Ubuntu
twiki package

tmpfile vunerability

Bug #261962 reported by Stefan Ebner on 2008-08-27

258

Affects		Status	Importance	Assigned to	Milestone
	twiki (Ubuntu)	Fix Released	Undecided	Unassigned
	Intrepid	Fix Released	Undecided	Unassigned

Bug Description

Binary package hint: twiki

twiki (1:4.1.2-4) unstable; urgency=emergency
.
   * move session files to /var/lib/twiki/working/tmp (Closes: #494648)
   * related issue with passthrough files (Closes: #468159)
   * fix dependancys on apache* rather than apache*-common (Closes: #482285)
   * remove TWikiGuest user with hardcoded password from htpassword.
   * Build instructions moved from section -arch to -indep (closes lintian warning).

-- Sven Dowideit <email address hidden> Thu, 14 Aug 2008 09:53:40 +0100

Remaining changes:

    - Add a horrible hack to try and detect if htpasswd supports -b.
    - Prefer apache2 to apache in the webserver list, and add mini-httpd.
    - Only attempt to restart any of the apache's if /usr/sbin/apachectl
      exists and is executable, doing the same favour for apache2.
    - Update Maintainer field as per spec

See original description

CVE References

2008-4998

Revision history for this message

Daniel Holbach (dholbach) wrote on 2008-08-28:

What about these changes

twiki (1:4.1.2-3.2ubuntu1) intrepid; urgency=low

  * Merge from Debian Unstable (LP: #182415), remaining Ubuntu changes:
    - Add a horrible hack to try and detect if htpasswd supports -b.
    - Prefer apache2 to apache in the webserver list, and add mini-httpd.
    - Only attempt to restart any of the apache's if /usr/sbin/apachectl
      exists and is executable, doing the same favour for apache2.
    - Update Maintainer field as per spec

-- Emanuele Gentili < <email address hidden>> Sun, 20 Jul 2008 19:30:18 +0200

Changed in twiki:
status:	New → Incomplete

Revision history for this message

Stefan Ebner (sebner) wrote on 2008-10-02: Re: Merge twiki 4.1.2-4 from Debian(Unstable)

twiki_4.1.2-4ubuntu1.debdiff Edit (4.8 KiB, text/plain)

Sorry for the trouble ... hmm, and better late than never :)
Dropping the ugly fix since debian dropped the TWikiGuest user and not mentioning the the Maintainer thing since it's not necessary mentioning anymore. Mind sponsoring Daniel?

description:	updated
Changed in twiki:
status:	Incomplete → Confirmed

Revision history for this message

James Westby (james-w) wrote on 2008-10-09:

Hi Stefan,

The postinst still calls htpasswd, so it could still fail with mini-httpd.
Also, please file a bug on the Debian mini-httpd package asking for
-b support so that we can get rid of this hack one day.

Also, there is a failure waiting to happen if the user installs and
then removes and doesn't purge mini-httpd, so please extend the
checks for apachectl to check for something that indicates the
mini-httpd package is installed.

Perhaps we are better off dropping mini-httpd support. It's not even
listed as an alternative in the depends, so you have to install apache
anyway.

Thanks,

James

Revision history for this message

Steve Kowalik (stevenk) wrote on 2008-10-24:

Speaking as the guy who added the horrid hack for -b, I recall it wasn't added for mini-httpd, but another web server. I can't currently recall which, though.

Revision history for this message

Stefan Ebner (sebner) wrote on 2008-11-05:

twiki_4.1.2-3.2ubuntu1.1.debdiff Edit (4.7 KiB, text/plain)

Security Update für intrepid

Revision history for this message

James Westby (james-w) wrote on 2008-11-28:

Hi,

The merge of a later version from Debian has been done.

Thanks,

James

Changed in twiki:
status:	Confirmed → Fix Released

Revision history for this message

Artur Rona (ari-tczew) wrote on 2010-03-20:

I'm subscribing ubuntu-security-sponsors for intrepid's debdiff review.

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2010-03-26:

Sorry the security patch got neglected for so long. It didn't pop up on our reports due to how it was filed.

ACK (the patch is slightly different from what landed in Jaunty, but is nearly the same).

Changed in twiki (Ubuntu Intrepid):
status:	New → Confirmed

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2010-03-26:

#10

Uploaded to security queue.

Changed in twiki (Ubuntu Intrepid):
status:	Confirmed → Fix Committed

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2010-03-29:

#11

twiki (1:4.1.2-3.2ubuntu1.1) intrepid-security; urgency=low

  * Changes taken from Debian version 4.1.2-4
  * SECURITY UPDATE: Possible symlink attack through /tmp directory
    - move session files to /var/lib/twiki/working/tmp
    - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494648
  * debian/patches: 001_WorkingDir.dpatch
    - Modyfied patch to fix Template Login
    - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=468159