Bug#287601: marked as done (vdradmin: Vdradmin.pl script vulnerable to symlink attacks)

Debian Bug Tracking System pkg-vdr-dvb-devel@lists.alioth.debian.org
Fri, 07 Jan 2005 14:04:15 -0800


Your message dated Fri, 7 Jan 2005 22:00:40 +0000
with message-id <20050107220040.GF5009@artemis.internal.robster.org.uk>
and subject line Fixed package has entered testing
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 28 Dec 2004 23:41:17 +0000
From jfs@dat.etsit.upm.es Tue Dec 28 15:41:17 2004
Return-path: <jfs@dat.etsit.upm.es>
Received: from tornado.dat.etsit.upm.es (dat.etsit.upm.es) [138.100.17.73] 
	by spohr.debian.org with smtp (Exim 3.35 1 (Debian))
	id 1CjQxo-0001iq-00; Tue, 28 Dec 2004 15:41:17 -0800
Received: (qmail 16639 invoked by uid 1013); 28 Dec 2004 23:41:15 -0000
Date: Wed, 29 Dec 2004 00:41:15 +0100
From: Javier =?iso-8859-1?Q?Fern=E1ndez-Sanguino_Pe=F1a?= <jfs@computer.org>
To: submit@bugs.debian.org
Subject: vdradmin: Vdradmin.pl script vulnerable to symlink attacks
Message-ID: <20041228234115.GB13454@dat.etsit.upm.es>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="0ntfKIWw70PvrIHh"
Content-Disposition: inline
User-Agent: Mutt/1.5.6+20040722i
Delivered-To: submit@bugs.debian.org



Package: vdradmin
Version: 0.96-2
Priority: critical
Tags: security sarge sid

[Note to security team: since this program has not been released I don't
believe a DSA should be necessary, but this bug should be tracked for the
next release]

The vdradmin.pl script does not protect itself from temporary file attacks
since it creates several temporary files in an insecure manner
(/tmp/vdradmin+time, /tmp/vdr.jpg). The script does not check if the
temporary files it tries to use already exist before using them. The attached
patch (untested) tries to fix this issue.

Actually, the script will only try to create the first one itself. The
other is passed as a command to the vdr program:

        SendCMD("grab $file jpeg 40 $width $height");

I've checked the vdr sources and the cDvbDevice::GrabImage implementation
(see vdr-1.2.6/dvbdevice.c) will just open the file without any further
checks:

           isyslog("grabbing to %s (%s %d %d %d)", FileName, Jpeg ? "JPEG" : "PNM", Quality, vm.width, vm.height);
           FILE *f = fopen(FileName, "wb");

As a consequence, any local user in a system where vdradmin is used can
force a symlink attack by symlinking /tmp/vdr.jpg to files that the daemon
vdr can write to. Since the vdr program seems to run in Debian's default
configuration with root privileges IMHO this is a serious hole.

I believe that the vdr sources should be reviewed to make sure that a vdr
daemon running as root cannot compromise the whole system (there are no
checks for symlink attacks in the fopen calls). It should be worthwhile
trying to make the daemon work as a non-root user. I will file this as a
separate bug referencing this one, however.

Regards

Javier



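The report above describes the problem but not the fix on the vdr side. The following is an added example, not code from vdr, vdradmin or the reporter's attached patch: it reproduces the attack against the fopen(FileName, "wb") pattern inside a private scratch directory (so it is safe to run as an unprivileged user), then shows the hardened open that refuses a pre-planted symlink, and mkstemp for the unnamed-scratch-file case (/tmp/vdradmin+time). The function and file names, the "victim"/"vdr.jpg" layout and the data strings are all constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern from the report: fopen(FileName, "wb") follows whatever sits at
 * the path. If another local user has pre-created /tmp/vdr.jpg as a symlink,
 * a root vdr truncates and overwrites the link target. */
int grab_insecure(const char *path, const char *data)
{
    FILE *f = fopen(path, "wb");
    if (!f)
        return -1;
    fputs(data, f);
    fclose(f);
    return 0;
}

/* Hardened replacement (added here, not vdr's code). O_EXCL makes open() fail
 * with EEXIST if anything already exists at the path, symlink or not;
 * O_NOFOLLOW additionally refuses a symlink as the final component; 0600
 * keeps the file private to the daemon. Returns 0 on success, -1 with errno. */
int grab_secure(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    size_t len = strlen(data);
    ssize_t n = write(fd, data, len);
    close(fd);
    return (n == (ssize_t)len) ? 0 : -1;
}

/* For a scratch file whose name does not matter (the /tmp/vdradmin+time case)
 * let mkstemp pick an unpredictable name and create it O_EXCL itself.
 * template_path must end in "XXXXXX"; the caller unlink()s it when done. */
int make_private_tmpfile(char *template_path)
{
    return mkstemp(template_path);
}

static int read_small_file(const char *path, char *buf, size_t cap)
{
    FILE *f = fopen(path, "rb");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, cap - 1, f);
    fclose(f);
    buf[n] = '\0';
    return 0;
}

/* Runs the attack in a fresh mkdtemp() directory. Returns a bitmask:
 *   bit 0: grab_insecure() wrote through the planted symlink into "victim"
 *   bit 1: grab_secure() refused the planted symlink with EEXIST
 *   bit 2: grab_secure() created an unclaimed name as a 0600 regular file
 * A correct run observes all three, i.e. returns 7; -1 means setup failed. */
int run_symlink_scenario(void)
{
    char dir[] = "/tmp/symlink-demo.XXXXXX";
    if (!mkdtemp(dir))
        return -1;
    char victim[256], planted[256], fresh[256], buf[64];
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(planted, sizeof planted, "%s/vdr.jpg", dir);
    snprintf(fresh, sizeof fresh, "%s/vdr-fresh.jpg", dir);

    int result = 0;
    /* Attacker step: a file the daemon can write, and a symlink to it planted
     * at the name the daemon is known to use. */
    if (grab_secure(victim, "original") != 0 || symlink(victim, planted) != 0)
        goto out;

    /* Daemon with the insecure open: clobbers the target through the link. */
    grab_insecure(planted, "clobbered");
    if (read_small_file(victim, buf, sizeof buf) == 0 && strcmp(buf, "clobbered") == 0)
        result |= 1;

    /* Daemon with the hardened open: refuses the planted link. */
    errno = 0;
    if (grab_secure(planted, "clobbered-again") == -1 && errno == EEXIST)
        result |= 2;

    /* Hardened open on an unclaimed name succeeds and yields a private file. */
    struct stat st;
    if (grab_secure(fresh, "jpegdata") == 0 && lstat(fresh, &st) == 0
        && S_ISREG(st.st_mode) && (st.st_mode & 0777) == 0600)
        result |= 4;

out:
    unlink(fresh); unlink(planted); unlink(victim); rmdir(dir);
    return result;
}

int main(void)
{
    int r = run_symlink_scenario();
    printf("insecure clobbered=%d  secure refused=%d  secure fresh ok=%d\n",
           r & 1, (r >> 1) & 1, (r >> 2) & 1);
    return r == 7 ? 0 : 1;
}
```

Note that O_EXCL alone already defeats the attack (a dangling or live symlink counts as "exists"); O_NOFOLLOW is belt and braces for callers that later drop O_CREAT. The remaining weakness the report points at is the fixed, predictable name: the hardened open turns the attack into a denial of service (the grab fails while the link is planted), which is why mkstemp, or a directory only the daemon can write to, is the better design for files the daemon names itself.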

---------------------------------------
Received: (at 287601-done) by bugs.debian.org; 7 Jan 2005 21:59:29 +0000
From robster@debian.org Fri Jan 07 13:59:29 2005
Return-path: <robster@debian.org>
Received: from 83-216-139-153.robert808.adsl.metronet.co.uk (localhost.localdomain) [83.216.139.153] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1Cn28n-00084k-00; Fri, 07 Jan 2005 13:59:29 -0800
Received: by localhost.localdomain (Postfix, from userid 1000)
	id 2382927B066; Fri,  7 Jan 2005 22:00:41 +0000 (GMT)
Date: Fri, 7 Jan 2005 22:00:40 +0000
From: Rob Bradford <robster@debian.org>
To: 287601-done@bugs.debian.org
Subject: Fixed package has entered testing
Message-ID: <20050107220040.GF5009@artemis.internal.robster.org.uk>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.6+20040907i
Delivered-To: 287601-done@bugs.debian.org

The fixed package (version 0.96-3) has entered testing.

Cheers,

Rob
-- 
Rob Bradford
http://www.robster.org.uk | GPG: DF81EE83