Summary: | net-misc/hylafax tmp file issue in xferfaxstats script | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Sune Kloppenborg Jeppesen (RETIRED) <jaervosz> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | kingtaco, nerdboy |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=329384 | ||
Whiteboard: | B3 [glsa] jaervosz | ||
Package list: | Runtime testing required: | --- |
Description
Sune Kloppenborg Jeppesen (RETIRED)
2005-09-22 06:07:42 UTC
Package: hylafax Severity: critical Version: 1:4.2.1-7 Tags: woody sarge security patch This was a mail sent to the Debian security team, the hylafax Debian maintainer and the hylafax upstream maintainer a while back, since then, version 1:4.2.2+rc1 has been uploaded to testing (Sept 3rd 2005) making this issue public: * Added patches from Javier Fernandez-Sanguino Peña to cron jobs in order to redirect stderr, and to other scripts in order to fix temporary directory usage. (See patch 702) This is the mail sent describing the vulnerabilites (dated 6 Aug 2005). Attached is the patch (700, not 702 as mentioned in the changelog) used by the maintainer and based in may original patches. Notice that the patch only fixes the tempdir vulnerabilities, the last issue (the UNIX domain socket) has not yet been investigated. ------------------------------------------------------------------------- Hi there hylafax maintainer and Debian security team, While reviewing Debian packages for vulnerabilities due to the insecure use of temporary files I've found that the hylafax package contains a script (xferfaxstats) which is vulnerable to symlink attacks since it uses temporary files in an unsafe way: ------------------------------------------------------------------ (...) tmpAwk=/tmp/xferfax$$ trap "rm -f $tmpAwk; exit 1" 0 1 2 15 (...) )>$tmpAwk $AWK -f $tmpAwk -v TODAY="$TODAY" -v AGE="$AGE" -v SINCEDT="$SINCEDT" -v ENDDT=" ------------------------------------------------------------------ Furthermore, this script is run in a monthly basis by the predefined cron tasks in the package as root so it makes this vulnerability an exploitable issue in all systems that have this package installed. I've reviewed all other hylafax scripts which make use of /tmp too: /usr/sbin/recvstats, /usr/sbin/faxcron, /usr/sbin/faxaddmodem, /usr/sbin/faxsetup and /usr/sbin/probemodem and they use constructs which prevent symlink attacks from overwritting files. It seems that the Debian maintener fixed these bugs in 28 Sep 1998 (based on the changelog) but the xferstats script seems to have been missed. This script is available in all hylafax-server versions: woody, sarge, etch and sid. I'm also concerned that the hylafax package creates /var/spool/hylafax/tmp with mode 4777 supposedly, based on the manpages of those scripts, to be used as a temporary location of files but, instead, all of the files use /tmp instead directly. In order to clean up the code a little bit attached is a separate (untested) patch which reviews all the use of temporary files in scripts: 1.- It makes all of them use mktemp if available, this prevents DoS attacks agains the scripts since rogue users will find it more difficult to pre-create the temporary files. With the current code it is simple to prevent all scripts from executing just by populating the /tmp directory with symlinks. 2.- It makes all of them use TMPDIR if defined (through mktemp -t or through the use of $TMPDIR instead of /tmp if mktemp is not available) 3.- It generates proper error messages if temporary files cannot be created 4.- It changes cron jobs to forward error messages to the scripts to log files or to mail messages 5.- Do not define 'exit 1' when setting traps, since the exit status of the script will be changed (a 0 exit status will be 1 instead). Code sample: ------------------------------------------------ #!/bin/sh trap "echo trap; exit 1" 0 1 2 3 15 echo no trap exit 0 ---------------------------------------------- $ ./test.sh no trap trap $ echo $? 1 This patch could be used in the sid package since it is actually code cleamup. If it was added, the cron jobs could redefine TMPDIR to be /var/spool/hylafax/tmp before calling the scripts so that the claim of the manpages would be correct. Based on the current code that directory does not seem to be used at all. Finally, another concern, is that the default config file defines FAX_DEFUNIX as /tmp/hyla.unix to setup a transport mode based on UNIX domain sockets. The FaxClient code uses whatever transport mechanism is available (through Transport::getTransport) and the Transport code says: [ ./util/Transport.c++ ] 53 if (UnixTransport::isA(FAX_DEFUNIX)) { 54 client.setHost(FAX_DEFUNIX); 55 return *new UnixTransport(client); 56 } else { 57 client.setHost(FAX_DEFHOST); 58 return *new InetTransport(client); 59 } UnixTransport::isA is defined as: [ util/UnixTransport.c++ ] 35 UnixTransport::isA(const char* address) 36 { 37 return Sys::isSocketFile(address); 38 } I don't see that the Debian package creates the UNIX domain socket at all. ¿Does this code means that if a rogue local user where to create a UNIX socket at /tmp/hyla.unix all Hylafax clients in the system would use that instead of the other inettransport (localhost:4559)? ¿Does this means that a local user could get access to all faxes sent and prevent faxes from being sent to the proper Hylafax Server? Notice that this code disputes the claim from the hylafax-client that it only communicates through TCP/IP (the manpage does not mention it either) and can introduce a different vulnerability in the system than the ones fixed by the attached patches. Regards Javier Fernandez-Sanguino Steve, could you bump hylafax with the fixorz ? Pulling rest of herd to help as nerdboy doesn't seem to answer... Sorry, I got swamped; it says below "sent upstream" but xferfaxstats is still as shown below. I suppose I have to yank it from the debian site... Okay, all 4.2x versions are patched with the tmpdir patch; I'm removing 4.1.8 unless somebody screams real loud... nerdboy please don't close security bugs. Reopening for GLSA decision. I vote yes I vote YES too. Back to ebuild status. nerdboy please bump all affected versions so users will pick up the fixed versions and we can properly list affected versions. So, you want a revision bump on each of the remaining hylafax ebuilds? I.e., hylafax-4.2.0-r2.ebuild => hylafax-4.2.0-r3.ebuild and so on? This is what we have now: hylafax-4.2.1.ebuild hylafax-4.2.0-r2.ebuild hylafax-4.2.2.ebuild hylafax-4.2.1-r1.ebuild so I'm thinking of removing 4.2.1 and bumping 4.2.1-r1 to -r2 (plus the other two). Does that make sense? For each stable arch there should be a revision increase so they pickup the update. Preferably as few stable versions as possible, but no hard demand. We should at least have 4.2.1-r2 for x86 and sparc and possibly 4.2.0-r3 for hppa and amd64, otherwise they will have to mark 4.2.1-r2 stable. Done. Thx, ready for GLSA. GLSA 200509-21 |