[Secure-testing-team] Bug#841722: libpaper: tmp file vulnerability in debian/rules clean target

Helmut Grohne helmut at subdivi.de
Sat Oct 22 17:45:43 UTC 2016 

Source: libpaper
Version: 1.1.21
Severity: serious
Tags: security patch sid stretch

The clean target includes a line "exec > /tmp/libpaper1.new". Since that
is a predictable path in a world writeable location, it can effectively
be used to compromise the build user.

Surprisingly, the counterpart target debian/libpaper1.config get's this
right. So the fix is pretty simple and thus attached.

Note that the ancient version number is correct. The bug was introduced
somewhen between sarge and etch and has persisted since. I'm also
tagging the bug sid stretch as I don't think it makes sense to fix it in
a stable update.

Helmut
-------------- next part --------------
diff --minimal -Nru libpaper-1.1.24+nmu4/debian/changelog libpaper-1.1.24+nmu5/debian/changelog
--- libpaper-1.1.24+nmu4/debian/changelog	2014-11-01 14:35:21.000000000 +0100
+++ libpaper-1.1.24+nmu5/debian/changelog	2016-10-22 17:54:12.000000000 +0200
@@ -1,3 +1,10 @@
+libpaper (1.1.24+nmu5) UNRELEASED; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix /tmp file vulnerability in debian/rules clean target (Closes: #-1)
+
+ -- Helmut Grohne <helmut at subdivi.de>  Sat, 22 Oct 2016 17:53:54 +0200
+
 libpaper (1.1.24+nmu4) unstable; urgency=medium
 
   * Non-maintainer upload.
diff --minimal -Nru libpaper-1.1.24+nmu4/debian/rules libpaper-1.1.24+nmu5/debian/rules
--- libpaper-1.1.24+nmu4/debian/rules	2014-11-01 14:26:20.000000000 +0100
+++ libpaper-1.1.24+nmu5/debian/rules	2016-10-22 17:53:51.000000000 +0200
@@ -64,10 +64,10 @@
 	[ ! -f Makefile ] || $(MAKE) distclean
 	dh_autoreconf_clean
 	dh_clean
-	exec > /tmp/libpaper1.new \
+	exec > debian/libpaper1.config.new \
 		&& sed -n '1,/^__BEGIN_PAPERSPECS__/p' debian/libpaper1.config \
 		&& sed -n '/^__END_PAPERSPECS__/,$$p' debian/libpaper1.config
-	mv /tmp/libpaper1.new debian/libpaper1.config
+	mv debian/libpaper1.config.new debian/libpaper1.config
 
 binary-indep:	DH_OPTIONS=-i
 binary-indep:	checkroot build

More information about the Secure-testing-team mailing list