lm-sensors: Insecure tempfile usage in pwmconfig
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
lm-sensors (Debian) | Fix Released | Unknown | |
lm-sensors (Ubuntu) | Fix Released | High | Martin Pitt |
Bug Description
Automatically imported from Debian bug report #324193 http://bugs.debian.org/324193
CVE References
CAN-2005-2672 (CVE-2005-2672)
Debian Bug Importer (debzilla) wrote : | #2 |
Message-Id: <email address hidden>
Date: Sat, 20 Aug 2005 22:21:13 +0200
From: Aurelien Jarno <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: lm-sensors: Insecure tempfile usage in pwmconfig
Package: lm-sensors
Version: 1:2.9.1-5
Severity: grave
Tags: security patch
lm-sensors's configuration script pwmconfig, which is used, generally as
root, to probe the fan controls and generate a new configuration file,
uses files under /tmp in an unsafe way which makes it possible to
conduct symlink attacks. The temporary filename used to create a
temporary configuration file is hardcoded to '/tmp/fancontrol'.
Thanks to Javier Fernández-Sanguino Peña <email address hidden> who first
reported the bug to me.
--- pwmconfig.orig 2005-08-05 18:36:40.000000000 +0200
+++ pwmconfig 2005-08-05 18:37:47.000000000 +0200
@@ -465,9 +465,11 @@
function SaveConfig {
echo
echo "Saving configuration to $FCCONFIG..."
- egrep -v '(INTERVAL|
- echo -e "INTERVAL=
- mv /tmp/fancontrol $FCCONFIG
+ tmpfile=`tempfile` || { echo "$0: Cannot create temporary file" >&2; exit 1; }
+ trap " [ -f \"$tmpfile\" ] && /bin/rm -f -- \"$tmpfile\"" 0 1 2 3 13 15
+ egrep -v '(INTERVAL|
+ echo -e "INTERVAL=
+ mv $tmpfile $FCCONFIG
#check if file was written correctly
echo 'Configuration saved'
}
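Review bot: the trap on the second + line removes the temp file on signals 1 2 3 13 15 but never calls exit, so in bash an interrupted run (Ctrl-C during SaveConfig) deletes $tmpfile and then carries on to `mv $tmpfile $FCCONFIG`, which fails with a confusing error instead of a clean abort; install the signal trap separately with an explicit exit, e.g. `trap '[ -f "$tmpfile" ] && rm -f -- "$tmpfile"; exit 1' 1 2 3 13 15`, and keep the plain cleanup on 0. While there, quote the expansions in `mv $tmpfile $FCCONFIG` on the last + line, as the trap line already does. The redirections on the two `egrep -v` / `echo -e` lines are cut off in this copy, so the review cannot see their targets; confirm both now write to "$tmpfile" and that /tmp/fancontrol appears nowhere else in the script. Two caveats worth a comment in the code: tempfile creates the file mode 0600, so after the mv $FCCONFIG inherits that mode unless it is chmod'ed first, and tempfile comes from debianutils, so mktemp is the portable choice if the script is meant to run outside Debian.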
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=
Versions of packages lm-sensors depends on:
ii debconf [debconf-2.0] 1.4.57 Debian configuration management sy
ii libc6 2.3.5-3 GNU C Library: Shared libraries an
ii libsensors3 1:2.9.1-5 library to read temperature/voltag
ii makedev 2.3.1-78 creates device files in /dev
ii perl 5.8.7-4 Larry Wall's Practical Extraction
ii sed 4.1.4-2 The GNU sed stream editor
ii sysvinit 2.86.ds1-1 System-V like init
ii ucf 2.001 Update Configuration File: preserv
Versions of packages lm-sensors recommends:
ii kernel-image-2.6.12 [kernel 10.00.Custom Linux kernel binary image for vers
ii lm-sensors-
-- debconf information excluded
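The symlink attack the report above describes, reproduced as an added example that is not code from lm-sensors or from the bug report: the predictable-name pattern SaveConfig used beside the mktemp-based form the patch moves to, plus the grep a reviewer runs to find such paths before a privileged script ships. Everything is exercised in a private scratch directory as an ordinary user; the scratch directory, the "victim" file, the config path and the audited snippet are constructed stand-ins for /tmp, an attacker-chosen target, $FCCONFIG and the unfixed script.

```shell
#!/bin/sh
# Added example, not part of lm-sensors. Stand-ins (all constructed):
#   $WORK       - private directory playing the role of a world-writable /tmp
#   $VICTIM     - the file an attacker wants a root run of pwmconfig to clobber
#   $PREDICTABLE- the hardcoded name (/tmp/fancontrol in the real script)
#   $CONFIG     - the final destination ($FCCONFIG in the real script)
set -u

WORK=$(mktemp -d) || exit 1
trap 'rm -rf "$WORK"' EXIT

VICTIM="$WORK/victim"
PREDICTABLE="$WORK/fancontrol"
CONFIG="$WORK/fancontrol.conf"

reset_state() {
    printf 'original contents\n' > "$VICTIM"
    rm -f "$PREDICTABLE" "$CONFIG"
}

# Attacker's move: plant a symlink at the name the script is known to use,
# before the privileged run happens. Needs no privileges in a shared /tmp.
plant_symlink() {
    ln -s "$VICTIM" "$PREDICTABLE"
}

# Unfixed pattern: fixed name, plain '>' redirection (O_CREAT without O_EXCL),
# then mv. The redirection follows the planted symlink and overwrites the victim.
vulnerable_save() {
    printf 'INTERVAL=10\n' > "$PREDICTABLE"
    mv "$PREDICTABLE" "$CONFIG"      # moves the symlink itself; damage is already done
}

# Fixed pattern: mktemp (tempfile on Debian) creates a fresh file with an
# unguessable suffix, O_EXCL and mode 0600, so a symlink planted at a guessed
# name is never opened. Failure cleanup is explicit rather than trap-based.
safe_save() {
    tmp=$(mktemp "$WORK/fancontrol.XXXXXX") || return 1
    printf 'INTERVAL=10\n' > "$tmp" || { rm -f "$tmp"; return 1; }
    chmod 0644 "$tmp"                # mktemp gives 0600; set the mode the consumer needs
    mv -f "$tmp" "$CONFIG"
}

victim_contents() { cat "$VICTIM"; }

# One attack round against the named save function; prints what the victim holds.
run_attack() {
    reset_state
    plant_symlink
    "$1" || return 1
    victim_contents
}

# Audit helper: number of lines in a script that name a literal path under /tmp/.
count_hardcoded_tmp() {
    grep -cE '(^|[^A-Za-z0-9_])/tmp/[A-Za-z0-9_.-]+' "$1"
}

# Demo when run directly. The snippet is a constructed three-line imitation of
# the unfixed pattern, not the real pwmconfig text.
cat > "$WORK/snippet.sh" <<'EOF'
cat "$FCCONFIG" > /tmp/fancontrol
echo "INTERVAL=10" >> /tmp/fancontrol
mv /tmp/fancontrol "$FCCONFIG"
EOF
echo "unfixed save, victim now reads: $(run_attack vulnerable_save)"
echo "fixed save,   victim now reads: $(run_attack safe_save)"
echo "hardcoded /tmp paths in snippet: $(count_hardcoded_tmp "$WORK/snippet.sh")"
```

The guarantee comes from the O_EXCL create inside mktemp/tempfile, not from the random name alone: a random name still opened with a plain `>` would follow a symlink if the attacker guessed it. Both tools honour $TMPDIR, which is fine when the root session's environment is trusted, and both create the file 0600, so chmod before the mv if anything other than root must read the result.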
Matt Zimmerman (mdz) wrote : | #3 |
I thought this binary package was in universe, but apparently not... please look
into that as well.
In Debian Bug tracker #324193, Aurelien Jarno (aurel32) wrote : Bug#324193: fixed in lm-sensors 1:2.9.1-7 | #4 |
Source: lm-sensors
Source-Version: 1:2.9.1-7
We believe that the bug you reported is fixed in the latest version of
lm-sensors, which is due to be installed in the Debian FTP archive:
kernel-
to pool/main/
libsensors-
to pool/main/
libsensors-
to pool/main/
libsensors-
to pool/main/
libsensors-
to pool/main/
libsensors-
to pool/main/
libsensors3_
to pool/main/
libsensors3_
to pool/main/
libsensors3_
to pool/main/
libsensors3_
to pool/main/
libsensors3_
to pool/main/
lm-sensors-
to pool/main/
lm-sensors-
to pool/main/
lm-sensors-
to pool/main/
lm-sensors-
to pool/main/
lm-sensors-
to pool/main/
lm-sensors-
to pool/main/
lm-sensors-
to pool/main/
lm-sensors-
to pool/main/
lm-sensors_
to pool/main/
lm-sensors_
to pool/main/
lm-sensors_
to pool/main/
lm-sensors_
to pool/main/
lm-sensors_
to pool/main/
lm-sensors_
to pool/main/
lm-sensors_
to pool/main/
sensord_
to pool/main/
sensord_
to pool/main/
sensord_
to pool/main/
sensord_
to pool/main/
sensord_
to pool/main/
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will ...
In Debian Bug tracker #324193, Aurelien Jarno (aurelien-aurel32) wrote : Reopening the bug for sarge and etch | #5 |
reopen 324193
tag 324193 + sarge
tag 324193 + etch
thanks
--
.''`. Aurelien Jarno | GPG: 1024D/F1BCDB73
: :' : Debian GNU/Linux developer | Electrical Engineer
`. `' <email address hidden> | <email address hidden>
`- people.
Martin Pitt (pitti) wrote : | #6 |
lm-sensors (1:2.9.1-4ubuntu2) breezy; urgency=low
.
* SECURITY UPDATE: Fix insecure temporary file handling.
* prog/pwm/pwmconfig:
- Do not use hardcoded /tmp/fancontrol, but safe temporary name generated
by tempfile.
- Ubuntu #13887, Debian #324193
Fix pending for Hoary.
Martin Pitt (pitti) wrote : | #7 |
Hoary fixed in USN-172-1, lm-sensors is universe for Warty.
In Debian Bug tracker #324193, Martin Pitt (pitti) wrote : Fwd: CAN-2005-2672 assigned to pwmconfig symlink | #8 |
Hi!
This got a CAN number assigned. Can you please mention it in the
changelog when you fix this?
Thanks,
Martin
----- Forwarded message from "Steven M. Christey" <email address hidden> -----
Date: Tue, 23 Aug 2005 14:53:06 -0400 (EDT)
From: "Steven M. Christey" <email address hidden>
To: <email address hidden>, <email address hidden>
Cc: <email address hidden>
Subject: CAN-2005-2672 assigned to pwmconfig symlink
FYI...
=======
Candidate: CAN-2005-2672
URL: http://
Reference: BID:14624
Reference: URL:http://
Reference: UBUNTU:USN-172-1
Reference: URL:http://
Reference: CONFIRM:http://
pwmconfig in LM_sensors before 2.9.1 creates temporary files
insecurely, which allows local users to overwrite arbitrary files via
a symlink attack on the fancontrol temporary file.
----- End forwarded message -----
--
Martin Pitt http://
Ubuntu Developer http://
Debian Developer http://
In Debian Bug tracker #324193, Aurelien Jarno (aurelien-aurel32) wrote : Re: Bug#324193: Fwd: CAN-2005-2672 assigned to pwmconfig symlink | #9 |
On Wed, Aug 24, 2005 at 08:47:53AM +0200, Martin Pitt wrote:
> Hi!
>
> This got a CAN number assigned. Can you please mention it in the
> changelog when you fix this?
Well, the bug is now fixed for a few days. I have decided to fix it
without a CAN number because I was unable to get one (got no answer from
the security team, and it is still the case).
Should I upload a new version, just adding this CAN number?
Bye,
Aurelien
--
.''`. Aurelien Jarno | GPG: 1024D/F1BCDB73
: :' : Debian GNU/Linux developer | Electrical Engineer
`. `' <email address hidden> | <email address hidden>
`- people.
In Debian Bug tracker #324193, Martin Pitt (pitti) wrote : | #10 |
Hi Aurelien!
Aurelien Jarno [2005-08-24 11:10 +0200]:
> On Wed, Aug 24, 2005 at 08:47:53AM +0200, Martin Pitt wrote:
> > Hi!
> >
> > This got a CAN number assigned. Can you please mention it in the
> > changelog when you fix this?
>
> Well, the bug is now fixed for a few days. I have decided to fix it
> without a CAN number because I was unable to get one (got no answer from
> the security team, and it is still the case).
Ah, fine.
> Should I upload a new version, just adding this CAN number.
No, that's not worth the trouble. However, it would be nice if you
could add it at the next regular upload.
Thanks!
Martin
--
Martin Pitt http://
Ubuntu Developer http://
Debian Developer http://
In Debian Bug tracker #324193, Martin Schulze (joey-infodrom) wrote : Fixed in NMU of lm-sensors 1:2.9.1-1sarge2 | #11 |
tag 324193 + fixed
quit
This message was generated automatically in response to a
non-maintainer upload. The .changes file follows.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Mon, 12 Sep 2005 09:13:40 +0200
Source: lm-sensors
Binary: lm-sensors-
Architecture: source powerpc all
Version: 1:2.9.1-1sarge2
Distribution: stable-security
Urgency: high
Maintainer: Martin Schulze <email address hidden>
Changed-By: Martin Schulze <email address hidden>
Description:
kernel-
libsensors-dev - lm-sensors development kit
libsensors3 - library to read temperature/
lm-sensors - utilities to read temperature/
lm-sensors-source - kernel drivers to read temperature/
sensord - hardware sensor information logging daemon
Closes: 324193
Changes:
lm-sensors (1:2.9.1-1sarge2) stable-security; urgency=high
.
* Non-maintainer upload by the Security Team
* Applied maintainer patch to fix insecure temporary file creation
[prog/
Files:
b29b66e67c0cdc
551c338fbc31a1
326fe327486907
362b899e12a413
1c01fa48983ca5
2be27fc39b6610
9b936604bcb60d
a4cc7cf6224591
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iD8DBQFDJTECW5q
uH1Yn+P/
=Q2Di
-----END PGP SIGNATURE-----
In Debian Bug tracker #324193, Aurelien Jarno (aurelien-aurel32) wrote : bug only present in etch | #12 |
tag 324193 - sarge
tag 324193 - fixed
thanks
--
.''`. Aurelien Jarno | GPG: 1024D/F1BCDB73
: :' : Debian GNU/Linux developer | Electrical Engineer
`. `' <email address hidden> | <email address hidden>
`- people.
Debian Bug Importer (debzilla) wrote : | #13 |
Message-Id: <email address hidden>
Date: Sat, 20 Aug 2005 17:17:06 -0700
From: Aurelien Jarno <email address hidden>
To: <email address hidden>
Subject: Bug#324193: fixed in lm-sensors 1:2.9.1-7
Debian Bug Importer (debzilla) wrote : | #14 |
Message-ID: <email address hidden>
Date: Sun, 21 Aug 2005 12:17:59 +0200
From: Aurelien Jarno <email address hidden>
To: <email address hidden>
Subject: Reopening the bug for sarge and etch
Debian Bug Importer (debzilla) wrote : | #15 |
Message-ID: <email address hidden>
Date: Wed, 24 Aug 2005 08:47:53 +0200
From: Martin Pitt <email address hidden>
To: <email address hidden>
Subject: Fwd: CAN-2005-2672 assigned to pwmconfig symlink
Debian Bug Importer (debzilla) wrote : | #16 |
Message-ID: <email address hidden>
Date: Wed, 24 Aug 2005 11:10:53 +0200
From: Aurelien Jarno <email address hidden>
To: Martin Pitt <email address hidden>, <email address hidden>
Subject: Re: Bug#324193: Fwd: CAN-2005-2672 assigned to pwmconfig symlink
Debian Bug Importer (debzilla) wrote : | #17 |
Message-ID: <email address hidden>
Date: Wed, 24 Aug 2005 13:47:00 +0200
From: Martin Pitt <email address hidden>
To: Aurelien Jarno <email address hidden>, <email address hidden>
Subject: Re: Bug#324193: Fwd: CAN-2005-2672 assigned to pwmconfig symlink
Debian Bug Importer (debzilla) wrote : | #18 |
Message-Id: <email address hidden>
Date: Thu, 15 Sep 2005 07:17:12 -0700
From: Martin Schulze <email address hidden>
To: <email address hidden>
Cc: Martin Schulze <email address hidden>, Martin Schulze <email address hidden>
Subject: Fixed in NMU of lm-sensors 1:2.9.1-1sarge2
Debian Bug Importer (debzilla) wrote : | #19 |
Message-ID: <email address hidden>
Date: Thu, 15 Sep 2005 19:33:48 +0200
From: Aurelien Jarno <email address hidden>
To: <email address hidden>
Subject: bug only present in etch
In Debian Bug tracker #324193, Aurelien Jarno (aurelien-aurel32) wrote : Closing the bug | #20 |
lm-sensors has been moved to etch. Closing the bug.
--
.''`. Aurelien Jarno | GPG: 1024D/F1BCDB73
: :' : Debian developer | Electrical Engineer
`. `' <email address hidden> | <email address hidden>
`- people.
In Debian Bug tracker #324193, Steve Langasek (vorlon) wrote : version tracking, please | #21 |
reopen 324193
found 324193 1:2.9.1-1
close 324193 1:2.9.1-7
close 324193 1:2.9.1-1sarge2
thanks
Debian Bug Importer (debzilla) wrote : | #22 |
Message-ID: <email address hidden>
Date: Fri, 21 Oct 2005 01:19:57 +0200
From: Aurelien Jarno <email address hidden>
To: <email address hidden>
Subject: Closing the bug
Debian Bug Importer (debzilla) wrote : | #23 |
Message-ID: <email address hidden>
Date: Thu, 20 Oct 2005 16:51:44 -0700
From: Steve Langasek <email address hidden>
To: <email address hidden>
Subject: version tracking, please
Debian Bug Importer (debzilla) wrote : | #25 |
Message-Id: <email address hidden>
Date: Fri, 16 Dec 2005 21:33:03 -0800
From: Martin Schulze <email address hidden>
To: <email address hidden>
Cc: Martin Schulze <email address hidden>, Martin Schulze <email address hidden>
Subject: Fixed in NMU of lm-sensors 1:2.9.1-1sarge2
Automatically imported from Debian bug report #324193 http://bugs.debian.org/324193