[Secure-testing-team] CLOSED - Re: Bug#496518: Insecure use of /tmp in sympa_wizard may lead to system damage

[Olivier Berger]

On Mon, Aug 25, 2008 at 02:22:54PM +0200, Olivier Berger wrote:
> 
> AFAICT (and thanks to Thijs Kinkhorst <thijs at debian.org> : http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494969#21) there are more insecure use of /tmp in sympa.
> 
> One quite nasty is the one in /usr/lib/sympa/bin/sympa_wizard.pl, as this script is used during sympa's postinst, so with root provileges, IMHO.
> 
> Note that the sympa_wizard.pl which needs to be fixed is in debian/ in package sources (see #496514). Still, the insecure code is also present in upstream's sympa_wizard.pl.
> 

Sh*t. There's no problem in sympa_wizard.pl actually.

The current sympa_wizard doesn't use any insecure file in /tmp.

This is again a "false positive", as the $new_wwsympa_conf = '/tmp/wwsympa.conf' and $new_sympa_conf = '/tmp/sympa.conf' aren't used for a long time (http://sourcesup.cru.fr/cgi/viewvc.cgi/trunk/src/sympa_wizard.pl?view=diff&r1=1613&r2=1614)... but the fix was incompletely done (remaining $new_[ww]sympa_conf variables although @new_[ww]sympa_conf are the only ones used).

Thus, the attached patch may be better, to finally get rid of the /tmp path.

Too bas, this wasn't really obvious looking at the code :(.

Sorry about bothering.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: sympa_wizard.patch
Type: text/x-diff
Size: 722 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20080825/8ec9ab18/attachment.patch