Debian Bug report logs - #495705
lintian: Please improve insecure /tmp checks

Package: lintian; Maintainer for lintian is Debian Lintian Maintainers <[email protected]>; Source for lintian is src:lintian (PTS, buildd, popcon).

Reported by: "Dmitry E. Oboukhov" <[email protected]>

Date: Tue, 19 Aug 2008 20:09:04 UTC

Severity: wishlist

Fix blocked by 629247: lintian: Please use a decent shell script parser



Report forwarded to [email protected], Debian Lintian Maintainers <[email protected]>:
Bug#495705; Package lintian.


Acknowledgement sent to "Dmitry E. Oboukhov" <[email protected]>:
New Bug report received and forwarded. Copy sent to Debian Lintian Maintainers <[email protected]>.


Message #5 received at [email protected]:

From: "Dmitry E. Oboukhov" <[email protected]>
To: [email protected], Steve Kemp <[email protected]>
Cc: [email protected]
Subject: Re: Possible mass bug filing: The possibility of attack with the help of symlinks in some Debian packages
Date: Wed, 20 Aug 2008 00:07:31 +0400
Package: lintian
Tags: patch, security
Severity: wishlist

Hello, lintian maintainers!
Please see the full discussion on -devel:
    http://lists.debian.org/debian-devel/2008/08/msg00271.html
For example, see the bug
	http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494648
	(if an attacker makes a symlink from /tmp/twiki to /etc/shadow, then
	 he gets full access to the system when twiki installs or
	 upgrades)

Hi all!

I wrote a check script for the lintian package. This additional check
verifies Debian packages for the presence of the discussed bug.

Notes and additions are welcome.

The patch is attached.

PS: X11 also uses the /tmp/.X11-unix directory, which may be used for
attacks; I don't know :(

But many scripts (in different packages) use /tmp/.X11-unix; if this is
not a security problem, maybe I should add an exception for this directory
in the lintian script?

I don't know yet :(

DEO> This message about the error concerns a few packages at once. I've
DEO> tested all the packages on my Debian mirror. (post|pre)(inst|rm) and
DEO> config scripts were tested.

DEO> In some packages I've discovered scripts with errors which may be used
DEO> by a user for damaging important system files.

DEO> For example, if a script uses in its work a temp file which is created
DEO> in the /tmp directory, then every user can create a symlink with the
DEO> same name in this directory in order to destroy or rewrite some system
DEO> file.

DEO> I set Severity to grave for this bug. The table of discovered
DEO> problems is below.
--
... mpd is off

. ''`. Dmitry E. Oboukhov
: :'  : [email protected]
`. `~' GPGKey: 1024D / F8E26537 2006-11-21
  `- 1B23 D4F8 8EC0 D902 0555  E438 AB8C 00CF F8E2 6537
[symlinks_attacks_check.diff (text/x-diff, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to [email protected], Debian Lintian Maintainers <[email protected]>:
Bug#495705; Package lintian.


Acknowledgement sent to Russ Allbery <[email protected]>:
Extra info received and forwarded to list. Copy sent to Debian Lintian Maintainers <[email protected]>.


Message #10 received at [email protected]:

From: Russ Allbery <[email protected]>
To: "Dmitry E. Oboukhov" <[email protected]>
Cc: [email protected], [email protected], Steve Kemp <[email protected]>
Subject: Re: Bug#495705: Possible mass bug filing: The possibility of attack with the help of symlinks in some Debian packages
Date: Tue, 19 Aug 2008 13:17:12 -0700
"Dmitry E. Oboukhov" <[email protected]> writes:

> Package: lintian
> Tags: patch, security
> Severity: wishlist
>
> Hello, lintian maintainers!
> please, see full discussion in -devel:
>     http://lists.debian.org/debian-devel/2008/08/msg00271.html
> for example, see the bug
> 	http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494648
> 	(if attacker makes symlink from /tmp/twiki to /etc/shadow, then
> 	 he takes full access to the system (when twiki installs or
> 	 upgrades))
>
> I wrote a check script for the lintian package. This additional check
> verifies Debian packages for the presence of the discussed bug.

Lintian already checks for this.  If the current check is not sufficient
(which is certainly believable), it should be improved, rather than adding
a new, separate check.  See
possibly-insecure-handling-of-tmp-files-in-maintainer-script.

This, like various other checks, should be extended to more than just
maintainer scripts, which requires some additional infrastructure work on
the lintian script checking.

-- 
Russ Allbery ([email protected])               <http://www.eyrie.org/~eagle/>
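To make the two messages above concrete, here is an added example (not lintian's possibly-insecure-handling-of-tmp-files-in-maintainer-script check, and not the patch attached to message #5): a minimal grep-based check for fixed-name files under /tmp, run over two constructed postinst fragments. The "twiki" names follow the bug the report cites; the scripts, the regular expression and the function names are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not lintian code and not the attached patch: a minimal
# grep-based check for fixed-name files under /tmp in a maintainer script,
# exercised on two constructed postinst fragments (sample scripts, regex and
# function names are all assumptions made for this example).

# Print "lineno:line" for every line that names a fixed path under /tmp or
# /var/tmp and was not produced by mktemp(1) or tempfile(1).
# Exit status 0 when there are findings, 1 when the script looks clean.
insecure_tmp_lines() {
    # $1: path of the maintainer script to scan
    grep -nE '(^|[^A-Za-z0-9_./-])/(var/)?tmp/[A-Za-z0-9_.-]+' "$1" \
        | grep -vE 'mktemp|tempfile'
}

# Number of findings, as a plain integer (0 when clean).
insecure_tmp_count() {
    insecure_tmp_lines "$1" | wc -l | tr -d ' '
}

# Write the two constructed sample scripts into directory $1.
write_samples() {
    cat > "$1/vulnerable.postinst" <<'EOF'
#!/bin/sh
set -e
# Fixed, predictable name: any local user can pre-create it as a symlink to
# /etc/shadow, and cp below will follow that symlink while running as root.
TMP=/tmp/twiki
cp /etc/twiki/twiki.conf "$TMP"
sed 's/^ENABLED=0/ENABLED=1/' "$TMP" > /etc/twiki/twiki.conf.new
mv /etc/twiki/twiki.conf.new /etc/twiki/twiki.conf
echo "twiki configured" >> /tmp/twiki.log
EOF
    cat > "$1/hardened.postinst" <<'EOF'
#!/bin/sh
set -e
# mktemp(1) creates the file itself (O_CREAT|O_EXCL, mode 0600) under an
# unpredictable name, so a pre-placed symlink is never followed.
TMP=$(mktemp /tmp/twiki.XXXXXX)
trap 'rm -f "$TMP"' EXIT
cp /etc/twiki/twiki.conf "$TMP"
sed 's/^ENABLED=0/ENABLED=1/' "$TMP" > /etc/twiki/twiki.conf.new
mv /etc/twiki/twiki.conf.new /etc/twiki/twiki.conf
EOF
}

# Run the check over both samples and report what it finds.
demo() {
    dir=$(mktemp -d)
    write_samples "$dir"
    for f in vulnerable hardened; do
        printf '%s: %s finding(s)\n' "$f" "$(insecure_tmp_count "$dir/$f.postinst")"
        insecure_tmp_lines "$dir/$f.postinst" || true
    done
    rm -rf "$dir"
}

demo
```

The vulnerable fragment is flagged twice (the `TMP=/tmp/twiki` assignment and the `/tmp/twiki.log` append); the hardened one is clean because its only /tmp reference is the mktemp template. This is a heuristic only: it misses names built from variables or `$TMPDIR`, and a file created safely by `tempfile -d /tmp` but then reopened by name would pass. Doing better needs a real shell parser, which is what the blocking bug #629247 asks for.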




Information forwarded to [email protected], Debian Lintian Maintainers <[email protected]>:
Bug#495705; Package lintian. (Wed, 31 Dec 2008 07:36:03 GMT)


Acknowledgement sent to Russ Allbery <[email protected]>:
Extra info received and forwarded to list. Copy sent to Debian Lintian Maintainers <[email protected]>. (Wed, 31 Dec 2008 07:36:03 GMT)


Message #15 received at [email protected]:

From: Russ Allbery <[email protected]>
To: [email protected]
Cc: [email protected]
Subject: tagging 495705, retitle 495705 to [checks/scripts] improvements to insecure /tmp checks
Date: Tue, 30 Dec 2008 23:32:46 -0800
# Automatically generated email from bts, devscripts version 2.10.35
# There are some good ideas here, but it's not a patch
tags 495705 - patch
retitle 495705 [checks/scripts] improvements to insecure /tmp checks





Tags removed: patch Request was from Russ Allbery <[email protected]> to [email protected]. (Wed, 31 Dec 2008 07:36:04 GMT)


Changed Bug title to `[checks/scripts] improvements to insecure /tmp checks' from `Possible mass bug filing: The possibility of attack with the help of symlinks in some Debian packages'. Request was from Russ Allbery <[email protected]> to [email protected]. (Wed, 31 Dec 2008 07:36:04 GMT)


Information forwarded to [email protected], Debian Lintian Maintainers <[email protected]>:
Bug#495705; Package lintian. (Wed, 31 Dec 2008 07:42:02 GMT)


Acknowledgement sent to Russ Allbery <[email protected]>:
Extra info received and forwarded to list. Copy sent to Debian Lintian Maintainers <[email protected]>. (Wed, 31 Dec 2008 07:42:02 GMT)


Message #24 received at [email protected]:

From: Russ Allbery <[email protected]>
To: [email protected]
Cc: [email protected], [email protected]
Subject: tagging 495705
Date: Tue, 30 Dec 2008 23:40:34 -0800
# Automatically generated email from bts, devscripts version 2.10.35
# Also not a security bug in Lintian
tags 495705 - security





Tags removed: security Request was from Russ Allbery <[email protected]> to [email protected]. (Wed, 31 Dec 2008 07:42:03 GMT)


Added blocking bug(s) of 495705: 629247 Request was from Niels Thykier <[email protected]> to [email protected]. (Sat, 04 Jun 2011 20:42:07 GMT)


Changed Bug title to 'lintian: Please improve insecure /tmp checks' from '[checks/scripts] improvements to insecure /tmp checks'. Request was from Chris Lamb <[email protected]> to [email protected]. (Mon, 29 Jan 2018 13:48:21 GMT)




Debian bug tracking system administrator <[email protected]>. Last modified: Tue May 13 09:28:27 2025; Machine Name: buxtehude
