
Bug#414237: lintian: Uses insecure temporary file /tmp/debug in objdump-info



Package: lintian
Version: 1.23.27
Severity: grave
Tags: security patch
Justification: user security hole

The lintian collection script objdump-info uses the insecure temporary file
/tmp/debug.  Any invocation of lintian on a package containing ELF binaries,
or containing files with ' ELF' in their names, will append lines of the form
"Processing $bin" to /tmp/debug (or through a symlink at /tmp/debug).  This
trivially allows a local attacker to corrupt another user's files.  If the
local attacker can control the contents of the package getting checked by
lintian, they can control the text after "Processing "; this would allow a
variety of exploits based on tools that would ignore the prefix, such as the
shell.  For example, consider the filename "; do nasty stuff # ELF".

This looks like debugging code, and lintian does not appear to use /tmp/debug
for anything else, so removing the line solves the problem.  Patch attached.

- Josh Triplett

-- System Information:
Debian Release: 4.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.21-rc2test
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages lintian depends on:
ii  binutils               2.17-3            The GNU assembler, linker and bina
ii  diffstat               1.43-2            produces graph of changes introduc
ii  dpkg-dev               1.13.25           package building tools for Debian
ii  file                   4.19-1            Determines file type using "magic"
ii  gettext                0.16.1-1          GNU Internationalization utilities
ii  intltool-debian        0.35.0+20060710.1 Help i18n of RFC822 compliant conf
ii  libparse-debianchangel 1.0-1             parse Debian changelogs and output
ii  man-db                 2.4.3-6           The on-line manual pager
ii  perl [libdigest-md5-pe 5.8.8-7           Larry Wall's Practical Extraction 

lintian recommends no packages.

-- no debconf information
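Two small helpers illustrating the point of the report above, as an added example that is not part of the bug report or of lintian's code: find_fixed_tmp_writes flags redirections into fixed /tmp paths in a shell script (the class of line the attached patch removes), and debug_log shows the hardened alternative for a debug trace, a per-run file created with mktemp (O_EXCL creation, so a pre-existing symlink at the chosen name makes creation fail instead of being followed). The function names and the DEBUG_LOG variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not lintian code. Helper names and DEBUG_LOG are assumptions.

# Print (with line numbers) every line of the script given as $1 that
# redirects output into a literal /tmp/ or /var/tmp/ path. Exit status is
# that of grep: 0 when at least one such line exists, 1 when none does.
find_fixed_tmp_writes() {
    grep -nE '>>?[[:space:]]*/(var/)?tmp/' "$1"
}

# Hardened replacement for "echo ... >> /tmp/debug": create one private,
# unpredictable per-run file with mktemp on first use, then append to it.
# mktemp creates the file itself, so it never follows a symlink planted at
# the path, and the random suffix prevents another user from guessing it.
debug_log() {
    if [ -z "${DEBUG_LOG:-}" ]; then
        DEBUG_LOG=$(mktemp "${TMPDIR:-/tmp}/objdump-debug.XXXXXX") || return 1
    fi
    printf '%s\n' "$*" >> "$DEBUG_LOG"
}
```

Usage: `find_fixed_tmp_writes collection/objdump-info` from the lintian source tree lists offending lines, and `debug_log "Processing $bin"` inside the loop gives the same trace without the shared, predictable path; DEBUG_LOG can be printed at exit so the operator knows where the trace went.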
diff -Naur lintian-1.23.27.orig/collection/objdump-info lintian-1.23.27/collection/objdump-info
--- lintian-1.23.27.orig/collection/objdump-info	2006-11-19 20:28:06.000000000 -0800
+++ lintian-1.23.27/collection/objdump-info	2007-03-09 22:12:10.000000000 -0800
@@ -43,7 +43,6 @@
 # output in the objdump-info file and let the check script deal with
 # it later.
 for bin in `grep ' ELF' <../file-info | cut -d\: -f1`; do
-    echo "Processing $bin" >> /tmp/debug
     echo "-- $bin" >> ../objdump-info
     if head $bin | grep -q 'packed.*with.*UPX'; then
 	echo "objdump: $bin: Packed with UPX" >> ../objdump-info
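Review bot: removing the `>> /tmp/debug` line closes the predictable shared-path write, but the unchanged loop header `for bin in \`grep ' ELF' <../file-info | cut -d\: -f1\`` still selects every file-info line containing ' ELF', filenames included as the report itself notes, and word-splits the result, so `head $bin` on the following line operates on unquoted, split names; consider matching the type field after the first colon rather than the whole line and quoting `"$bin"` in the loop body.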