[Secure-testing-team] TWiki 4.1.2-2 fix for CVE-2007-5193

Nico Golde debian-secure-testing+ml at ngolde.de
Thu Oct 18 16:54:06 UTC 2007


Hi all! :)
* Holger Levsen <holger at layer-acht.org> [2007-10-18 17:02]:
> Amaya forwarded your mail to me, so that I can sponsor the upload as she is 
> too busy currently...
> 
> On Sunday 14 October 2007 14:08, Sven wrote:
> > is there any chance you could upload twiki_4.1.2-2_all.deb from
> > http://distributedinformation.com/TWikiDebian/
> > It's for fixing http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=444982
> 
> I just looked at the debdiff between the version in testing+unstable (4.1.2-1) 
> and http://distributedinformation.com/TWikiDebian/twiki_4.1.2-2.dsc
> and decided not to upload it, because I cannot easily say if all the changes 
> are needed to fix the security issue (#444982 / CVE-2007-5193)
> 
> I noticed that you edited the changelog for 4.1.2-1 in the 4.1.2-2 package 
> _and_ did some related changes to it (adding suggests) and did at least one 
> (small) change which is not in changelog: change maintainer address.
> 
> This, _combined_ with my lack of knowledge of the package and therefore 
> inability to understand the changes without some effort, led me to the 
> decision to not sponsor the upload. Sorry.
> 
> But I've forwarded this issue to the testing-security team so they can upload 
> it.
[...] 
Without looking too deep into the changes, since I have to
write an exam tomorrow, I saw the following in postinst:
--- twiki-4.1.2/debian/postinst
+++ twiki-4.1.2/debian/postinst
@@ -139,13 +139,19 @@
        fi
 
        #create securer-twiki session dir
-       if [ ! -e /tmp/twiki ]; then
-               mkdir /tmp/twiki 
+       if [ ! -e /var/lib/twiki/working ]; then
+               mkdir /var/lib/twiki/working 
+       fi
+       if [ ! -e /var/lib/twiki/working/tmp ]; then
+               mkdir /var/lib/twiki/working/tmp 
+       fi
+       if [ ! -e /var/lib/twiki/working/work_areas ]; then
+               mkdir /var/lib/twiki/working/work_areas
        fi
        #mmmm, mailnotify etc may be running _not_ as www-data
        #and for some reason create a session
-       chmod 777 /tmp/twiki 
-       chown $TWIKI_OWNER.www-data /tmp/twiki 
+       chmod 777 /var/lib/twiki/working/tmp 
+       chown $TWIKI_OWNER.www-data /var/lib/twiki/working/tmp 
 
        #add softlinks to make adding plugins easier ()
        if [ ! -e /var/lib/twiki/lib ]; then
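
Review bot: "chmod 777 /var/lib/twiki/working/tmp" leaves the session directory world-writable with no sticky bit, so any local account can create, rename or remove entries in it, symlinks included; moving it out of /tmp does not change that. The following line already sets owner $TWIKI_OWNER and group www-data, so a mode limited to owner and group (770, or 2770 so new files inherit the group) should cover the mailnotify case the comment mentions; if world write access really is required, use 1777. Two further points in the same hunk: the "[ ! -e ... ]" tests are satisfied by a pre-existing symlink or regular file at those paths, in which case the chmod and chown are applied to whatever is there, so test with -d and reject -L instead; and working and working/work_areas are created with the default umask and no explicit owner, which should be set alongside working/tmp.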

Thanks for not sponsoring this upload. Why is setting the rights to 777 
done here? This would enable every user on the system to delete web content 
via a symlink attack. The old solution is of course not secure either.
Please fix this.
 
Kind regards 
Nico 

-- 
Nico Golde - http://ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
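
The permission problem raised in this message, as an added shell example that is not code from the TWiki package or from anyone in the thread: one function classifies a directory's mode, the other creates a directory for owner and group only and refuses a symlink at the path. The helper names dir_mode_risk and make_private_dir, the 0770 mode and the scratch paths are assumptions.

```shell
#!/bin/sh
# Added example; helper names, the 0770 mode and the demo paths are assumptions.

# Classify a path by inspecting the permission string from ls -ld.
# Prints: symlink | missing | not-dir | world-writable |
#         world-writable-sticky | ok
dir_mode_risk() {
    p=$1
    if [ -L "$p" ]; then echo symlink; return 0; fi
    if [ ! -e "$p" ]; then echo missing; return 0; fi
    if [ ! -d "$p" ]; then echo not-dir; return 0; fi
    perms=$(ls -ld "$p" | cut -c1-10)      # e.g. drwxrwxrwx
    case $perms in
        d???????w[tT]) echo world-writable-sticky ;;  # like /tmp itself
        d???????w?)    echo world-writable ;;         # what chmod 777 yields
        *)             echo ok ;;
    esac
}

# Create a directory writable by owner and group only.
# $1 = path, $2 = optional owner:group (chown needs root, as in a postinst).
# Assumes the parent directory is not writable by untrusted users.
make_private_dir() {
    d=$1
    # Refuse a symlink or non-directory already at the path, so the
    # chmod/chown below is not applied through a planted link.
    if [ -L "$d" ] || { [ -e "$d" ] && [ ! -d "$d" ]; }; then
        echo "refusing $d: exists and is not a directory" >&2
        return 1
    fi
    mkdir -p "$d" || return 1
    chmod 0770 "$d" || return 1
    if [ -n "${2:-}" ]; then
        chown "$2" "$d" || return 1
    fi
    return 0
}

# Demo in a scratch directory (constructed paths, not the package's).
demo=$(mktemp -d)
mkdir "$demo/old" && chmod 777 "$demo/old"
make_private_dir "$demo/new"
echo "old: $(dir_mode_risk "$demo/old")  new: $(dir_mode_risk "$demo/new")"
rm -rf "$demo"
```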