Bug#629003: marked as done (fabric is prone to file-overwrite security issue(s).)

[owner@bugs.debian.org (Debian Bug Tracking System)]

Your message dated Sun, 23 Feb 2014 00:43:27 +0100
with message-id <[🔎] 20140222234327.GA5443@pryan.ekaia.org>
and subject line Re: Bug#629003: fabric is prone to file-overwrite security issue(s).
has caused the Debian Bug report #629003,
regarding fabric is prone to file-overwrite security issue(s).
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
629003: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=629003
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: submit@bugs.debian.org
• Subject: fabric is prone to file-overwrite security issue(s).
• From: Steve Kemp <steve@steve.org.uk>
• Date: Thu, 2 Jun 2011 23:25:01 +0100
• Message-id: <20110602222501.GA16216@steve.org.uk>

Package: fabric
Version: 0.9.1-1
Justification: causes serious data loss
Severity: important
Tags: security

*** Please type your report below this line ***

Fabric includes two modules which are marked as "contrib", and are
included in the main package.

These two modules both suffer from the same issue:

  * They write files with (semi-)predictable names, in world-readable
    and world-writeable locations.

This allows a malicious local-user to pre-create the filenames which
will be used, and allow the overwriting of arbitrary files the user
invoking fabric controls.

The relevant code is included is:

fabric/contrib/projects.py:

     tar_file = "/tmp/fab.%s.tar" % datetime.utcnow().strftime(
             '%Y_%m_%d_%H-%M-%S')
     cwd_name = getcwd().split(sep)[-1]
     tgz_name = cwd_name + ".tar.gz"
     local("tar -czf %s ." % tar_file)


fabric/contrib/files.py:
        basename = os.path.basename(filename)
        temp_destination = '/tmp/' + basename
        ...
        ...
        put(tempfile_name, temp_destination)

 [The latter case the upload happens on the *remote* system.]



-- System Information:
Debian Release: 6.0.1
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/3 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages fabric depends on:
ii  python                  2.6.6-3+squeeze6 interactive high-level object-orie
ii  python-paramiko         1.7.6-5          Make ssh v2 connections with Pytho
ii  python-pkg-resources    0.6.14-4         Package Discovery and Resource Acc
ii  python-support          1.0.10           automated rebuilding support for P

fabric recommends no packages.

fabric suggests no packages.

-- no debconf information

--- End Message ---

--- Begin Message ---

• To: Steve Kemp <steve@steve.org.uk>, 629003@bugs.debian.org
• Cc: 629003-done@bugs.debian.org
• Subject: Re: Bug#629003: fabric is prone to file-overwrite security issue(s).
• From: Ana Guerrero Lopez <ana@debian.org>
• Date: Sun, 23 Feb 2014 00:43:27 +0100
• Message-id: <[🔎] 20140222234327.GA5443@pryan.ekaia.org>
• In-reply-to: <20110602222501.GA16216@steve.org.uk>
• References: <20110602222501.GA16216@steve.org.uk>

Version: 1.7.0-2

Hi Steve,

On Thu, Jun 02, 2011 at 11:25:01PM +0100, Steve Kemp wrote:
> 
> Package: fabric
> Version: 0.9.1-1
> Justification: causes serious data loss
> Severity: important
> Tags: security
> 
> *** Please type your report below this line ***
> 
> Fabric includes two modules which are marked as "contrib", and are
> included in the main package.
> 
> These two modules both suffer from the same issue:
> 
>   * They write files with (semi-)predictable names, in world-readable
>     and world-writeable locations.
> 
> This allows a malicious local-user to pre-create the filenames which
> will be used, and allow the overwriting of arbitrary files the user
> invoking fabric controls.
> 
> The relevant code is included is:
> 
> fabric/contrib/projects.py:
> 
>      tar_file = "/tmp/fab.%s.tar" % datetime.utcnow().strftime(
>              '%Y_%m_%d_%H-%M-%S')
>      cwd_name = getcwd().split(sep)[-1]
>      tgz_name = cwd_name + ".tar.gz"
>      local("tar -czf %s ." % tar_file)
> 

This uses now mkdtemp.

> 
> fabric/contrib/files.py:
>         basename = os.path.basename(filename)
>         temp_destination = '/tmp/' + basename
>         ...
>         ...
>         put(tempfile_name, temp_destination)
> 
>  [The latter case the upload happens on the *remote* system.]

This code seems to have dissapeared.


Ana




> 
> 
> -- System Information:
> Debian Release: 6.0.1
>   APT prefers stable
>   APT policy: (500, 'stable')
> Architecture: amd64 (x86_64)
> 
> Kernel: Linux 2.6.32-5-amd64 (SMP w/3 CPU cores)
> Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> 
> Versions of packages fabric depends on:
> ii  python                  2.6.6-3+squeeze6 interactive high-level object-orie
> ii  python-paramiko         1.7.6-5          Make ssh v2 connections with Pytho
> ii  python-pkg-resources    0.6.14-4         Package Discovery and Resource Acc
> ii  python-support          1.0.10           automated rebuilding support for P
> 
> fabric recommends no packages.
> 
> fabric suggests no packages.
> 
> -- no debconf information
> 
> 
> 

--- End Message ---