Mgetty is guilty of the creation and usage of insecure temporary files.

Fix: The following patch fixes the bug in the current version of FreeBSD port.

The following VuXML entry should be evaluated and added:

<vuln vid="46fdde22-c3d1-11dd-b08d-001fc66e7203">
  <topic>mgetty+sendfax -- symlink attack via insecure temporary files</topic>
  <affects>
    <package>
      <name>mgetty</name>
      <range><lt>1.1.35_2</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Entry for CVE-2008-4936 says:</p>
      <blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4936">
        <p>faxspool in mgetty 1.1.36 allows local users to overwrite arbitrary files via a symlink attack on a /tmp/faxsp.##### temporary file.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2008-4936</cvename>
    <url>http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496403</url>
  </references>
  <dates>
    <discovery>24-08-2008</discovery>
    <entry>TODAY</entry>
  </dates>
</vuln>
--- vuln.xml ends here ---

--YhBAk3yholxiFeTRbmDafbCMeNI3v5H1eHZd7VsjkqORxVHQ
Content-Type: text/plain; name="fix-CVE-2008-4936.diff"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="fix-CVE-2008-4936.diff"

From 1a2271c4270da1f286c66ef8b002adf6269150f8 Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Date: Sat, 6 Dec 2008 23:10:26 +0300

Insecure temporary file usage was detected by Debian developer
Dmitry Oboukhov,
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496403

I am not updating the port to 1.1.36, since the bug is present even in
this version and I can't test the new port. So now I am just patching
current FreeBSD port version, 1.1.35.

Signed-off-by: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
---
 comms/mgetty+sendfax/Makefile                  |    2 +-
 comms/mgetty+sendfax/files/patch-CVE-2008-4936 |   68 ++++++++++++++++++++++++
 2 files changed, 69 insertions(+), 1 deletions(-)
 create mode 100644 comms/mgetty+sendfax/files/patch-CVE-2008-4936
diff --git a/comms/mgetty+sendfax/Makefile b/comms/mgetty+sendfax/Makefile index f31fd5d..4376dd5 100644 --- a/comms/mgetty+sendfax/Makefile +++ b/comms/mgetty+sendfax/Makefile @@ -7,7 +7,7 @@ PORTNAME= mgetty PORTVERSION= 1.1.35 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= comms MASTER_SITES= ftp://mgetty.greenie.net/pub/mgetty/source/1.1/ DISTNAME= ${PORTNAME}${PORTVERSION}-Feb22 diff --git a/comms/mgetty+sendfax/files/patch-CVE-2008-4936 b/comms/mgetty+sendfax/files/patch-CVE-2008-4936 new file mode 100644 index 0000000..6260c12 --- /dev/null +++ b/comms/mgetty+sendfax/files/patch-CVE-2008-4936 
@@ -0,0 +1,68 @@ +Fixes CVE-2008-4936 + +This patch takes ideas from both Debian and Gentoo patches for this +problem: + http://mirror.yandex.ru/gentoo-portage/net-dialup/mgetty/files/mgetty-1.1.36-tmpfile.patch + http://ftp.de.debian.org/debian/pool/main/m/mgetty/mgetty_1.1.36.orig.tar.gz + +However, Gentoo's patch seems to be incorrect and Debian's one, well..., +I like the idea of putting temporary file to the spooldir, not directly +to /tmp (or $TMP). + +NB: This issue wasn't fixed even in 1.1.36 and this patch should go to +NB: that version too. It was written for 1.1.35 and 1.1.36, so it can +NB: be left unmodified for these versions and may be even for the +NB: future ones. + +--- fax/faxspool.in.orig 2008-12-06 22:30:36.000000000 +0300 ++++ fax/faxspool.in 2008-12-06 22:48:40.000000000 +0300 +@@ -653,12 +653,12 @@ + # + # mkdir a directory in $TMP (or /tmp), convert input to G3 in there + # +-spooldir=${TMP:-/tmp}/$new_seq.$$.`date +%S` ++spooldir=`mktemp -d "${TMP:-/tmp}"/"$new_seq.$$".XXXXXXXX` + +-if ( umask 077 ; mkdir $spooldir ) ; then ++if [ $? -eq 0 ]; then + $echo "spooling to $spooldir (->$new_seq)..." + else +- $echo "ERROR: can't create work dir '$spooldir', giving up" >&2 ; exit 6 ++ $echo "ERROR: can't create work dir inside '${TMP:-/tmp}', giving up" >&2 ; exit 6 + fi + + # +@@ -675,9 +675,12 @@ + if [ x$file = x- ] + then + $echo "spooling $file (stdin)..." +- trap "rm /tmp/faxsp.$$" 0 +- cat - >/tmp/faxsp.$$ +- file=/tmp/faxsp.$$ ++ file=`mktemp "$spooldir/faxsp.XXXXXXXX"` ++ if [ -z "$file" ]; then ++ $echo "ERROR: can't create work file, giving up" >&2; exit 6 ++ fi ++ trap "rm -f $file" 0 ++ cat - >"$file" + else + $echo "spooling $file..." + fi +@@ -924,7 +927,7 @@ + then + $echo "\nnothing to do (no cover page, no data)." >&2 + cd $FAX_SPOOL_OUT +- rmdir $spooldir ++ rm -rf $spooldir + exit 52 + fi + +@@ -965,7 +968,7 @@ + # clean up + rm $job.q + cd .. 
+-rmdir $spooldir ++rm -rf $spooldir + + if [ -z "`find $LAST_RUN -ctime -1 -print 2>/dev/null`" ] + then -- 1.6.0.4 How-To-Repeat: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496403 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4936
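Review bot: in the fax/faxspool.in hunk at -653, the success test `if [ $? -eq 0 ]` is separated from the `spooldir=` assignment it depends on, so it only stays correct while no command is ever inserted between the two lines. Test the assignment directly, for example `if spooldir=`mktemp -d "${TMP:-/tmp}/$new_seq.$$.XXXXXXXX"`; then`. Dropping the `umask 077` subshell is fine here, since mktemp -d creates the directory with mode 0700.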
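Review bot: in the stdin branch of fax/faxspool.in (hunk at -675), `trap "rm -f $file" 0` expands `$file` when the trap is set and leaves it unquoted inside the trap command, so a `$TMP` that contains whitespace or glob characters makes the exit handler operate on the wrong paths. Quote the expanded name, for example `trap "rm -f '$file'" 0`. The failure check also tests `-z "$file"` rather than mktemp's exit status; `file=`mktemp "$spooldir/faxsp.XXXXXXXX"` || { ...; exit 6; }` states the intent directly.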
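Review bot: the two cleanup hunks of fax/faxspool.in (at -924 and -965) switch `rmdir $spooldir` to `rm -rf $spooldir` but keep the variable unquoted; with a recursive forced delete, word splitting on a `$TMP` that contains spaces would remove unintended paths. Use `rm -rf -- "$spooldir"` in both places. The move away from rmdir itself follows from the -675 hunk: the stdin temp file now lives inside `$spooldir` and is still there when these lines run, because the trap only fires at exit.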
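The behaviour the CVE text describes, as an added example that is not part of the PR or of mgetty: a `>` redirect to a predictable name writes through a symlink that is already there, while a mktemp-created file does not. The function names, the `faxsp.1234` name and the scratch directory are constructed for the illustration.

```shell
#!/bin/sh
# Added example: every path lives in a private scratch directory (constructed).

# Pre-patch pattern: predictable name, opened with a plain '>' redirect.
unsafe_spool() {            # $1 = directory, $2 = pid-like suffix
    cat - >"$1/faxsp.$2"
}

# Patched pattern: mktemp picks the name and creates the file exclusively.
safe_spool() {              # $1 = directory; prints the file it created
    f=`mktemp "$1/faxsp.XXXXXXXX"` || return 1
    cat - >"$f"
    printf '%s\n' "$f"
}

demo() {
    work=`mktemp -d "${TMPDIR:-/tmp}/faxsp-demo.XXXXXXXX"` || return 1
    printf 'important\n' >"$work/victim"
    # A symlink already sits at the name the old code is going to use.
    ln -s "$work/victim" "$work/faxsp.1234"

    printf 'fax data\n' | unsafe_spool "$work" 1234
    after_unsafe=`cat "$work/victim"`       # the redirect followed the link

    printf 'important\n' >"$work/victim"    # restore, then try the fixed form
    created=`printf 'fax data\n' | safe_spool "$work"`
    after_safe=`cat "$work/victim"`
    if [ -f "$created" ] && [ ! -L "$created" ]; then
        kind=regular
    else
        kind=other
    fi

    rm -rf -- "$work"
    # Fields: victim after old pattern | victim after new pattern | new file type
    printf '%s|%s|%s\n' "$after_unsafe" "$after_safe" "$kind"
}

demo
```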
Responsible Changed From-To: freebsd-ports-bugs->miwi miwi@ wants his PRs (via the GNATS Auto Assign Tool)
miwi 2008-12-07 11:41:32 UTC

  FreeBSD ports repository

  Modified files:
    security/vuxml       vuln.xml
  Log:
  - Document mgetty+sendfax -- symlink attack via insecure temporary files

  PR:           based on 129471
  Submitted by: Eygene Ryabinkin <rea-fbsd@codelabs.ru>

  Revision  Changes    Path
  1.1780    +31 -1     ports/security/vuxml/vuln.xml
_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
State Changed From-To: open->closed documented with some changes, also added patch. Thanks for your submission.
miwi 2008-12-07 11:47:22 UTC FreeBSD ports repository Modified files: comms/mgetty+sendfax Makefile Added files: comms/mgetty+sendfax/files patch-CVE-2008-4936 Log: - Fix symlink attack via insecure temporary files PR: 129471 Submitted by: Eygene Ryabinkin <rea-fbsd@codelabs.ru> Obtained from: debian Security: http://www.vuxml.org/freebsd/44ee8160-c453-11dd-a721-0030843d3802.html Revision Changes Path 1.57 +1 -1 ports/comms/mgetty+sendfax/Makefile 1.1 +52 -0 ports/comms/mgetty+sendfax/files/patch-CVE-2008-4936 (new)
Martin, good evening.

Sun, Dec 07, 2008 at 11:43:00AM +0000, miwi@FreeBSD.org wrote:
> Synopsis: [patch] [vuxml] comms/mgetty+sendfax: fix and document CVE-2008-4936
>
> State-Changed-From-To: open->closed
> State-Changed-By: miwi
> State-Changed-When: Sun Dec 7 11:42:59 UTC 2008
> State-Changed-Why:
> documented with some changes, also added patch. Thanks for your
> submission.

Thanks! One nit: VuXML entry should read "faxspool in mgetty...", not
the "axspool in mgetty".
-- 
Eygene
 _                ___       _.--.   #
 \`.|\..----...-'`   `-._.-'_.-'`   #  Remember that it is hard
 /  ' `         ,       __.--'      #  to read the on-line manual
 )/' _/     \   `-_,   /            #  while single-stepping the kernel.
 `-'" `"\_  ,_.-;_.-\_ ',  fsc/as   #
     _.-'_./   {_.'   ; /           #    -- FreeBSD Developers handbook
    {_.-``-'         {_/            #