe_tmp:
       Generate card database temporary file safely and only run in
       "modinfo" mode  (Closes: #294128)
Files: 
 7058d68480b2eb2f31d43ffc96552364 830 sound optional alsa-utils_1.0.8-3.dsc
 096227268eeffd2c7255ba506eda0b67 13866 sound optional alsa-utils_1.0.8-3.diff.gz
 074e6bc3e6bb1f7631c4b43790989682 145902 sound optional alsa-utils_1.0.8-3_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCGLZNJYSUupF6Il4RAgDdAJwKqstJklPjQwIdxDUN9inIRxTqrQCg4orh
TVoAP28CYSf3UGoAdPZe7qM=
=B90l
-----END PGP SIGNATURE-----