lm-sensors: Insecure tempfile usage in pwmconfig

Bug #20127 reported by Debian Bug Importer
Affects              Status        Importance  Assigned to  Milestone
lm-sensors (Debian)  Fix Released  Unknown
lm-sensors (Ubuntu)  Fix Released  High        Martin Pitt

Bug Description

Automatically imported from Debian bug report #324193 http://bugs.debian.org/324193

CVE References

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Sat, 20 Aug 2005 22:21:13 +0200
From: Aurelien Jarno <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: lm-sensors: Insecure tempfile usage in pwmconfig

Package: lm-sensors
Version: 1:2.9.1-5
Severity: grave
Tags: security patch

lm-sensors's configuration script pwmconfig, which is used, generally as
root, to probe the fan controls and generate a new configuration file,
uses files under /tmp in an unsafe way which makes it possible to
conduct symlink attacks. The temporary filename used to create a
temporary configuration file is hardcoded to '/tmp/fancontrol'.

Thanks to Javier Fernández-Sanguino Peña <email address hidden> who first
reported me the bug.

--- pwmconfig.orig 2005-08-05 18:36:40.000000000 +0200
+++ pwmconfig 2005-08-05 18:37:47.000000000 +0200
@@ -465,9 +465,11 @@
 function SaveConfig {
  echo
  echo "Saving configuration to $FCCONFIG..."
- egrep -v '(INTERVAL|FCTEMPS|FCFANS|MAXTEMP|MINTEMP|MINSTART|MINSTOP)' $FCCONFIG >/tmp/fancontrol
- echo -e "INTERVAL=$INTERVAL\nFCTEMPS=$FCTEMPS\nFCFANS=$FCFANS\nMINTEMP=$MINTEMP\nMAXTEMP=$MAXTEMP\nMINSTART=$MINSTART\nMINSTOP=$MINSTOP" >>/tmp/fancontrol
- mv /tmp/fancontrol $FCCONFIG
+ tmpfile=`tempfile` || { echo "$0: Cannot create temporary file" >&2; exit 1; }
+ trap " [ -f \"$tmpfile\" ] && /bin/rm -f -- \"$tmpfile\"" 0 1 2 3 13 15
+ egrep -v '(INTERVAL|FCTEMPS|FCFANS|MAXTEMP|MINTEMP|MINSTART|MINSTOP)' $FCCONFIG >$tmpfile
+ echo -e "INTERVAL=$INTERVAL\nFCTEMPS=$FCTEMPS\nFCFANS=$FCFANS\nMINTEMP=$MINTEMP\nMAXTEMP=$MAXTEMP\nMINSTART=$MINSTART\nMINSTOP=$MINSTOP" >>$tmpfile
+ mv $tmpfile $FCCONFIG
  #check if file was written correctly
  echo 'Configuration saved'
 }
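
Review bot: the result of `mv $tmpfile $FCCONFIG` is never checked, so if the move fails (destination not writable, disk full, interrupted cross-device copy) the function still prints 'Configuration saved' and the `#check if file was written correctly` comment that follows has no check behind it; suggest `mv -- "$tmpfile" "$FCCONFIG" || { echo "$0: cannot write $FCCONFIG" >&2; exit 1; }`. Two smaller points on the same lines: `tempfile` creates its file with mode 0600 and `mv` keeps that mode, so after this change `$FCCONFIG` ends up root-only 0600 whatever mode it had before (use `tempfile -m 0644`, or chmod after the move, if anything other than root needs to read it), and `$tmpfile` and `$FCCONFIG` are unquoted on every new line, so quote them.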

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to fr_FR.UTF-8)

Versions of packages lm-sensors depends on:
ii debconf [debconf-2.0] 1.4.57 Debian configuration management sy
ii libc6 2.3.5-3 GNU C Library: Shared libraries an
ii libsensors3 1:2.9.1-5 library to read temperature/voltag
ii makedev 2.3.1-78 creates device files in /dev
ii perl 5.8.7-4 Larry Wall's Practical Extraction
ii sed 4.1.4-2 The GNU sed stream editor
ii sysvinit 2.86.ds1-1 System-V like init
ii ucf 2.001 Update Configuration File: preserv

Versions of packages lm-sensors recommends:
ii kernel-image-2.6.12 [kernel 10.00.Custom Linux kernel binary image for vers
ii lm-sensors-2.4.27-2-k7 [lm- 1:2.9.1-5 kernel drivers to read temperature

-- debconf information excluded
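
The report above describes the bug but not the attack it enables. The script below is an added example, not code from lm-sensors or from the bug report: it puts the pre-patch SaveConfig pattern (a fixed name under a world-writable directory) next to the patched pattern (a freshly created, unpredictably named temporary file with a cleanup trap), and runs both against a constructed sandbox, so nothing under the real /tmp or /etc is touched. mktemp(1) stands in for Debian's tempfile(1) used in the patch; the sandbox layout, the victim file and the planted symlink are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not part of lm-sensors or of the bug report): the pre-patch
# SaveConfig pattern next to a mktemp-based version, run in a throwaway
# sandbox. mktemp(1) stands in for Debian's tempfile(1); both create a fresh,
# unpredictably named file with O_CREAT|O_EXCL.
set -u

# Constructed scenario: $sandbox/tmp plays /tmp, $sandbox/victim is a file the
# attacker wants clobbered, and the attacker has already planted a symlink at
# the predictable name /tmp/fancontrol pointing at it. Prints the sandbox path.
setup_sandbox() {
    sandbox=$(mktemp -d) || return 1
    mkdir "$sandbox/tmp" || return 1
    printf 'original contents\n' > "$sandbox/victim"
    ln -s "$sandbox/victim" "$sandbox/tmp/fancontrol"
    printf '%s\n' "$sandbox"
}

# Vulnerable pattern (what pwmconfig did before the patch): the '>' redirect
# opens the fixed path with O_CREAT|O_TRUNC, follows the planted symlink and
# writes the configuration into the victim file instead of a new one.
save_config_unsafe() {            # $1 = sandbox root, $2 = destination config
    tmp="$1/tmp/fancontrol"
    printf 'INTERVAL=10\n' > "$tmp"
    mv "$tmp" "$2"
}

# Hardened pattern (what the patch does): the kernel creates a brand-new file
# under a random name, so a symlink planted in advance cannot be the file that
# gets written; the trap removes it if the script dies before the mv.
save_config_safe() {              # $1 = sandbox root, $2 = destination config
    tmpfile=$(mktemp "$1/tmp/fancontrol.XXXXXX") ||
        { echo "$0: cannot create temporary file" >&2; return 1; }
    trap 'rm -f -- "$tmpfile"' EXIT HUP INT TERM
    printf 'INTERVAL=10\n' > "$tmpfile"
    mv -- "$tmpfile" "$2" || return 1
    trap - EXIT HUP INT TERM
}

# Exit status 0 when the victim file still holds what setup_sandbox wrote.
victim_intact() {
    [ "$(cat "$1/victim")" = "original contents" ]
}

# Runs one variant against a fresh sandbox and cleans up.
# Exit status 0 = victim survived, 1 = victim was overwritten.
run_variant() {                   # $1 = unsafe | safe
    sb=$(setup_sandbox) || return 2
    "save_config_$1" "$sb" "$sb/etc_fancontrol"
    if victim_intact "$sb"; then
        rc=0; echo "$1: victim intact"
    else
        rc=1; echo "$1: victim overwritten"
    fi
    rm -rf -- "$sb"
    return $rc
}

run_variant unsafe || true        # exit status 1: victim overwritten
run_variant safe                  # exit status 0: victim intact
```

The unsafe variant overwrites the victim because the write happens through whatever /tmp/fancontrol already is; a local user who can guess the name (here it is hardcoded, so there is nothing to guess) chooses the target. The safe variant never opens a pre-existing path for writing: the name is chosen by mktemp and the file is created exclusively, so a pre-planted symlink is simply left alone. Note that Linux 3.6 and later with fs.protected_symlinks=1 refuse to follow a symlink in a world-writable sticky directory when the link's owner differs from both the follower and the directory owner, which blunts this attack on modern systems; the sandbox above has a single owner, so the write goes through, and the fix should not rely on that sysctl.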

Revision history for this message
Matt Zimmerman (mdz) wrote :

I thought this binary package was in universe, but apparently not...please look
into that as well

Revision history for this message
Aurelien Jarno (aurel32) wrote : Bug#324193: fixed in lm-sensors 1:2.9.1-7

Source: lm-sensors
Source-Version: 1:2.9.1-7

We believe that the bug you reported is fixed in the latest version of
lm-sensors, which is due to be installed in the Debian FTP archive:

kernel-patch-2.4-lm-sensors_2.9.1-7_all.deb
  to pool/main/l/lm-sensors/kernel-patch-2.4-lm-sensors_2.9.1-7_all.deb
libsensors-dev_2.9.1-7_hppa.deb
  to pool/main/l/lm-sensors/libsensors-dev_2.9.1-7_hppa.deb
libsensors-dev_2.9.1-7_i386.deb
  to pool/main/l/lm-sensors/libsensors-dev_2.9.1-7_i386.deb
libsensors-dev_2.9.1-7_mips.deb
  to pool/main/l/lm-sensors/libsensors-dev_2.9.1-7_mips.deb
libsensors-dev_2.9.1-7_powerpc.deb
  to pool/main/l/lm-sensors/libsensors-dev_2.9.1-7_powerpc.deb
libsensors-dev_2.9.1-7_sparc.deb
  to pool/main/l/lm-sensors/libsensors-dev_2.9.1-7_sparc.deb
libsensors3_2.9.1-7_hppa.deb
  to pool/main/l/lm-sensors/libsensors3_2.9.1-7_hppa.deb
libsensors3_2.9.1-7_i386.deb
  to pool/main/l/lm-sensors/libsensors3_2.9.1-7_i386.deb
libsensors3_2.9.1-7_mips.deb
  to pool/main/l/lm-sensors/libsensors3_2.9.1-7_mips.deb
libsensors3_2.9.1-7_powerpc.deb
  to pool/main/l/lm-sensors/libsensors3_2.9.1-7_powerpc.deb
libsensors3_2.9.1-7_sparc.deb
  to pool/main/l/lm-sensors/libsensors3_2.9.1-7_sparc.deb
lm-sensors-2.4.27-2-386_2.9.1-7_i386.deb
  to pool/main/l/lm-sensors/lm-sensors-2.4.27-2-386_2.9.1-7_i386.deb
lm-sensors-2.4.27-2-586tsc_2.9.1-7_i386.deb
  to pool/main/l/lm-sensors/lm-sensors-2.4.27-2-586tsc_2.9.1-7_i386.deb
lm-sensors-2.4.27-2-686-smp_2.9.1-7_i386.deb
  to pool/main/l/lm-sensors/lm-sensors-2.4.27-2-686-smp_2.9.1-7_i386.deb
lm-sensors-2.4.27-2-686_2.9.1-7_i386.deb
  to pool/main/l/lm-sensors/lm-sensors-2.4.27-2-686_2.9.1-7_i386.deb
lm-sensors-2.4.27-2-k6_2.9.1-7_i386.deb
  to pool/main/l/lm-sensors/lm-sensors-2.4.27-2-k6_2.9.1-7_i386.deb
lm-sensors-2.4.27-2-k7-smp_2.9.1-7_i386.deb
  to pool/main/l/lm-sensors/lm-sensors-2.4.27-2-k7-smp_2.9.1-7_i386.deb
lm-sensors-2.4.27-2-k7_2.9.1-7_i386.deb
  to pool/main/l/lm-sensors/lm-sensors-2.4.27-2-k7_2.9.1-7_i386.deb
lm-sensors-source_2.9.1-7_all.deb
  to pool/main/l/lm-sensors/lm-sensors-source_2.9.1-7_all.deb
lm-sensors_2.9.1-7.diff.gz
  to pool/main/l/lm-sensors/lm-sensors_2.9.1-7.diff.gz
lm-sensors_2.9.1-7.dsc
  to pool/main/l/lm-sensors/lm-sensors_2.9.1-7.dsc
lm-sensors_2.9.1-7_hppa.deb
  to pool/main/l/lm-sensors/lm-sensors_2.9.1-7_hppa.deb
lm-sensors_2.9.1-7_i386.deb
  to pool/main/l/lm-sensors/lm-sensors_2.9.1-7_i386.deb
lm-sensors_2.9.1-7_mips.deb
  to pool/main/l/lm-sensors/lm-sensors_2.9.1-7_mips.deb
lm-sensors_2.9.1-7_powerpc.deb
  to pool/main/l/lm-sensors/lm-sensors_2.9.1-7_powerpc.deb
lm-sensors_2.9.1-7_sparc.deb
  to pool/main/l/lm-sensors/lm-sensors_2.9.1-7_sparc.deb
sensord_2.9.1-7_hppa.deb
  to pool/main/l/lm-sensors/sensord_2.9.1-7_hppa.deb
sensord_2.9.1-7_i386.deb
  to pool/main/l/lm-sensors/sensord_2.9.1-7_i386.deb
sensord_2.9.1-7_mips.deb
  to pool/main/l/lm-sensors/sensord_2.9.1-7_mips.deb
sensord_2.9.1-7_powerpc.deb
  to pool/main/l/lm-sensors/sensord_2.9.1-7_powerpc.deb
sensord_2.9.1-7_sparc.deb
  to pool/main/l/lm-sensors/sensord_2.9.1-7_sparc.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will ...

Revision history for this message
Aurelien Jarno (aurelien-aurel32) wrote : Reopening the bug for sarge and etch

reopen 324193
tag 324193 + sarge
tag 324193 + etch
thanks

--
  .''`. Aurelien Jarno | GPG: 1024D/F1BCDB73
 : :' : Debian GNU/Linux developer | Electrical Engineer
 `. `' <email address hidden> | <email address hidden>
   `- people.debian.org/~aurel32 | www.aurel32.net

Revision history for this message
Martin Pitt (pitti) wrote :

 lm-sensors (1:2.9.1-4ubuntu2) breezy; urgency=low
 .
   * SECURITY UPDATE: Fix insecure temporary file handling.
   * prog/pwm/pwmconfig:
     - Do not use hardcoded /tmp/fancontrol, but safe temporary name generated
       by tempfile.
     - Ubuntu #13887, Debian #324193

Fix pending for Hoary.

Revision history for this message
Martin Pitt (pitti) wrote :

Hoary fixed in USN-172-1, lm-sensors is universe for Warty.

Revision history for this message
Martin Pitt (pitti) wrote : Fwd: CAN-2005-2672 assigned to pwmconfig symlink

Hi!

This got a CAN number assigned. Can you please mention it in the
changelog when you fix this?

Thanks,

Martin

----- Forwarded message from "Steven M. Christey" <email address hidden> -----

Date: Tue, 23 Aug 2005 14:53:06 -0400 (EDT)
From: "Steven M. Christey" <email address hidden>
To: <email address hidden>, <email address hidden>
Cc: <email address hidden>
Subject: CAN-2005-2672 assigned to pwmconfig symlink
X-Spam-Status: No, score=1.4 required=4.0 tests=AWL,BAYES_50 autolearn=no
 version=3.0.3

FYI...

======================================================
Candidate: CAN-2005-2672
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2672
Reference: BID:14624
Reference: URL:http://www.securityfocus.com/bid/14624
Reference: UBUNTU:USN-172-1
Reference: URL:http://www.ubuntulinux.org/support/documentation/usn/usn-172-1
Reference: CONFIRM:http://secure.netroedge.com/~lm78/cvs/lm_sensors2/CHANGES

pwmconfig in LM_sensors before 2.9.1 creates temporary files
insecurely, which allows local users to overwrite arbitrary files via
a symlink attack on the fancontrol temporary file.

----- End forwarded message -----

--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntu.com
Debian Developer http://www.debian.org

Revision history for this message
Aurelien Jarno (aurelien-aurel32) wrote : Re: Bug#324193: Fwd: CAN-2005-2672 assigned to pwmconfig symlink

On Wed, Aug 24, 2005 at 08:47:53AM +0200, Martin Pitt wrote:
> Hi!
>
> This got a CAN number assigned. Can you please mention it in the
> changelog when you fix this?

Well, the bug is now fixed for a few days. I have decided to fix it
without a CAN number because I was unable to get one (got no answer from
the security team, and it is still the case).

Should I upload a new version, just adding this CAN number.

Bye,
Aurelien

--
  .''`. Aurelien Jarno | GPG: 1024D/F1BCDB73
 : :' : Debian GNU/Linux developer | Electrical Engineer
 `. `' <email address hidden> | <email address hidden>
   `- people.debian.org/~aurel32 | www.aurel32.net

Revision history for this message
Martin Pitt (pitti) wrote :

Hi Aurelien!

Aurelien Jarno [2005-08-24 11:10 +0200]:
> On Wed, Aug 24, 2005 at 08:47:53AM +0200, Martin Pitt wrote:
> > Hi!
> >
> > This got a CAN number assigned. Can you please mention it in the
> > changelog when you fix this?
>
> Well, the bug is now fixed for a few days. I have decided to fix it
> without a CAN number because I was unable to get one (got no answer from
> the security team, and it is still the case).

Ah, fine.

> Should I upload a new version, just adding this CAN number.

No, that's not worth the trouble. However, it would be nice if you
could add it at the next regular upload.

Thanks!

Martin
--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntu.com
Debian Developer http://www.debian.org

Revision history for this message
Martin Schulze (joey-infodrom) wrote : Fixed in NMU of lm-sensors 1:2.9.1-1sarge2

tag 324193 + fixed

quit

This message was generated automatically in response to a
non-maintainer upload. The .changes file follows.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 12 Sep 2005 09:13:40 +0200
Source: lm-sensors
Binary: lm-sensors-2.4.27-2-386 lm-sensors-source lm-sensors-2.4.27-2-k7 libsensors-dev lm-sensors-2.4.27-2-k7-smp lm-sensors-2.4.27-2-586tsc lm-sensors sensord kernel-patch-2.4-lm-sensors lm-sensors-2.4.27-2-686 lm-sensors-2.4.27-2-k6 lm-sensors-2.4.27-2-686-smp libsensors3
Architecture: source powerpc all
Version: 1:2.9.1-1sarge2
Distribution: stable-security
Urgency: high
Maintainer: Martin Schulze <email address hidden>
Changed-By: Martin Schulze <email address hidden>
Description:
 kernel-patch-2.4-lm-sensors - drivers to read temperature/voltage/fan sensors
 libsensors-dev - lm-sensors development kit
 libsensors3 - library to read temperature/voltage/fan sensors
 lm-sensors - utilities to read temperature/voltage/fan sensors
 lm-sensors-source - kernel drivers to read temperature/voltage/fan sensors (source)
 sensord - hardware sensor information logging daemon
Closes: 324193
Changes:
 lm-sensors (1:2.9.1-1sarge2) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team
   * Applied maintainer patch to fix insecure temporary file creation
     [prog/pwm/pwmconfig, CAN-2005-2672], Closes: Bug#324193
Files:
 b29b66e67c0cdc230e00e5183724427a 1089 utils extra lm-sensors_2.9.1-1sarge2.dsc
 551c338fbc31a17f7fd909c8c18f495e 32896 utils extra lm-sensors_2.9.1-1sarge2.diff.gz
 326fe3274869079637c4a425430d9cc9 476730 utils extra lm-sensors_2.9.1-1sarge2_powerpc.deb
 362b899e12a413c46a1aa3bb80ae9564 84122 libs optional libsensors3_2.9.1-1sarge2_powerpc.deb
 1c01fa48983ca51785fb6cebcb1352e7 105926 libdevel extra libsensors-dev_2.9.1-1sarge2_powerpc.deb
 2be27fc39b66107b8bc28df51bfd929f 59362 utils extra sensord_2.9.1-1sarge2_powerpc.deb
 9b936604bcb60dd90c26de965bc8ae7f 304604 devel extra kernel-patch-2.4-lm-sensors_2.9.1-1sarge2_all.deb
 a4cc7cf62245912cca061249e7ff153e 956166 misc extra lm-sensors-source_2.9.1-1sarge2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDJTECW5ql+IAeqTIRAuYEAKCD8P/umMhut8akP+7w4TF+B64QwACfW9p8
uH1Yn+P/8dLaOiF2Utez5nk=
=Q2Di
-----END PGP SIGNATURE-----

Revision history for this message
Aurelien Jarno (aurelien-aurel32) wrote : bug only present in etch

tag 324193 - sarge
tag 324193 - fixed
thanks

--
  .''`. Aurelien Jarno | GPG: 1024D/F1BCDB73
 : :' : Debian GNU/Linux developer | Electrical Engineer
 `. `' <email address hidden> | <email address hidden>
   `- people.debian.org/~aurel32 | www.aurel32.net

Revision history for this message
Aurelien Jarno (aurelien-aurel32) wrote : Closing the bug

lm-sensors has been moved to etch. Closing the bug.

--
  .''`. Aurelien Jarno | GPG: 1024D/F1BCDB73
 : :' : Debian developer | Electrical Engineer
 `. `' <email address hidden> | <email address hidden>
   `- people.debian.org/~aurel32 | www.aurel32.net

Revision history for this message
Steve Langasek (vorlon) wrote : version tracking, please

reopen 324193
found 324193 1:2.9.1-1
close 324193 1:2.9.1-7
close 324193 1:2.9.1-1sarge2
thanks
