Skip site navigation (1)Skip section navigation (2)
Date:      Sat,  6 Dec 2008 23:18:39 +0300 (MSK)
From:      Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   ports/129471: [patch] [vuxml] comms/mgetty+sendfax: fix and document CVE-2008-4936
Message-ID:  <20081206201839.01A26B8019@phoenix.codelabs.ru>
Resent-Message-ID: <200812062020.mB6KK1MU061515@freefall.freebsd.org>

next in thread | raw e-mail | index | archive | help

>Number:         129471
>Category:       ports
>Synopsis:       [patch] [vuxml] comms/mgetty+sendfax: fix and document CVE-2008-4936
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Dec 06 20:20:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Eygene Ryabinkin
>Release:        FreeBSD 7.1-PRERELEASE amd64
>Organization:
Code Labs
>Environment:

System: FreeBSD 7.1-PRERELEASE amd64

>Description:

Mgetty is guilty in the creation and usage of insecure temporary files.

>How-To-Repeat:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496403
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4936

>Fix:

The following patch fixes the bug in the current version of
FreeBSD port.

--- fix-CVE-2008-4936.diff begins here ---
>From 1a2271c4270da1f286c66ef8b002adf6269150f8 Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Date: Sat, 6 Dec 2008 23:10:26 +0300

Insecure temporary file usage was detected by Debian developer
Dmitry Oboukhov,
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496403

I am not updating the port to 1.1.36, since the bug is present even in
this version and I can't test the new port.  So now I am just patching
current FreeBSD port version, 1.1.35.

Signed-off-by: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
---
 comms/mgetty+sendfax/Makefile                  |    2 +-
 comms/mgetty+sendfax/files/patch-CVE-2008-4936 |   68 ++++++++++++++++++++++++
 2 files changed, 69 insertions(+), 1 deletions(-)
 create mode 100644 comms/mgetty+sendfax/files/patch-CVE-2008-4936

diff --git a/comms/mgetty+sendfax/Makefile b/comms/mgetty+sendfax/Makefile
index f31fd5d..4376dd5 100644
--- a/comms/mgetty+sendfax/Makefile
+++ b/comms/mgetty+sendfax/Makefile
@@ -7,7 +7,7 @@
 
 PORTNAME=	mgetty
 PORTVERSION=	1.1.35
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	comms
 MASTER_SITES=	ftp://mgetty.greenie.net/pub/mgetty/source/1.1/
 DISTNAME=	${PORTNAME}${PORTVERSION}-Feb22
diff --git a/comms/mgetty+sendfax/files/patch-CVE-2008-4936 b/comms/mgetty+sendfax/files/patch-CVE-2008-4936
new file mode 100644
index 0000000..6260c12
--- /dev/null
+++ b/comms/mgetty+sendfax/files/patch-CVE-2008-4936
@@ -0,0 +1,68 @@
+Fixes CVE-2008-4936
+
+This patch takes ideas from both Debian and Gentoo patches for this
+problem:
+  http://mirror.yandex.ru/gentoo-portage/net-dialup/mgetty/files/mgetty-1.1.36-tmpfile.patch
+  http://ftp.de.debian.org/debian/pool/main/m/mgetty/mgetty_1.1.36.orig.tar.gz
+
+However, Gentoo's patch seems to be incorrect and Debian's one, well...,
+I like the idea of putting temporary file to the spooldir, not directly
+to /tmp (or $TMP).
+
+NB: This issue wasn't fixed even in 1.1.36 and this patch should go to
+NB: that version too.  It was written for 1.1.35 and 1.1.36, so it can
+NB: be left unmodified for these versions and may be even for the
+NB: future ones.
+
+--- fax/faxspool.in.orig	2008-12-06 22:30:36.000000000 +0300
++++ fax/faxspool.in	2008-12-06 22:48:40.000000000 +0300
+@@ -653,12 +653,12 @@
+ #
+ # mkdir a directory in $TMP (or /tmp), convert input to G3 in there
+ #
+-spooldir=${TMP:-/tmp}/$new_seq.$$.`date +%S`
++spooldir=`mktemp -d "${TMP:-/tmp}"/"$new_seq.$$".XXXXXXXX`
+ 
+-if ( umask 077 ; mkdir $spooldir ) ; then
++if [ $? -eq 0 ]; then
+     $echo "spooling to $spooldir (->$new_seq)..."
+ else
+-    $echo "ERROR: can't create work dir '$spooldir', giving up" >&2 ; exit 6
++    $echo "ERROR: can't create work dir inside '${TMP:-/tmp}', giving up" >&2 ; exit 6
+ fi
+ 
+ #
+@@ -675,9 +675,12 @@
+     if [ x$file = x- ]
+     then
+ 	$echo "spooling $file (stdin)..."
+-	trap "rm /tmp/faxsp.$$" 0
+-        cat - >/tmp/faxsp.$$
+-	file=/tmp/faxsp.$$
++	file=`mktemp "$spooldir/faxsp.XXXXXXXX"`
++	if [ -z "$file" ]; then
++		$echo "ERROR: can't create work file, giving up" >&2; exit 6
++	fi
++	trap "rm -f $file" 0
++        cat - >"$file"
+     else
+ 	$echo "spooling $file..."
+     fi
+@@ -924,7 +927,7 @@
+ then
+     $echo "\nnothing to do (no cover page, no data)." >&2
+     cd $FAX_SPOOL_OUT
+-    rmdir $spooldir
++    rm -rf $spooldir
+     exit 52
+ fi
+ 
+@@ -965,7 +968,7 @@
+ # clean up
+ rm $job.q
+ cd ..
+-rmdir $spooldir
++rm -rf $spooldir
+ 
+ if [ -z "`find $LAST_RUN -ctime -1 -print 2>/dev/null`" ]
+ then
-- 
1.6.0.4
--- fix-CVE-2008-4936.diff ends here ---

The following VuXML entry should be evaluated and added:
--- vuln.xml begins here ---
  <vuln vid="46fdde22-c3d1-11dd-b08d-001fc66e7203">
    <topic>mgetty+sendfax -- symlink attack via insecure temporary files</topic>
    <affects>
      <package>
        <name>mgetty</name>
        <range><lt>1.1.35_2</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">;
        <p>Entry for CVE-2008-4936 says:</p>
        <blockquote
          cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4936">;
          <p>faxspool in mgetty 1.1.36 allows local users to overwrite
          arbitrary files via a symlink attack on a /tmp/faxsp.#####
          temporary file.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2008-4936</cvename>
      <url>http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496403</url>;
    </references>
    <dates>
      <discovery>24-08-2008</discovery>
      <entry>TODAY</entry>
    </dates>
  </vuln>
--- vuln.xml ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20081206201839.01A26B8019>