Holger Levsen
2007-Oct-18 14:59 UTC
[Secure-testing-team] TWiki 4.1.2-2 fix for CVE-2007-5193
Hi Sven,

Amaya forwarded your mail to me, so that I can sponsor the upload as she is too busy currently...

On Sunday 14 October 2007 14:08, Sven wrote:
> is there any chance you could upload twiki_4.1.2-2_all.deb from
> http://distributedinformation.com/TWikiDebian/
> It's for fixing http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=444982

I just looked at the debdiff between the version in testing+unstable (4.1.2-1) and http://distributedinformation.com/TWikiDebian/twiki_4.1.2-2.dsc and decided not to upload it, because I cannot easily say if all the changes are needed to fix the security issue (#444982 / CVE-2007-5193).

I noticed that you edited the changelog for 4.1.2-1 in the 4.1.2-2 package _and_ did some related changes to it (adding suggests) and did at least one (small) change which is not in the changelog: changing the maintainer address.

This, _combined_ with my lack of knowledge of the package and therefore inability to understand the changes without some effort, led me to the decision not to sponsor the upload. Sorry.

But I've forwarded this issue to the testing-security team so they can upload it.

I _do_ think that if someone with more experience in webapps _debian-packages_ looks at the patch, which is short, the package can probably be uploaded as it is, as a non-perfect changelog is cosmetic and can be fixed in the next upload, while a security upload should be done rather asap.

OTOH, feel free to prepare -3 with a better changelog ;-)

regards,
Holger
Nico Golde
2007-Oct-18 16:54 UTC
[Secure-testing-team] TWiki 4.1.2-2 fix for CVE-2007-5193
Hi all! :)

* Holger Levsen <holger at layer-acht.org> [2007-10-18 17:02]:
> Amaya forwarded your mail to me, so that I can sponsor the upload as she is
> too busy currently...
>
> On Sunday 14 October 2007 14:08, Sven wrote:
> > is there any chance you could upload twiki_4.1.2-2_all.deb from
> > http://distributedinformation.com/TWikiDebian/
> > It's for fixing http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=444982
>
> I just looked at the debdiff between the version in testing+unstable (4.1.2-1)
> and http://distributedinformation.com/TWikiDebian/twiki_4.1.2-2.dsc
> and decided not to upload it, because I cannot easily say if all the changes
> are needed to fix the security issue (#444982 / CVE-2007-5193)
>
> I noticed that you edited the changelog for 4.1.2-1 in the 4.1.2-2 package
> _and_ did some related changes to it (adding suggests) and did at least one
> (small) change which is not in the changelog: changing the maintainer address.
>
> This, _combined_ with my lack of knowledge of the package and therefore
> inability to understand the changes without some effort, led me to the
> decision not to sponsor the upload. Sorry.
>
> But I've forwarded this issue to the testing-security team so they can upload
> it.
[...]

Without looking too deep into the changes, since I have to write an exam tomorrow, I saw the following in postinst:

--- twiki-4.1.2/debian/postinst +++ twiki-4.1.2/debian/postinst
@@ -139,13 +139,19 @@ fi #create securer-twiki session dir - if [ ! -e /tmp/twiki ]; then - mkdir /tmp/twiki + if [ ! -e /var/lib/twiki/working ]; then + mkdir /var/lib/twiki/working + fi + if [ ! -e /var/lib/twiki/working/tmp ]; then + mkdir /var/lib/twiki/working/tmp + fi + if [ ! -e /var/lib/twiki/working/work_areas ]; then + mkdir /var/lib/twiki/working/work_areas fi #mmmm, mailnotify etc may be running _not_ as www-data #and for some reason create a session - chmod 777 /tmp/twiki - chown $TWIKI_OWNER.www-data /tmp/twiki + chmod 777 /var/lib/twiki/working/tmp + chown $TWIKI_OWNER.www-data /var/lib/twiki/working/tmp #add softlinks to make adding plugins easier () if [ ! -e /var/lib/twiki/lib ]; then

Thanks for not sponsoring this upload. Why is setting the rights to 777 done here? This would enable every user on the system to delete web content via a symlink attack. The old solution is of course not secure either. Please fix this.

Kind regards
Nico
-- 
Nico Golde - http://ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
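Review bot: `chmod 777 /var/lib/twiki/working/tmp` (the two `+` lines after the mailnotify comment) makes the new session directory writable by every local user with no sticky bit, so any user can unlink or rename entries there and pre-create a symlink under a name the server will later write to; the comment above it only says that mailnotify may run as a user other than www-data, which is solved by giving the directory to $TWIKI_OWNER and the www-data group rather than to everyone, e.g. `chmod 2770 /var/lib/twiki/working/tmp` and `chown "$TWIKI_OWNER:www-data" /var/lib/twiki/working/tmp` (the `.` separator in `chown $TWIKI_OWNER.www-data` is the deprecated form, use `:`). The `working` and `work_areas` directories added earlier in the hunk are created with a bare `mkdir` and receive no owner or mode at all, so when postinst runs as root they stay root-owned with the umask default and the server cannot write to work_areas; give each of them an explicit owner and mode as well, and the three `if [ ! -e ... ]; then mkdir ...; fi` triplets can then collapse into one `install -d -m MODE -o OWNER -g www-data PATH` per directory. The comment `#create securer-twiki session dir` no longer describes what follows it.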
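A postinst-style helper that applies the fix Nico asks for, added here as an example and not taken from the TWiki package or from anyone in this thread. It assumes GNU coreutils (stat -c, install -d -m), takes the directory root, owner and group as parameters (a real postinst would pass /var/lib/twiki/working, $TWIKI_OWNER and www-data), and exercises both the 777 layout from the hunk and the restricted one on a scratch tree under mktemp so it can be run without root.

```shell
#!/bin/sh
# Added example, not code from the TWiki package. Demonstrates why the
# 777 mode in the posted hunk fails a permission audit and what the
# group-restricted layout looks like. Assumes GNU coreutils.
set -eu

# Succeed when DIR is writable by "other". Such a directory lets any local
# user plant a symlink where the web server will later write or unlink,
# which is the attack raised in the thread.
dir_world_writable() {
    dir=$1
    [ -d "$dir" ] || return 1
    mode=$(stat -c '%a' "$dir")      # e.g. 777, 1777, 2770 (GNU stat)
    other=${mode#"${mode%?}"}        # last octal digit = "other" bits
    [ $((other & 2)) -ne 0 ]
}

# The layout as the posted hunk creates it: tmp ends up mode 777 and
# work_areas keeps whatever the umask gives it.
weak_setup() {
    root=$1
    mkdir -p "$root/tmp" "$root/work_areas"
    chmod 777 "$root/tmp"
}

# Restricted layout: only the owner and the web server's group may write.
# 2770 = setgid (new files inherit the group), no "other" bits at all.
# chown needs root, which a postinst has; the demo skips it otherwise so
# the script still runs as an ordinary user.
safe_setup() {
    root=$1; owner=$2; group=$3
    install -d -m 0755 "$root"
    install -d -m 2770 "$root/tmp"
    install -d -m 2770 "$root/work_areas"
    if [ "$(id -u)" -eq 0 ]; then
        chown "$owner:$group" "$root" "$root/tmp" "$root/work_areas"
    fi
}

# Walk every directory below ROOT (paths without whitespace) and return 1
# if any of them is world-writable; this is the check a sponsor can run
# against an installed tree before signing off.
audit_tree() {
    rc=0
    for d in $(find "$1" -type d); do
        if dir_world_writable "$d"; then
            echo "world-writable: $d" >&2
            rc=1
        fi
    done
    return $rc
}

# Demo on a scratch tree instead of /var/lib/twiki/working.
demo() {
    scratch=$(mktemp -d)
    weak_setup "$scratch/weak"
    audit_tree "$scratch/weak" || echo "777 layout rejected (expected)"
    safe_setup "$scratch/safe" www-data www-data
    audit_tree "$scratch/safe" && echo "2770 layout passes"
    rm -rf "$scratch"
}

demo
```

Run as root to see the chown take effect; as an ordinary user the mode check alone already shows the difference. Adding only the sticky bit (1777, as on /tmp) would stop one user unlinking another's files but would not stop a user pre-creating a symlink under a name the server later writes to, which is why a private application directory should carry no "other" write bit at all.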