To: | krb5-bugs@mit.edu |
From: | Sam Hartman <hartmans@debian.org> |
Date: | Mon, 25 Oct 2004 17:19:20 -0400 |
Cc: | 278271-forwarded@bugs.debian.org |
Subject: | [Joey Hess] Bug#278271: send-pr used tmp files unsafely |
Date: Mon, 25 Oct 2004 16:36:52 -0400
From: Joey Hess <joeyh@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Message-ID: <20041025203652.GA11705@kitenet.net>
Package: krb5
Severity: normal
Tags: security.
The send-pr script, which is apparently not shipped in any binary
packages, but is present in the source package, uses files in /tmp
insecurely; this is vulnerable to symlink attacks.
This issue is CAN-2004-0971.
I think it should be fixed in case someone stumbles over the unsafe
script in the source package.
-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.27
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
-- 
see shy jo
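
The class of bug reported above, shown next to a hardened form, as an added example: this is not code from send-pr or the krb5 source, and the function names, the `draft.$$` naming and the sandbox contents are constructed for illustration.

```shell
#!/bin/sh
# Added illustration; NOT code from send-pr. All names are hypothetical.

# Unsafe: predictable name in a shared directory. The ">" redirection
# opens whatever already exists at that path and follows symlinks.
write_draft_unsafe() {            # $1 = tmp dir, $2 = text
    tmp="$1/draft.$$"
    printf '%s\n' "$2" > "$tmp"
    printf '%s\n' "$tmp"
}

# Hardened: mktemp picks an unpredictable name and creates the file
# exclusively with mode 0600, so a pre-existing path is never reused.
write_draft_safe() {              # $1 = tmp dir, $2 = text
    tmp=$(umask 077 && mktemp "$1/draft.XXXXXXXXXX") || return 1
    printf '%s\n' "$2" > "$tmp"
    printf '%s\n' "$tmp"
}

# Demo inside a private sandbox directory (constructed data only).
demo() {
    box=$(mktemp -d) || return 1
    printf 'original\n' > "$box/important.txt"
    ln -s "$box/important.txt" "$box/draft.$$"   # path already taken by a symlink
    write_draft_unsafe "$box" "draft text" > /dev/null
    after_unsafe=$(cat "$box/important.txt")

    printf 'original\n' > "$box/important.txt"   # reset, then use the safe form
    write_draft_safe "$box" "draft text" > /dev/null
    after_safe=$(cat "$box/important.txt")

    rm -rf "$box"
    printf 'unsafe:%s safe:%s\n' "$after_unsafe" "$after_safe"
}

demo
```

When auditing a source tree for this pattern, look for writes to `/tmp` or `$TMPDIR` paths built only from a fixed prefix and `$$`.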