Bug#261386: /usr/lib/libkdeinit_dcopserver.so: not using mkstemp, creating temp file unsafely
Package: kdelibs-bin
Version: 4:3.2.3-2
Severity: grave
File: /usr/lib/libkdeinit_dcopserver.so
Tags: security patch
Justification: user security hole

dcop/dcopserver.cpp creates a temporary file /tmp/dcopXXXXXX. This file
should be created using mkstemp(3), to avoid /tmp symlink races/attacks.
However, due to a build file oversight, the configure script does not
test for the availability of mkstemp, so HAVE_MKSTEMP is not defined,
and dcopserver.cpp falls back on the insecure tempnam(3) instead.

So every time the dcopserver is started, it creates its temporary file
unsafely, making it potentially vulnerable to symlink attacks. As the
file in question is passed to iceauth, this could expose local
authentication data, or be used to submit mischievous commands to
iceauth.

% nm -D /usr/lib/libkdeinit_dcopserver.so|egrep 'tempnam|mkstemp'
U tempnam

The patch below should correct (I haven't the nerve to rebuild the whole
of kdelibs :-), but have checked that the individual source file
recompiles correctly) the build scripts to detect mkstemp, enabling the
safe code path in dcopserver.cpp. Of course, in addition to the patch
below, configure.in, configure & config.h.in must be regenerated in the
normal way. This should result in a config.h that defines HAVE_MKSTEMP,
and libkdeinit_dcopserver.so should then use mkstemp instead.

diff -pru kdelibs-3.2.3/acinclude.m4 ../kdelibs-3.2.3/acinclude.m4
--- kdelibs-3.2.3/acinclude.m4 2004-07-25 18:08:43.000000000 +0100
+++ ../kdelibs-3.2.3/acinclude.m4 2004-07-25 18:14:05.000000000 +0100
@@ -2302,6 +2302,19 @@ mkstemps("/tmp/aaaXXXXXX", 6);
[MKSTEMPS])
])
+AC_DEFUN([AC_CHECK_MKSTEMP],
+[
+ KDE_CHECK_FUNC_EXT(mkstemp, [
+#include <stdlib.h>
+#include <unistd.h>
+],
+ [
+mkstemp("/tmp/aaaXXXXXX");
+],
+ [int mkstemp(char *, int)],
+ [MKSTEMP])
+])
+
AC_DEFUN([AC_CHECK_MKDTEMP],
[
KDE_CHECK_FUNC_EXT(mkdtemp, [
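Review bot: The prototype argument in the new AC_CHECK_MKSTEMP macro, [int mkstemp(char *, int)], does not match the one-argument test call mkstemp("/tmp/aaaXXXXXX") a few lines above it, and looks carried over from the mkstemps check whose tail appears in the hunk header. mkstemp(3) takes only the template, so this should read [int mkstemp(char *)]. If KDE_CHECK_FUNC_EXT uses this argument to declare the function when the system headers provide no prototype, the two-argument form is what dcopserver.cpp would be compiled against on such systems.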
diff -pru kdelibs-3.2.3/configure.in.in ../kdelibs-3.2.3/configure.in.in
--- kdelibs-3.2.3/configure.in.in 2004-01-19 13:01:23.000000000 +0000
+++ ../kdelibs-3.2.3/configure.in.in 2004-07-25 18:03:36.000000000 +0100
@@ -111,6 +113,7 @@ AC_CHECK_SETENV
AC_CHECK_UNSETENV
AC_CHECK_RANDOM
AC_CHECK_MKSTEMPS
+AC_CHECK_MKSTEMP
AC_CHECK_MKDTEMP
AC_CHECK_FUNCS(strtoll socket seteuid setegid strfmon stpcpy gettimeofday)
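Review bot: The header of this configure.in.in hunk reads -111,6 +113,7, so the new side is already two lines ahead of the old side before AC_CHECK_MKSTEMP is added, yet no earlier hunk for this file is included. Either the patched tree carries another change above line 111 that should be posted or dropped, or the diff should be regenerated against a pristine tree so it applies without an offset.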
-- System Information:
Debian Release: testing/unstable
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.22
Locale: LANG=en_GB, LC_CTYPE=en_GB
Versions of packages kdelibs-bin depends on:
ii kdelibs4 4:3.2.3-2 KDE core libraries
ii libart-2.0-2 2.3.16-5 Library of functions for 2D graphi
ii libbz2-1.0 1.0.2-1 A high-quality block-sorting file
ii libc6 2.3.2.ds1-13 GNU C Library: Shared libraries an
ii libcupsys2-gnu 1.1.20final+cvs20040330-4 Common UNIX Printing System(tm) -
ii libfam0c102 2.7.0-5 client library to control the FAM
ii libgcc1 1:3.3.4-3 GCC support library
ii libice6 4.3.0.dfsg.1-4 Inter-Client Exchange library
ii libpng12-0 1.2.5.0-6 PNG library - runtime
ii libqt3c102-mt 3:3.2.3-4 Qt GUI Library (Threaded runtime v
ii libsm6 4.3.0.dfsg.1-4 X Window System Session Management
ii libstdc++5 1:3.3.4-3 The GNU Standard C++ Library v3
ii libx11-6 4.3.0.dfsg.1-4 X Window System protocol client li
ii libxext6 4.3.0.dfsg.1-4 X Window System miscellaneous exte
ii libxml2 2.6.10-3 GNOME XML library
ii libxrender1 0.8.3-7 X Rendering Extension client libra
ii libxslt1.1 1.1.7-1 XSLT processing library - runtime
ii menu-xdg 0.1 freedesktop.org menu compliant win
ii netpbm 2:10.0-4 Graphics conversion tools
ii python 2.3.4-1 An interactive high-level object-o
ii xlibs 4.3.0.dfsg.1-4 X Window System client libraries m
ii zlib1g 1:1.2.1.1-3 compression library - runtime
-- no debconf information
--
Colin Phipps <cph@cph.demon.co.uk>
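
Added example, not part of the original report and not code from kdelibs: it shows why the mkstemp(3) path matters. Opening a pre-chosen name without O_EXCL writes through a symlink already at that name, while the exclusive create that mkstemp performs fails with EEXIST. The function names, the /tmp/dcop-demo and /tmp/dcop-race templates and the dcopAAAAAA name are constructed for illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Safe path: mkstemp(3) picks the name and creates the file in one atomic
 * step (O_CREAT|O_EXCL, mode 0600). Returns the fd; path receives the name. */
int safe_temp(char *path, size_t len)
{
    if (snprintf(path, len, "/tmp/dcop-demoXXXXXX") >= (int)len)
        return -1;
    return mkstemp(path);
}

/* Reproduces the name-then-open window inside a private scratch directory:
 * a symlink already sits at the "temporary" name when the program opens it.
 * *followed   = 1 if a plain O_CREAT open wrote through the link;
 * *excl_errno = errno from the O_CREAT|O_EXCL open of the same name.
 * Returns 0 on success, -1 if the scratch setup failed. */
int race_window_demo(int *followed, int *excl_errno)
{
    char dir[] = "/tmp/dcop-raceXXXXXX", victim[64], name[64];
    struct stat st;
    int fd;

    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(name, sizeof name, "%s/dcopAAAAAA", dir);  /* constructed name */
    if ((fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600)) < 0) return -1;
    close(fd);
    if (symlink(victim, name) != 0) return -1;

    /* tempnam-style: name chosen earlier, opened later without O_EXCL. */
    fd = open(name, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd >= 0) { ssize_t n = write(fd, "cookie", 6); (void)n; close(fd); }
    *followed = (stat(victim, &st) == 0 && st.st_size == 6);

    /* mkstemp-style: O_EXCL refuses any existing name, symlinks included. */
    errno = 0;
    fd = open(name, O_WRONLY | O_CREAT | O_EXCL, 0600);
    *excl_errno = errno;
    if (fd >= 0) close(fd);

    unlink(name); unlink(victim); rmdir(dir);
    return 0;
}
```

After rebuilding with the corrected configure check, the nm command from the report is the quick verification: the library should import mkstemp rather than tempnam.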