[CVE-2008-1633] unspecified vulnerability relating to use of /tmp

Bug #216601 reported by William Grant
Affects          Status         Importance   Assigned to      Milestone
mondo (Debian)   Fix Released   Unknown
mondo (Ubuntu)   Fix Released   Medium       Luca Falavigna
  Dapper         Won't Fix      Undecided    Unassigned
  Edgy           Won't Fix      Undecided    Unassigned
  Feisty         Won't Fix      Undecided    Unassigned
  Gutsy          Won't Fix      Undecided    Unassigned
  Hardy          Fix Released   Medium       Unassigned

Bug Description

Binary package hint: mondo

This appears to affect all releases.

CVE-2008-1633:
"Unspecified vulnerability in Mondo Rescue before 2.2.5 has unknown impact and attack vectors, related to the use of (1) /tmp and (2) MINDI_CACHE."

Tags: edgy-close


William Grant (wgrant)
Changed in mondo:
status: New → Confirmed
status: New → Confirmed
status: New → Confirmed
Changed in mondo:
status: Unknown → New
Sergio Zanchetta (primes2h) wrote :

The 18 month support period for Edgy Eft 6.10 has reached its end of life. As a result, we are closing the Edgy Eft task. However, please note that this report will remain open against the actively developed release. Thank you for your continued support and help as we debug this issue.

Changed in mondo:
status: New → Invalid
Changed in mondo:
status: New → Fix Released
Luca Falavigna (dktrkranz) wrote :

2.24-2ubuntu1 uploaded for Intrepid.

Changed in mondo:
assignee: nobody → dktrkranz
importance: Undecided → Medium
status: Confirmed → Fix Committed
status: Confirmed → Won't Fix
status: Invalid → Won't Fix
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mondo - 2.24-2ubuntu1

---------------
mondo (2.24-2ubuntu1) intrepid; urgency=low

  * SECURITY UPDATE: fix errors related to the usage of /tmp or
    MINDI_CACHE instead of bkpinfo->tmpdir (LP: #216601).
  * References:
    - CVE-2008-1633
    - http://trac.mondorescue.org/browser/branches/2.2.5, revno 1644

 -- Luca Falavigna <email address hidden> Fri, 17 Oct 2008 00:03:44 +0200

Changed in mondo:
status: Fix Committed → Fix Released
Steve Langasek (vorlon) wrote :

I've accepted this package into intrepid because there's no freeze justification for not doing so, but this is *not* a security fix:

[...]
- if (length_of_file(MINDI_CACHE"/changed.files") > 2) {
+
+ if (length_of_file("/tmp/changed.files") > 2) {
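
Review bot: the `+` line measures a fixed name, /tmp/changed.files, in a directory any local user can write to, so the `> 2` length check can be satisfied or defeated by a file the program did not create. Keep this file under the per-run temporary directory the changelog names (bkpinfo->tmpdir) rather than moving it from MINDI_CACHE to /tmp.
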
[...]

        system("rm -f /var/cache/mondo-archive/last-backup.aborted");
+ system("rm -Rf /tmp.mondo.* /mondo.scratch.*");
        if (!retval) {
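
Review bot: the added `rm -Rf /tmp.mondo.* /mondo.scratch.*` hands two globs anchored at the filesystem root to a shell for recursive, forced deletion, so it removes anything matching those prefixes whether or not this run created it. Delete only the directory paths this run recorded when it created them, and check the return value of the call instead of discarding it.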

[...]

                log_if_success = TRUE;
                log_if_failure = TRUE;
        }
- sprintf(callstr, "%s > %s/mondo-run-prog-thing.tmp 2> %s/mondo-run-prog-thing.err",
- program, g_mondo_tmpdir, g_mondo_tmpdir);
+ sprintf(callstr, "%s > /tmp/mondo-run-prog-thing.tmp 2> /tmp/mondo-run-prog-thing.err",
+ program);
        while ((p = strchr(callstr, '\r'))) {
                *p = ' ';
        }
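
Review bot: the `+` sprintf hard-codes /tmp/mondo-run-prog-thing.tmp and /tmp/mondo-run-prog-thing.err as shell redirection targets where the `-` lines used g_mondo_tmpdir; a `>` redirect follows a symlink that already exists at that name, so the output lands wherever the link points. Keep the g_mondo_tmpdir form, and since `program` is copied into callstr by an unbounded sprintf, switch to snprintf with the buffer size while touching this line.
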
[...]
                }

                printf("---FATALERROR--- %s\n", error_string);
+ sprintf(command, "gzip -9c %s > /tmp/MA.log.gz 2> /dev/null", MONDO_LOGFILE);
- sprintf(command, "gzip -9c %s > %s/MA.log.gz 2> /dev/null", MONDO_LOGFILE, MINDI_CACHE);
                system(command);
                printf
                                ("If you require technical support, please contact the mailing list.\n");
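
Review bot: in this fatal-error path the `+` line sends the compressed log to the fixed name /tmp/MA.log.gz through a shell redirect, which is the same predictable-name problem, and the CVE text quoted in the bug description names both /tmp and MINDI_CACHE, so neither side of this hunk is a good destination. Write the archive inside the per-run temporary directory and report that path to the user in the message that follows.
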
[...]

Using predictable filenames under /tmp is wrong, and at least some of these changes do *exactly* the wrong thing with /tmp.

Reopening the bug.

Changed in mondo:
status: Fix Released → Confirmed
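
Added example (not from the mondo source or the Ubuntu package): the direction the changelog describes, a per-run temporary directory instead of fixed names under /tmp, applied to capturing a command's output in C. The function names, the `example-run` prefix and the `<tag>.out` / `<tag>.err` file names are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Private per-run directory: unpredictable name, created with mode 0700. */
int make_private_tmpdir(char *dir, size_t len)
{
    const char *base = getenv("TMPDIR");
    if (!base || !*base) base = "/tmp";
    if (snprintf(dir, len, "%s/example-run.XXXXXX", base) >= (int)len) return -1;
    return mkdtemp(dir) ? 0 : -1;
}

/* O_EXCL fails if the name already exists (even as a dangling symlink);
 * O_NOFOLLOW refuses a symlink as the final path component. */
int open_private_file(const char *dir, const char *name)
{
    char path[PATH_MAX];
    if (strchr(name, '/')) return -1;   /* plain file names only */
    if (snprintf(path, sizeof path, "%s/%s", dir, name) >= (int)sizeof path) return -1;
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
}

/* Run cmd via /bin/sh with stdout/stderr captured to <tag>.out / <tag>.err in
 * dir, not via "> /tmp/fixed-name" in the string. Returns exit status or -1. */
int run_captured(const char *dir, const char *tag, const char *cmd)
{
    char name[256];
    int out, err, status = 0;
    snprintf(name, sizeof name, "%s.out", tag);
    out = open_private_file(dir, name);
    snprintf(name, sizeof name, "%s.err", tag);
    err = open_private_file(dir, name);
    pid_t pid = (out < 0 || err < 0) ? -1 : fork();
    if (pid == 0) {                     /* child: redirect, then exec */
        dup2(out, STDOUT_FILENO);
        dup2(err, STDERR_FILENO);
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    if (out >= 0) close(out);
    if (err >= 0) close(err);
    if (pid < 0 || waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Because the files are opened with O_EXCL, reusing a tag in the same directory fails rather than overwriting an earlier capture.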
Steve Beattie (sbeattie) wrote :

It looks like the issue in CVE-2008-1633 had been addressed in the previous upload (though not referenced) and that this upload is a reversion of the referenced upstream checkin at http://trac.mondorescue.org/changeset/1644/branches/2.2.5

Luca Falavigna (dktrkranz) wrote :

Indeed! My upload is totally broken and must be restored. And I need to figure out *why* I applied such a "fix". Thanks for catching up.

Luca Falavigna (dktrkranz) wrote :

I erroneously inverted commit numbers while at http://tinyurl.com/5fpvds and reverted the fix, I'm very sorry for my silly error :( I reverted my previous upload to fix it.

Changed in mondo:
importance: Undecided → Medium
status: Confirmed → Fix Released
status: Confirmed → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mondo - 2.24-2ubuntu2

---------------
mondo (2.24-2ubuntu2) intrepid; urgency=low

  * Revert my previous, broken upload and blame myself for reverting
    an already fixed package, this re-includes fix for CVE-2008-1633 and
    closes LP: #216601.

 -- Luca Falavigna <email address hidden> Fri, 17 Oct 2008 13:36:57 +0200

Changed in mondo:
status: Fix Committed → Fix Released
Sergio Zanchetta (primes2h) wrote :

The 18 month support period for Gutsy Gibbon 7.10 has reached its end of life -
http://www.ubuntu.com/news/ubuntu-7.10-eol . As a result, we are closing the
Gutsy task.

Changed in mondo (Ubuntu Gutsy):
status: Confirmed → Won't Fix
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. dapper has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against dapper is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in mondo (Ubuntu Dapper):
status: New → Won't Fix