Bug#279680: , 278278: CAN-2004-0968 security issue with glibc
Hi Martin, Security team,
At Thu, 25 Nov 2004 09:01:15 +0100,
Martin Pitt wrote:
> GOTO Masanori [2004-11-25 11:16 +0900]:
> > Martin, I reviewed your patch. It seems nice, but I have the
> > following question:
> >
> > * Looking at the trap line, SIGQUIT has been dropped. I think we should add
> > "QUIT" to the trap line.
> >
> > -trap 'rm -f $TEMP $TEMPx; exit 1' 1 2 3 13 15
> > +trap 'rm -f "$TEMP" "$TEMPx"; exit 1' HUP INT PIPE TERM
>
> Right, this was simply an oversight. Sorry for that.
Thanks for checking; I have included "QUIT" in the patch.
I've prepared the proposed patch for glibc 2.2.5-11.5 (woody) to fix
CAN-2004-0968 (#279680):
http://www.srvf.org/~gotom/debian/glibc/2.2.5-11.6_CAN-2004-0968/
This directory contains the proposed build .debs, the build log, and the
patch (a diff against 2.2.5-11.5).
Security team, please check it out and hopefully pick it up.
Regards,
-- gotom
diff -Nuar glibc-2.2.5-11.5/debian/changelog glibc-2.2.5-11.6/debian/changelog
--- glibc-2.2.5-11.5/debian/changelog 2004-11-25 10:33:59.000000000 +0900
+++ glibc-2.2.5-11.6/debian/changelog 2004-11-25 10:37:13.000000000 +0900
@@ -1,3 +1,13 @@
+glibc (2.2.5-11.6) stable-security; urgency=high
+
+ * Added patch to fix catchsegv insecure temporary file creation.
+ (CAN-2004-0968)
+ * Added patch to fix glibcbug to use mktemp properly, quote all $TEMP
+ and $TEMPx variables (in case the path contains spaces).
+ Patched by Martin Pitt <mpitt@debian.org>.
+
+ -- GOTO Masanori <gotom@debian.org> Thu, 25 Nov 2004 10:36:58 +0900
+
glibc (2.2.5-11.5) stable-security; urgency=high
* Non-maintainer upload by the Security Team
diff -Nuar glibc-2.2.5-11.5/debian/patches/0list glibc-2.2.5-11.6/debian/patches/0list
--- glibc-2.2.5-11.5/debian/patches/0list 2004-11-25 10:33:59.000000000 +0900
+++ glibc-2.2.5-11.6/debian/patches/0list 2004-11-25 14:25:01.000000000 +0900
@@ -41,3 +41,5 @@
resolv-nss_dns
glibc-xdr-malloc-security
xdr_mem_security
+catchsegv-insecure-temp
+glibcbug-insecure-temp
diff -Nuar glibc-2.2.5-11.5/debian/patches/catchsegv-insecure-temp.dpatch glibc-2.2.5-11.6/debian/patches/catchsegv-insecure-temp.dpatch
--- glibc-2.2.5-11.5/debian/patches/catchsegv-insecure-temp.dpatch 1970-01-01 09:00:00.000000000 +0900
+++ glibc-2.2.5-11.6/debian/patches/catchsegv-insecure-temp.dpatch 2004-11-25 11:03:21.000000000 +0900
@@ -0,0 +1,59 @@
+#! /bin/sh -e
+
+# All lines beginning with `# DP:' are a description of the patch.
+# DP: Description: Fix insecure temporary file creation in catchsegv.sh
+# DP: (CAN-2004-0968)
+# DP: Related bugs: #278278
+# DP: Dpatch author: GOTO Masanori <gotom@debian.org>
+# DP: Patch author:
+# DP: Upstream status: In CVS
+# DP: Status Details:
+# DP: Date: 2004-11-25
+
+PATCHLEVEL=0
+
+if [ $# -ne 2 ]; then
+ echo >&2 "`basename $0`: script expects -patch|-unpatch as argument"
+ exit 1
+fi
+case "$1" in
+ -patch) patch -d "$2" -f --no-backup-if-mismatch -p$PATCHLEVEL < $0;;
+ -unpatch) patch -d "$2" -f --no-backup-if-mismatch -R -p$PATCHLEVEL < $0;;
+ *)
+ echo >&2 "`basename $0`: script expects -patch|-unpatch as argument"
+ exit 1
+esac
+exit 0
+
+# append the patch here and adjust the -p? flag in the patch calls.
+--- debug/catchsegv.sh.orig 2001-07-10 09:52:43.000000000 +0900
++++ debug/catchsegv.sh 2004-11-25 10:41:53.000000000 +0900
+@@ -49,9 +49,7 @@
+ esac
+ fi
+
+-segv_output=`basename "$prog"`.segv.$$
+-# Make sure this output file does not exist.
+-rm -f "$segv_output"
++segv_output=`mktemp ${TMPDIR:-/tmp}/segv_output.XXXXXX` || exit
+
+ # Redirect stderr to avoid termination message from shell.
+ (exec 3>&2 2>/dev/null
+@@ -64,7 +62,7 @@
+ # Check for output. Even if the program terminated correctly it might
+ # be that a minor process (clone) failed. Therefore we do not check the
+ # exit code.
+-if test -f "$segv_output"; then
++if test -s "$segv_output"; then
+ # The program caught a signal. The output is in the file with the
+ # name we have in SEGFAULT_OUTPUT_NAME. In the output the names of
+ # functions in shared objects are available, but names in the static
+@@ -100,7 +98,7 @@
+ ;;
+ esac
+ done)
+- rm -f "$segv_output"
+ fi
++rm -f "$segv_output"
+
+ exit $exval
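Review bot: The mktemp template on the `segv_output=` line leaves `${TMPDIR:-/tmp}` unquoted, so a TMPDIR containing whitespace is word-split into several mktemp arguments and the temporary file lands somewhere other than intended; `segv_output=`mktemp "${TMPDIR:-/tmp}/segv_output.XXXXXX"` || exit` keeps the path as one word. Nothing removes that file if catchsegv is interrupted between mktemp and the final `rm -f "$segv_output"`, since catchsegv.sh installs no trap, so a `trap 'rm -f "$segv_output"; exit 1' HUP INT QUIT PIPE TERM` directly after the mktemp line would mirror the cleanup the glibcbug patch below adds. The `-f` to `-s` change on the test line looks necessary rather than incidental, because mktemp now pre-creates the file, and a short comment saying so (`# mktemp creates the file, so test for content rather than existence`) would spare the next reader the question. The surrounding catchsegv.sh code (the `exec 3>&2` subshell and the `done)` loop) lies outside the quoted hunks.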
diff -Nuar glibc-2.2.5-11.5/debian/patches/glibcbug-insecure-temp.dpatch glibc-2.2.5-11.6/debian/patches/glibcbug-insecure-temp.dpatch
--- glibc-2.2.5-11.5/debian/patches/glibcbug-insecure-temp.dpatch 1970-01-01 09:00:00.000000000 +0900
+++ glibc-2.2.5-11.6/debian/patches/glibcbug-insecure-temp.dpatch 2004-11-25 14:24:48.000000000 +0900
@@ -0,0 +1,159 @@
+#! /bin/sh -e
+
+# All lines beginning with `# DP:' are a description of the patch.
+# DP: Description: fix insecure temporary file handling in glibcbug, quote all
+# DP: $TEMP and $TEMPX variables
+# DP: Related bugs: #278278
+# DP: Upstream status: CVS removed glibcbug, thus not vulnerable
+
+if [ $# -ne 2 ]; then
+ echo >&2 "`basename $0`: script expects -patch|-unpatch as argument"
+ exit 1
+fi
+case "$1" in
+ -patch) patch -d "$2" -f --no-backup-if-mismatch -p0 < $0;;
+ -unpatch) patch -d "$2" -f --no-backup-if-mismatch -R -p0 < $0;;
+ *)
+ echo >&2 "`basename $0`: script expects -patch|-unpatch as argument"
+ exit 1
+esac
+exit 0
+
+# append the patch here and adjust the -p? flag in the patch calls.
+--- glibcbug.in.orig 2004-11-25 14:19:07.000000000 +0900
++++ glibcbug.in 2004-11-25 14:23:51.000000000 +0900
+@@ -23,18 +23,14 @@
+ BUILD_STATIC_NSS="@static_nss@"
+ STDIO="@stdio@"
+
+-TEMP=`mktemp -q ${TMPDIR-/tmp}/glibcbugXXXXXX 2>/dev/null`
+-if test $? -ne 0; then
+- TEMP={$TMPDIR-/tmp}/glibcbug.$$
+- echo > $TEMP
+- chmod 600 $TEMP
+-fi
+-TEMPx=`mktemp -q ${TMPDIR-/tmp}/glibcbugXXXXXX 2>/dev/null`
+-if test $? -ne 0; then
+- TEMPx=${TMPDIR-/tmp}/glibcbug.$$.x
+- echo > $TEMPx
+- chmod 600 $TEMPx
+-fi
++TEMP="`mktemp -t glibcbugXXXXXXXXXX`" || exit 1
++TEMPx="`mktemp -t glibcbugXXXXXXXXXX`" || {
++ rm -f "$TEMP"
++ exit 1
++}
++
++trap 'rm -f "$TEMP" "$TEMPx"; exit 1' HUP INT QUIT PIPE TERM
++trap 'rm -f "$TEMP" "$TEMPx"' EXIT
+
+ BUGGLIBC="glibc-bug-reports-${RELEASE}@gnu.org"
+ BUGADDR=${1-$BUGGLIBC}
+@@ -43,10 +39,6 @@
+
+ : ${USER=${LOGNAME-`whoami`}}
+
+-trap 'rm -f $TEMP $TEMPx; exit 1' 1 2 3 13 15
+-trap 'rm -f $TEMP $TEMPx' 0
+-
+-
+ # How to read the passwd database.
+ PASSWD="cat /etc/passwd"
+
+@@ -73,8 +65,8 @@
+ else
+ # Must use temp file due to incompatibilities in quoting behavior
+ # and to protect shell metacharacters in the expansion of $LOGNAME
+- $PASSWD | grep "^$LOGNAME:" | awk -F: '{print $5}' | sed -e 's/,.*//' > $TEMP
+- ORIGINATOR="`cat $TEMP`"
++ $PASSWD | grep "^$LOGNAME:" | awk -F: '{print $5}' | sed -e 's/,.*//' > "$TEMP"
++ ORIGINATOR="`cat "$TEMP"`"
+ fi
+
+ if [ -n "$ORGANIZATION" ]; then
+@@ -126,7 +118,7 @@
+ FIX_C='<how to correct or work around the problem, if known (multiple lines)>'
+
+
+-cat > $TEMP <<EOF
++cat > "$TEMP" <<EOF
+ SEND-PR: -*- send-pr -*-
+ SEND-PR: Lines starting with \`SEND-PR' will be removed automatically, as
+ SEND-PR: will all comments (text enclosed in \`<' and \`>').
+@@ -175,12 +167,12 @@
+ $FIX_C
+ EOF
+
+-chmod u+w $TEMP
+-cp $TEMP $TEMPx
++chmod u+w "$TEMP"
++cp "$TEMP" "$TEMPx"
+
+-eval $EDIT $TEMP
++eval $EDIT "$TEMP"
+
+-if cmp -s $TEMP $TEMPx; then
++if cmp -s "$TEMP" "$TEMPx"; then
+ echo "File not changed, no bug report submitted."
+ exit 1
+ fi
+@@ -209,7 +201,7 @@
+ # 1) Severity
+ #
+ PATTERN=">Severity:"
+- SEVERITY=`eval sed -n -e "\"$SED_CMD\"" $TEMP`
++ SEVERITY=`eval sed -n -e "\"$SED_CMD\"" "$TEMP"`
+ case "$SEVERITY" in
+ ""|non-critical|serious|critical) CNT=`expr $CNT + 1` ;;
+ *) echo "$COMMAND: \`$SEVERITY' is not a valid value for \`Severity'."
+@@ -218,7 +210,7 @@
+ # 2) Priority
+ #
+ PATTERN=">Priority:"
+- PRIORITY=`eval sed -n -e "\"$SED_CMD\"" $TEMP`
++ PRIORITY=`eval sed -n -e "\"$SED_CMD\"" "$TEMP"`
+ case "$PRIORITY" in
+ ""|low|medium|high) CNT=`expr $CNT + 1` ;;
+ *) echo "$COMMAND: \`$PRIORITY' is not a valid value for \`Priority'."
+@@ -227,7 +219,7 @@
+ # 3) Class
+ #
+ PATTERN=">Class:"
+- CLASS=`eval sed -n -e "\"$SED_CMD\"" $TEMP`
++ CLASS=`eval sed -n -e "\"$SED_CMD\"" "$TEMP"`
+ case "$CLASS" in
+ ""|sw-bug|doc-bug|change-request|support) CNT=`expr $CNT + 1` ;;
+ *) echo "$COMMAND: \`$CLASS' is not a valid value for \`Class'."
+@@ -242,11 +234,11 @@
+ case "$input" in
+ a*)
+ echo "$COMMAND: problem report saved in $HOME/dead.glibcbug."
+- cat $TEMP >> $HOME/dead.glibcbug
++ cat "$TEMP" >> $HOME/dead.glibcbug
+ xs=1; exit
+ ;;
+ e*)
+- eval $EDIT $TEMP
++ eval $EDIT "$TEMP"
+ continue 2
+ ;;
+ s*)
+@@ -273,15 +265,15 @@
+ /^>Description:/,/^>[A-Za-z-]*:/s;$DESCRIPTION_C;;
+ /^>How-To-Repeat:/,/^>[A-Za-z-]*:/s;$HOW_TO_REPEAT_C;;
+ /^>Fix:/,/^>[A-Za-z-]*:/s;$FIX_C;;
+-" $TEMP > $TEMPx
++" "$TEMP" > "$TEMPx"
+
+-if $MAIL_AGENT < $TEMPx; then
++if $MAIL_AGENT < "$TEMPx"; then
+ echo "$COMMAND: problem report sent"
+ xs=0; exit
+ else
+ echo "$COMMAND: mysterious mail failure, report not sent."
+ echo "$COMMAND: problem report saved in $HOME/dead.glibcbug."
+- cat $TEMP >> $HOME/dead.glibcbug
++ cat "$TEMP" >> $HOME/dead.glibcbug
+ fi
+
+ exit 0
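Review bot: The added quotes on `eval $EDIT "$TEMP"` (both occurrences) and on the three `eval sed -n -e ... "$TEMP"` lines for Severity, Priority and Class do not survive eval: the shell removes them while building eval's argument and then re-parses the joined string, so a temp path with whitespace is still word-split, which is the very case the changelog says this patch addresses. Passing the quotes through literally, `eval $EDIT '"$TEMP"'` and `'"$TEMP"'` in place of `"$TEMP"` on the three sed lines, keeps the path as one word. Separately, the HUP/INT/QUIT/PIPE/TERM and EXIT traps are only installed after both mktemp calls, so an interrupt between the first `mktemp -t` and the trap lines leaves `$TEMP` behind; moving the two trap lines above the first mktemp closes that window, provided `rm -f` with the still-empty names is harmless on the target shell and rm (worth confirming). The glibcbug.in code between the quoted hunks is outside this view.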