[Secure-testing-team] Bug#496520: Insecure use of /tmp in sympa scripts
Olivier Berger
olivier.berger at it-sudparis.eu
Mon Aug 25 12:36:09 UTC 2008
Package: sympa
Version: 5.3.4-5.1
Severity: grave
Tags: security
Justification: user security hole
AFAICT (and thanks to Thijs Kinkhorst <thijs at debian.org>: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494969#21) there are more insecure uses of /tmp in sympa.
Besides the one in #496518 there is also a problem with /usr/lib/sympa/bin/tools.pl in the smime_sign_check() code, which uses a /tmp temporary file in an insecure manner.
AFAICT, this may be exploited to overwrite the contents of a file with the privileges of the user sympa runs under, but in a not so predictable way, as the filename changes (includes process pid, I guess). And of course this would only occur if mime signing was used in sympa... which is not so frequent maybe.
This is not the most serious issue, as it may only be exploited in specific conditions, but still, it needs to be addressed, IMHO.
This is upstream code, not Debian specific, AFAICT.
Note also that in the grep done in the package files (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494969#31) there are (besides #496518) some other apparent issues, but these are false positives:
/usr/lib/sympa/bin/tt2.pl (strange perl comment ? to be confirmed)
/usr/lib/sympa/bin/CAS.pm (POD example)
/usr/lib/sympa/bin/sympa_soap_client.pl (unused code in example script, see #496515)
Hope this helps,
-- System Information:
Debian Release: lenny/sid
APT prefers testing-proposed-updates
APT policy: (500, 'testing-proposed-updates'), (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.24-openvz-24-004.1d1-686 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages sympa depends on:
ii adduser 3.110 add and remove users and groups
ii debconf [debconf-2.0] 1.5.22 Debian configuration management sy
ii exim4-daemon-light [mail-tra 4.69-6 lightweight Exim MTA (v4) daemon
pn libarchive-zip-perl <none> (no description available)
ii libc6 2.7-13 GNU C Library: Shared libraries
pn libcgi-fast-perl <none> (no description available)
pn libcrypt-ciphersaber-perl <none> (no description available)
pn libdbd-mysql-perl | libdbd-p <none> (no description available)
ii libdbi-perl 1.605-1 Perl5 database interface by Tim Bu
ii libfcgi-perl 0.67-2.1+b1 FastCGI Perl module
ii libintl-perl 1.16-4 Uniforum message translations syst
ii libio-stringy-perl 2.110-4 Perl modules for IO from scalars a
ii libmailtools-perl 2.03-1 Manipulate email in perl programs
pn libmd5-perl <none> (no description available)
ii libmime-tools-perl [libmime- 5.427-1 Perl5 modules for MIME-compliant m
pn libmsgcat-perl <none> (no description available)
pn libnet-ldap-perl <none> (no description available)
pn libtemplate-perl <none> (no description available)
ii libxml-libxml-perl 1.66-1+b1 Perl module for using the GNOME li
pn mhonarc <none> (no description available)
ii perl [libmime-base64-perl] 5.10.0-13 Larry Wall's Practical Extraction
pn perl-suid <none> (no description available)
ii sysklogd [system-log-daemon] 1.5-5 System Logging Daemon
Versions of packages sympa recommends:
ii doc-base 0.8.16 utilities to manage online documen
ii logrotate 3.7.1-3 Log rotation utility
Versions of packages sympa suggests:
ii apache2-mpm-prefork [httpd] 2.2.9-7 Apache HTTP Server - traditional n
pn libapache-mod-fastcgi <none> (no description available)
pn mysql-server | postgresql <none> (no description available)
ii openssl 0.9.8g-13 Secure Socket Layer (SSL) binary a
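
The grep triage described in the report (telling real /tmp uses apart from hits in Perl comments and POD examples) can be sketched as follows. This is an added example, not part of the original message and not sympa code; the function names and the sample Perl source are constructed, and the comment detection is a heuristic.

```python
import re

TMP_RE = re.compile(r"(?<![\w.])/tmp(?:/|\b)")   # /tmp as a path component
POD_START = re.compile(r"^=[A-Za-z]")            # =head1, =pod, =item ...
POD_END = re.compile(r"^=cut\b")

def strip_comment(line):
    """Heuristic: cut at the first '#' outside quotes that follows whitespace."""
    quote = None
    for i, ch in enumerate(line):
        if quote:
            if ch == quote and line[i - 1] != "\\":
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch == "#" and (i == 0 or line[i - 1].isspace()):
            return line[:i]
    return line

def classify_tmp_hits(source):
    """Return (lineno, kind) per line mentioning /tmp; kind: code|comment|pod."""
    hits, in_pod = [], False
    for lineno, line in enumerate(source.splitlines(), 1):
        if POD_END.match(line):
            in_pod = False
        elif POD_START.match(line):
            in_pod = True
        if not TMP_RE.search(line):
            continue
        if in_pod:
            kind = "pod"
        elif TMP_RE.search(strip_comment(line)):
            kind = "code"
        else:
            kind = "comment"
        hits.append((lineno, kind))
    return hits

def needs_review(source):
    """Line numbers where /tmp appears in executable code, not comments or POD."""
    return [n for n, kind in classify_tmp_hits(source) if kind == "code"]

# Constructed sample input, not taken from sympa.
SAMPLE = '''# earlier versions wrote to /tmp/scratch here
my $out = "/tmp/check.$$";  # name built from the pid
=head1 EXAMPLE
  my $cache = "/tmp/ticket";
=cut
my $tag = "#1"; my $dir = "/tmp/work";'''
```

Lines reported as `code` still need a manual look to see how the file is created; `comment` and `pod` hits correspond to the false-positive classes listed in the report.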