
Bug#279680: , 278278: CAN-2004-0968 security issue with glibc



Hi Martin, Security team,

At Thu, 25 Nov 2004 09:01:15 +0100,
Martin Pitt wrote:
> GOTO Masanori [2004-11-25 11:16 +0900]:
> > Martin, I reviewed your patch.  It seems nice, but I have the
> > following question:
> > 
> >   * Looking at the trap line, SIGQUIT is removed.  I think we should add
> >     "QUIT" to the trap line.
> > 
> > 	-trap 'rm -f $TEMP $TEMPx; exit 1' 1 2 3 13 15
> > 	+trap 'rm -f "$TEMP" "$TEMPx"; exit 1' HUP INT PIPE TERM
> 
> Right, this was simply an oversight. Sorry for that.

Thanks for checking; I've included "QUIT" in the patch.

I've prepared the proposed patch for glibc 2.2.5-11.5 (woody) to fix
CAN-2004-0968 (#279680):

	http://www.srvf.org/~gotom/debian/glibc/2.2.5-11.6_CAN-2004-0968/

This directory contains the proposed build .debs, build log, and the
patch (diff for 2.2.5-11.5).

Security team, please check it out and hopefully pick it up.

Regards,
-- gotom


diff -Nuar glibc-2.2.5-11.5/debian/changelog glibc-2.2.5-11.6/debian/changelog
--- glibc-2.2.5-11.5/debian/changelog	2004-11-25 10:33:59.000000000 +0900
+++ glibc-2.2.5-11.6/debian/changelog	2004-11-25 10:37:13.000000000 +0900
@@ -1,3 +1,13 @@
+glibc (2.2.5-11.6) stable-security; urgency=high
+
+  * Added patch to fix catchsegv insecure temporary file creation.
+    (CAN-2004-0968)
+  * Added patch to fix glibcbug to use mktemp properly, quote all $TEMP
+    and $TEMPx variables (in case the path contains spaces).
+    Patched by Martin Pitt <mpitt@debian.org>.
+
+ -- GOTO Masanori <gotom@debian.org>  Thu, 25 Nov 2004 10:36:58 +0900
+
 glibc (2.2.5-11.5) stable-security; urgency=high
 
   * Non-maintainer upload by the Security Team
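Review bot: neither changelog item closes a bug, so the BTS will not learn about this upload by itself; append `(Closes: #278278, #279680)`, the two reports named in the subject and in the dpatch headers, to the items they belong to. The catchsegv item should also say what the fix is (mktemp instead of `basename "$prog"`.segv.$$ in the current directory), since "Added patch to fix" gives whoever writes the advisory nothing to quote.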
diff -Nuar glibc-2.2.5-11.5/debian/patches/0list glibc-2.2.5-11.6/debian/patches/0list
--- glibc-2.2.5-11.5/debian/patches/0list	2004-11-25 10:33:59.000000000 +0900
+++ glibc-2.2.5-11.6/debian/patches/0list	2004-11-25 14:25:01.000000000 +0900
@@ -41,3 +41,5 @@
 resolv-nss_dns
 glibc-xdr-malloc-security
 xdr_mem_security
+catchsegv-insecure-temp
+glibcbug-insecure-temp
diff -Nuar glibc-2.2.5-11.5/debian/patches/catchsegv-insecure-temp.dpatch glibc-2.2.5-11.6/debian/patches/catchsegv-insecure-temp.dpatch
--- glibc-2.2.5-11.5/debian/patches/catchsegv-insecure-temp.dpatch	1970-01-01 09:00:00.000000000 +0900
+++ glibc-2.2.5-11.6/debian/patches/catchsegv-insecure-temp.dpatch	2004-11-25 11:03:21.000000000 +0900
@@ -0,0 +1,59 @@
+#! /bin/sh -e
+
+# All lines beginning with `# DP:' are a description of the patch.
+# DP: Description: Fix insecure temporary file creation in catchsegv.sh
+# DP:		   (CAN-2004-0968)
+# DP: Related bugs: #278278
+# DP: Dpatch author: GOTO Masanori <gotom@debian.org>
+# DP: Patch author: 
+# DP: Upstream status: In CVS
+# DP: Status Details: 
+# DP: Date: 2004-11-25
+
+PATCHLEVEL=0
+
+if [ $# -ne 2 ]; then
+    echo >&2 "`basename $0`: script expects -patch|-unpatch as argument"
+    exit 1
+fi
+case "$1" in
+    -patch) patch -d "$2" -f --no-backup-if-mismatch -p$PATCHLEVEL < $0;;
+    -unpatch) patch -d "$2" -f --no-backup-if-mismatch -R -p$PATCHLEVEL < $0;;
+    *)
+	echo >&2 "`basename $0`: script expects -patch|-unpatch as argument"
+	exit 1
+esac
+exit 0
+
+# append the patch here and adjust the -p? flag in the patch calls.
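Review bot: `# DP: Patch author:` and `# DP: Status Details:` are left blank although `Upstream status: In CVS` says the change already exists upstream; fill in who wrote it and which CVS commit or date it corresponds to, so the backport can be checked against upstream later.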
+--- debug/catchsegv.sh.orig	2001-07-10 09:52:43.000000000 +0900
++++ debug/catchsegv.sh	2004-11-25 10:41:53.000000000 +0900
+@@ -49,9 +49,7 @@
+   esac
+ fi
+ 
+-segv_output=`basename "$prog"`.segv.$$
+-# Make sure this output file does not exist.
+-rm -f "$segv_output"
++segv_output=`mktemp ${TMPDIR:-/tmp}/segv_output.XXXXXX` || exit
+ 
+ # Redirect stderr to avoid termination message from shell.
+ (exec 3>&2 2>/dev/null
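Review bot: `${TMPDIR:-/tmp}` on the mktemp line is unquoted, so a TMPDIR containing whitespace is word-split before mktemp runs; use `mktemp "${TMPDIR:-/tmp}/segv_output.XXXXXX"`. The bare `|| exit` only works because the failed substitution leaves mktemp's status in `$?`; `|| exit 1` states the intent. The output file also moves from the current directory to TMPDIR, which is the point (the old predictable `.segv.$$` name plus `rm -f` was the hole), but it deserves a line in the changelog.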
+@@ -64,7 +62,7 @@
+ # Check for output.  Even if the program terminated correctly it might
+ # be that a minor process (clone) failed.  Therefore we do not check the
+ # exit code.
+-if test -f "$segv_output"; then
++if test -s "$segv_output"; then
+   # The program caught a signal.  The output is in the file with the
+   # name we have in SEGFAULT_OUTPUT_NAME.  In the output the names of
+   # functions in shared objects are available, but names in the static
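Review bot: the `-f` to `-s` change is mandatory, because after mktemp the file always exists and `-f` would make every run look like a caught signal, but nothing in the code records that; extend the comment above the test with the reason ("the file always exists now; only a non-empty one means a signal was caught"), otherwise the next reader may restore `-f` as a harmless-looking cleanup.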
+@@ -100,7 +98,7 @@
+            ;;
+      esac
+    done)
+-   rm -f "$segv_output"
+ fi
++rm -f "$segv_output"
+ 
+ exit $exval
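Review bot: `rm -f "$segv_output"` runs only if the script reaches its last lines; there is no trap, so an interrupted run (Ctrl-C reaches the shell as well as the traced program) leaves the 0600 file in TMPDIR. Put `trap 'rm -f "$segv_output"' EXIT` right after the mktemp line, as the glibcbug patch does; once the trap exists this `rm -f` can stay as a belt-and-braces copy or go.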
diff -Nuar glibc-2.2.5-11.5/debian/patches/glibcbug-insecure-temp.dpatch glibc-2.2.5-11.6/debian/patches/glibcbug-insecure-temp.dpatch
--- glibc-2.2.5-11.5/debian/patches/glibcbug-insecure-temp.dpatch	1970-01-01 09:00:00.000000000 +0900
+++ glibc-2.2.5-11.6/debian/patches/glibcbug-insecure-temp.dpatch	2004-11-25 14:24:48.000000000 +0900
@@ -0,0 +1,159 @@
+#! /bin/sh -e
+
+# All lines beginning with `# DP:' are a description of the patch.
+# DP: Description: fix insecure temporary file handling in glibcbug, quote all
+# DP: $TEMP and $TEMPX variables
+# DP: Related bugs: #278278
+# DP: Upstream status: CVS removed glibcbug, thus not vulnerable
+
+if [ $# -ne 2 ]; then
+    echo >&2 "`basename $0`: script expects -patch|-unpatch as argument"
+    exit 1
+fi
+case "$1" in
+    -patch) patch -d "$2" -f --no-backup-if-mismatch -p0 < $0;;
+    -unpatch) patch -d "$2" -f --no-backup-if-mismatch -R -p0 < $0;;
+    *)
+	echo >&2 "`basename $0`: script expects -patch|-unpatch as argument"
+	exit 1
+esac
+exit 0
+
+# append the patch here and adjust the -p? flag in the patch calls.
+--- glibcbug.in.orig	2004-11-25 14:19:07.000000000 +0900
++++ glibcbug.in	2004-11-25 14:23:51.000000000 +0900
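Review bot: this header has no `# DP: Dpatch author:`, `# DP: Patch author:` or `# DP: Date:` line, unlike the sibling dpatch; the changelog credits Martin Pitt, so record that here as well. `-p0` is hard-coded in both patch invocations where the other file goes through a `PATCHLEVEL` variable; pick one style for both files.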
+@@ -23,18 +23,14 @@
+ BUILD_STATIC_NSS="@static_nss@"
+ STDIO="@stdio@"
+ 
+-TEMP=`mktemp -q ${TMPDIR-/tmp}/glibcbugXXXXXX 2>/dev/null`
+-if test $? -ne 0; then
+-  TEMP={$TMPDIR-/tmp}/glibcbug.$$
+-  echo > $TEMP
+-  chmod 600 $TEMP
+-fi
+-TEMPx=`mktemp -q ${TMPDIR-/tmp}/glibcbugXXXXXX 2>/dev/null`
+-if test $? -ne 0; then
+-  TEMPx=${TMPDIR-/tmp}/glibcbug.$$.x
+-  echo > $TEMPx
+-  chmod 600 $TEMPx
+-fi
++TEMP="`mktemp -t glibcbugXXXXXXXXXX`" || exit 1
++TEMPx="`mktemp -t glibcbugXXXXXXXXXX`" || {
++  rm -f "$TEMP"
++  exit 1
++}
++
++trap 'rm -f "$TEMP" "$TEMPx"; exit 1' HUP INT QUIT PIPE TERM
++trap 'rm -f "$TEMP" "$TEMPx"' EXIT
+ 
+ BUGGLIBC="glibc-bug-reports-${RELEASE}@gnu.org"
+ BUGADDR=${1-$BUGGLIBC}
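Review bot: the traps are installed after both mktemp calls, so a HUP/INT/QUIT/PIPE/TERM arriving between the first mktemp and the `trap` line leaves `$TEMP` behind. Install both traps before the first mktemp, written so an unset name is skipped, e.g. `trap 'rm -f ${TEMP:+"$TEMP"} ${TEMPx:+"$TEMPx"}' EXIT`; the `rm -f "$TEMP"` in the second failure branch is then unnecessary. Dropping the `echo > $TEMP; chmod 600` fallback makes mktemp a hard dependency, which is the right call (the fallback used a predictable `.$$` name and the first branch even mistypes `{$TMPDIR-/tmp}`), but say so in the changelog. `-t` is what preserves the old `${TMPDIR-/tmp}` placement, and the template grew from 6 to 10 X's; both fine.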
+@@ -43,10 +39,6 @@
+ 
+ : ${USER=${LOGNAME-`whoami`}}
+ 
+-trap 'rm -f $TEMP $TEMPx; exit 1' 1 2 3 13 15
+-trap 'rm -f $TEMP $TEMPx' 0
+-
+-
+ # How to read the passwd database.
+ PASSWD="cat /etc/passwd"
+ 
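Review bot: nothing to change here; the removed numeric list `1 2 3 13 15` is HUP INT QUIT PIPE TERM, so the symbolic trap moved up in the previous hunk covers the same signals, QUIT included, which settles the point raised in the mail.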
+@@ -73,8 +65,8 @@
+ else
+   # Must use temp file due to incompatibilities in quoting behavior
+   # and to protect shell metacharacters in the expansion of $LOGNAME
+-  $PASSWD | grep "^$LOGNAME:" | awk -F: '{print $5}' | sed -e 's/,.*//' > $TEMP
+-  ORIGINATOR="`cat $TEMP`"
++  $PASSWD | grep "^$LOGNAME:" | awk -F: '{print $5}' | sed -e 's/,.*//' > "$TEMP"
++  ORIGINATOR="`cat "$TEMP"`"
+ fi
+ 
+ if [ -n "$ORGANIZATION" ]; then
+@@ -126,7 +118,7 @@
+ FIX_C='<how to correct or work around the problem, if known (multiple lines)>'
+ 
+ 
+-cat > $TEMP <<EOF
++cat > "$TEMP" <<EOF
+ SEND-PR: -*- send-pr -*-
+ SEND-PR: Lines starting with \`SEND-PR' will be removed automatically, as
+ SEND-PR: will all comments (text enclosed in \`<' and \`>').
+@@ -175,12 +167,12 @@
+ 	$FIX_C
+ EOF
+ 
+-chmod u+w $TEMP
+-cp $TEMP $TEMPx
++chmod u+w "$TEMP"
++cp "$TEMP" "$TEMPx"
+ 
+-eval $EDIT $TEMP
++eval $EDIT "$TEMP"
+ 
+-if cmp -s $TEMP $TEMPx; then
++if cmp -s "$TEMP" "$TEMPx"; then
+ 	echo "File not changed, no bug report submitted."
+ 	exit 1
+ fi
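Review bot: `eval $EDIT "$TEMP"` still breaks on a path with a space: the double quotes are consumed when the shell builds eval's argument list, and eval then re-parses `vi /tmp/my dir/glibcbugXXXX` into two operands. Pass the quotes through literally, `eval "$EDIT" '"$TEMP"'` (or `eval $EDIT \"\$TEMP\"`), here and in the `e*)` branch further down. `chmod u+w "$TEMP"` is a no-op on a 0600 mktemp file but harmless.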
+@@ -209,7 +201,7 @@
+   # 1) Severity
+   #
+   PATTERN=">Severity:"
+-  SEVERITY=`eval sed -n -e "\"$SED_CMD\"" $TEMP`
++  SEVERITY=`eval sed -n -e "\"$SED_CMD\"" "$TEMP"`
+   case "$SEVERITY" in
+     ""|non-critical|serious|critical) CNT=`expr $CNT + 1` ;;
+     *)  echo "$COMMAND: \`$SEVERITY' is not a valid value for \`Severity'."
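Review bot: same eval re-parsing as with `$EDIT`: by the time `eval sed -n -e "\"$SED_CMD\"" "$TEMP"` runs, the quotes around `$TEMP` are gone and a path with a space is split again, so the quoting added on this line changes nothing. Write the operand as `'"$TEMP"'` so eval expands it itself, the way `\"$SED_CMD\"` already defers the pattern; the same applies to the Priority and Class hunks below.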
+@@ -218,7 +210,7 @@
+   # 2) Priority
+   #
+   PATTERN=">Priority:"
+-  PRIORITY=`eval sed -n -e "\"$SED_CMD\"" $TEMP`
++  PRIORITY=`eval sed -n -e "\"$SED_CMD\"" "$TEMP"`
+   case "$PRIORITY" in
+     ""|low|medium|high) CNT=`expr $CNT + 1` ;;
+     *)  echo "$COMMAND: \`$PRIORITY' is not a valid value for \`Priority'."
+@@ -227,7 +219,7 @@
+   # 3) Class
+   #
+   PATTERN=">Class:"
+-  CLASS=`eval sed -n -e "\"$SED_CMD\"" $TEMP`
++  CLASS=`eval sed -n -e "\"$SED_CMD\"" "$TEMP"`
+   case "$CLASS" in
+     ""|sw-bug|doc-bug|change-request|support) CNT=`expr $CNT + 1` ;;
+     *)  echo "$COMMAND: \`$CLASS' is not a valid value for \`Class'."
+@@ -242,11 +234,11 @@
+     case "$input" in
+       a*)
+ 	echo "$COMMAND: problem report saved in $HOME/dead.glibcbug."
+-	cat $TEMP >> $HOME/dead.glibcbug
++	cat "$TEMP" >> $HOME/dead.glibcbug
+         xs=1; exit
+         ;;
+       e*)
+-        eval $EDIT $TEMP
++        eval $EDIT "$TEMP"
+         continue 2
+         ;;
+       s*)
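Review bot: `$HOME/dead.glibcbug` stays unquoted on the `cat` line (and in the echo above it) while `"$TEMP"` is now quoted; given that this patch exists to cope with paths containing spaces, quote `"$HOME/dead.glibcbug"` as well. The `eval $EDIT "$TEMP"` in the `e*)` branch has the same re-parsing problem as the first editor call.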
+@@ -273,15 +265,15 @@
+ /^>Description:/,/^>[A-Za-z-]*:/s;$DESCRIPTION_C;;
+ /^>How-To-Repeat:/,/^>[A-Za-z-]*:/s;$HOW_TO_REPEAT_C;;
+ /^>Fix:/,/^>[A-Za-z-]*:/s;$FIX_C;;
+-" $TEMP > $TEMPx
++" "$TEMP" > "$TEMPx"
+ 
+-if $MAIL_AGENT < $TEMPx; then
++if $MAIL_AGENT < "$TEMPx"; then
+   echo "$COMMAND: problem report sent"
+   xs=0; exit
+ else
+   echo "$COMMAND: mysterious mail failure, report not sent."
+   echo "$COMMAND: problem report saved in $HOME/dead.glibcbug."
+-  cat $TEMP >> $HOME/dead.glibcbug
++  cat "$TEMP" >> $HOME/dead.glibcbug
+ fi
+ 
+ exit 0
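Review bot: `cat "$TEMP" >> $HOME/dead.glibcbug` in the mail-failure branch leaves `$HOME` unquoted, as in the `a*)` branch earlier; quote it for consistency. The `>` redirect into `"$TEMPx"` keeps the 0600 mode mktemp gave the file, so the sed stage itself is fine.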


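The temp-file handling the two patches above converge on (mktemp for every name, traps for cleanup, every expansion quoted), as an added example that is not part of gotom's mail or of the glibc patch, written as POSIX sh functions so each piece can be exercised on its own. The names make_tmp, with_tmpfiles, caught_signal, count_args, edit_unsafe and edit_safe are invented for this example. It goes beyond the patch in two places: the traps are installed before the first mktemp rather than after both, and the last two functions show why `eval $EDIT "$TEMP"` still splits a path containing a space while `eval "$EDIT" '"$TEMP"'` does not.

```shell
#!/bin/sh
# Added example, not part of the glibc patch or of the mail above: the
# temp-file pattern glibcbug and catchsegv converge on, as reusable POSIX sh
# functions.  Every name below (make_tmp, with_tmpfiles, caught_signal,
# count_args, edit_unsafe, edit_safe) is invented for this example.

# Atomically create a private (mode 0600) file under $TMPDIR and print its
# path.  Quoting the expansion keeps a TMPDIR containing spaces in one word.
make_tmp() {
    mktemp "${TMPDIR:-/tmp}/$1.XXXXXX"
}

# Run "$@" with two temp files exported as TEMP and TEMPx, removing both on
# normal exit and on HUP/INT/QUIT/PIPE/TERM.  The subshell body keeps the
# traps and the variables local to this call.
with_tmpfiles() (
    TEMP= TEMPx=
    # Skip names that are still unset, so the traps can be installed *before*
    # the first mktemp: a signal between the two mktemp calls then cannot
    # leave the first file behind (the glibcbug hunk installs them after).
    cleanup() {
        for f in "$TEMP" "$TEMPx"; do
            if [ -n "$f" ]; then rm -f "$f"; fi
        done
    }
    trap 'cleanup; exit 1' HUP INT QUIT PIPE TERM
    trap cleanup EXIT
    TEMP=$(make_tmp glibcbug) || exit 1
    TEMPx=$(make_tmp glibcbug) || exit 1
    export TEMP TEMPx
    "$@"
)

# mktemp always creates the file, so "test -f" can no longer mean "the traced
# program wrote a crash report"; only a non-empty file does (the -f to -s
# change in the catchsegv hunk).
caught_signal() {
    test -s "$1"
}

# Stand-in for $EDIT that just reports how many operands it received.
count_args() {
    echo $#
}

# The glibcbug form.  The shell strips the double quotes around $1 while
# building eval's argument list; eval then re-parses the joined string, so a
# path containing a space reaches the editor as two operands.
edit_unsafe() {
    EDIT=count_args
    eval $EDIT "$1"
}

# Passing the quotes literally (inside single quotes) defers the expansion of
# $1 to eval, which then sees one quoted word.  $EDIT is still re-parsed, so
# an editor command carrying options keeps working.
edit_safe() {
    EDIT=count_args
    eval "$EDIT" '"$1"'
}
```

Running something under it looks like `with_tmpfiles sh -c 'cat /dev/null > "$TEMP"; cmp -s "$TEMP" "$TEMPx"'`; both files are gone when it returns, whether the command succeeded, failed or was interrupted, and a TMPDIR such as `/tmp/with space` is handled because every expansion of the two names is quoted.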
