Hello,

* In /etc/flexbackup.conf:

    $tmpdir = '/tmp';

* In flexbackup:

    &checkvar(\$cfg::tmpdir,'tmpdir','exist','/tmp');

If tmpdir is not defined, /tmp is used by default, but here in the conf file tmpdir is already set to /tmp by default.

5229 my $tmp_script = "$cfg::tmpdir/buftest.$host.$PROCESS_ID.sh";
5236 # Create a script which tests the buffer program
5237 open(SCR,"> $tmp_script") || die;
5238 print SCR "#!/bin/sh\n";
5239 print SCR "tmp_data=/tmp/bufftest\$\$.txt\n";
5240 print SCR "tmp_err=/tmp/bufftest\$\$.err\n";
5241 print SCR "echo testme > \$tmp_data\n";
5242 print SCR "$buffer_cmd > /dev/null 2> \$tmp_err < \$tmp_data\n";
5243 print SCR "res=\$?\n";
5244 print SCR "out=\`cat \$tmp_err\`\n";
5245 print SCR "if [ \$res -eq 0 ]; then\n";
5246 print SCR " echo successful\n";
5247 print SCR "else\n";
5248 print SCR " echo \"unsuccessful: exit code \$res: \$out\" \n";
5249 print SCR "fi\n";
5250 print SCR "rm -f \$tmp_data \$tmp_err\n";
5251 close(SCR);

Here we have a possible symlink attack (race condition), and also the possibility of placing an untrusted script into tmp_script (race condition). The script that is created is itself also vulnerable to a possible symlink attack (race condition).

5253 if ($host eq 'localhost') {
5254 print $::msg "| Checking '$cfg::buffer' on this machine... ";
5255 $pipecmd = "sh $tmp_script ";
5256 } else {
5257 print $::msg "| Checking '$cfg::buffer' on host $host... ";
5258 $pipecmd = "cat $tmp_script | ($::remoteshell $host 'cat > $tmp_script; sh $tmp_script; rm -f $tmp_script' )";

We see here that the untrusted script could be executed on localhost or on a remote host.

5446 my $tmp1 = "$cfg::tmpdir/test1.$PROCESS_ID";
5447 my $tmp2 = "$cfg::tmpdir/test2.$PROCESS_ID";
5448 my $tmp3 = "$cfg::tmpdir/test3.$PROCESS_ID";

Here $cfg::pad_blocks would have to be false to exploit the possible symlink attack (race condition). By default in the conf file pad_blocks is true. No risk without a configuration modification.
359 if (defined($::pkgdelta)) {
360 if (defined($::local)) {
361 &list_packages('localhost');
362 &find_packaged_files('localhost');
363 &find_changed_files('localhost');
364 }
365 foreach my $host (keys %::remotehosts) {
366 &list_packages($host);
367 &find_packaged_files($host);
368 &find_changed_files($host);
369 }
370 $::pkgdelta_filelist = "$cfg::tmpdir/pkgdelta.$PROCESS_ID";
371 &line();
372 }

Here we have a possible symlink attack (race condition).

619 my $exitscript = "$cfg::tmpdir/collectexit.$PROCESS_ID.sh";
620 my $result = "$cfg::tmpdir/exitstatus.$PROCESS_ID";

841 unlink($result);
842 open(SCR, "> $exitscript") || die;
843 print SCR '#!/bin/sh' . "\n";
844 print SCR '"$@"' . "\n";;
845 print SCR '[ $? = 0 ] || echo $@ >> ' . $result . "\n";
846 close(SCR);
847 chmod(0755, $exitscript);
848
849 push(@cmds, "[ ! -e $result ]");
850 }

This one is more difficult to race.

Regards.
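The two report comments above describe the same weakness in each location: a file name built from a fixed prefix and the process ID under a world-writable tmpdir, then opened with Perl's open(SCR, "> $path"), which creates or truncates without O_EXCL and so follows whatever symlink an attacker planted at that name. The following is an added example, not flexbackup's code; it is written in Python rather than Perl so that it runs as a stand-alone check of the OS behaviour, inside a scratch directory that stands in for /tmp. The PID 4242, the "victim" file and the "buftest.localhost.<pid>.sh" naming are constructed for the demonstration.

```python
"""Added example (not flexbackup's own code): the symlink race behind
CAN-2005-2965, reproduced inside a private scratch directory that stands in
for a world-writable /tmp.  File names mimic flexbackup's
"$cfg::tmpdir/buftest.$host.$PROCESS_ID.sh" pattern; the PID is made up."""
import os
import stat
import tempfile

O_NOFOLLOW = getattr(os, "O_NOFOLLOW", 0)   # absent on Windows; assumed Linux here


def naive_create(path, content):
    """What Perl's open(SCR, "> $path") does: O_CREAT|O_TRUNC without O_EXCL.
    If an attacker has already placed a symlink at `path`, the link is
    followed and whatever it points at is truncated and overwritten."""
    with open(path, "w") as fh:
        fh.write(content)


def exclusive_create(path, content):
    """Hardened variant: O_EXCL refuses any pre-existing entry (a symlink
    counts, even a dangling one) and the file is created with mode 0600."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | O_NOFOLLOW, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(content)


def private_tempdir(tmpdir, pid):
    """Per-process directory approach: mkdir() never follows a symlink in its
    last path component, so a planted link makes it fail with EEXIST instead
    of being used.  The caller must treat that failure as fatal, not ignore it."""
    path = os.path.join(tmpdir, str(pid))
    os.mkdir(path, 0o700)
    return path


def run_scenarios():
    """Runs four scenarios and returns their outcomes in a dict."""
    with tempfile.TemporaryDirectory() as sandbox:
        tmpdir = os.path.join(sandbox, "tmp")              # stands in for /tmp
        os.mkdir(tmpdir)
        victim = os.path.join(sandbox, "victim")           # e.g. a root-owned file
        with open(victim, "w") as fh:
            fh.write("original contents\n")

        pid = 4242                                         # guessed by the attacker
        predictable = os.path.join(tmpdir, f"buftest.localhost.{pid}.sh")

        # 1. Attacker wins the race: the symlink exists before the name is opened.
        os.symlink(victim, predictable)
        naive_create(predictable, "#!/bin/sh\necho testme\n")
        with open(victim) as fh:
            victim_after_naive = fh.read()                 # victim was clobbered

        # 2. Same planted link, exclusive create: refused, victim untouched.
        with open(victim, "w") as fh:
            fh.write("original contents\n")
        try:
            exclusive_create(predictable, "#!/bin/sh\n")
            exclusive_refused = False
        except FileExistsError:
            exclusive_refused = True
        with open(victim) as fh:
            victim_after_exclusive = fh.read()

        # 3. mkstemp: unpredictable name, O_CREAT|O_EXCL, mode 0600.
        fd, path = tempfile.mkstemp(prefix="buftest.localhost.", suffix=".sh", dir=tmpdir)
        os.close(fd)
        mkstemp_mode = stat.S_IMODE(os.stat(path).st_mode)

        # 4. Per-process directory: attacker plants a link where the dir would go.
        os.symlink(victim, os.path.join(tmpdir, str(pid)))
        try:
            private_tempdir(tmpdir, pid)
            mkdir_refused = False
        except FileExistsError:
            mkdir_refused = True

        return {
            "victim_after_naive": victim_after_naive,
            "victim_after_exclusive": victim_after_exclusive,
            "exclusive_refused": exclusive_refused,
            "mkstemp_mode": mkstemp_mode,
            "mkdir_refused": mkdir_refused,
        }


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(f"{key}: {value!r}")
```

Scenario 1 shows the clobber: the script body lands in the file the symlink points at, and in flexbackup's case the same predictable name is then fed to sh, so the attacker can equally make the link point at a file they control to supply the script contents. Scenarios 2 to 4 are the three usual remedies; the per-process directory in scenario 4 is only safe if the mkdir failure is checked and the directory is 0700, and it must exist on every host where the tool later writes into it.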
Yes, looks like a Default Config issue; changing component.
Hello,

Upstream provides the config file with $tmpdir = '/tmp';

Should I contact upstream?

Regards.
Hello,

Email sent to upstream: Edwin Huffstutler <edwinh+flexbackup@edwinh.org>

Regards.
Hello,

No response from upstream.

Release date: 2005-10-15

Sent to vendor-sec@lst.de

Regards.
Created attachment 69694: patch.CAN-2005-2965.flexbackup

Patch from Martin Schulze @Debian; removes the insecure tmpfile usage rather than fixing the default conf value.
max/mholzer, please attach an updated ebuild. Do NOT commit anything to Portage.
Created attachment 70020: flexbackup-1.2.1-r1.ebuild

I think both mholzer and max are afk.
Thx Mike. Calling arch security liaisons to test and report back on this bug:

hppa: hansmi
ppc: hansmi
x86: tester
Works on ppc and hppa.
You have my OK to commit straight to stable on x86.
SpanKY, feel free to commit the ebuild.
Added with x86 stable.
Stable on ppc and hppa.
Default config -> closing without GLSA.
(In reply to comment #14)
> Default config -> closing without GLSA.

The patch breaks the ability to back up remote machines. The additional directory is created only locally, but not promoted to the remote machine. The errors look like this:

|------------------------------------------------------------
| File number 12, tape index 200512202202
| Backup of: border:/etc
| Date of this level 2 backup: Thu Dec 22 05:31:07 2005
| Date of last level 1 backup: Wed Dec 21 05:21:00 2005
|------------------------------------------------------------
| ssh border 'touch -t "200512210521.00" /tmp/6136/refdate.6136'
| ssh border 'printf "mp3 MP3 Z z gz gif zip ZIP lha jpeg jpg JPG taz tgz \
| deb rpm bz2 lzo" > /tmp/6136/nocompress.6136'
| ssh border 'printf "Volume Label:\nlevel 2 border:/etc Thu Dec 22 \
| 05:31:07 2005 afio+gzip from joker\n\n" > /tmp/6136/label.6136'
| /tmp/6136/collectexit.6136.sh ssh border 'cd "/etc" && (printf \
| "//--/tmp/6136/label.6136 flexbackup.volume_header_info\n" && find . \
| -depth -xdev ! -type s -newer "/tmp/6136/refdate.6136" ! -regex \
| ".*/[Cc]ache/.*" ! -regex ".*~"$ -print ) | afio -o -E \
| /tmp/6136/nocompress.6136 -z -1 m -P gzip -Q -4 -Z -M 2m -T 3k -v -' | \
| /tmp/6136/collectexit.6136.sh cat > "/dev/nst0"
| ssh border 'rm -f /tmp/6136/refdate.6136 /tmp/6136/nocompress.6136 \
| /tmp/6136/label.6136'
| [ ! -e /tmp/6136/exitstatus.6136 ]
|------------------------------------------------------------
touch: cannot touch `/tmp/6136/refdate.6136': No such file or directory
ERROR: non-zero exit from:
You should open a new bug; this is no longer a security issue, it's just a patch that broke functionality and needs to be fixed.
> You should open a new bug, this is no longer a security issue, it's just a
> patch that broke functionality... and needs to be fixed.

You're correct. Filed as bug #116510.