From rea-fbsd@codelabs.ru  Sat Dec  6 20:18:33 2008
Return-Path: <rea-fbsd@codelabs.ru>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 99A051065672
	for <FreeBSD-gnats-submit@freebsd.org>; Sat,  6 Dec 2008 20:18:33 +0000 (UTC)
	(envelope-from rea-fbsd@codelabs.ru)
Received: from 0.mx.codelabs.ru (0.mx.codelabs.ru [144.206.177.45])
	by mx1.freebsd.org (Postfix) with ESMTP id 2832B8FC17
	for <FreeBSD-gnats-submit@freebsd.org>; Sat,  6 Dec 2008 20:18:32 +0000 (UTC)
	(envelope-from rea-fbsd@codelabs.ru)
Received: from phoenix.codelabs.ru (ppp91-78-250-32.pppoe.mtu-net.ru [91.78.250.32])
	by 0.mx.codelabs.ru with esmtps (TLSv1:CAMELLIA256-SHA:256)
	id 1L93bj-000MH6-9U for FreeBSD-gnats-submit@freebsd.org; Sat, 06 Dec 2008 23:18:31 +0300
Message-Id: <20081206201839.01A26B8019@phoenix.codelabs.ru>
Date: Sat,  6 Dec 2008 23:18:39 +0300 (MSK)
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Reply-To: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: [patch] [vuxml] comms/mgetty+sendfax: fix and document CVE-2008-4936
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         129471
>Category:       ports
>Synopsis:       [patch] [vuxml] comms/mgetty+sendfax: fix and document CVE-2008-4936
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    miwi
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Dec 06 20:20:01 UTC 2008
>Closed-Date:    Sun Dec 07 11:43:00 UTC 2008
>Last-Modified:  Sun Dec  7 18:50:01 UTC 2008
>Originator:     Eygene Ryabinkin
>Release:        FreeBSD 7.1-PRERELEASE amd64
>Organization:
Code Labs
>Environment:

System: FreeBSD 7.1-PRERELEASE amd64

>Description:

Mgetty is guilty in the creation and usage of insecure temporary files.

>How-To-Repeat:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496403
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4936

>Fix:

The following patch fixes the bug in the current version of
FreeBSD port.

--- fix-CVE-2008-4936.diff begins here ---
From 1a2271c4270da1f286c66ef8b002adf6269150f8 Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Date: Sat, 6 Dec 2008 23:10:26 +0300

Insecure temporary file usage was detected by Debian developer
Dmitry Oboukhov,
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496403

I am not updating the port to 1.1.36, since the bug is present even in
this version and I can't test the new port.  So now I am just patching
current FreeBSD port version, 1.1.35.

Signed-off-by: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
---
 comms/mgetty+sendfax/Makefile                  |    2 +-
 comms/mgetty+sendfax/files/patch-CVE-2008-4936 |   68 ++++++++++++++++++++++++
 2 files changed, 69 insertions(+), 1 deletions(-)
 create mode 100644 comms/mgetty+sendfax/files/patch-CVE-2008-4936

diff --git a/comms/mgetty+sendfax/Makefile b/comms/mgetty+sendfax/Makefile
index f31fd5d..4376dd5 100644
--- a/comms/mgetty+sendfax/Makefile
+++ b/comms/mgetty+sendfax/Makefile
@@ -7,7 +7,7 @@
 
 PORTNAME=	mgetty
 PORTVERSION=	1.1.35
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	comms
 MASTER_SITES=	ftp://mgetty.greenie.net/pub/mgetty/source/1.1/
 DISTNAME=	${PORTNAME}${PORTVERSION}-Feb22
diff --git a/comms/mgetty+sendfax/files/patch-CVE-2008-4936 b/comms/mgetty+sendfax/files/patch-CVE-2008-4936
new file mode 100644
index 0000000..6260c12
--- /dev/null
+++ b/comms/mgetty+sendfax/files/patch-CVE-2008-4936
@@ -0,0 +1,68 @@
+Fixes CVE-2008-4936
+
+This patch takes ideas from both Debian and Gentoo patches for this
+problem:
+  http://mirror.yandex.ru/gentoo-portage/net-dialup/mgetty/files/mgetty-1.1.36-tmpfile.patch
+  http://ftp.de.debian.org/debian/pool/main/m/mgetty/mgetty_1.1.36.orig.tar.gz
+
+However, Gentoo's patch seems to be incorrect and Debian's one, well...,
+I like the idea of putting temporary file to the spooldir, not directly
+to /tmp (or $TMP).
+
+NB: This issue wasn't fixed even in 1.1.36 and this patch should go to
+NB: that version too.  It was written for 1.1.35 and 1.1.36, so it can
+NB: be left unmodified for these versions and may be even for the
+NB: future ones.
+
+--- fax/faxspool.in.orig	2008-12-06 22:30:36.000000000 +0300
++++ fax/faxspool.in	2008-12-06 22:48:40.000000000 +0300
+@@ -653,12 +653,12 @@
+ #
+ # mkdir a directory in $TMP (or /tmp), convert input to G3 in there
+ #
+-spooldir=${TMP:-/tmp}/$new_seq.$$.`date +%S`
++spooldir=`mktemp -d "${TMP:-/tmp}"/"$new_seq.$$".XXXXXXXX`
+ 
+-if ( umask 077 ; mkdir $spooldir ) ; then
++if [ $? -eq 0 ]; then
+     $echo "spooling to $spooldir (->$new_seq)..."
+ else
+-    $echo "ERROR: can't create work dir '$spooldir', giving up" >&2 ; exit 6
++    $echo "ERROR: can't create work dir inside '${TMP:-/tmp}', giving up" >&2 ; exit 6
+ fi
+ 
+ #
+@@ -675,9 +675,12 @@
+     if [ x$file = x- ]
+     then
+ 	$echo "spooling $file (stdin)..."
+-	trap "rm /tmp/faxsp.$$" 0
+-        cat - >/tmp/faxsp.$$
+-	file=/tmp/faxsp.$$
++	file=`mktemp "$spooldir/faxsp.XXXXXXXX"`
++	if [ -z "$file" ]; then
++		$echo "ERROR: can't create work file, giving up" >&2; exit 6
++	fi
++	trap "rm -f $file" 0
++        cat - >"$file"
+     else
+ 	$echo "spooling $file..."
+     fi
+@@ -924,7 +927,7 @@
+ then
+     $echo "\nnothing to do (no cover page, no data)." >&2
+     cd $FAX_SPOOL_OUT
+-    rmdir $spooldir
++    rm -rf $spooldir
+     exit 52
+ fi
+ 
+@@ -965,7 +968,7 @@
+ # clean up
+ rm $job.q
+ cd ..
+-rmdir $spooldir
++rm -rf $spooldir
+ 
+ if [ -z "`find $LAST_RUN -ctime -1 -print 2>/dev/null`" ]
+ then
-- 
1.6.0.4
--- fix-CVE-2008-4936.diff ends here ---

The following VuXML entry should be evaluated and added:
--- vuln.xml begins here ---
  <vuln vid="46fdde22-c3d1-11dd-b08d-001fc66e7203">
    <topic>mgetty+sendfax -- symlink attack via insecure temporary files</topic>
    <affects>
      <package>
        <name>mgetty</name>
        <range><lt>1.1.35_2</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Entry for CVE-2008-4936 says:</p>
        <blockquote
          cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4936">
          <p>faxspool in mgetty 1.1.36 allows local users to overwrite
          arbitrary files via a symlink attack on a /tmp/faxsp.#####
          temporary file.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2008-4936</cvename>
      <url>http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496403</url>
    </references>
    <dates>
      <discovery>24-08-2008</discovery>
      <entry>TODAY</entry>
    </dates>
  </vuln>
--- vuln.xml ends here ---
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-ports-bugs->miwi 
Responsible-Changed-By: edwin 
Responsible-Changed-When: Sat Dec 6 20:20:11 UTC 2008 
Responsible-Changed-Why:  
miwi@ wants his PRs (via the GNATS Auto Assign Tool) 

http://www.freebsd.org/cgi/query-pr.cgi?pr=129471 
State-Changed-From-To: open->closed 
State-Changed-By: miwi 
State-Changed-When: Sun Dec 7 11:42:59 UTC 2008 
State-Changed-Why:  
documented with some changes, also added patch. Thanks for your 
submission. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=129471 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: ports/129471: commit references a PR
Date: Sun,  7 Dec 2008 11:41:40 +0000 (UTC)

 miwi        2008-12-07 11:41:32 UTC
 
   FreeBSD ports repository
 
   Modified files:
     security/vuxml       vuln.xml 
   Log:
   - Document mgetty+sendfax -- symlink attack via insecure temporary files
   
   PR:             based on 129471
   Submitted by:   Eygene Ryabinkin <rea-fbsd@codelabs.ru>
   
   Revision  Changes    Path
   1.1780    +31 -1     ports/security/vuxml/vuln.xml
 _______________________________________________
 cvs-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/cvs-all
 To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: ports/129471: commit references a PR
Date: Sun,  7 Dec 2008 11:47:30 +0000 (UTC)

 miwi        2008-12-07 11:47:22 UTC
 
   FreeBSD ports repository
 
   Modified files:
     comms/mgetty+sendfax Makefile 
   Added files:
     comms/mgetty+sendfax/files patch-CVE-2008-4936 
   Log:
   - Fix symlink attack via insecure temporary files
   
   PR:             129471
   Submitted by:   Eygene Ryabinkin <rea-fbsd@codelabs.ru>
   Obtained from:  debian
   Security:       http://www.vuxml.org/freebsd/44ee8160-c453-11dd-a721-0030843d3802.html
   
   Revision  Changes    Path
   1.57      +1 -1      ports/comms/mgetty+sendfax/Makefile
   1.1       +52 -0     ports/comms/mgetty+sendfax/files/patch-CVE-2008-4936 (new)
 _______________________________________________
 cvs-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/cvs-all
 To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
 

From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To: miwi@FreeBSD.org
Cc: bug-followup@freebsd.org
Subject: Re: ports/129471: [patch] [vuxml] comms/mgetty+sendfax: fix and
	document CVE-2008-4936
Date: Sun, 7 Dec 2008 21:43:27 +0300

 --tThc/1wpZn/ma/RB
 Content-Type: text/plain; charset=koi8-r
 Content-Disposition: inline
 Content-Transfer-Encoding: quoted-printable
 
 Martin, good evening.
 
 Sun, Dec 07, 2008 at 11:43:00AM +0000, miwi@FreeBSD.org wrote:
 > Synopsis: [patch] [vuxml] comms/mgetty+sendfax: fix and document CVE-2008=
 -4936
 >=20
 > State-Changed-From-To: open->closed
 > State-Changed-By: miwi
 > State-Changed-When: Sun Dec 7 11:42:59 UTC 2008
 > State-Changed-Why:=20
 > documented with some changes, also added patch. Thanks for your
 > submission.
 
 Thanks!  One neat: VuXML entry should read "faxspool in mgetty...",
 not the "axspool in mgetty'.
 --=20
 Eygene
  _                ___       _.--.   #
  \`.|\..----...-'`   `-._.-'_.-'`   #  Remember that it is hard
  /  ' `         ,       __.--'      #  to read the on-line manual  =20
  )/' _/     \   `-_,   /            #  while single-stepping the kernel.
  `-'" `"\_  ,_.-;_.-\_ ',  fsc/as   #
      _.-'_./   {_.'   ; /           #    -- FreeBSD Developers handbook=20
     {_.-``-'         {_/            #
 
 --tThc/1wpZn/ma/RB
 Content-Type: application/pgp-signature
 Content-Disposition: inline
 
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.9 (FreeBSD)
 
 iEYEARECAAYFAkk8GU8ACgkQthUKNsbL7YicGgCeMkOKWkqv+bX8NPiu6QksuI9k
 xvIAn0879ZU/OEnHgKZkbn2HuLHMc3jB
 =5Stg
 -----END PGP SIGNATURE-----
 
 --tThc/1wpZn/ma/RB--
>Unformatted:
