Bug#629003: fabric is prone to file-overwrite security issue(s).
Version: 1.7.0-2
Hi Steve,
On Thu, Jun 02, 2011 at 11:25:01PM +0100, Steve Kemp wrote:
>
> Package: fabric
> Version: 0.9.1-1
> Justification: causes serious data loss
> Severity: important
> Tags: security
>
> *** Please type your report below this line ***
>
> Fabric includes two modules which are marked as "contrib", and are
> included in the main package.
>
> These two modules both suffer from the same issue:
>
> * They write files with (semi-)predictable names, in world-readable
> and world-writeable locations.
>
> This allows a malicious local user to pre-create the filenames which
> will be used, allowing the overwriting of arbitrary files the user
> invoking fabric controls.
>
> The relevant code is:
>
> fabric/contrib/projects.py:
>
> tar_file = "/tmp/fab.%s.tar" % datetime.utcnow().strftime(
> '%Y_%m_%d_%H-%M-%S')
> cwd_name = getcwd().split(sep)[-1]
> tgz_name = cwd_name + ".tar.gz"
> local("tar -czf %s ." % tar_file)
>
This now uses mkdtemp.
>
> fabric/contrib/files.py:
> basename = os.path.basename(filename)
> temp_destination = '/tmp/' + basename
> ...
> ...
> put(tempfile_name, temp_destination)
>
> [In the latter case the upload happens on the *remote* system.]
This code seems to have disappeared.
Ana
>
>
> -- System Information:
> Debian Release: 6.0.1
> APT prefers stable
> APT policy: (500, 'stable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 2.6.32-5-amd64 (SMP w/3 CPU cores)
> Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
>
> Versions of packages fabric depends on:
> ii python 2.6.6-3+squeeze6 interactive high-level object-orie
> ii python-paramiko 1.7.6-5 Make ssh v2 connections with Pytho
> ii python-pkg-resources 0.6.14-4 Package Discovery and Resource Acc
> ii python-support 1.0.10 automated rebuilding support for P
>
> fabric recommends no packages.
>
> fabric suggests no packages.
>
> -- no debconf information
>
>
>
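Added example (not fabric's code and not part of the bug report or the reply): a runnable model of the problem Steve describes and of the two usual fixes. The naming scheme is copied from the quoted fabric/contrib/projects.py snippet; the attacker, the victim file, the function names (predictable_tar_path, write_archive_naive, write_archive_excl, private_tar_path, simulate, run_demo) and the scenario are all constructed here, and a throwaway directory stands in for the world-writable /tmp so the demo never touches the real one. Writing the archive with open() stands in for `tar -czf`, which likewise creates the output with O_CREAT|O_TRUNC and follows a symlink planted at that path.

```python
"""Insecure vs. hardened temp-file handling for the pattern in this report (added example)."""
import os
import shutil
import stat
import tempfile
from datetime import datetime


def predictable_tar_path(shared_dir, now):
    """Vulnerable: name is fixed to the second, so any local user can guess it in advance.
    Same format string as the quoted projects.py; shared_dir stands in for /tmp."""
    return os.path.join(shared_dir, "fab.%s.tar" % now.strftime("%Y_%m_%d_%H-%M-%S"))


def write_archive_naive(path, payload):
    """Stands in for `tar -czf path .`: O_CREAT|O_TRUNC, so a pre-planted symlink is followed
    and whatever it points at is truncated and overwritten."""
    with open(path, "wb") as f:
        f.write(payload)


def write_archive_excl(path, payload):
    """File-level fix: O_EXCL refuses any pre-existing path, symlink included, and
    O_NOFOLLOW (where the platform has it) never follows a link at the final component.
    Raises FileExistsError if an attacker got there first instead of clobbering the target."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(payload)


def private_tar_path():
    """Directory-level fix (the mkdtemp approach Ana mentions): a fresh directory with a
    random name and mode 0700, so there is no predictable path for anyone else to pre-plant."""
    return os.path.join(tempfile.mkdtemp(prefix="fab."), "project.tar")


def simulate(shared_dir, now):
    """Constructed scenario: attacker plants a symlink, victim writes through it, then the
    same write is retried with each fix. Returns what happened."""
    victim_file = os.path.join(shared_dir, "victim_data")
    with open(victim_file, "wb") as f:
        f.write(b"important data")

    # Attacker computes the exact name the victim is about to use and plants a symlink there.
    guessed = predictable_tar_path(shared_dir, now)
    os.symlink(victim_file, guessed)

    write_archive_naive(guessed, b"tar bytes")  # victim runs the vulnerable code
    with open(victim_file, "rb") as f:
        clobbered = f.read() == b"tar bytes"

    try:
        write_archive_excl(guessed, b"tar bytes")  # same planted path, hardened open
        excl_blocked = False
    except FileExistsError:
        excl_blocked = True

    private = private_tar_path()
    write_archive_excl(private, b"tar bytes")  # nothing could have been planted here
    private_dir = os.path.dirname(private)
    mode = stat.S_IMODE(os.stat(private_dir).st_mode)
    shutil.rmtree(private_dir)

    return {
        "victim_clobbered": clobbered,  # True: naive write followed the symlink
        "excl_blocked": excl_blocked,   # True: O_EXCL refused the planted path
        "private_dir_mode": mode,       # 0o700 from mkdtemp
    }


def run_demo():
    with tempfile.TemporaryDirectory() as shared:  # stand-in for the shared /tmp
        return simulate(shared, datetime(2011, 6, 2, 22, 25, 1))


if __name__ == "__main__":
    print(run_demo())
```

The two controls are independent: mkdtemp removes the guessable path, and O_EXCL|O_NOFOLLOW makes a write fail loudly rather than silently follow a link if a predictable path is ever reused. The same reasoning applies to the files.py case in the report, except that the pre-planted symlink would sit in the remote host's /tmp, so the private directory has to be created on the remote side before the put.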