Bug#261386: marked as done (/usr/lib/libkdeinit_dcopserver.so: not using mkstemp, creating temp file unsafely)
Your message dated Tue, 03 Aug 2004 00:47:16 -0400
with message-id <E1BrrCm-0007vd-00@newraff.debian.org>
and subject line Bug#261386: fixed in kdelibs 4:3.2.3-4
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Date: Sun, 25 Jul 2004 18:55:50 +0100
From: Colin Phipps <cph@cph.demon.co.uk>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: /usr/lib/libkdeinit_dcopserver.so: not using mkstemp, creating temp file unsafely
Message-ID: <20040725175550.GA6785@cph.demon.co.uk>
Package: kdelibs-bin
Version: 4:3.2.3-2
Severity: grave
File: /usr/lib/libkdeinit_dcopserver.so
Tags: security patch
Justification: user security hole
dcop/dcopserver.cpp creates a temporary file /tmp/dcopXXXXXX. This file
should be created using mkstemp(3), to avoid /tmp symlink races/attacks.
However, due to a build file oversight, the configure script does not
test for the availability of mkstemp, so HAVE_MKSTEMP is not defined,
and dcopserver.cpp falls back on the insecure tempnam(3) instead.
So every time the dcopserver is started, it creates its temporary file
unsafely, making it potentially vulnerable to symlink attacks. As the
file in question is passed to iceauth, this could expose local
authentication data, or be used to submit mischievous commands to
iceauth.
% nm -D /usr/lib/libkdeinit_dcopserver.so|egrep 'tempnam|mkstemp'
U tempnam
The patch below should correct (I haven't the nerve to rebuild the whole
of kdelibs :-), but have checked that the individual source file
recompiles correctly) the build scripts to detect mkstemp, enabling the
safe code path in dcopserver.cpp. Of course, in addition to the patch
below, configure.in, configure & config.h.in must be regenerated in the
normal way. This should result in a config.h that defines HAVE_MKSTEMP,
and libkdeinit_dcopserver.so should then use mkstemp instead.
diff -pru kdelibs-3.2.3/acinclude.m4 ../kdelibs-3.2.3/acinclude.m4
--- kdelibs-3.2.3/acinclude.m4 2004-07-25 18:08:43.000000000 +0100
+++ ../kdelibs-3.2.3/acinclude.m4 2004-07-25 18:14:05.000000000 +0100
@@ -2302,6 +2302,19 @@ mkstemps("/tmp/aaaXXXXXX", 6);
[MKSTEMPS])
])
+AC_DEFUN([AC_CHECK_MKSTEMP],
+[
+ KDE_CHECK_FUNC_EXT(mkstemp, [
+#include <stdlib.h>
+#include <unistd.h>
+],
+ [
+mkstemp("/tmp/aaaXXXXXX");
+],
+ [int mkstemp(char *, int)],
+ [MKSTEMP])
+])
+
AC_DEFUN([AC_CHECK_MKDTEMP],
[
KDE_CHECK_FUNC_EXT(mkdtemp, [
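Review bot: The prototype argument on the added line "[int mkstemp(char *, int)]" carries a second int parameter that looks copied from the mkstemps check directly above. The test body in this same hunk calls mkstemp("/tmp/aaaXXXXXX") with a single argument, and mkstemp(3) takes only the template. Suggest "[int mkstemp(char *)]" so that any declaration generated from this argument matches the real function.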
diff -pru kdelibs-3.2.3/configure.in.in ../kdelibs-3.2.3/configure.in.in
--- kdelibs-3.2.3/configure.in.in 2004-01-19 13:01:23.000000000 +0000
+++ ../kdelibs-3.2.3/configure.in.in 2004-07-25 18:03:36.000000000 +0100
@@ -111,6 +113,7 @@ AC_CHECK_SETENV
AC_CHECK_UNSETENV
AC_CHECK_RANDOM
AC_CHECK_MKSTEMPS
+AC_CHECK_MKSTEMP
AC_CHECK_MKDTEMP
AC_CHECK_FUNCS(strtoll socket seteuid setegid strfmon stpcpy gettimeofday)
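Review bot: The hunk header "@@ -111,6 +113,7 @@" starts two lines later on the new side than on the old side, yet this is the only configure.in.in hunk in the posted patch, so two earlier added lines in that file appear to be missing from the diff. Please confirm nothing else changed in configure.in.in, or regenerate the diff against a pristine tree. The one-line addition of AC_CHECK_MKSTEMP between AC_CHECK_MKSTEMPS and AC_CHECK_MKDTEMP is otherwise fine, provided the acinclude.m4 hunk that defines the macro is applied with it.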
-- System Information:
Debian Release: testing/unstable
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.22
Locale: LANG=en_GB, LC_CTYPE=en_GB
Versions of packages kdelibs-bin depends on:
ii kdelibs4 4:3.2.3-2 KDE core libraries
ii libart-2.0-2 2.3.16-5 Library of functions for 2D graphi
ii libbz2-1.0 1.0.2-1 A high-quality block-sorting file
ii libc6 2.3.2.ds1-13 GNU C Library: Shared libraries an
ii libcupsys2-gnu 1.1.20final+cvs20040330-4 Common UNIX Printing System(tm) -
ii libfam0c102 2.7.0-5 client library to control the FAM
ii libgcc1 1:3.3.4-3 GCC support library
ii libice6 4.3.0.dfsg.1-4 Inter-Client Exchange library
ii libpng12-0 1.2.5.0-6 PNG library - runtime
ii libqt3c102-mt 3:3.2.3-4 Qt GUI Library (Threaded runtime v
ii libsm6 4.3.0.dfsg.1-4 X Window System Session Management
ii libstdc++5 1:3.3.4-3 The GNU Standard C++ Library v3
ii libx11-6 4.3.0.dfsg.1-4 X Window System protocol client li
ii libxext6 4.3.0.dfsg.1-4 X Window System miscellaneous exte
ii libxml2 2.6.10-3 GNOME XML library
ii libxrender1 0.8.3-7 X Rendering Extension client libra
ii libxslt1.1 1.1.7-1 XSLT processing library - runtime
ii menu-xdg 0.1 freedesktop.org menu compliant win
ii netpbm 2:10.0-4 Graphics conversion tools
ii python 2.3.4-1 An interactive high-level object-o
ii xlibs 4.3.0.dfsg.1-4 X Window System client libraries m
ii zlib1g 1:1.2.1.1-3 compression library - runtime
-- no debconf information
--
Colin Phipps <cph@cph.demon.co.uk>
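
The difference between the tempnam(3) fallback and the mkstemp(3) path described in the report above, as an added example in C that is not part of the original message or of kdelibs. The scratch directory and file names are constructed for the demo, and dcopAAAAAA stands in for a name returned by tempnam().

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* plain_followed_link: 1 if the non-exclusive open wrote through the symlink;
   excl_errno: errno from O_CREAT|O_EXCL; mkstemp_private: 1 if fresh, owner-only. */
struct demo_result { int plain_followed_link, excl_errno, mkstemp_private; };

/* Everything happens inside a private scratch directory constructed for the demo. */
int run_demo(struct demo_result *r)
{
    char dir[] = "/tmp/tmpdemoXXXXXX", target[64], name[64], tmpl[64];
    struct stat st; int fd;
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/other-file", dir);
    snprintf(name, sizeof name, "%s/dcopAAAAAA", dir); /* stands in for a tempnam() result */
    snprintf(tmpl, sizeof tmpl, "%s/dcopXXXXXX", dir);
    /* State between "name chosen" and "file opened": the name already exists as a symlink. */
    fd = open(target, O_WRONLY | O_CREAT, 0600);
    if (fd < 0 || close(fd) || symlink(target, name)) return -1;
    /* tempnam()-style fallback: a plain create on the chosen name follows the link. */
    fd = open(name, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0 || write(fd, "cookie", 6) != 6 || close(fd)) return -1;
    r->plain_followed_link = (stat(target, &st) == 0 && st.st_size == 6);
    /* Exclusive create refuses any existing name, symlinks included. */
    fd = open(name, O_WRONLY | O_CREAT | O_EXCL, 0600);
    r->excl_errno = (fd < 0) ? errno : 0;
    if (fd >= 0) close(fd);
    /* mkstemp(): name selection and exclusive creation in a single call. */
    fd = mkstemp(tmpl);
    r->mkstemp_private = (fd >= 0 && fstat(fd, &st) == 0 && S_ISREG(st.st_mode)
                          && (st.st_mode & 077) == 0 && st.st_nlink == 1);
    if (fd >= 0) close(fd);
    unlink(tmpl); unlink(name); unlink(target); rmdir(dir);
    return 0;
}

int main(void)
{
    struct demo_result r = {0, 0, 0};
    if (run_demo(&r)) return 1;
    printf("plain open followed link: %d\nO_EXCL refused with EEXIST: %d\n"
           "mkstemp private file: %d\n", r.plain_followed_link,
           r.excl_errno == EEXIST, r.mkstemp_private);
    return 0;
}
```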
---------------------------------------
From: Christopher L Cheney <ccheney@debian.org>
To: 261386-close@bugs.debian.org
Subject: Bug#261386: fixed in kdelibs 4:3.2.3-4
Message-Id: <E1BrrCm-0007vd-00@newraff.debian.org>
Sender: Archive Administrator <katie@ftp-master.debian.org>
Date: Tue, 03 Aug 2004 00:47:16 -0400
Source: kdelibs
Source-Version: 4:3.2.3-4
We believe that the bug you reported is fixed in the latest version of
kdelibs, which is due to be installed in the Debian FTP archive:
kdelibs-bin_3.2.3-4_i386.deb
to pool/main/k/kdelibs/kdelibs-bin_3.2.3-4_i386.deb
kdelibs-data_3.2.3-4_all.deb
to pool/main/k/kdelibs/kdelibs-data_3.2.3-4_all.deb
kdelibs4-dev_3.2.3-4_i386.deb
to pool/main/k/kdelibs/kdelibs4-dev_3.2.3-4_i386.deb
kdelibs4-doc_3.2.3-4_all.deb
to pool/main/k/kdelibs/kdelibs4-doc_3.2.3-4_all.deb
kdelibs4_3.2.3-4_i386.deb
to pool/main/k/kdelibs/kdelibs4_3.2.3-4_i386.deb
kdelibs_3.2.3-4.diff.gz
to pool/main/k/kdelibs/kdelibs_3.2.3-4.diff.gz
kdelibs_3.2.3-4.dsc
to pool/main/k/kdelibs/kdelibs_3.2.3-4.dsc
kdelibs_3.2.3-4_all.deb
to pool/main/k/kdelibs/kdelibs_3.2.3-4_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 261386@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Christopher L Cheney <ccheney@debian.org> (supplier of updated kdelibs package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Mon, 2 Aug 2004 22:00:00 -0500
Source: kdelibs
Binary: kdelibs4 kdelibs-bin kdelibs kdelibs4-doc kdelibs-data kdelibs4-dev
Architecture: source i386 all
Version: 4:3.2.3-4
Distribution: unstable
Urgency: high
Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Christopher L Cheney <ccheney@debian.org>
Description:
kdelibs - KDE core libraries metapackage
kdelibs-bin - KDE core binaries
kdelibs-data - KDE core shared data
kdelibs4 - KDE core libraries
kdelibs4-dev - KDE core libraries (development files)
kdelibs4-doc - KDE core library documentation
Closes: 261386 262589 262832
Changes:
kdelibs (4:3.2.3-4) unstable; urgency=high
.
* KDE_3_2_BRANCH Update.
* Apply patch for mktemp security issue. (Closes: #261386)
* Build-Depends: libtiff4-dev. (Closes: #262589, #262832)