Debian Bug report logs - #21399
/usr/lib/dpkg/methods/disk/setup vulnerable to symlink-in-/tmp attacks

Package: dpkg; Maintainer for dpkg is Dpkg Developers <debian-dpkg@lists.debian.org>; Source for dpkg is src:dpkg (PTS, buildd, popcon).

Reported by: Richard Kettlewell <rjk@greenend.org.uk>

Date: Sun, 19 Apr 1998 19:48:02 UTC

Severity: fixed

Done: Anthony Towns <ajt@master.debian.org>

Bug is archived. No further changes may be made.

Forwarded to ian@davenant.greenend.org.uk



Report forwarded to debian-bugs-dist@lists.debian.org, Klee Dienes and Ian Jackson <dpkg-maint@chiark.greenend.org.uk>:
Bug#21399; Package dpkg.


Acknowledgement sent to Richard Kettlewell <rjk@greenend.org.uk>:
New bug report received and forwarded. Copy sent to Klee Dienes and Ian Jackson <dpkg-maint@chiark.greenend.org.uk>.


Message #5 received at submit@bugs.debian.org:

From: Richard Kettlewell <rjk@greenend.org.uk>
To: submit@bugs.debian.org
Subject: /usr/lib/dpkg/methods/disk/setup vulnerable to symlink-in-/tmp attacks
Date: Sun, 19 Apr 98 16:51:11 +0100 (BST)
Package: dpkg
Version: 1.4.0.21

This script writes to files in /tmp without using "set -C".  This is a 
security hole - a hostile user could leave a symlink in /tmp and
thereby trick the script into writing to any file on the system (since 
the script is run as root).

It could be fixed by using a different temporary directory.

ttfn/rjk


Information forwarded to debian-bugs-dist@lists.debian.org, Klee Dienes and Ian Jackson <dpkg-maint@chiark.greenend.org.uk>:
Bug#21399; Package dpkg.


Acknowledgement sent to dark@xs4all.nl (Richard Braakman):
Extra info received and forwarded to list. Copy sent to Klee Dienes and Ian Jackson <dpkg-maint@chiark.greenend.org.uk>.


Message #10 received at 21399@bugs.debian.org:

From: dark@xs4all.nl (Richard Braakman)
To: rjk@greenend.org.uk, 21399@bugs.debian.org
Subject: Re: Bug#21399: /usr/lib/dpkg/methods/disk/setup vulnerable to symlink-in-/tmp attacks
Date: Sun, 19 Apr 1998 22:49:58 +0200 (CEST)
Richard Kettlewell wrote:
> This script writes to files in /tmp without using "set -C".  [...]

Note that using -C is _not_ safe.  -C ("noclobber") only protects regular
files.  It is still possible to write to device files that way.

Richard Braakman
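The two points raised in this thread (a world-writable /tmp lets another user pre-place a symlink, and "set -C" only guards against clobbering regular files, not against writing into a device node) can be shown in a small POSIX shell example. This is an added illustration, not code from the bug report or from dpkg's setup script; the function names and the mktemp-based directory template are assumptions.

```shell
#!/bin/sh
# Added example (not from dpkg): why noclobber is not enough, and what a
# private temporary directory buys you.

# Return 0 only if PATH either does not exist yet or is a plain regular
# file that is not a symlink.  Symlinks, device nodes, FIFOs and
# directories are refused.  Note the inherent check-then-use window:
# this test alone is not a fix, only a belt-and-braces check on top of
# the private directory created below.
refuse_non_regular() {
    p="$1"
    if [ -L "$p" ]; then
        return 1   # symlink: target could be anything, e.g. a device
    fi
    if [ -e "$p" ] && [ ! -f "$p" ]; then
        return 1   # exists but is not a regular file (e.g. /dev/null)
    fi
    return 0
}

# The actual mitigation for the bug: do all scratch work in a freshly
# created, mode-0700 directory from mktemp(1).  Nobody else can place a
# symlink or device node inside it before the script writes there.
# Prints the directory path.  Template name is an assumption.
make_private_workdir() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/setup-example.XXXXXX") || return 1
    chmod 700 "$d" || return 1
    printf '%s\n' "$d"
}

# Write CONTENT into NAME inside the private workdir, refusing anything
# that is not a regular file.  Returns 1 instead of writing otherwise.
write_in_workdir() {
    d="$1"; name="$2"; content="$3"
    refuse_non_regular "$d/$name" || return 1
    printf '%s\n' "$content" > "$d/$name"
}
```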


Severity set to `fixed'. Request was from Wichert Akkerman <wichert@cs.leidenuniv.nl> to control@bugs.debian.org.


Noted your statement that bug has been forwarded to ian@davenant.greenend.org.uk. Request was from Ian Jackson <ian@davenant.greenend.org.uk> to control@bugs.debian.org.


Bug reassigned from package `dpkg' to `dpkg-iwj'. Request was from Wichert Akkerman <wichert@cs.leidenuniv.nl> to control@bugs.debian.org.


Bug reassigned from package `dpkg-iwj' to `dpkg'. Request was from Anthony Towns <ajt@master.debian.org> to control@bugs.debian.org.


Bug closed, ack sent to submitter - they'd better know why ! Request was from Anthony Towns <ajt@master.debian.org> to control@bugs.debian.org.


Bug reassigned from package `dpkg' to `dpkg'. Request was from Anthony Towns <ajt@master.debian.org> to control@bugs.debian.org.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 25 11:00:07 2024; Machine Name: buxtehude
