file in tmp hole in make_oidjoins_check

Bug #9464 reported by Debian Bug Importer
Affects              Status         Importance   Assigned to   Milestone
postgresql (Debian)  Fix Released   Unknown
postgresql (Ubuntu)  Fix Released   Medium       Martin Pitt

Bug Description

Automatically imported from Debian bug report #278262 http://bugs.debian.org/278262

CVE References

Revision history for this message
In , Oliver Elphick (olly-lfix) wrote : Re: Bug#278262: file in tmp hole in make_oidjoins_check

On Mon, 2004-10-25 at 16:03 -0400, Joey Hess wrote:
> Package: postgresql
> Version: 7.3.4-9
> Severity: normal
> Tags: security
>
> The make_oidjoins_check script, which is only shipped in the source
> package, creates /tmp files insecurely according to CAN-2004-0977 (and
> I've verified this).
>
> It should be fixed, just in case someone happens to find it in the
> source package.

Joey, I think you have rather lost your sense of proportion here.

We should next remove the upstream source, in case someone finds it
there...

--
Oliver Elphick <email address hidden>
Isle of Wight http://www.lfix.co.uk/oliver
GPG: 1024D/A54310EA 92C8 39E7 280E 3631 3F0E 1EC0 5664 7A2F A543 10EA
                 ========================================
     "Whosoever therefore shall be ashamed of me and of my
      words in this adulterous and sinful generation; of him
      also shall the Son of man be ashamed, when he cometh
      in the glory of his Father with the holy angels."
                                 Mark 8:38

Revision history for this message
In , Oliver Elphick (olly-lfix) wrote :

On Tue, 2004-10-26 at 11:40 +0100, Oliver Elphick wrote:
> On Mon, 2004-10-25 at 16:03 -0400, Joey Hess wrote:
> > Package: postgresql
> > Version: 7.3.4-9
> > Severity: normal
> > Tags: security
> >
> > The make_oidjoins_check script, which is only shipped in the source
> > package, creates /tmp files insecurely according to CAN-2004-0977 (and
> > I've verified this).
> >
> > It should be fixed, just in case someone happens to find it in the
> > source package.
>
> Joey, I think you have rather lost your sense of proportion here.
>
> We should next remove the upstream source, in case someone finds it
> there...

But in fact it actually _is_ shipped in postgresql-contrib, not just the
source, so a fix is needed.

--
Oliver Elphick <email address hidden>
Isle of Wight http://www.lfix.co.uk/oliver
GPG: 1024D/A54310EA 92C8 39E7 280E 3631 3F0E 1EC0 5664 7A2F A543 10EA
                 ========================================
     "Whosoever therefore shall be ashamed of me and of my
      words in this adulterous and sinful generation; of him
      also shall the Son of man be ashamed, when he cometh
      in the glory of his Father with the holy angels."
                                 Mark 8:38

Revision history for this message
In , Martin Pitt (pitti) wrote : severity of 278262 is critical, merging 278262 278336

# Automatically generated email from bts, devscripts version 2.7.95.1
severity 278262 critical
merge 278262 278336

Revision history for this message
In , Martin Pitt (pitti) wrote : Re: Bug#278262: file in tmp hole in make_oidjoins_check

Hi!

Joey Hess [2004-10-25 16:03 -0400]:
> Package: postgresql
> Version: 7.3.4-9
> Severity: normal
> Tags: security
>
> The make_oidjoins_check script, which is only shipped in the source
> package, creates /tmp files insecurely according to CAN-2004-0977 (and
> I've verified this).
>
> It should be fixed, just in case someone happens to find it in the
> source package.

It's shipped in -contrib, I merged this bug with #278336.

For the records, a stable update is ready and to be approved by the
security team; I will do an unstable upload soon.

Thanks and have a nice day!

Martin

--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntulinux.org
Debian GNU/Linux Developer http://www.debian.org

Revision history for this message
In , Oliver Elphick (olly-lfix) wrote :

On Tue, 2004-10-26 at 16:41 +0200, Martin Pitt wrote:
> > The make_oidjoins_check script, which is only shipped in the source
> > package, creates /tmp files insecurely according to CAN-2004-0977 (and
> > I've verified this).

> It's shipped in -contrib, I merged this bug with #278336.

In 7.4.6, we should drop this script from postgresql-contrib, since it
is of no use to normal users.

--
Oliver Elphick <email address hidden>
Isle of Wight http://www.lfix.co.uk/oliver
GPG: 1024D/A54310EA 92C8 39E7 280E 3631 3F0E 1EC0 5664 7A2F A543 10EA
                 ========================================
     "Whosoever therefore shall be ashamed of me and of my
      words in this adulterous and sinful generation; of him
      also shall the Son of man be ashamed, when he cometh
      in the glory of his Father with the holy angels."
                                 Mark 8:38

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Automatically imported from Debian bug report #278262 http://bugs.debian.org/278262

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Mon, 25 Oct 2004 16:03:13 -0400
From: Joey Hess <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: file in tmp hole in make_oidjoins_check


Package: postgresql
Version: 7.3.4-9
Severity: normal
Tags: security

The make_oidjoins_check script, which is only shipped in the source
package, creates /tmp files insecurely according to CAN-2004-0977 (and
I've verified this).

It should be fixed, just in case someone happens to find it in the
source package.

--
see shy jo


Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <1098787254.10951.87.camel@linda>
Date: Tue, 26 Oct 2004 11:40:54 +0100
From: Oliver Elphick <email address hidden>
To: Joey Hess <email address hidden>, <email address hidden>
Subject: Re: Bug#278262: file in tmp hole in make_oidjoins_check

On Mon, 2004-10-25 at 16:03 -0400, Joey Hess wrote:
> Package: postgresql
> Version: 7.3.4-9
> Severity: normal
> Tags: security
>
> The make_oidjoins_check script, which is only shipped in the source
> package, creates /tmp files insecurely according to CAN-2004-0977 (and
> I've verified this).
>
> It should be fixed, just in case someone happens to find it in the
> source package.

Joey, I think you have rather lost your sense of proportion here.

We should next remove the upstream source, in case someone finds it
there...

--
Oliver Elphick <email address hidden>
Isle of Wight http://www.lfix.co.uk/oliver
GPG: 1024D/A54310EA 92C8 39E7 280E 3631 3F0E 1EC0 5664 7A2F A543 10EA
                 ========================================
     "Whosoever therefore shall be ashamed of me and of my
      words in this adulterous and sinful generation; of him
      also shall the Son of man be ashamed, when he cometh
      in the glory of his Father with the holy angels."
                                 Mark 8:38

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <1098800599.2414.7.camel@linda>
Date: Tue, 26 Oct 2004 15:23:19 +0100
From: Oliver Elphick <email address hidden>
To: <email address hidden>, <email address hidden>
Subject: Re: Bug#278262: file in tmp hole in make_oidjoins_check

On Tue, 2004-10-26 at 11:40 +0100, Oliver Elphick wrote:
> On Mon, 2004-10-25 at 16:03 -0400, Joey Hess wrote:
> > Package: postgresql
> > Version: 7.3.4-9
> > Severity: normal
> > Tags: security
> >
> > The make_oidjoins_check script, which is only shipped in the source
> > package, creates /tmp files insecurely according to CAN-2004-0977 (and
> > I've verified this).
> >
> > It should be fixed, just in case someone happens to find it in the
> > source package.
>
> Joey, I think you have rather lost your sense of proportion here.
>
> We should next remove the upstream source, in case someone finds it
> there...

But in fact it actually _is_ shipped in postgresql-contrib, not just the
source, so a fix is needed.

--
Oliver Elphick <email address hidden>
Isle of Wight http://www.lfix.co.uk/oliver
GPG: 1024D/A54310EA 92C8 39E7 280E 3631 3F0E 1EC0 5664 7A2F A543 10EA
                 ========================================
     "Whosoever therefore shall be ashamed of me and of my
      words in this adulterous and sinful generation; of him
      also shall the Son of man be ashamed, when he cometh
      in the glory of his Father with the holy angels."
                                 Mark 8:38

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Tue, 26 Oct 2004 16:41:09 +0200
From: Martin Pitt <email address hidden>
To: Joey Hess <email address hidden>, <email address hidden>
Subject: Re: Bug#278262: file in tmp hole in make_oidjoins_check


Hi!

Joey Hess [2004-10-25 16:03 -0400]:
> Package: postgresql
> Version: 7.3.4-9
> Severity: normal
> Tags: security
>
> The make_oidjoins_check script, which is only shipped in the source
> package, creates /tmp files insecurely according to CAN-2004-0977 (and
> I've verified this).
>
> It should be fixed, just in case someone happens to find it in the
> source package.

It's shipped in -contrib, I merged this bug with #278336.

For the records, a stable update is ready and to be approved by the
security team; I will do an unstable upload soon.

Thanks and have a nice day!

Martin

--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntulinux.org
Debian GNU/Linux Developer http://www.debian.org


Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Tue, 26 Oct 2004 16:31:45 +0200
From: Martin Pitt <email address hidden>
To: <email address hidden>
Subject: severity of 278262 is critical, merging 278262 278336

# Automatically generated email from bts, devscripts version 2.7.95.1
severity 278262 critical
merge 278262 278336

Revision history for this message
Debian Bug Importer (debzilla) wrote :

*** Bug 9455 has been marked as a duplicate of this bug. ***

Revision history for this message
In , Joey Hess (joeyh) wrote :

Oliver Elphick wrote:
> On Mon, 2004-10-25 at 16:03 -0400, Joey Hess wrote:
> > Package: postgresql
> > Version: 7.3.4-9
> > Severity: normal
> > Tags: security
> >
> > The make_oidjoins_check script, which is only shipped in the source
> > package, creates /tmp files insecurely according to CAN-2004-0977 (and
> > I've verified this).
> >
> > It should be fixed, just in case someone happens to find it in the
> > source package.
>
> Joey, I think you have rather lost your sense of proportion here.

Not really; other linux distributions have shipped this script in binary
packages, it's obviously not too unlikely that someone would find it and
use it.

--
see shy jo

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <1098802716.2414.13.camel@linda>
Date: Tue, 26 Oct 2004 15:58:36 +0100
From: Oliver Elphick <email address hidden>
To: Martin Pitt <email address hidden>, <email address hidden>
Subject: Re: Bug#278262: file in tmp hole in make_oidjoins_check

On Tue, 2004-10-26 at 16:41 +0200, Martin Pitt wrote:
> > The make_oidjoins_check script, which is only shipped in the source
> > package, creates /tmp files insecurely according to CAN-2004-0977 (and
> > I've verified this).

> It's shipped in -contrib, I merged this bug with #278336.

In 7.4.6, we should drop this script from postgresql-contrib, since it
is of no use to normal users.

--
Oliver Elphick <email address hidden>
Isle of Wight http://www.lfix.co.uk/oliver
GPG: 1024D/A54310EA 92C8 39E7 280E 3631 3F0E 1EC0 5664 7A2F A543 10EA
                 ========================================
     "Whosoever therefore shall be ashamed of me and of my
      words in this adulterous and sinful generation; of him
      also shall the Son of man be ashamed, when he cometh
      in the glory of his Father with the holy angels."
                                 Mark 8:38

Revision history for this message
In , Florian Weimer (fw) wrote :

* Joey Hess:

>> > It should be fixed, just in case someone happens to find it in the
>> > source package.
>>
>> Joey, I think you have rather lost your sense of proportion here.
>
> Not really; other linux distributions have shipped this script in binary
> packages, it's obviously not too unlikely that someone would find it and
> use it.

But any stable update has a potentially destabilizing effect, too, so
we have to carefully weigh our options. If a stable update is
scheduled because of the data loss bug, it should also incorporate the
security fix, but releasing a no-op security fix alone doesn't make
sense to me.

Revision history for this message
Martin Pitt (pitti) wrote :

Created an attachment (id=608)
interdiff to fix this

Bugzilla automatically closed the wrong duplicate bug, so I copy the interdiff
here.

Revision history for this message
In , Martin Pitt (pitti) wrote :

Hi!

Florian Weimer [2004-10-26 19:01 +0200]:
> * Joey Hess:
>
> >> > It should be fixed, just in case someone happens to find it in the
> >> > source package.
> >>
> >> Joey, I think you have rather lost your sense of proportion here.
> >
> > Not really; other linux distributions have shipped this script in binary
> > packages, it's obviously not too unlikely that someone would find it and
> > use it.
>
> But any stable update has a potentially destabilizing effect, too, so
> we have to carefully weigh our options. If a stable update is
> scheduled because of the data loss bug, it should also incorporate the
> security fix, but releasing a no-op security fix alone doesn't make
> sense to me.

Just for the records again, we _do_ ship this file in
postgresql-contrib. I prepared an update which is currently in the
approval phase.

I would really like to put other fixes in to stable, too, but I
already asked several times to upload the (very sane) PostgreSQL point
releases, without success.

Martin

--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntulinux.org
Debian GNU/Linux Developer http://www.debian.org

Revision history for this message
Martin Pitt (pitti) wrote :

The Hoary version is not yet fixed, adapting severity and target. Warty version
was fixed by today's security upload.

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Tue, 26 Oct 2004 12:20:50 -0400
From: Joey Hess <email address hidden>
To: Oliver Elphick <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#278262: file in tmp hole in make_oidjoins_check


Oliver Elphick wrote:
> On Mon, 2004-10-25 at 16:03 -0400, Joey Hess wrote:
> > Package: postgresql
> > Version: 7.3.4-9
> > Severity: normal
> > Tags: security
> >
> > The make_oidjoins_check script, which is only shipped in the source
> > package, creates /tmp files insecurely according to CAN-2004-0977 (and
> > I've verified this).
> >
> > It should be fixed, just in case someone happens to find it in the
> > source package.
>
> Joey, I think you have rather lost your sense of proportion here.

Not really; other linux distributions have shipped this script in binary
packages, it's obviously not too unlikely that someone would find it and
use it.

--
see shy jo


Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Tue, 26 Oct 2004 19:01:12 +0200
From: Florian Weimer <email address hidden>
To: Joey Hess <email address hidden>
Cc: <email address hidden>, Oliver Elphick <email address hidden>
Subject: Re: Bug#278262: file in tmp hole in make_oidjoins_check

* Joey Hess:

>> > It should be fixed, just in case someone happens to find it in the
>> > source package.
>>
>> Joey, I think you have rather lost your sense of proportion here.
>
> Not really; other linux distributions have shipped this script in binary
> packages, it's obviously not too unlikely that someone would find it and
> use it.

But any stable update has a potentially destabilizing effect, too, so
we have to carefully weigh our options. If a stable update is
scheduled because of the data loss bug, it should also incorporate the
security fix, but releasing a no-op security fix alone doesn't make
sense to me.

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Tue, 26 Oct 2004 19:32:53 +0200
From: Martin Pitt <email address hidden>
To: Florian Weimer <email address hidden>, <email address hidden>
Cc: Joey Hess <email address hidden>
Subject: Re: Bug#278262: file in tmp hole in make_oidjoins_check


Hi!

Florian Weimer [2004-10-26 19:01 +0200]:
> * Joey Hess:
>
> >> > It should be fixed, just in case someone happens to find it in the
> >> > source package.
> >>
> >> Joey, I think you have rather lost your sense of proportion here.
> >
> > Not really; other linux distributions have shipped this script in binary
> > packages, it's obviously not too unlikely that someone would find it and
> > use it.
>
> But any stable update has a potentially destabilizing effect, too, so
> we have to carefully weigh our options. If a stable update is
> scheduled because of the data loss bug, it should also incorporate the
> security fix, but releasing a no-op security fix alone doesn't make
> sense to me.

Just for the records again, we _do_ ship this file in
postgresql-contrib. I prepared an update which is currently in the
approval phase.

I would really like to put other fixes in to stable, too, but I
already asked several times to upload the (very sane) PostgreSQL point
releases, without success.

Martin

--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntulinux.org
Debian GNU/Linux Developer http://www.debian.org


Revision history for this message
In , Martin Pitt (pitti) wrote : Bug#278262: fixed in postgresql 7.4.6-1

Source: postgresql
Source-Version: 7.4.6-1

We believe that the bug you reported is fixed in the latest version of
postgresql, which is due to be installed in the Debian FTP archive:

libecpg-dev_7.4.6-1_i386.deb
  to pool/main/p/postgresql/libecpg-dev_7.4.6-1_i386.deb
libecpg4_7.4.6-1_i386.deb
  to pool/main/p/postgresql/libecpg4_7.4.6-1_i386.deb
libpgtcl-dev_7.4.6-1_i386.deb
  to pool/main/p/postgresql/libpgtcl-dev_7.4.6-1_i386.deb
libpgtcl_7.4.6-1_i386.deb
  to pool/main/p/postgresql/libpgtcl_7.4.6-1_i386.deb
libpq3_7.4.6-1_i386.deb
  to pool/main/p/postgresql/libpq3_7.4.6-1_i386.deb
postgresql-client_7.4.6-1_i386.deb
  to pool/main/p/postgresql/postgresql-client_7.4.6-1_i386.deb
postgresql-contrib_7.4.6-1_i386.deb
  to pool/main/p/postgresql/postgresql-contrib_7.4.6-1_i386.deb
postgresql-dev_7.4.6-1_i386.deb
  to pool/main/p/postgresql/postgresql-dev_7.4.6-1_i386.deb
postgresql-doc_7.4.6-1_all.deb
  to pool/main/p/postgresql/postgresql-doc_7.4.6-1_all.deb
postgresql_7.4.6-1.diff.gz
  to pool/main/p/postgresql/postgresql_7.4.6-1.diff.gz
postgresql_7.4.6-1.dsc
  to pool/main/p/postgresql/postgresql_7.4.6-1.dsc
postgresql_7.4.6-1_i386.deb
  to pool/main/p/postgresql/postgresql_7.4.6-1_i386.deb
postgresql_7.4.6.orig.tar.gz
  to pool/main/p/postgresql/postgresql_7.4.6.orig.tar.gz

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Martin Pitt <email address hidden> (supplier of updated postgresql package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)


Format: 1.7
Date: Wed, 27 Oct 2004 12:08:01 +0200
Source: postgresql
Binary: postgresql-client libecpg4 libpgtcl-dev libpq3 postgresql-doc libecpg-dev postgresql-dev postgresql libpgtcl postgresql-contrib
Architecture: source i386 all
Version: 7.4.6-1
Distribution: unstable
Urgency: medium
Maintainer: Oliver Elphick <email address hidden>
Changed-By: Martin Pitt <email address hidden>
Description:
 libecpg-dev - Shared library libecpg.so for PostgreSQL - development files
 libecpg4 - Shared library libecpg.so.4 for PostgreSQL
 libpgtcl - Tcl procedural language, library and front-end for PostgreSQL
 libpgtcl-dev - Tcl library for PostgreSQL - development files
 libpq3 - Shared library libpq.so.3 for PostgreSQL
 postgresql - Object-relational SQL database, descended from POSTGRES
 postgresql-client - Front-end programs for PostgreSQL
 postgresql-contrib - Additional facilities for PostgreSQL
 postgresql-dev - Header files for libpq (postgresql library)
 postgresql-doc - Documentation for the PostgreSQL database
Closes: 273837 278262 278318 278336
Changes:
 postgresql (7.4.6-1) unstable; urgency=medium
 .
   * New upstream security and bug fix release
     - fix several bugs causing potential data loss and security
       vulnerabilities. ...


Revision history for this message
In , Martin Pitt (pitti) wrote : reopening 278336, tagging 278336

# Automatically generated email from bts, devscripts version 2.7.95.1
reopen 278336
tags 278336 woody pending

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Wed, 27 Oct 2004 06:47:12 -0400
From: Martin Pitt <email address hidden>
To: <email address hidden>
Subject: Bug#278262: fixed in postgresql 7.4.6-1

Source: postgresql
Source-Version: 7.4.6-1

We believe that the bug you reported is fixed in the latest version of
postgresql, which is due to be installed in the Debian FTP archive:

libecpg-dev_7.4.6-1_i386.deb
  to pool/main/p/postgresql/libecpg-dev_7.4.6-1_i386.deb
libecpg4_7.4.6-1_i386.deb
  to pool/main/p/postgresql/libecpg4_7.4.6-1_i386.deb
libpgtcl-dev_7.4.6-1_i386.deb
  to pool/main/p/postgresql/libpgtcl-dev_7.4.6-1_i386.deb
libpgtcl_7.4.6-1_i386.deb
  to pool/main/p/postgresql/libpgtcl_7.4.6-1_i386.deb
libpq3_7.4.6-1_i386.deb
  to pool/main/p/postgresql/libpq3_7.4.6-1_i386.deb
postgresql-client_7.4.6-1_i386.deb
  to pool/main/p/postgresql/postgresql-client_7.4.6-1_i386.deb
postgresql-contrib_7.4.6-1_i386.deb
  to pool/main/p/postgresql/postgresql-contrib_7.4.6-1_i386.deb
postgresql-dev_7.4.6-1_i386.deb
  to pool/main/p/postgresql/postgresql-dev_7.4.6-1_i386.deb
postgresql-doc_7.4.6-1_all.deb
  to pool/main/p/postgresql/postgresql-doc_7.4.6-1_all.deb
postgresql_7.4.6-1.diff.gz
  to pool/main/p/postgresql/postgresql_7.4.6-1.diff.gz
postgresql_7.4.6-1.dsc
  to pool/main/p/postgresql/postgresql_7.4.6-1.dsc
postgresql_7.4.6-1_i386.deb
  to pool/main/p/postgresql/postgresql_7.4.6-1_i386.deb
postgresql_7.4.6.orig.tar.gz
  to pool/main/p/postgresql/postgresql_7.4.6.orig.tar.gz

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Martin Pitt <email address hidden> (supplier of updated postgresql package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)


Format: 1.7
Date: Wed, 27 Oct 2004 12:08:01 +0200
Source: postgresql
Binary: postgresql-client libecpg4 libpgtcl-dev libpq3 postgresql-doc libecpg-dev postgresql-dev postgresql libpgtcl postgresql-contrib
Architecture: source i386 all
Version: 7.4.6-1
Distribution: unstable
Urgency: medium
Maintainer: Oliver Elphick <email address hidden>
Changed-By: Martin Pitt <email address hidden>
Description:
 libecpg-dev - Shared library libecpg.so for PostgreSQL - development files
 libecpg4 - Shared library libecpg.so.4 for PostgreSQL
 libpgtcl - Tcl procedural language, library and front-end for PostgreSQL
 libpgtcl-dev - Tcl library for PostgreSQL - development files
 libpq3 - Shared library libpq.so.3 for PostgreSQL
 postgresql - Object-relational SQL database, descended from POSTGRES
 postgresql-client - Front-end programs for PostgreSQL
 postgresql-contrib - Additional facilities for PostgreSQL
 postgresql-dev - Header files for libpq (postgresql library)
 postgresql-doc - Documentation for the PostgreSQL database
Closes: 273837 278262 2...


Revision history for this message
Martin Pitt (pitti) wrote :

Fixed in Debian now, should automatically go into Hoary with one of the next syncs.

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Wed, 27 Oct 2004 13:30:19 +0200
From: Martin Pitt <email address hidden>
To: <email address hidden>
Subject: reopening 278336, tagging 278336

# Automatically generated email from bts, devscripts version 2.7.95.1
reopen 278336
tags 278336 woody pending

Revision history for this message
Martin Pitt (pitti) wrote :

Fixed by the recent sid sync.

Revision history for this message
In , Martin Pitt (pitti) wrote : Fwd: Accepted postgresql 7.2.1-2woody6 (i386 source all)

Hi!

The woody version is published, so this bug can be closed.

Martin

----- Forwarded message from Martin Pitt <email address hidden> -----

From: Martin Pitt <email address hidden>
To: <email address hidden>
Subject: Accepted postgresql 7.2.1-2woody6 (i386 source all)
Date: Fri, 29 Oct 2004 06:17:12 -0400
X-Spam-Status: No, hits=-1.5 required=4.0 tests=AWL autolearn=no version=2.64


Format: 1.7
Date: Tue, 26 Oct 2004 15:54:22 +0200
Source: postgresql
Binary: libpgtcl postgresql pgaccess odbc-postgresql libpgperl postgresql-client libecpg3 postgresql-contrib postgresql-dev postgresql-doc python-pygresql libpgsql2
Architecture: source all i386
Version: 7.2.1-2woody6
Distribution: stable-security
Urgency: high
Maintainer: Martin Pitt <email address hidden>
Changed-By: Martin Pitt <email address hidden>
Description:
 libecpg3 - Shared library libecpg.so.3 for PostgreSQL
 libpgperl - Perl modules for PostgreSQL.
 libpgsql2 - Shared library libpq.so.2 for PostgreSQL
 libpgtcl - Tcl/Tk library and front-end for PostgreSQL.
 odbc-postgresql - ODBC support for PostgreSQL
 pgaccess - Tk/Tcl front-end for PostgreSQL database
 postgresql - Object-relational SQL database, descended from POSTGRES.
 postgresql-client - Front-end programs for PostgreSQL
 postgresql-contrib - Additional facilities for PostgreSQL
 postgresql-dev - Header files for libpq (postgresql library)
 postgresql-doc - Documentation for the PostgreSQL database.
 python-pygresql - PostgreSQL module for Python
Changes:
 postgresql (7.2.1-2woody6) stable-security; urgency=high
 .
   * Security upload to fix insecure temporary file handling in
     contrib/findoidjoins/make_oidjoins_check:
     - use version from upstream release 7.2.6 as basis (introduces proper
       variables for the file names instead of repeatedly constructing them
       inline)
     - upstream still uses the $$ method for constructing file names; changed
       that to use mktemp
   * References:
     CAN-2004-0977
     http://www.postgresql.org/news/234.html
     http://bugs.debian.org/278336
Files:

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Fri, 29 Oct 2004 12:41:01 +0200
From: Martin Pitt <email address hidden>
To: <email address hidden>
Subject: Fwd: Accepted postgresql 7.2.1-2woody6 (i386 source all)


Hi!

The woody version is published, so this bug can be closed.

Martin

----- Forwarded message from Martin Pitt <email address hidden> -----

From: Martin Pitt <email address hidden>
To: <email address hidden>
Subject: Accepted postgresql 7.2.1-2woody6 (i386 source all)
Date: Fri, 29 Oct 2004 06:17:12 -0400
X-Spam-Status: No, hits=-1.5 required=4.0 tests=AWL autolearn=no version=2.64


Format: 1.7
Date: Tue, 26 Oct 2004 15:54:22 +0200
Source: postgresql
Binary: libpgtcl postgresql pgaccess odbc-postgresql libpgperl postgresql-client libecpg3 postgresql-contrib postgresql-dev postgresql-doc python-pygresql libpgsql2
Architecture: source all i386
Version: 7.2.1-2woody6
Distribution: stable-security
Urgency: high
Maintainer: Martin Pitt <email address hidden>
Changed-By: Martin Pitt <email address hidden>
Description:
 libecpg3 - Shared library libecpg.so.3 for PostgreSQL
 libpgperl - Perl modules for PostgreSQL.
 libpgsql2 - Shared library libpq.so.2 for PostgreSQL
 libpgtcl - Tcl/Tk library and front-end for PostgreSQL.
 odbc-postgresql - ODBC support for PostgreSQL
 pgaccess - Tk/Tcl front-end for PostgreSQL database
 postgresql - Object-relational SQL database, descended from POSTGRES.
 postgresql-client - Front-end programs for PostgreSQL
 postgresql-contrib - Additional facilities for PostgreSQL
 postgresql-dev - Header files for libpq (postgresql library)
 postgresql-doc - Documentation for the PostgreSQL database.
 python-pygresql - PostgreSQL module for Python
Changes:
 postgresql (7.2.1-2woody6) stable-security; urgency=high
 .
   * Security upload to fix insecure temporary file handling in
     contrib/findoidjoins/make_oidjoins_check:
     - use version from upstream release 7.2.6 as basis (introduces proper
       variables for the file names instead of repeatedly constructing them
       inline)
     - upstream still uses the $$ method for constructing file names; changed
       that to use mktemp
   * References:
     CAN-2004-0977
     http://www.postgresql.org/news/234.html
     http://bugs.debian.org/278336
Files:

Changed in postgresql:
status: Unknown → Fix Released
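
The 7.2.1-2woody6 changelog in this report replaces file names built from $$ with mktemp. The shell code below is an added example, not the text of make_oidjoins_check or of the Debian patch; its function and file names are hypothetical. It runs both patterns in a private directory where the PID-based name is already occupied by a symlink, and reports what each one leaves behind.

```shell
#!/bin/sh
# Added illustration. File and function names are hypothetical; this is not
# the text of make_oidjoins_check or of the Debian patch.

# Pattern the changelog replaces: the name is built from the shell's PID.
# It is predictable, and ">" opens whatever already sits at that path,
# following a symlink if one is there.
write_pid_named() {            # $1 = directory, $2 = data
    tmp="$1/oidjoins.$$"
    printf '%s\n' "$2" > "$tmp"
    printf '%s\n' "$tmp"
}

# Pattern the changelog introduces: mktemp chooses the name and creates the
# file itself (exclusive create, owner-only mode), so an existing path is
# never reused.
write_mktemp() {               # $1 = directory, $2 = data
    tmp=$(mktemp "$1/oidjoins.XXXXXX") || return 1
    printf '%s\n' "$2" > "$tmp"
    printf '%s\n' "$tmp"
}

# Build a private sandbox in which a symlink already occupies the PID-based
# name and points at a file holding "original" (constructed test data).
make_sandbox() {
    dir=$(mktemp -d) || return 1
    printf 'original\n' > "$dir/victim"
    ln -s "$dir/victim" "$dir/oidjoins.$$"
    printf '%s\n' "$dir"
}

# Prints the content of the symlink target after the named writer has run.
victim_after() {               # $1 = write_pid_named | write_mktemp
    dir=$(make_sandbox) || return 1
    "$1" "$dir" "scratch data" > /dev/null
    cat "$dir/victim"
    rm -rf "$dir"
}

# Prints the type-and-permission field of a file made by write_mktemp.
mktemp_mode() {
    dir=$(mktemp -d) || return 1
    f=$(write_mktemp "$dir" "scratch data") || return 1
    ls -ld "$f" | cut -c1-10
    rm -rf "$dir"
}

echo "PID-based name: target now holds '$(victim_after write_pid_named)'"
echo "mktemp:         target now holds '$(victim_after write_mktemp)'"
echo "mktemp file mode: $(mktemp_mode)"
```

With the PID-based name the write lands in the file the symlink points to; with mktemp that file is untouched and the scratch file is a new regular file readable only by its owner.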