Bug 105000 - app-backup/flexbackup <= 1.2.1 multiple vulnerabilities

Bug#: 105000
Product: Gentoo Security
Component: Default Configs
Version: unspecified
Platform: All
OS/Version: Linux
Status: RESOLVED
Resolution: FIXED
Severity: normal
Priority: P2
Assigned To: security@gentoo.org
Reported By: zataz@zataz.net
Summary: app-backup/flexbackup <= 1.2.1 multiple vulnerabilities
Status Whiteboard: [noglsa] jaervosz

Opened: 2005-09-06 04:05 0000
Hello,
* In /etc/flexbackup.conf:
$tmpdir = '/tmp';
* In flexbackup:
&checkvar(\$cfg::tmpdir,'tmpdir','exist','/tmp');
If tmpdir is not defined, /tmp is used by default, but here in the conf file tmpdir
is set to /tmp by default.
5229 my $tmp_script = "$cfg::tmpdir/buftest.$host.$PROCESS_ID.sh";
5236 # Create a script which tests the buffer program
5237 open(SCR,"> $tmp_script") || die;
5238 print SCR "#!/bin/sh\n";
5239 print SCR "tmp_data=/tmp/bufftest\$\$.txt\n";
5240 print SCR "tmp_err=/tmp/bufftest\$\$.err\n";
5241 print SCR "echo testme > \$tmp_data\n";
5242 print SCR "$buffer_cmd > /dev/null 2> \$tmp_err < \$tmp_data\n";
5243 print SCR "res=\$?\n";
5244 print SCR "out=\`cat \$tmp_err\`\n";
5245 print SCR "if [ \$res -eq 0 ]; then\n";
5246 print SCR " echo successful\n";
5247 print SCR "else\n";
5248 print SCR " echo \"unsuccessful: exit code \$res: \$out\" \n";
5249 print SCR "fi\n";
5250 print SCR "rm -f \$tmp_data \$tmp_err\n";
5251 close(SCR);
Here we have a possible symlink attack (race condition), and also the possibility of
creating an untrusted script as tmp_script (race condition).
The way the script is created is also vulnerable to a possible symlink attack (race
condition).
5253 if ($host eq 'localhost') {
5254 print $::msg "| Checking '$cfg::buffer' on this machine... ";
5255 $pipecmd = "sh $tmp_script ";
5256 } else {
5257 print $::msg "| Checking '$cfg::buffer' on host $host... ";
5258 $pipecmd = "cat $tmp_script | ($::remoteshell $host 'cat > $tmp_script; sh $tmp_script; rm -f $tmp_script' )";
We see here that the untrusted script could be executed on localhost or on a remote host.
5446 my $tmp1 = "$cfg::tmpdir/test1.$PROCESS_ID";
5447 my $tmp2 = "$cfg::tmpdir/test2.$PROCESS_ID";
5448 my $tmp3 = "$cfg::tmpdir/test3.$PROCESS_ID";
Here $cfg::pad_blocks should be false to exploit the possible symlink attack
(race condition). By default in the conf file pad_blocks is true. No risk without
configuration modification.
359 if (defined($::pkgdelta)) {
360 if (defined($::local)) {
361 &list_packages('localhost');
362 &find_packaged_files('localhost');
363 &find_changed_files('localhost');
364 }
365 foreach my $host (keys %::remotehosts) {
366 &list_packages($host);
367 &find_packaged_files($host);
368 &find_changed_files($host);
369 }
370 $::pkgdelta_filelist = "$cfg::tmpdir/pkgdelta.$PROCESS_ID";
371 &line();
372 }
Here we have a possible symlink attack (race condition).
619 my $exitscript = "$cfg::tmpdir/collectexit.$PROCESS_ID.sh";
620 my $result = "$cfg::tmpdir/exitstatus.$PROCESS_ID";
841 unlink($result);
842 open(SCR, "> $exitscript") || die;
843 print SCR '#!/bin/sh' . "\n";
844 print SCR '"$@"' . "\n";;
845 print SCR '[ $? = 0 ] || echo $@ >> ' . $result . "\n";
846 close(SCR);
847 chmod(0755, $exitscript);
848
849 push(@cmds, "[ ! -e $result ]");
850 }
This one is more difficult to race.
Regards.
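The pattern the report describes, as an added example that is not flexbackup's code and not from the reporter: a script written to a predictable `$cfg::tmpdir/name.$host.$PROCESS_ID` path with `open(">")`, beside a hardened form that uses a per-run mode-0700 directory from File::Temp and `sysopen` with `O_CREAT|O_EXCL|O_NOFOLLOW`. The scratch directory, the victim file and the attacker's pre-planted symlink are constructed for the demonstration; it assumes a Linux/POSIX Perl where Fcntl exports O_NOFOLLOW and never touches the real /tmp.

```perl
#!/usr/bin/perl
# Added example, not flexbackup code: predictable temp file beside a hardened one.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL O_NOFOLLOW);
use File::Temp qw(tempdir);

# Scratch area playing the role of $cfg::tmpdir (assumption: Linux/POSIX,
# where O_NOFOLLOW exists and symlink() works). Removed at exit.
my $tmpdir = tempdir("flexdemo.XXXXXXXX", TMPDIR => 1, CLEANUP => 1);

# Constructed victim file: stands in for anything the backup user can write,
# e.g. ~/.ssh/authorized_keys when flexbackup runs as root.
my $victim = "$tmpdir/victim.txt";
open(my $vfh, '>', $victim) or die "$victim: $!";
print $vfh "precious data\n";
close($vfh);

# --- Vulnerable: same shape as buftest.$host.$PROCESS_ID.sh in the report.
# $host is known and PIDs are small and sequential, so the name is guessable,
# and open(">") follows whatever symlink is already sitting at that path.
sub write_script_vulnerable {
    my ($dir, $host) = @_;
    my $tmp_script = "$dir/buftest.$host.$$.sh";
    open(my $scr, '>', $tmp_script) or die "$tmp_script: $!";
    print $scr "#!/bin/sh\necho testme\n";
    close($scr);
    return $tmp_script;
}

# --- Hardened: an unpredictably named, mode-0700 directory per run, and the
# file itself created with O_CREAT|O_EXCL|O_NOFOLLOW so that a pre-planted
# symlink or file makes the open fail instead of being followed or reused.
sub write_script_hardened {
    my ($dir, $host) = @_;
    my $rundir = tempdir("flexbackup.XXXXXXXX", DIR => $dir, CLEANUP => 1);
    my $tmp_script = "$rundir/buftest.$host.sh";
    sysopen(my $scr, $tmp_script, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600)
        or die "refusing to write $tmp_script: $!";
    print $scr "#!/bin/sh\necho testme\n";
    close($scr);
    return $tmp_script;
}

sub first_line {
    my $f = shift;
    open(my $h, '<', $f) or die "$f: $!";
    my $line = <$h>;
    close($h);
    chomp $line;
    return $line;
}

# Attacker wins the race against the vulnerable version: plant a symlink under
# the guessed name before flexbackup creates its script. Here the PID is known
# ($$); a real attacker pre-creates links for a range of likely PIDs.
my $guess = "$tmpdir/buftest.localhost.$$.sh";
symlink($victim, $guess) or die "symlink: $!";
write_script_vulnerable($tmpdir, 'localhost');
print "vulnerable: victim's first line is now: ", first_line($victim), "\n";
# The backup tool's write went through the symlink into the victim file.

# Same attack against the hardened version: the directory name cannot be
# guessed, and even a link planted at a known name is refused with EEXIST.
my $script = write_script_hardened($tmpdir, 'localhost');
print "hardened: wrote $script\n";
my $planted = "$script.planted";   # pretend the attacker learned the name
symlink($victim, $planted) or die "symlink: $!";
my $opened = sysopen(my $fh, $planted, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
print "hardened: open of pre-planted path ",
      ($opened ? "succeeded (bad)" : "refused: $!"), "\n";
```

Running it shows the vulnerable open overwriting the victim through the symlink and the hardened open failing with "File exists". Two caveats for anyone patching this: the same treatment is needed for every name derived from $cfg::tmpdir in the report (test1/2/3, pkgdelta, collectexit.sh, exitstatus), and a directory created by the local Perl process does not exist on hosts reached through $::remoteshell, so the remote-side `cat > $tmp_script` needs that directory created on the remote host first (which is the breakage reported later in this bug).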
Yes, looks like a Default Config issue, changing component.
Hello,
Upstream provides the config file with $tmpdir = '/tmp';
Should I contact upstream?
Regards.
Hello,
No response from upstream.
Release date: 2005-10-15
Sent to vendor-sec@lst.de
Regards.
max/mholzer please attach an updated ebuild.
Do NOT commit anything to Portage.
Thx Mike.
Calling arch security liaisons to test and report back on this bug:
hppa hansmi
ppc hansmi
x86 tester
you have my ok to commit straight to stable on x86
SpanKY feel free to commit the ebuild
Default config -> closing without GLSA.
(In reply to comment #14)
> Default config -> closing without GLSA.
>
The patch breaks the ability to backup remote machines.
The additional directory is created only locally, but not promoted to the
remote machine.
The errors look like this:
|------------------------------------------------------------
| File number 12, tape index 200512202202
| Backup of: border:/etc
| Date of this level 2 backup: Thu Dec 22 05:31:07 2005
| Date of last level 1 backup: Wed Dec 21 05:21:00 2005
|------------------------------------------------------------
| ssh border 'touch -t "200512210521.00" /tmp/6136/refdate.6136'
| ssh border 'printf "mp3 MP3 Z z gz gif zip ZIP lha jpeg jpg JPG taz tgz \
| deb rpm bz2 lzo" > /tmp/6136/nocompress.6136'
| ssh border 'printf "Volume Label:\nlevel 2 border:/etc Thu Dec 22 \
| 05:31:07 2005 afio+gzip from joker\n\n" > /tmp/6136/label.6136'
| /tmp/6136/collectexit.6136.sh ssh border 'cd "/etc" && (printf \
| "//--/tmp/6136/label.6136 flexbackup.volume_header_info\n" && find . \
| -depth -xdev ! -type s -newer "/tmp/6136/refdate.6136" ! -regex \
| ".*/[Cc]ache/.*" ! -regex ".*~"$ -print ) | afio -o -E \
| /tmp/6136/nocompress.6136 -z -1 m -P gzip -Q -4 -Z -M 2m -T 3k -v -' | \
| /tmp/6136/collectexit.6136.sh cat > "/dev/nst0"
| ssh border 'rm -f /tmp/6136/refdate.6136 /tmp/6136/nocompress.6136 \
| /tmp/6136/label.6136'
| [ ! -e /tmp/6136/exitstatus.6136 ]
|------------------------------------------------------------
touch: cannot touch `/tmp/6136/refdate.6136': No such file or directory
ERROR: non-zero exit from:
You should open a new bug, this is no longer a security issue, it's just a
patch that broke functionality... and needs to be fixed.
> You should open a new bug, this is no longer a security issue, it's just a
> patch that broke functionality... and needs to be fixed.
You're correct. Filed as bug #116510