[CVE-2007-2838] Unsafe tmp file usage

Bug #124629 reported by Michael Bienia
Affects | Status | Importance | Assigned to | Milestone
gsambad (Ubuntu) | Fix Released | Undecided | Michael Bienia |
Edgy | Fix Released | Undecided | Michael Bienia |
Feisty | Fix Released | Undecided | Michael Bienia |

Bug Description

Binary package hint: gsambad

Here is a debdiff for feisty. It's a relabeled gsambad 0.1.4-2etch1 package (only exchanged the changelog entry and updated the Maintainer field).

gsambad (0.1.4-2ubuntu0.1) feisty-security; urgency=low

  * SECURITY UPDATE: allows local users to overwrite arbitrary files via a
    symlink attack
  * Patch taken from gsambad 0.1.4-2etch1.
  * References:
    DSA-1327
    CVE-2007-2838
  * Set Maintainer to match DebianMaintainerSpec

 -- Michael Bienia <email address hidden> Sat, 07 Jul 2007 23:15:20 +0200

Michael Bienia (geser) wrote :
description: updated
Jim Qode (jimqode)
Changed in gsambad:
status: New → Confirmed
William Grant (wgrant) wrote :

Does this affect releases prior to Feisty?

Changed in gsambad:
status: Confirmed → Fix Released
status: New → Confirmed
Michael Bienia (geser) wrote :

Here is a debdiff for edgy-security.

gsambad was first shipped with edgy.

Changed in gsambad:
status: New → Confirmed
Kees Cook (kees) wrote :

Thanks for getting these prepared! Two observations:

- the packaging uses "dpatch", so the patch needs to be re-worked to create a patch in debian/patches and update the 00list file.

- the fix isn't a full fix. I would have expected either the use of "mkstemp" or at least "umask" for the file creation, instead of only "mktmpnam", which isn't fully safe. (Perhaps there is something I don't know about that made Debian choose this less secure solution.) It _is_ much safer than the prior code, though. :)

Thanks!

Changed in gsambad:
assignee: nobody → geser
status: Confirmed → In Progress
assignee: nobody → geser
status: Confirmed → In Progress
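
Added example (not code from the gsambad patch or from anyone in this thread): a C illustration of the "mkstemp" plus "umask" approach named in the review comment above, alongside an exclusive open for cases where the file name must be fixed. The function names and the /tmp/example-* paths are assumptions made for the illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hardened creation: mkstemp() chooses an unpredictable name and opens it
 * with O_CREAT|O_EXCL, so an existing file or symlink is never reused.
 * umask(077) guards against C libraries that do not force mode 0600. */
int create_private_temp(char *tmpl) {
    mode_t old = umask(077);
    int fd = mkstemp(tmpl);            /* tmpl is rewritten with the real name */
    umask(old);
    return fd;
}

/* When the name must be fixed: O_EXCL makes open() fail if anything,
 * including a symlink, already exists at that path. */
int create_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Returns the permission bits of a file made by create_private_temp(). */
int private_temp_mode(void) {
    char tmpl[] = "/tmp/example-XXXXXX";   /* constructed sample template */
    struct stat st;
    int fd = create_private_temp(tmpl);
    if (fd < 0 || fstat(fd, &st) != 0) return -1;
    close(fd);
    unlink(tmpl);
    return st.st_mode & 0777;
}

/* Self-check inside a private scratch directory: a symlink already sits at
 * the fixed name. Returns 0 if the exclusive open refuses it and the link
 * target still holds its original 4 bytes. */
int symlink_is_refused(void) {
    char dir[] = "/tmp/example-dir-XXXXXX", target[64], fixed[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(fixed, sizeof fixed, "%s/app.tmp", dir);
    int tfd = create_exclusive(target);
    if (tfd < 0 || write(tfd, "keep", 4) != 4 || symlink(target, fixed) != 0) return -1;
    close(tfd);
    int fd = create_exclusive(fixed);  /* must fail: the name is already taken */
    int ok = fd < 0 && stat(target, &st) == 0 && st.st_size == 4;
    if (fd >= 0) close(fd);
    unlink(fixed); unlink(target); rmdir(dir);
    return ok ? 0 : 1;
}
```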
Michael Bienia (geser) wrote :

Updated debdiff for feisty.

Changed in gsambad:
assignee: nobody → geser
status: Fix Released → In Progress
Michael Bienia (geser) wrote :

Updated debdiff for edgy.

Kees Cook (kees) wrote :

Looks great! Thanks very much. Could you also open a Debian bug report about the "incomplete" fix? I'd like to see it fixed right in gutsy (hopefully with a sync from Debian). edgy/feisty are building currently, and I'll get them published shortly.

Changed in gsambad:
status: In Progress → Fix Committed
status: In Progress → Fix Committed
Michael Bienia (geser) wrote :

Filed in Debian as http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=433518

And I also uploaded the fix to gutsy (I only waited on your review of the improved patch).

Michael Bienia (geser) wrote :

gsambad (0.1.6-2ubuntu1) gutsy; urgency=low

  * debian/patches/04-cve-2007-2838.dpatch:
    This is an improved version of the debian patch, use it instead of
    04-tempfile.dpatch (LP: #124629)
  * debian/control: Modify Maintainer value to match
    DebianMaintainerField spec.

 -- Michael Bienia <email address hidden> Tue, 17 Jul 2007 18:59:24 +0200

Changed in gsambad:
status: In Progress → Fix Released
Kees Cook (kees) wrote :

Published now...

gsambad | 0.1.4-2ubuntu0.1 | feisty-security/universe
gsambad | 0.1.3-2ubuntu0.1 | edgy-security/universe

Changed in gsambad:
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.