Fsniper doesn't safely check file names.

Bug #403113 reported by Dave Walker on 2009-07-22
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
fsniper (Ubuntu) | | Undecided | Dave Walker |
Jaunty | | Undecided | Dave Walker |
Karmic | | Undecided | Dave Walker |

Bug Description

Fsniper doesn't safely check for single quotes and double quotes on watched files; this could potentially cause some injection. This has been discovered upstream, and their patch is attached.
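
An added example, not part of the original report and not the upstream patch (which is not shown on this page): one way to neutralise both quote types in a file name before it is placed in a shell command line. It assumes the handler command is run through a POSIX shell with the watched file's name substituted in; `shell_quote` and `build_command` are hypothetical names, and the sample file name is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Wrap name in single quotes, rewriting each embedded ' as '\'' so a POSIX
 * shell reads the result as one word (", $, ` and spaces are inert inside
 * single quotes). Returns malloc'd memory, or NULL on allocation failure. */
char *shell_quote(const char *name)
{
    size_t n = 3;                          /* two outer quotes + NUL */
    for (const char *p = name; *p; p++)
        n += (*p == '\'') ? 4 : 1;
    char *out = malloc(n), *w = out;
    if (!out)
        return NULL;
    *w++ = '\'';
    for (const char *p = name; *p; p++) {
        if (*p != '\'') { *w++ = *p; continue; }
        memcpy(w, "'\\''", 4);             /* close, escaped quote, reopen */
        w += 4;
    }
    *w++ = '\'';
    *w = '\0';
    return out;
}

/* Hypothetical helper: append the quoted file name to a handler command. */
char *build_command(const char *handler, const char *filename)
{
    char *q = shell_quote(filename);
    if (!q)
        return NULL;
    size_t n = strlen(handler) + strlen(q) + 2;   /* space + NUL */
    char *cmd = malloc(n);
    if (cmd)
        snprintf(cmd, n, "%s %s", handler, q);
    free(q);
    return cmd;
}

int main(void)
{
    /* Constructed sample name containing both quote types. */
    char *cmd = build_command("ls -l --", "it's \"final\".txt");
    if (cmd)
        puts(cmd);
    free(cmd);
    return 0;
}
```

Passing the file name as its own argv element to an exec-family call avoids shell parsing altogether, where the handler design allows it.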

Dave Walker (davewalker) wrote :
Changed in fsniper (Ubuntu):
status: New → In Progress
assignee: nobody → Dave Walker (davewalker)
Dave Walker (davewalker) wrote :

debdiff attached

Changed in fsniper (Ubuntu):
status: In Progress → Fix Committed
visibility: private → public
Brian Murray (brian-murray) wrote :

Looking at your debdiff I noticed that you have:

(Closes LP:#403116)

However, the correct format for closing the Launchpad bug includes a space, so you'll really want:

(Closes LP: #403116)

Of course this is also true for the other bug in the changelog. Thanks!

Dave Walker (davewalker) wrote :

Oops! Thanks, replacement debdiff attached.

Kees Cook (kees) wrote :

Hi! Thanks for the debdiff. For Karmic, the MOTU sponsors should be able to handle this. For jaunty, we need to follow https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Most notably, https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation mentions that the pocket must be jaunty-security, and the jaunty version should be -0ubuntu1.1 (to not conflict with karmic's updates). Generally, we try to avoid adding patching systems to already published sources. It does make sense for karmic, though.

Changed in fsniper (Ubuntu Karmic):
status: Fix Committed → In Progress
Changed in fsniper (Ubuntu Jaunty):
status: New → In Progress
Changed in fsniper (Ubuntu Karmic):
status: In Progress → Triaged
Changed in fsniper (Ubuntu Jaunty):
assignee: nobody → Dave Walker (davewalker)
status: In Progress → Triaged
Dave Walker (davewalker) wrote :

Thanks Kees.

Jaunty debdiff attached with version -0ubuntu1.1 and pocket jaunty-security.

Jamie Strandboge (jdstrand) wrote :
Changed in fsniper (Ubuntu Jaunty):
status: Triaged → In Progress
Jamie Strandboge (jdstrand) wrote :

For Jaunty it is preferred that you do not add a patch system since it introduces more changes to the package than are necessary. If you insist on adding the patch system, please follow https://wiki.ubuntu.com/UbuntuDevelopment/PatchTaggingGuidelines. As it is now, there is no attribution, origination of patches or upstream references anywhere in the debdiff, which makes it difficult to review. See https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging for more details. Please update, resubmit and mark the bug back to 'In Progress'. Thanks for your work on this!

Changed in fsniper (Ubuntu Jaunty):
status: In Progress → Incomplete
Dave Walker (davewalker) wrote :

Attached is a further debdiff with modified changelog, and richer headers in the patches - as per PatchTaggingGuidelines.

If this is suitable, and gets an "Ack" I will attach a suitable debdiff for Karmic. (or should it just be merged?).

Changed in fsniper (Ubuntu Jaunty):
status: Incomplete → In Progress
Marc Deslauriers (mdeslaur) wrote :

Thanks for the debdiff. The jaunty update is currently building.

Please get a MOTU to sponsor the karmic upload to preserve the upgrade path.

Changed in fsniper (Ubuntu Jaunty):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package fsniper - 1.3.1-0ubuntu1.1

---------------
fsniper (1.3.1-0ubuntu1.1) jaunty-security; urgency=low

  * SECURITY UPDATE: Permissions of PID file are set on current
    umask rather than 600. (LP: #403116)
    - debian/patches/pid_file_permissons_to_600.patch: adjust
      src/main.c to set permissions of PID to 600. Based on
      upstream patch.
  * SECURITY UPDATE: Quotation marks not safely checked in
    filenames. (LP: #403113)
    - debian/patches/singlequote_doublequote_issue.patch:
      adjust src/handle_event.c to include checking for both
      single and double quotation marks. Based on upstream
      patch.
  * Added quilt support to manage patches.
  * Bumped Debian package Standards-Version to 3.8.2

 -- Dave Walker (Daviey) <email address hidden> Fri, 24 Jul 2009 21:59:07 +0100

Changed in fsniper (Ubuntu Jaunty):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package fsniper - 1.3.1-0ubuntu2

---------------
fsniper (1.3.1-0ubuntu2) karmic; urgency=low

  * SECURITY UPDATE: Permissions of PID file are set on current
    umask rather than 600. (LP: #403116)
    - debian/patches/pid_file_permissons_to_600.patch: adjust
      src/main.c to set permissions of PID to 600. Based on
      upstream patch.
  * SECURITY UPDATE: Quotation marks not safely checked in
    filenames. (LP: #403113)
    - debian/patches/singlequote_doublequote_issue.patch:
      adjust src/handle_event.c to include checking for both
      single and double quotation marks. Based on upstream
      patch.
  * Added quilt support to manage patches.
  * Bumped Debian package Standards-Version to 3.8.2

 -- Dave Walker (Daviey) <email address hidden> Fri, 24 Jul 2009 21:59:07 +0100

Changed in fsniper (Ubuntu Karmic):
status: Triaged → Fix Released
This report contains Public Security information
Everyone can see this security related information.