105000 2005-09-06 04:05 0000 app-backup/flexbackup <= 1.2.1 multiples vulnerabilities 2005-12-23 10:43:57 0000 1 Unclassified Gentoo Security Default Configs unspecified All Linux RESOLVED FIXED [noglsa] jaervosz P2 normal --- 1 zataz@zataz.net security@gentoo.org jochen@gentoo.erwied.de max@gentoo.org mholzer@gentoo.org tester@gentoo.org zataz@zataz.net 2005-09-06 04:05:02 0000 Hello, * In /etc/flexbackup.conf : $tmpdir = '/tmp'; * Into flexbackup : &checkvar(\$cfg::tmpdir,'tmpdir','exist','/tmp'); If tmpdir is not defined /tmp is used by default, but here into conf file tmpdir is by default set to /tmp 5229 my $tmp_script = "$cfg::tmpdir/buftest.$host.$PROCESS_ID.sh"; 5236 # Create a script which tests the buffer program 5237 open(SCR,"> $tmp_script") || die; 5238 print SCR "#!/bin/sh\n"; 5239 print SCR "tmp_data=/tmp/bufftest\$\$.txt\n"; 5240 print SCR "tmp_err=/tmp/bufftest\$\$.err\n"; 5241 print SCR "echo testme > \$tmp_data\n"; 5242 print SCR "$buffer_cmd > /dev/null 2> \$tmp_err < \$tmp_data\n"; 5243 print SCR "res=\$?\n"; 5244 print SCR "out=\`cat \$tmp_err\`\n"; 5245 print SCR "if [ \$res -eq 0 ]; then\n"; 5246 print SCR " echo successful\n"; 5247 print SCR "else\n"; 5248 print SCR " echo \"unsuccessful: exit code \$res: \$out\" \n"; 5249 print SCR "fi\n"; 5250 print SCR "rm -f \$tmp_data \$tmp_err\n"; 5251 close(SCR); Here we have possible symlink attack (race condition), and also possibility to create a untrusted script into the tmp_script (race condition). The script how is created is also vulnerable to possible symlink attack (race condition). 5253 if ($host eq 'localhost') { 5254 print $::msg "| Checking '$cfg::buffer' on this machine... "; 5255 $pipecmd = "sh $tmp_script "; 5256 } else { 5257 print $::msg "| Checking '$cfg::buffer' on host $host... "; 5258 $pipecmd = "cat $tmp_script | ($::remoteshell $host 'cat > $tmp_script; sh $tmp_script; rm -f $tmp_script' )"; We see here that the untrusted script could be executed on localhost or remote host. 5446 my $tmp1 = "$cfg::tmpdir/test1.$PROCESS_ID"; 5447 my $tmp2 = "$cfg::tmpdir/test2.$PROCESS_ID"; 5448 my $tmp3 = "$cfg::tmpdir/test3.$PROCESS_ID"; Here the $cfg::pad_blocks should be false to exploit the possible symlink attack (race condition). By default in the conf file pad_blocks is true. No risk if no configuration modification. 359 if (defined($::pkgdelta)) { 360 if (defined($::local)) { 361 &list_packages('localhost'); 362 &find_packaged_files('localhost'); 363 &find_changed_files('localhost'); 364 } 365 foreach my $host (keys %::remotehosts) { 366 &list_packages($host); 367 &find_packaged_files($host); 368 &find_changed_files($host); 369 } 370 $::pkgdelta_filelist = "$cfg::tmpdir/pkgdelta.$PROCESS_ID"; 371 &line(); 372 } Here we have possible symlink attack (race condition) 619 my $exitscript = "$cfg::tmpdir/collectexit.$PROCESS_ID.sh"; 620 my $result = "$cfg::tmpdir/exitstatus.$PROCESS_ID"; 841 unlink($result); 842 open(SCR, "> $exitscript") || die; 843 print SCR '#!/bin/sh' . "\n"; 844 print SCR '"$@"' . "\n";; 845 print SCR '[ $? = 0 ] || echo $@ >> ' . $result . "\n"; 846 close(SCR); 847 chmod(0755, $exitscript); 848 849 push(@cmds, "[ ! -e $result ]"); 850 } This one is more difficult to race. Regards. taviso@gentoo.org 2005-09-13 05:50:59 0000 yes, looks like a Default Config issue, changing component.. zataz@zataz.net 2005-09-13 05:59:20 0000 Hello, Upsteam provide the config file with $tmpdir = '/tmp'; Should I contact upstream ? Regards. zataz@zataz.net 2005-09-19 02:00:09 0000 Hello, Email send to upstream. Edwin Huffstutler <edwinh+flexbackup@edwinh.org> Regards. zataz@zataz.net 2005-09-30 01:07:41 0000 Hello, No response from upstream. Release date : 2005-10-15 Send to vendor-sec@lst.de Regards. koon@gentoo.org 2005-10-02 02:18:48 0000 Created an attachment (id=69694) patch.CAN-2005-2965.flexbackup Patch from Martin Schulze @Debian, removes insecure tmpfile usage rather than fix the default conf value. jaervosz@gentoo.org 2005-10-06 12:00:56 0000 max/mholzer please attach an updated ebuild. Do NOT commit anything to Portage. vapier@gentoo.org 2005-10-06 16:09:23 0000 Created an attachment (id=70020) flexbackup-1.2.1-r1.ebuild i think both mholzer/max are afk jaervosz@gentoo.org 2005-10-06 22:23:13 0000 Thx Mike. Calling arch security liaisons to test and report back on this bug: hppa hansmi ppc hansmi x86 tester hansmi@gentoo.org 2005-10-08 06:35:06 0000 Works on ppc and hppa. tester@gentoo.org 2005-10-08 21:08:46 0000 you have my ok to commit straight to stable on x86 koon@gentoo.org 2005-10-17 01:08:21 0000 SpanKY feel free to commit the ebuild vapier@gentoo.org 2005-10-20 10:09:11 0000 added with x86 stable hansmi@gentoo.org 2005-10-21 11:27:55 0000 Stable on ppc and hppa. jaervosz@gentoo.org 2005-10-21 23:41:02 0000 Default config -> closing without GLSA. jochen@gentoo.erwied.de 2005-12-23 07:51:13 0000 (In reply to comment #14) > Default config -> closing without GLSA. > The patch breaks the ability to backup remote machines. The additional directory is created only locally, but not promoted to the remote machine. The errors look like this: |------------------------------------------------------------ | File number 12, tape index 200512202202 | Backup of: border:/etc | Date of this level 2 backup: Thu Dec 22 05:31:07 2005 | Date of last level 1 backup: Wed Dec 21 05:21:00 2005 |------------------------------------------------------------ | ssh border 'touch -t "200512210521.00" /tmp/6136/refdate.6136' | ssh border 'printf "mp3 MP3 Z z gz gif zip ZIP lha jpeg jpg JPG taz tgz \ | deb rpm bz2 lzo" > /tmp/6136/nocompress.6136' | ssh border 'printf "Volume Label:\nlevel 2 border:/etc Thu Dec 22 \ | 05:31:07 2005 afio+gzip from joker\n\n" > /tmp/6136/label.6136' | /tmp/6136/collectexit.6136.sh ssh border 'cd "/etc" && (printf \ | "//--/tmp/6136/label.6136 flexbackup.volume_header_info\n" && find . \ | -depth -xdev ! -type s -newer "/tmp/6136/refdate.6136" ! -regex \ | ".*/[Cc]ache/.*" ! -regex ".*~"$ -print ) | afio -o -E \ | /tmp/6136/nocompress.6136 -z -1 m -P gzip -Q -4 -Z -M 2m -T 3k -v -' | \ | /tmp/6136/collectexit.6136.sh cat > "/dev/nst0" | ssh border 'rm -f /tmp/6136/refdate.6136 /tmp/6136/nocompress.6136 \ | /tmp/6136/label.6136' | [ ! -e /tmp/6136/exitstatus.6136 ] |------------------------------------------------------------ touch: cannot touch `/tmp/6136/refdate.6136': No such file or directory ERROR: non-zero exit from: koon@gentoo.org 2005-12-23 10:35:09 0000 You should open a new bug, this is no longer a security issue, it's just a patch that broke functionality... and needs to be fixed. jochen@gentoo.erwied.de 2005-12-23 10:43:57 0000 > You should open a new bug, this is no longer a security issue, it's just a > patch that broke functionality... and needs to be fixed. You're correct. Filed as bug #116510 69694 2005-10-02 02:18 0000 patch.CAN-2005-2965.flexbackup patch.CAN-2005-2965.flexbackup text/plain LS0tIGZsZXhiYWNrdXB+CTIwMDMtMTAtMTAgMTY6MTI6MDkuMDAwMDAwMDAwICswMjAwCisrKyBm bGV4YmFja3VwCTIwMDUtMTAtMDEgMTk6MzU6MjUuMDAwMDAwMDAwICswMjAwCkBAIC0yNjksNiAr MjY5LDcgQEAgaWYgKCgkOjptb2RlICF+IG0vXihsaXN0fGV4dHJhY3R8cmVzdG9yZQogICAgIHVu dGllKCU6OmluZGV4KTsKIH0KIAorc3lzdGVtICgncm0nLCAnLXJmJywgJGNmZzo6dG1wZGlyKSBp ZiAoZGVmaW5lZCgkY2ZnOjpkZWx0bXBkaXIpKTsKIGV4aXQoMCk7CiAKICMjIyMjIyMjIyMjIyMj IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMK QEAgLTI3MjUsNiArMjcyNiwxMyBAQCBzdWIgb3B0aW9uY2hlY2sgewogICAgICZjaGVja3Zhcihc JGNmZzo6cHJlZml4LCdwcmVmaXgnLCdleGlzdCcsJycpOwogICAgICZjaGVja3ZhcihcJGNmZzo6 c3ByZWZpeCwnc3ByZWZpeCcsJ2V4aXN0JywnJyk7CiAKKyAgICAjIENyZWF0ZSBhIHN1YmRpcmVj dG9yeSBpbnNpZGUgL3RtcAorICAgIGlmICgkY2ZnOjp0bXBkaXIgZXEgJy90bXAnKSB7CisgICAg ICAgJGNmZzo6dG1wZGlyID0gJGNmZzo6dG1wZGlyIC4nLycuJCQ7CisgICAgICAgbWtkaXIgKCRj Zmc6OnRtcGRpcikgfHwgZGllICJDYW4ndCBjcmVhdGUgdGVtcG9yYXJ5IGRpcmVjdG9yeSwgJCEi OworICAgICAgICRjZmc6OmRlbHRtcGRpciA9IDE7CisgICAgfQorCiAgICAgaWYgKEA6OmVycm9y cykgewogCXByaW50ICQ6Om1zZyAiRXJyb3JzOlxuIjsKIAl3aGlsZShAOjplcnJvcnMpIHsKQEAg LTUyMzYsOCArNTI0NCw4IEBAIHN1YiB0ZXN0X2J1ZmZlcnByb2cgewogICAgICMgQ3JlYXRlIGEg c2NyaXB0IHdoaWNoIHRlc3RzIHRoZSBidWZmZXIgcHJvZ3JhbQogICAgIG9wZW4oU0NSLCI+ICR0 bXBfc2NyaXB0IikgfHwgZGllOwogICAgIHByaW50IFNDUiAiIyEvYmluL3NoXG4iOwotICAgIHBy aW50IFNDUiAidG1wX2RhdGE9L3RtcC9idWZmdGVzdFwkXCQudHh0XG4iOwotICAgIHByaW50IFND UiAidG1wX2Vycj0vdG1wL2J1ZmZ0ZXN0XCRcJC5lcnJcbiI7CisgICAgcHJpbnQgU0NSICJ0bXBf ZGF0YT1cYHRlbXBmaWxlXGBcbiI7CisgICAgcHJpbnQgU0NSICJ0bXBfZXJyPVxgdGVtcGZpbGVc YFxuIjsKICAgICBwcmludCBTQ1IgImVjaG8gdGVzdG1lID4gXCR0bXBfZGF0YVxuIjsKICAgICBw cmludCBTQ1IgIiRidWZmZXJfY21kID4gL2Rldi9udWxsIDI+IFwkdG1wX2VyciA8IFwkdG1wX2Rh dGFcbiI7CiAgICAgcHJpbnQgU0NSICJyZXM9XCQ/XG4iOwo= 70020 2005-10-06 16:09 0000 flexbackup-1.2.1-r1.ebuild flexbackup-1.2.1-r1.ebuild text/plain IyBDb3B5cmlnaHQgMTk5OS0yMDA1IEdlbnRvbyBGb3VuZGF0aW9uCiMgRGlzdHJpYnV0ZWQgdW5k ZXIgdGhlIHRlcm1zIG9mIHRoZSBHTlUgR2VuZXJhbCBQdWJsaWMgTGljZW5zZSB2MgojICRIZWFk ZXI6IC92YXIvY3Zzcm9vdC9nZW50b28teDg2L2FwcC1iYWNrdXAvZmxleGJhY2t1cC9mbGV4YmFj a3VwLTEuMi4xLmVidWlsZCx2IDEuMSAyMDA1LzA3LzA0IDA1OjE2OjU0IHJvYmJhdDIgRXhwICQK CmluaGVyaXQgZXV0aWxzCgpERVNDUklQVElPTj0iRmxleGlibGUgYmFja3VwIHNjcmlwdCB1c2lu ZyBwZXJsIgpIT01FUEFHRT0iaHR0cDovL2ZsZXhiYWNrdXAuc291cmNlZm9yZ2UubmV0LyIKU1JD X1VSST0ibWlycm9yOi8vc291cmNlZm9yZ2UvJHtQTn0vJHtQfS50YXIuZ3oiCgpMSUNFTlNFPSJH UEwtMiIKU0xPVD0iMCIKS0VZV09SRFM9In5hbWQ2NCB+aHBwYSB+cHBjIH54ODYiCklVU0U9IiIK ClJERVBFTkQ9ImRldi1sYW5nL3BlcmwKCXN5cy1hcHBzL2ZpbmR1dGlscwoJYXBwLWFyY2gvdGFy CglhcHAtYXJjaC9tdC1zdCIKCnNyY191bnBhY2soKSB7Cgl1bnBhY2sgJHtBfQoJY2QgIiR7U30i CgllcGF0Y2ggIiR7RklMRVNESVJ9Ii8ke1B9LUNBTi0yMDA1LTI5NjUucGF0Y2gKCXNlZCAtaSBc CgkJLWUgJy9eXCR0eXBlID0gL3M6YWZpbzp0YXI6JyBcCgkJLWUgIi9eXCRidWZmZXIgPSAvczon YnVmZmVyJzonZmFsc2UnOiIgXAoJCWZsZXhiYWNrdXAuY29uZiB8fCBkaWUKfQoKc3JjX2luc3Rh bGwoKSB7Cglkb2RpciAvZXRjIC91c3IvYmluIC91c3Ivc2hhcmUvbWFuL21hbnsxLDV9CgltYWtl IGluc3RhbGwgXAoJCVBSRUZJWD0iJHtEfSIvdXNyIFwKCQlDT05GRklMRT0iJHtEfSIvZXRjL2Zs ZXhiYWNrdXAuY29uZiBcCgkJfHwgZGllCgoJZG9kb2MgQ0hBTkdFUyBDUkVESVRTIElOU1RBTEwg UkVBRE1FIFRPRE8KCWRvaHRtbCBmYXEuaHRtbAp9Cgpwa2dfcG9zdGluc3QoKSB7CgllaW5mbyAi UGxlYXNlIGVkaXQgeW91ciAvZXRjL2ZsZXhiYWNrdXAuY29uZiBmaWxlIHRvIHN1aXQgeW91ciIK CWVpbmZvICJuZWVkcy4gIElmIHlvdSBhcmUgdXNpbmcgZGV2ZnMsIHRoZSB0YXBlIGRldmljZSBz aG91bGQiCgllaW5mbyAiYmUgc2V0IHRvIC9kZXYvdGFwZXMvdGFwZTAvbXRuLiAgSWYgeW91IG5l ZWQgdG8gdXNlIGFueSIKCWVpbmZvICJhcmNoaXZlciBvdGhlciB0aGFuIHRhciwgcGxlYXNlIGVt ZXJnZSBpdCBzZXBhcmF0ZWx5LiIKfQo=