Date: Sat, 6 Dec 2008 23:18:39 +0300 (MSK)
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: ports/129471: [patch] [vuxml] comms/mgetty+sendfax: fix and document CVE-2008-4936
Message-ID: <20081206201839.01A26B8019@phoenix.codelabs.ru>
Resent-Message-ID: <200812062020.mB6KK1MU061515@freefall.freebsd.org>
>Number: 129471 >Category: ports >Synopsis: [patch] [vuxml] comms/mgetty+sendfax: fix and document CVE-2008-4936 >Confidential: no >Severity: critical >Priority: high >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Sat Dec 06 20:20:01 UTC 2008 >Closed-Date: >Last-Modified: >Originator: Eygene Ryabinkin >Release: FreeBSD 7.1-PRERELEASE amd64 >Organization: Code Labs >Environment: System: FreeBSD 7.1-PRERELEASE amd64 >Description: Mgetty is guilty in the creation and usage of insecure temporary files. >How-To-Repeat: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496403 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4936 >Fix: The following patch fixes the bug in the current version of FreeBSD port. --- fix-CVE-2008-4936.diff begins here --- >From 1a2271c4270da1f286c66ef8b002adf6269150f8 Mon Sep 17 00:00:00 2001 From: Eygene Ryabinkin <rea-fbsd@codelabs.ru> Date: Sat, 6 Dec 2008 23:10:26 +0300 Insecure temporary file usage was detected by Debian developer Dmitry Oboukhov, http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496403 I am not updating the port to 1.1.36, since the bug is present even in this version and I can't test the new port. So now I am just patching current FreeBSD port version, 1.1.35. Signed-off-by: Eygene Ryabinkin <rea-fbsd@codelabs.ru> --- comms/mgetty+sendfax/Makefile | 2 +- comms/mgetty+sendfax/files/patch-CVE-2008-4936 | 68 ++++++++++++++++++++++++ 2 files changed, 69 insertions(+), 1 deletions(-) create mode 100644 comms/mgetty+sendfax/files/patch-CVE-2008-4936 diff --git a/comms/mgetty+sendfax/Makefile b/comms/mgetty+sendfax/Makefile index f31fd5d..4376dd5 100644 --- a/comms/mgetty+sendfax/Makefile +++ b/comms/mgetty+sendfax/Makefile @@ -7,7 +7,7 @@ PORTNAME= mgetty PORTVERSION= 1.1.35 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= comms MASTER_SITES= ftp://mgetty.greenie.net/pub/mgetty/source/1.1/ DISTNAME= ${PORTNAME}${PORTVERSION}-Feb22 
diff --git a/comms/mgetty+sendfax/files/patch-CVE-2008-4936 b/comms/mgetty+sendfax/files/patch-CVE-2008-4936 new file mode 100644 index 0000000..6260c12 --- /dev/null +++ b/comms/mgetty+sendfax/files/patch-CVE-2008-4936 
@@ -0,0 +1,68 @@ +Fixes CVE-2008-4936 + +This patch takes ideas from both Debian and Gentoo patches for this +problem: + http://mirror.yandex.ru/gentoo-portage/net-dialup/mgetty/files/mgetty-1.1.36-tmpfile.patch + http://ftp.de.debian.org/debian/pool/main/m/mgetty/mgetty_1.1.36.orig.tar.gz + +However, Gentoo's patch seems to be incorrect and Debian's one, well..., +I like the idea of putting temporary file to the spooldir, not directly +to /tmp (or $TMP). + +NB: This issue wasn't fixed even in 1.1.36 and this patch should go to +NB: that version too. It was written for 1.1.35 and 1.1.36, so it can +NB: be left unmodified for these versions and may be even for the +NB: future ones. + +--- fax/faxspool.in.orig 2008-12-06 22:30:36.000000000 +0300 ++++ fax/faxspool.in 2008-12-06 22:48:40.000000000 +0300 +@@ -653,12 +653,12 @@ + # + # mkdir a directory in $TMP (or /tmp), convert input to G3 in there + # +-spooldir=${TMP:-/tmp}/$new_seq.$$.`date +%S` ++spooldir=`mktemp -d "${TMP:-/tmp}"/"$new_seq.$$".XXXXXXXX` + +-if ( umask 077 ; mkdir $spooldir ) ; then ++if [ $? -eq 0 ]; then + $echo "spooling to $spooldir (->$new_seq)..." + else +- $echo "ERROR: can't create work dir '$spooldir', giving up" >&2 ; exit 6 ++ $echo "ERROR: can't create work dir inside '${TMP:-/tmp}', giving up" >&2 ; exit 6 + fi + + # +@@ -675,9 +675,12 @@ + if [ x$file = x- ] + then + $echo "spooling $file (stdin)..." +- trap "rm /tmp/faxsp.$$" 0 +- cat - >/tmp/faxsp.$$ +- file=/tmp/faxsp.$$ ++ file=`mktemp "$spooldir/faxsp.XXXXXXXX"` ++ if [ -z "$file" ]; then ++ $echo "ERROR: can't create work file, giving up" >&2; exit 6 ++ fi ++ trap "rm -f $file" 0 ++ cat - >"$file" + else + $echo "spooling $file..." + fi +@@ -924,7 +927,7 @@ + then + $echo "\nnothing to do (no cover page, no data)." >&2 + cd $FAX_SPOOL_OUT +- rmdir $spooldir ++ rm -rf $spooldir + exit 52 + fi + +@@ -965,7 +968,7 @@ + # clean up + rm $job.q + cd .. 
+-rmdir $spooldir ++rm -rf $spooldir + + if [ -z "`find $LAST_RUN -ctime -1 -print 2>/dev/null`" ] + then -- 1.6.0.4 --- fix-CVE-2008-4936.diff ends here --- The following VuXML entry should be evaluated and added: --- vuln.xml begins here --- <vuln vid="46fdde22-c3d1-11dd-b08d-001fc66e7203"> <topic>mgetty+sendfax -- symlink attack via insecure temporary files</topic> <affects> <package> <name>mgetty</name> <range><lt>1.1.35_2</lt></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> <p>Entry for CVE-2008-4936 says:</p> <blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4936"> <p>faxspool in mgetty 1.1.36 allows local users to overwrite arbitrary files via a symlink attack on a /tmp/faxsp.##### temporary file.</p> </blockquote> </body> </description> <references> <cvename>CVE-2008-4936</cvename> <url>http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496403</url> </references> <dates> <discovery>24-08-2008</discovery> <entry>TODAY</entry> </dates> </vuln> --- vuln.xml ends here --- >Release-Note: >Audit-Trail: >Unformatted:
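Review bot: In the @@ -653 hunk of fax/faxspool.in, the [ $? -eq 0 ] test only works while it stays the first command after the spooldir= assignment, so any command later added between the two would silently change what is being tested. Testing the assignment itself, as in: if spooldir=`mktemp -d ...` ; then, removes that coupling. The comment above the assignment still says "mkdir a directory" and should mention mktemp, and the patch description should say why dropping the umask 077 subshell is safe (mktemp -d creates the directory with mode 0700).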
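Review bot: In the @@ -675 hunk, the new exit 6 taken when mktemp "$spooldir/faxsp.XXXXXXXX" fails leaves the freshly created $spooldir behind, because the trap is installed only after that check and removes only the file. Remove $spooldir on that path, or install an exit trap for the directory right after it is created. Separately, trap "rm -f $file" 0 expands $file when the trap is set and leaves it unquoted when the trap runs, so a TMP containing whitespace splits the path into several arguments; trap "rm -f \"$file\"" 0 keeps it as one.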
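Review bot: In the @@ -924 and @@ -965 hunks, rm -rf $spooldir is unquoted while $spooldir is built from ${TMP:-/tmp}, so a TMP value containing whitespace or glob characters makes a recursive delete act on unintended words, which is a larger exposure than the rmdir it replaces. Use rm -rf -- "$spooldir" in both places.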