tmpfile vunerability

Bug #261962 reported by Stefan Ebner on 2008-08-27
258
Affects Status Importance Assigned to Milestone
twiki (Ubuntu)
Undecided
Unassigned
Intrepid
Undecided
Unassigned

Bug Description

Binary package hint: twiki

 twiki (1:4.1.2-4) unstable; urgency=emergency
 .
   * move session files to /var/lib/twiki/working/tmp (Closes: #494648)
   * related issue with passthrough files (Closes: #468159)
   * fix dependancys on apache* rather than apache*-common (Closes: #482285)
   * remove TWikiGuest user with hardcoded password from htpassword.
   * Build instructions moved from section -arch to -indep (closes lintian warning).

 -- Sven Dowideit <email address hidden> Thu, 14 Aug 2008 09:53:40 +0100

Remaining changes:

    - Add a horrible hack to try and detect if htpasswd supports -b.
    - Prefer apache2 to apache in the webserver list, and add mini-httpd.
    - Only attempt to restart any of the apache's if /usr/sbin/apachectl
      exists and is executable, doing the same favour for apache2.
    - Update Maintainer field as per spec

CVE References

Daniel Holbach (dholbach) wrote :

What about these changes

twiki (1:4.1.2-3.2ubuntu1) intrepid; urgency=low

  * Merge from Debian Unstable (LP: #182415), remaining Ubuntu changes:
    - Add a horrible hack to try and detect if htpasswd supports -b.
    - Prefer apache2 to apache in the webserver list, and add mini-httpd.
    - Only attempt to restart any of the apache's if /usr/sbin/apachectl
      exists and is executable, doing the same favour for apache2.
    - Update Maintainer field as per spec

 -- Emanuele Gentili < <email address hidden>> Sun, 20 Jul 2008 19:30:18 +0200

Changed in twiki:
status: New → Incomplete

Sorry for the trouble ... hmm, and better late than never :)
Dropping the ugly fix since debian dropped the TWikiGuest user and not mentioning the the Maintainer thing since it's not necessary mentioning anymore. Mind sponsoring Daniel?

description: updated
Changed in twiki:
status: Incomplete → Confirmed
James Westby (james-w) wrote :

Hi Stefan,

The postinst still calls htpasswd, so it could still fail with mini-httpd.
Also, please file a bug on the Debian mini-httpd package asking for
-b support so that we can get rid of this hack one day.

Also, there is a failure waiting to happen if the user installs and
then removes and doesn't purge mini-httpd, so please extend the
checks for apachectl to check for something that indicates the
mini-httpd package is installed.

Perhaps we are better off dropping mini-httpd support. It's not even
listed as an alternative in the depends, so you have to install apache
anyway.

Thanks,

James

Steve Kowalik (stevenk) wrote :

Speaking as the guy who added the horrid hack for -b, I recall it wasn't added for mini-httpd, but another web server. I can't currently recall which, though.

Stefan Ebner (sebner) wrote :

Security Update für intrepid

James Westby (james-w) wrote :

Hi,

The merge of a later version from Debian has been done.

Thanks,

James

Changed in twiki:
status: Confirmed → Fix Released
Artur Rona (ari-tczew) wrote :

I'm subscribing ubuntu-security-sponsors for intrepid's debdiff review.

Jamie Strandboge (jdstrand) wrote :

Sorry the security patch got neglected for so long. It didn't pop up on our reports due to how it was filed.

ACK (the patch is slightly different from what landed in Jaunty, but is nearly the same).

Changed in twiki (Ubuntu Intrepid):
status: New → Confirmed
Jamie Strandboge (jdstrand) wrote :

Uploaded to security queue.

Changed in twiki (Ubuntu Intrepid):
status: Confirmed → Fix Committed
Jamie Strandboge (jdstrand) wrote :

twiki (1:4.1.2-3.2ubuntu1.1) intrepid-security; urgency=low

  * Changes taken from Debian version 4.1.2-4
  * SECURITY UPDATE: Possible symlink attack through /tmp directory
    - move session files to /var/lib/twiki/working/tmp
    - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494648
  * debian/patches: 001_WorkingDir.dpatch
    - Modyfied patch to fix Template Login
    - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=468159

Changed in twiki (Ubuntu Intrepid):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.