Package: tetex-bin
Version: 1.0.7+20021025-6
Severity: grave
Tags: patch sid
Justification: user security hole
Hello,
The new xdvi wrapper in /usr/bin has the following problems:
- The temporary file that compressed files are decompressed into is
created in the current working directory. This creates a race
condition and exploitable security hole.
- File names containing an apostrophe or a backslash are not handled
correctly during decompression.
- If xdvi.bin terminates with a nonzero exit code, the exit code of
the xdvi wrapper is not the same exit code but 256 times that code.
- If gzip or bzip2 is killed by a signal or dumps core, the xdvi
wrapper still proceeds to invoke xdvi.bin.
The following patch should fix these problems.
Thanks,
Ken
--- /usr/bin/xdvi.orig 2003-01-02 03:25:38.000000000 +0000
+++ /usr/bin/xdvi 2003-01-02 04:11:35.000000000 +0000
@@ -24,7 +24,6 @@
use strict;
use File::Basename;
-use File::Temp qw(tempfile);
my @NAMEOPT;
if (@ARGV == 1 and ($ARGV[0] eq '-help' or $ARGV[0] eq '-version')) {
@@ -56,31 +55,41 @@
my $status;
if (@ARGV) {
my $filename = pop @ARGV;
- my ($fh, $tempfile);
if ($filename =~ /\.(gz|Z|bz2)$/) {
- ($fh, $tempfile) = tempfile("tetexXXXXXX", SUFFIX => '.dvi');
- if ($filename =~ /\.(gz|Z)$/) {
- system("gzip -d -c '$filename' > $tempfile");
+ my @command = $1 eq 'bz2' ? qw(bzip2 -d -c) : qw(gzip -d -c);
+
+ require Fcntl;
+ open TEMP, "+>", undef
+ or die "xdvi: cannot create temporary file: $!\n";
+ fcntl TEMP, Fcntl::F_SETFD(), 0
+ or die "xdvi: disabling close-on-exec for temporary file: $!\n";
+
+ if (my $child = fork) {
+ 1 while wait != $child;
+ if ($? & 255) {
+ die "xdvi: $command[0] terminated abnormally: $?\n";
+ } elsif ($?) {
+ my $code = $? >> 8;
+ die "xdvi: $command[0] terminated with exit code $code\n";
+ }
+ } elsif (defined $child) {
+ open STDOUT, ">&TEMP";
+ exec @command, $filename;
} else {
- system("bzip2 -d -c '$filename' > $tempfile");
- }
- if ($? >> 8 != 0) {
- $status = $? >> 8;
- unlink $tempfile;
- exit $status;
+ die "xdvi: fork: $!\n";
}
-
- system('xdvi.bin', @NAMEOPT, @ARGV, $tempfile);
- $status = $?;
- unlink $tempfile;
+ $status = system('xdvi.bin', @NAMEOPT, @ARGV, "/dev/fd/".fileno(TEMP));
} else {
- system('xdvi.bin', @NAMEOPT, @ARGV, $filename);
- $status = $?;
+ $status = system('xdvi.bin', @NAMEOPT, @ARGV, $filename);
}
} else {
- system('xdvi.bin', @NAMEOPT);
- $status = $?;
+ $status = system('xdvi.bin', @NAMEOPT);
}
-exit $status;
+if ($status & 255) {
+ die "xdvi: xdvi.bin terminated abnormally: $?\n";
+} else {
+ my $code = $? >> 8;
+ exit $code;
+}
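Review bot: In the child branch (`elsif (defined $child)`), neither `open STDOUT, ">&TEMP"` nor `exec @command, $filename` is checked, so if exec fails the child falls out of the if/elsif chain and carries on with the parent's code, ending in its own `system('xdvi.bin', ...)` on an empty temporary file. Both should be fatal in the child: `open STDOUT, ">&TEMP" or die "xdvi: cannot redirect stdout: $!\n";` and `exec @command, '--', $filename or die "xdvi: cannot exec $command[0]: $!\n";`. The `--` also keeps a file name beginning with `-` from being parsed as a gzip/bzip2 option. Separately, passing `"/dev/fd/".fileno(TEMP)` relies on that path reopening the file at offset 0. That holds on Linux, but where /dev/fd behaves like dup() the shared offset is presumably left at end-of-file by the child, so a `seek TEMP, 0, 0;` before the call would be a cheap safeguard.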
-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux proper 2.4.20 #1 Sun Dec 22 19:40:03 EST 2002 i686
Locale: LANG=C, LC_CTYPE=en_US
Versions of packages tetex-bin depends on:
ii debconf 1.2.21 Debian configuration management sy
ii debianutils 2.0.6 Miscellaneous utilities specific t
ii dpkg 1.10.9 Package maintenance system for Deb
ii ed 0.2-19 The classic unix line editor
ii libc6 2.3.1-8 GNU C Library: Shared libraries an
ii libkpathsea3 1.0.7+20021025-6 shared libkpathsea for teTeX
ii libpng12-0 1.2.5-8 PNG library - runtime
ii libwww0 5.4.0-5 The W3C WWW library
ii libxaw7 4.2.1-4 X Athena widget set library
ii perl-tk 1:800.024-1.1 Perl module providing the Tk graph
ii t1lib1 1.3.1-1 Type 1 font rasterizer library - r
ii tetex-base 1.0.2+20021025-3 basic teTeX library files
ii xlibs 4.2.1-4 X Window System client libraries
ii zlib1g 1:1.1.4-8 compression library - runtime
-- debconf information:
* tetex-bin/cnf_name:
* tetex-bin/userperm: false
* tetex-bin/groupname: users
* tetex-bin/groupperm: true
* tetex-bin/lsr-perms: true
--
Edit this signature at http://www.digitas.harvard.edu/cgi-bin/ken/sig
It is the army that finally makes a citizen of you; without it you still have a
chance, however slim, to remain a human being.
-- Joseph Brodsky, Less Than One