Bug#287601: marked as done (vdradmin: Vdradmin.pl script vulnerable to symlink attacks)

Debian Bug Tracking System pkg-vdr-dvb-devel@lists.alioth.debian.org
Tue, 04 Jan 2005 07:03:44 -0800


Your message dated Tue, 04 Jan 2005 09:47:29 -0500
with message-id <E1Clpy5-0004KK-00@newraff.debian.org>
and subject line Bug#287601: fixed in vdradmin 0.96-3
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 28 Dec 2004 23:41:17 +0000
Date: Wed, 29 Dec 2004 00:41:15 +0100
From: Javier Fernández-Sanguino Peña <jfs@computer.org>
To: submit@bugs.debian.org
Subject: vdradmin: Vdradmin.pl script vulnerable to symlink attacks
Message-ID: <20041228234115.GB13454@dat.etsit.upm.es>

Package: vdradmin
Version: 0.96-2
Priority: critical
Tags: security sarge sid

[Note to security team: since this program has not been released I don't
believe a DSA should be necessary, but this bug should be tracked for the
next release]

The vdradmin.pl script does not protect itself from temporary file attacks
since it creates several temporary files in an insecure manner
(/tmp/vdradmin+time, /tmp/vdr.jpg). The script does not check if the
temporary files it tries to use already exist before using them. The attached
patch (untested) tries to fix this issue.

Actually, the script will only try to create the first one itself. The
other is passed as a command to the vdr program:

        SendCMD("grab $file jpeg 40 $width $height");

I've checked the vdr sources and the cDvbDevice::GrabImage implementation
(see vdr-1.2.6/dvbdevice.c) will just open the file without any further
checks:

           isyslog("grabbing to %s (%s %d %d %d)", FileName, Jpeg ? "JPEG" : "PNM", Quality, vm.width, vm.height);
           FILE *f = fopen(FileName, "wb");

As a consequence, any local user in a system where vdradmin is used can
force a symlink attack by symlinking /tmp/vdr.jpg to files that the daemon
vdr can write to. Since the vdr program seems to run in Debian's default
configuration with root privileges IMHO this is a serious hole.

I believe that the vdr sources should be reviewed to make sure that a vdr
daemon running as root cannot compromise the whole system (there are no
checks for symlink attacks in the fopen calls). It should be worthwhile
trying to make the daemon work as a non-root user. I will file this as a
separate bug referencing this one, however.

Regards

Javier




---------------------------------------
Received: (at 287601-close) by bugs.debian.org; 4 Jan 2005 14:50:21 +0000
From: Debian VDR Team <pkg-vdr-dvb-devel@lists.alioth.debian.org>
To: 287601-close@bugs.debian.org
X-Katie: $Revision: 1.54 $
Subject: Bug#287601: fixed in vdradmin 0.96-3
Message-Id: <E1Clpy5-0004KK-00@newraff.debian.org>
Sender: Archive Administrator <katie@ftp-master.debian.org>
Date: Tue, 04 Jan 2005 09:47:29 -0500

Source: vdradmin
Source-Version: 0.96-3

We believe that the bug you reported is fixed in the latest version of
vdradmin, which is due to be installed in the Debian FTP archive:

vdradmin_0.96-3.diff.gz
  to pool/main/v/vdradmin/vdradmin_0.96-3.diff.gz
vdradmin_0.96-3.dsc
  to pool/main/v/vdradmin/vdradmin_0.96-3.dsc
vdradmin_0.96-3_all.deb
  to pool/main/v/vdradmin/vdradmin_0.96-3_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 287601@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Debian VDR Team <pkg-vdr-dvb-devel@lists.alioth.debian.org> (supplier of updated vdradmin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 29 Dec 2004 12:32:10 +0100
Source: vdradmin
Binary: vdradmin
Architecture: source all
Version: 0.96-3
Distribution: unstable
Urgency: high
Maintainer: Debian VDR Team <pkg-vdr-dvb-devel@lists.alioth.debian.org>
Changed-By: Debian VDR Team <pkg-vdr-dvb-devel@lists.alioth.debian.org>
Description: 
 vdradmin   - Web-based administration tool for vdr
Closes: 287601
Changes: 
 vdradmin (0.96-3) unstable; urgency=high
 .
   * Thomas Schmidt <thomas.schmidt@in.stud.tu-ilmenau.de>
     - Urgency high, because it fixes a security issue
     - Added 02_sectmpfiles.dpatch: use File::Temp to create temporary
       files, to prevent possible symlink-attacks (Closes: #287601)
     - Set permissions of /etc/vdradmin/vdradmind.conf to 600 on new
       installations (users with an existing installation should
       ensure that the cfg-file has a permission of 600)
     - Changed Maintainer to Debian VDR Team
       <pkg-vdr-dvb-devel@lists.alioth.debian.org>
     - Added myself as uploader
     - Build-depend on dpatch (>= 2.0.9)
     - Converted 01_dist-var.dpatch to the new short format
Files: 
 4b9bf72dc5aea1893f1fb0a75a058eb2 715 web optional vdradmin_0.96-3.dsc
 4dd78d3e30110eb9b036fbc2cffd8cfe 5478 web optional vdradmin_0.96-3.diff.gz
 a1b27fb6538bacf6941be64084f4739e 318064 web optional vdradmin_0.96-3_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFB2qljgeVih7XOVJcRAggdAJwJHlzD6eooaQwyk0T0VjvFh3reegCePaY+
Z0QbRFnstnt+895EJf+K2bQ=
=QmlV
-----END PGP SIGNATURE-----
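
Added example (not code from vdr, vdradmin or the Debian patch): the fopen(FileName, "wb") behaviour quoted in the report next to exclusive creation, the property the File::Temp fix in the changelog relies on. The function names and the private demo directory are hypothetical, and the victim file and symlink are constructed by the demo itself.

```c
#define _POSIX_C_SOURCE 200809L   /* mkdtemp, O_NOFOLLOW */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern quoted in the report: fopen(FileName, "wb") follows a symlink that
 * already sits at the path and truncates whatever it points to. */
static int write_fopen(const char *path, const char *data) {
    FILE *f = fopen(path, "wb");
    if (!f) return -1;
    fputs(data, f);
    return fclose(f);
}

/* Hardened: O_CREAT|O_EXCL fails with EEXIST if anything, including a
 * symlink, already exists at the path; O_NOFOLLOW is a second guard. */
static int write_exclusive(const char *path, const char *data) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, strlen(data));
    return (close(fd) == 0 && n == (ssize_t)strlen(data)) ? 0 : -1;
}

/* Constructed scenario in a private mkdtemp() directory: a 15-byte victim file
 * and a symlink vdr.jpg pointing at it. Returns the victim's size afterwards. */
static long victim_size_after(int (*writer)(const char *, const char *)) {
    char dir[] = "/tmp/symlink-demo-XXXXXX", victim[64], lnk[64];
    struct stat st;
    long size = -1;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/vdr.jpg", dir);
    if (write_fopen(victim, "important data\n") == 0 && symlink(victim, lnk) == 0) {
        writer(lnk, "JPEG");   /* 4 bytes, written to the link path */
        if (stat(victim, &st) == 0) size = (long)st.st_size;
    }
    unlink(lnk); unlink(victim); rmdir(dir);
    return size;
}

int main(void) {
    printf("fopen(\"wb\"):    victim is %ld bytes\n", victim_size_after(write_fopen));
    printf("O_CREAT|O_EXCL: victim is %ld bytes\n", victim_size_after(write_exclusive));
    return 0;
}
```

With fopen the victim shrinks to the 4 bytes written through the link; with exclusive creation the open is refused and the victim keeps its 15 bytes.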