Ola Lundqvist
2009-Apr-12 16:56 UTC
[Secure-testing-team] Bug#523476: pptp-linux: pptpsetup permissions
Hi Michael

Thanks a lot for your report!

On Fri, Apr 10, 2009 at 10:34:17AM -0400, Michael S. Gilbert wrote:
> package: pptp-linux
> severity: important
> tags: security
>
> Hello,
>
> Fedora issued the following update for pptp-linux, which they have
> tagged as security-related:
>
> This update corrects the behaviour of pptpsetup when its --delete
> option is used, retaining the permissions of /etc/ppp/chap-secrets
> rather than creating a new file that is likely to be world-readable.
> If you have previously used the --delete option of pptpsetup, you
> should reset the permissions of /etc/ppp/chap-secrets to their
> default value of 0600 unless you have good reasons to use another
> value: # chmod 600 /etc/ppp/chap-secrets
>
> Is this problem present in debian, and should it be of concern to the
> security team? From my perspective, the problem seems rather
> insignificant, but I will defer to your opinion as the maintainer.

It is a problem on Debian. I have successfully reproduced the problem.

The fix was very easy, just to add a chmod 600 /etc/ppp/chap-secrets.
I have uploaded a fixed package to unstable now.

I agree that it is not a critical bug but I think it is worth a DSA for this,
so I'm cc:ing the security team about this.

The corrected package is pptp-linux_1.7.2-2 and this is the only fix in
that package compared to stable.

Best regards,

// Ola

> See the Fedora security announcement for more details [1].
>
> Thanks for your assistance on this issue.
>
> [1] http://lwn.net/Articles/328042/

-- 
 --------------------- Ola Lundqvist ---------------------------
/  opal at debian.org                     Annebergsslingan 37      \
|  ola at inguza.com                      654 65 KARLSTAD          |
|  http://inguza.com/                   +46 (0)70-332 1551        |
 \  gpg/f.p.: 7090 A92B 18FE 7994 0C36  4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------
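The defect discussed in this message is a classic one: a secrets file is moved aside and recreated with the process's default umask, so a file that was 0600 comes back as 0644 on most systems. The script below is an added example, not code from the pptp-linux package or from anyone in this thread. It reproduces the bug in a temporary directory (the file name and sample content are constructed, nothing under /etc/ppp is touched) and shows two ways to close it: the umask save/tighten/restore pattern, which is what the pptpsetup patch in this thread does, and asking the kernel for an explicit 0600 mode at creation time, which a chmod after the write cannot match because the file would briefly exist world-readable.

```python
import os
import stat
import tempfile

# Constructed sample content; the real file holds PPP CHAP credentials.
SAMPLE_SECRETS = (
    "# Secrets for authentication using CHAP\n"
    "# client        server  secret                  IP addresses\n"
)


def file_mode(path):
    """Return only the permission bits of *path* (e.g. 0o600)."""
    return stat.S_IMODE(os.stat(path).st_mode)


def rewrite_unsafely(path, content):
    """Pre-fix behaviour: move the old file aside and recreate it with a
    plain open(), so the new file gets 0666 & ~umask (0644 under the
    common 022 umask) regardless of how the original was protected."""
    if os.path.exists(path):
        os.rename(path, path + ".bkp")
    with open(path, "w") as fh:
        fh.write(content)
    return file_mode(path)


def rewrite_with_umask(path, content):
    """The fix applied in pptpsetup: tighten the umask to 077 around the
    create so the file is born as 0600, then restore the caller's umask.
    try/finally restores it even if the write raises."""
    if os.path.exists(path):
        os.rename(path, path + ".bkp")
    saved = os.umask(0o077)
    try:
        with open(path, "w") as fh:
            fh.write(content)
    finally:
        os.umask(saved)
    return file_mode(path)


def rewrite_with_explicit_mode(path, content):
    """Alternative: request 0600 at creation via os.open, with O_EXCL so an
    existing (possibly wider) file is never silently reused. The umask can
    only remove bits from 0600, so the result is never wider than that."""
    if os.path.exists(path):
        os.rename(path, path + ".bkp")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    return file_mode(path)


def demo(umask=0o022):
    """Run all three writers under a constructed umask and return the mode
    each one produced, restoring the process umask afterwards."""
    saved = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            secrets = os.path.join(d, "chap-secrets")  # constructed path
            # Start from a correctly protected file, as ppp ships it.
            with open(secrets, "w") as fh:
                fh.write(SAMPLE_SECRETS)
            os.chmod(secrets, 0o600)
            results = {}
            for name, writer in (("unsafe", rewrite_unsafely),
                                 ("umask", rewrite_with_umask),
                                 ("explicit", rewrite_with_explicit_mode)):
                results[name] = writer(secrets, SAMPLE_SECRETS)
            return results
    finally:
        os.umask(saved)


if __name__ == "__main__":
    for mask in (0o022, 0o002, 0o077):
        modes = demo(mask)
        print("umask %03o:" % mask,
              ", ".join("%s=%04o" % (k, v) for k, v in modes.items()))
```

Running it shows why the bug is easy to miss in testing: under a 077 umask the unsafe writer also yields 0600, so only an account with the usual 022 or 002 umask exposes the secrets. That is also why the Fedora advice to re-chmod an already-rewritten /etc/ppp/chap-secrets still applies after upgrading: neither fix retroactively repairs a file that was created wide open earlier.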
Moritz Muehlenhoff
2009-Apr-26 08:17 UTC
[Secure-testing-team] Bug#523476: pptp-linux: pptpsetup permissions
On Sun, Apr 12, 2009 at 06:56:34PM +0200, Ola Lundqvist wrote:
> Hi Michael
> It is a problem on Debian. I have successfully reproduced the problem.
>
> The fix was very easy, just to add a chmod 600 /etc/ppp/chap-secrets.
> I have uploaded a fixed package to unstable now.
>
> I agree that it is not a critical bug but I think it is worth a DSA for this,
> so I'm cc:ing the security team about this.
>
> The corrected package is pptp-linux_1.7.2-2 and this is the only fix in
> that package compared to stable.

Could you please fix this through a stable point update for Lenny?

The best way to do that is to send the proposed debdiff to
debian-release at lists.debian.org with [stable] in the subject, so that the
stable release managers can review it.

Cheers,
Moritz
Ola Lundqvist
2009-Apr-26 13:32 UTC
[Secure-testing-team] Bug#523476: pptp-linux: pptpsetup permissions
Ok, I'll do that.

// Ola

On Sun, Apr 26, 2009 at 10:17:16AM +0200, Moritz Muehlenhoff wrote:
> On Sun, Apr 12, 2009 at 06:56:34PM +0200, Ola Lundqvist wrote:
> > Hi Michael
> > It is a problem on Debian. I have successfully reproduced the problem.
> >
> > The fix was very easy, just to add a chmod 600 /etc/ppp/chap-secrets.
> > I have uploaded a fixed package to unstable now.
> >
> > I agree that it is not a critical bug but I think it is worth a DSA for this,
> > so I'm cc:ing the security team about this.
> >
> > The corrected package is pptp-linux_1.7.2-2 and this is the only fix in
> > that package compared to stable.
>
> Could you please fix this through a stable point update for Lenny?
>
> The best way to do that is to send the proposed debdiff to
> debian-release at lists.debian.org with [stable] in the subject, so that the
> stable release managers can review it.
>
> Cheers,
> Moritz
>

-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola at inguza.com                      Annebergsslingan 37      \
|  opal at debian.org                     654 65 KARLSTAD          |
|  http://inguza.com/                   Mobile: +46 (0)70-332 1551 |
 \  gpg/f.p.: 7090 A92B 18FE 7994 0C36  4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------
Ola Lundqvist
2009-Apr-28 04:54 UTC
[Secure-testing-team] Bug#523476: pptp-linux: pptpsetup permissions
Hi Moritz
This is the patch:
--- pptp-linux-1.7.2.orig/pptpsetup
+++ pptp-linux-1.7.2/pptpsetup
@@ -168,11 +168,14 @@
# backup
rename( $chap_file, "$chap_file.bkp" );
+ my $umask_save = umask();
+ umask 0077;
# write new chap-secrets
open( FILE, ">$chap_file" )
or die "$0: can''t write ''$chap_file'':
$!\n";
print FILE $new_chap;
close FILE;
+ umask $umask_save;
exit;
}
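Review bot: the umask 0077 around `open( FILE, ">$chap_file" )` is the right shape for this fix and preferable to a chmod after the write, because the new chap-secrets is created directly as 0600 (0666 & ~0077) and never exists world-readable on disk, not even briefly. Two points for the stable update: the return value of `rename( $chap_file, "$chap_file.bkp" )` is not checked, so a failed backup goes unnoticed and the secrets are rewritten anyway, and `umask $umask_save;` is skipped on the `or die` path. The latter is harmless here because the process exits, but wrapping the write so the umask is restored on every exit path would keep the block safe if it is ever moved into a subroutine. The backup file keeps the original's mode through rename, so no change is needed there.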
I have uploaded a corrected version to unstable with this fix. It is the
only fix in that package compared to the version in stable. I used high
severity in order to get it into testing as soon as possible. I have also
made sure that it works well by reproducing the problem and testing it.
Uploading to ftp-master (via ftp to ftp.upload.debian.org):
pptp-linux_1.7.2-3.dsc: done.
pptp-linux_1.7.2-3.diff.gz: done.
pptp-linux_1.7.2-3_i386.deb: done.
pptp-linux_1.7.2-3_i386.changes: done.
Successfully uploaded packages.
Not running dinstall.
Best regards,
// Ola
On Sun, Apr 26, 2009 at 10:17:16AM +0200, Moritz Muehlenhoff wrote:
> On Sun, Apr 12, 2009 at 06:56:34PM +0200, Ola Lundqvist wrote:
> > Hi Michael
> > It is a problem on Debian. I have successfully reproduced the problem.
> >
> > The fix was very easy, just to add a chmod 600 /etc/ppp/chap-secrets.
> > I have uploaded a fixed package to unstable now.
> >
> > I agree that it is not a critical bug but I think it is worth a DSA for this,
> > so I'm cc:ing the security team about this.
> >
> > The corrected package is pptp-linux_1.7.2-2 and this is the only fix in
> > that package compared to stable.
>
> Could you please fix this through a stable point update for Lenny?
>
> The best way to do that is to send the proposed debdiff to
> debian-release at lists.debian.org with [stable] in the subject, so that the
> stable release managers can review it.
>
> Cheers,
> Moritz
>
--
--- Inguza Technology AB --- MSc in Information Technology ----
/ ola at inguza.com Annebergsslingan 37 \
| opal at debian.org 654 65 KARLSTAD |
| http://inguza.com/ Mobile: +46 (0)70-332 1551 |
\ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 /
---------------------------------------------------------------