ports/129471: [patch] [vuxml] comms/mgetty+sendfax: fix and document CVE-2008-4936
Eygene Ryabinkin
rea-fbsd at codelabs.ru
Sat Dec 6 20:20:01 UTC 2008
>Number: 129471
>Category: ports
>Synopsis: [patch] [vuxml] comms/mgetty+sendfax: fix and document CVE-2008-4936
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sat Dec 06 20:20:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Eygene Ryabinkin
>Release: FreeBSD 7.1-PRERELEASE amd64
>Organization:
Code Labs
>Environment:
System: FreeBSD 7.1-PRERELEASE amd64
>Description:
Mgetty is guilty of the creation and usage of insecure temporary files.
>How-To-Repeat:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496403
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4936
>Fix:
The following patch fixes the bug in the current version of
the FreeBSD port.
--- fix-CVE-2008-4936.diff begins here ---
>From 1a2271c4270da1f286c66ef8b002adf6269150f8 Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin <rea-fbsd at codelabs.ru>
Date: Sat, 6 Dec 2008 23:10:26 +0300
Insecure temporary file usage was detected by Debian developer
Dmitry Oboukhov,
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496403
I am not updating the port to 1.1.36, since the bug is present even in
this version and I can't test the new port. So now I am just patching
current FreeBSD port version, 1.1.35.
Signed-off-by: Eygene Ryabinkin <rea-fbsd at codelabs.ru>
---
comms/mgetty+sendfax/Makefile | 2 +-
comms/mgetty+sendfax/files/patch-CVE-2008-4936 | 68 ++++++++++++++++++++++++
2 files changed, 69 insertions(+), 1 deletions(-)
create mode 100644 comms/mgetty+sendfax/files/patch-CVE-2008-4936
diff --git a/comms/mgetty+sendfax/Makefile b/comms/mgetty+sendfax/Makefile
index f31fd5d..4376dd5 100644
--- a/comms/mgetty+sendfax/Makefile
+++ b/comms/mgetty+sendfax/Makefile
@@ -7,7 +7,7 @@
PORTNAME= mgetty
PORTVERSION= 1.1.35
-PORTREVISION= 1
+PORTREVISION= 2
CATEGORIES= comms
MASTER_SITES= ftp://mgetty.greenie.net/pub/mgetty/source/1.1/
DISTNAME= ${PORTNAME}${PORTVERSION}-Feb22
diff --git a/comms/mgetty+sendfax/files/patch-CVE-2008-4936 b/comms/mgetty+sendfax/files/patch-CVE-2008-4936
new file mode 100644
index 0000000..6260c12
--- /dev/null
+++ b/comms/mgetty+sendfax/files/patch-CVE-2008-4936
@@ -0,0 +1,68 @@
+Fixes CVE-2008-4936
+
+This patch takes ideas from both Debian and Gentoo patches for this
+problem:
+ http://mirror.yandex.ru/gentoo-portage/net-dialup/mgetty/files/mgetty-1.1.36-tmpfile.patch
+ http://ftp.de.debian.org/debian/pool/main/m/mgetty/mgetty_1.1.36.orig.tar.gz
+
+However, Gentoo's patch seems to be incorrect and Debian's one, well...,
+I like the idea of putting temporary file to the spooldir, not directly
+to /tmp (or $TMP).
+
+NB: This issue wasn't fixed even in 1.1.36 and this patch should go to
+NB: that version too. It was written for 1.1.35 and 1.1.36, so it can
+NB: be left unmodified for these versions and may be even for the
+NB: future ones.
+
+--- fax/faxspool.in.orig 2008-12-06 22:30:36.000000000 +0300
++++ fax/faxspool.in 2008-12-06 22:48:40.000000000 +0300
+@@ -653,12 +653,12 @@
+ #
+ # mkdir a directory in $TMP (or /tmp), convert input to G3 in there
+ #
+-spooldir=${TMP:-/tmp}/$new_seq.$$.`date +%S`
++spooldir=`mktemp -d "${TMP:-/tmp}"/"$new_seq.$$".XXXXXXXX`
+
+-if ( umask 077 ; mkdir $spooldir ) ; then
++if [ $? -eq 0 ]; then
+ $echo "spooling to $spooldir (->$new_seq)..."
+ else
+- $echo "ERROR: can't create work dir '$spooldir', giving up" >&2 ; exit 6
++ $echo "ERROR: can't create work dir inside '${TMP:-/tmp}', giving up" >&2 ; exit 6
+ fi
+
+ #
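Review bot: the `if [ $? -eq 0 ]` test only works while nothing is ever inserted between it and the `spooldir=` assignment two lines above; testing the assignment itself, as in `if spooldir=$(mktemp -d ...); then`, keeps the check attached to the command it guards. Dropping the `( umask 077 ; mkdir ... )` subshell is safe because mktemp -d creates the directory with mode 0700, but a one-line comment saying so would save the next reader from wondering where the umask went.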
+@@ -675,9 +675,12 @@
+ if [ x$file = x- ]
+ then
+ $echo "spooling $file (stdin)..."
+- trap "rm /tmp/faxsp.$$" 0
+- cat - >/tmp/faxsp.$$
+- file=/tmp/faxsp.$$
++ file=`mktemp "$spooldir/faxsp.XXXXXXXX"`
++ if [ -z "$file" ]; then
++ $echo "ERROR: can't create work file, giving up" >&2; exit 6
++ fi
++ trap "rm -f $file" 0
++ cat - >"$file"
+ else
+ $echo "spooling $file..."
+ fi
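Review bot: `trap "rm -f $file" 0` expands `$file` when the trap is set and leaves it unquoted inside the trap command, so a path with whitespace or shell metacharacters (it inherits `${TMP:-/tmp}` through `$spooldir`) is split or re-interpreted when the trap fires. Quote it inside the trap string, for example `trap "rm -f '$file'" 0`. As far as these lines show, the `exit 6` on mktemp failure also leaves the freshly created `$spooldir` behind; since the temporary file now lives inside that directory, an exit trap that removes `$spooldir` would cover both.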
+@@ -924,7 +927,7 @@
+ then
+ $echo "\nnothing to do (no cover page, no data)." >&2
+ cd $FAX_SPOOL_OUT
+- rmdir $spooldir
++ rm -rf $spooldir
+ exit 52
+ fi
+
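Review bot: `rm -rf $spooldir` is unquoted and runs right after `cd $FAX_SPOOL_OUT`; with rmdir a mis-split or relative path could at worst remove an empty directory, whereas rm -rf deletes whatever the words resolve to in the new working directory. Use `rm -rf "$spooldir"`, and consider rejecting or absolutizing a relative `$TMP` when the directory is created, since a relative `$spooldir` changes meaning after the `cd`. The same applies to the `rm -rf $spooldir` that follows `cd ..` in the final cleanup hunk.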
+@@ -965,7 +968,7 @@
+ # clean up
+ rm $job.q
+ cd ..
+-rmdir $spooldir
++rm -rf $spooldir
+
+ if [ -z "`find $LAST_RUN -ctime -1 -print 2>/dev/null`" ]
+ then
--
1.6.0.4
--- fix-CVE-2008-4936.diff ends here ---
The following VuXML entry should be evaluated and added:
--- vuln.xml begins here ---
<vuln vid="46fdde22-c3d1-11dd-b08d-001fc66e7203">
<topic>mgetty+sendfax -- symlink attack via insecure temporary files</topic>
<affects>
<package>
<name>mgetty</name>
<range><lt>1.1.35_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Entry for CVE-2008-4936 says:</p>
<blockquote
cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4936">
<p>faxspool in mgetty 1.1.36 allows local users to overwrite
arbitrary files via a symlink attack on a /tmp/faxsp.#####
temporary file.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2008-4936</cvename>
<url>http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496403</url>
</references>
<dates>
<discovery>2008-08-24</discovery>
<entry>TODAY</entry>
</dates>
</vuln>
--- vuln.xml ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted: