Bug#291373: marked as done (gs-gpl: Insecure usage of /tmp in auxiliary scripts)

To: Masayuki Hatta (mhatta) <mhatta@debian.org>
Subject: Bug#291373: marked as done (gs-gpl: Insecure usage of /tmp in auxiliary scripts)
From: owner@bugs.debian.org (Debian Bug Tracking System)
Date: Sat, 05 May 2007 01:09:03 +0000
Message-id: <handler.291373.D291373.117832720420515.ackdone@bugs.debian.org>
References:

Your message dated Sat, 05 May 2007 01:02:03 +0000
with message-id <E1Hk8ex-0004Iw-Jx@ries.debian.org>
and subject line Bug#291373: fixed in gs-gpl 8.56.dfsg.1-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---

To: submit@bugs.debian.org
Subject: gs-gpl: Insecure usage of /tmp in auxiliary scripts
From: Javier Fernández-Sanguino Peña <jfs@computer.org>
Date: Thu, 20 Jan 2005 12:18:49 +0100
Message-id: <20050120111848.GA6933@dat.etsit.upm.es>

Package: gs-gpl
Version: 8.01-5
Priority: minor
Tags: security patch

While doing a source code audit I've noticed a number of unsafe usage of
/tmp in some of gs-gpl's scripts. Some of they are used in distibution or
building of the package and one (ps2epsi) seems targeted at users, none of
them seem to be included in the Debian binary package which is built from
these sources. Ps2epsi, however seems to be distributed with gs-common.

As for ps2epsi, this was recently fixed in gs-common (see #278282 and 
CAN-2004-0967)

I believe this /tmp usage should be removed from the package altogether
since it might introduces security vulnerabilities in developer's build 
systems.

Attached is a proposed (untested) patch which tries to fix this issues. For 
the Tcl/tk code I've used the sample at http://wiki.tcl.tk/772, it seems 
that tcl does not provide a mktemp() implementation. Consider this patch as 
a sample, to be improved upon.

Hope this is useful, please forward it upstream.

Regards

Javier

diff -Nru gs-gpl-8.01.orig/lib/ps2epsi gs-gpl-8.01/lib/ps2epsi
--- gs-gpl-8.01.orig/lib/ps2epsi	2002-02-21 22:49:28.000000000 +0100
+++ gs-gpl-8.01/lib/ps2epsi	2005-01-20 09:09:31.000000000 +0100
@@ -1,7 +1,9 @@
 #!/bin/sh
 # $Id: ps2epsi,v 1.9 2002/02/21 21:49:28 giles Exp $
 
-tmpfile=/tmp/ps2epsi$$
+tmpfile=`mktemp -t ps2epsi.XXXXXX || tempfile --prefix=ps2epsi` || { echo "$0: Cannot create temporary file" >&2; exit 1; }
+trap "rm -f -- \"$tmpfile\";" 0 1 2 3 13 15
+
 
 export outfile
 
@@ -52,7 +54,6 @@
 	' U="$USERNAME$LOGNAME"  F=1 - F=2 "${infile}" >$tmpfile
 
 gs -q -dNOPAUSE -dSAFER -dDELAYSAFER -r72 -sDEVICE=bit -sOutputFile=/dev/null $tmpfile ps2epsi.ps $tmpfile <"${infile}" 1>&2
-rm -f $tmpfile
 
 (
 cat << BEGINEPS
diff -Nru gs-gpl-8.01.orig/toolbin/3way.tcl gs-gpl-8.01/toolbin/3way.tcl
--- gs-gpl-8.01.orig/toolbin/3way.tcl	2002-02-21 23:44:45.000000000 +0100
+++ gs-gpl-8.01/toolbin/3way.tcl	2005-01-20 09:20:34.000000000 +0100
@@ -25,7 +25,29 @@
 # produces a report for merging the olddir/branchdir changes into maindir.
 
 proc filesame {f1 f2} {
-    set t /tmp/t
+    # There is no Tcl builtin for temporary files
+    # This is taken from http://wiki.tcl.tk/772
+    switch $tcl_platform(platform) {
+	unix {
+		set tmpdir /tmp   # or even $::env(TMPDIR), at times.
+	} macintosh {
+		set tmpdir $::env(TRASH_FOLDER)  ;# a better place?
+	} default {
+		set tmpdir [pwd]
+			catch {set tmpdir $::env(TMP)}
+		catch {set tmpdir $::env(TEMP)}
+	}
+    }
+    set t [file join $tmpdir [pid]]
+    set access [list RDWR CREAT EXCL TRUNC]
+    set perm 0600
+    if {[catch {open $t $access $perm} fid ]} {
+        # something went wrong
+        error "Could not open tempfile."
+     }
+    if {[catch {close $t} err]} {
+         error "Failed closing temporary file: $err"
+    }
     if {![catch {exec diff $f1 $f2 > $t}]} {
 	return 1
     }
@@ -50,6 +72,9 @@
 	break
     }
     close $in
+    if {![catch {exec rm $t}]} {
+         error "Failed removing temporary file"
+    }
     return $same
 }
 
diff -Nru gs-gpl-8.01.orig/toolbin/gsindent gs-gpl-8.01/toolbin/gsindent
--- gs-gpl-8.01.orig/toolbin/gsindent	2002-02-21 23:44:45.000000000 +0100
+++ gs-gpl-8.01/toolbin/gsindent	2005-01-20 09:21:46.000000000 +0100
@@ -21,12 +21,13 @@
 # The perl invocations work around a bug in GNU indent.
 
 if [ $# -ne 0 ]; then
+    tempfile=`mktemp -t || tempfile` || { echo "$0: Cannot create temporary file" >&2; exit 1; }
     for f in $*
     do
-	$0 < $f > /tmp/$$
+	$0 < $f > $tempfile
 	cp -p $f $f.bak
 	if ( test ! -e $f~ ) then cp -p $f $f~; fi
-	mv /tmp/$$ $f
+	mv $tempfile $f
     done
     exit
 fi
diff -Nru gs-gpl-8.01.orig/toolbin/gssubst gs-gpl-8.01/toolbin/gssubst
--- gs-gpl-8.01.orig/toolbin/gssubst	2002-02-21 23:44:45.000000000 +0100
+++ gs-gpl-8.01/toolbin/gssubst	2005-01-20 09:24:18.000000000 +0100
@@ -35,7 +35,27 @@
 }
 puts "$from => $to"
 flush stdout
-set tmp /tmp/[pid]
+switch $tcl_platform(platform) {
+	unix {
+		set tmpdir /tmp   # or even $::env(TMPDIR), at times.
+	} macintosh {
+		set tmpdir $::env(TRASH_FOLDER)  ;# a better place?
+	} default {
+		set tmpdir [pwd]
+			catch {set tmpdir $::env(TMP)}
+		catch {set tmpdir $::env(TEMP)}
+	}
+}
+set tmp [file join $tmpdir [pid]]
+set access [list RDWR CREAT EXCL TRUNC]
+set perm 0600
+if {[catch {open $tmp $access $perm} fid ]} {
+# something went wrong
+	error "Could not open tempfile."
+}
+if {[catch {close $tmp} err]} {
+	error "Failed closing temporary file: $err"
+}
 foreach f [lreplace $argv 0 1] {
     if {![file exists $f~]} {exec cp -p $f $f~}
     exec perl -pe "s\{\\b${from}\\b\}\{${to}\}g" < $f > $tmp
diff -Nru gs-gpl-8.01.orig/toolbin/makeset.tcl gs-gpl-8.01/toolbin/makeset.tcl
--- gs-gpl-8.01.orig/toolbin/makeset.tcl	2002-08-07 01:24:47.000000000 +0200
+++ gs-gpl-8.01/toolbin/makeset.tcl	2005-01-20 09:37:42.000000000 +0100
@@ -157,7 +157,23 @@
     set ogfonts $cwd/gnu-gs-fonts-other-$Dot.tar.gz
 
     file delete $afonts $ofonts $agfonts $ogfonts
-    set tmp /tmp/[pid].tmp
+    switch $tcl_platform(platform) {
+        unix {
+                set tmpdir /tmp   # or even $::env(TMPDIR), at times.
+        } macintosh {
+                set tmpdir $::env(TRASH_FOLDER)  ;# a better place?
+        } default {
+                set tmpdir [pwd]
+                        catch {set tmpdir $::env(TMP)}
+                catch {set tmpdir $::env(TEMP)}
+        }
+    }
+    set tmp [file join $tmpdir [pid]]
+    exec umask 077
+    if {[catch {exec mkdir $tmp}]} {
+        # something went wrong
+        error "Could not create temporary dir."
+     }
 
     licensefonts $tmp annotURWAladdin -u
     sh -c "\
@@ -346,7 +362,15 @@
 proc makehist {} {
     global Dot
 
-    set tmpname /tmp/[pid].htm
+    set tmpname [file join $tmpdir [pid] htm]
+    set access [list RDWR CREAT EXCL TRUNC]
+    set perm 0600
+    if {[catch {open $tmpname $access $perm} fid ]} {
+	    error "Could not open tempfile."
+    }
+    if {[catch {close $tmpname} err]} {
+	    error "Failed closing temporary file: $err"
+    }
     set news [open doc/News.htm]
     set changes [open doc/Changes.htm]
     set inum [expr int($Dot)]
@@ -379,7 +403,15 @@
     set cwd [pwd]
     set atmp $cwd/gs${Num3}.zip
     set asetup gs${Num3}.bat
-    set tmp /tmp/[pid].tmp
+    set tmp [file join $tmpdir [pid] tmp]
+    set access [list RDWR CREAT EXCL TRUNC]
+    set perm 0600
+    if {[catch {open $tmp $access $perm} fid ]} {
+	    error "Could not open tempfile."
+    }
+    if {[catch {close $tmp} err]} {
+	    error "Failed closing temporary file: $err"
+    }
 
     file delete $atmp $asetup $Dir
     ln-s . $Dir
diff -Nru gs-gpl-8.01.orig/toolbin/many2pdf.tcl gs-gpl-8.01/toolbin/many2pdf.tcl
--- gs-gpl-8.01.orig/toolbin/many2pdf.tcl	2002-02-21 23:44:45.000000000 +0100
+++ gs-gpl-8.01/toolbin/many2pdf.tcl	2005-01-20 09:39:47.000000000 +0100
@@ -24,7 +24,24 @@
 # Define the file containing the list of input file names.
 set LIST_FILE_NAME /gs/show.lst
 # Define the directory where the output will be stored.
-set PDF_DIR /gs/tmp-pdf
+switch $tcl_platform(platform) {
+   unix {
+	   set tmpdir /tmp   # or even $::env(TMPDIR), at times.
+   } macintosh {
+	   set tmpdir $::env(TRASH_FOLDER)  ;# a better place?
+   } default {
+	   set tmpdir [pwd]
+	   catch {set tmpdir $::env(TMP)}
+	   catch {set tmpdir $::env(TEMP)}
+   }
+}
+set PDF_DIR [file join $tmpdir [pid]]
+set perm 0600
+exec umask 077
+if {[catch {exec mkdir $PDF_DIR} ]} {
+    # something went wrong
+    error "Could not create temporary directory."
+}
 
 proc maxwaitfor {filesize} {
     return [expr $filesize / 5000 + 30]
@@ -50,8 +67,22 @@
 	    puts "****** $ps FAILED, DOES NOT EXIST ******"
 	    continue
 	}
-	set script /tmp/${pid}.tcl
-	set status /tmp/${pid}.out
+	set script [file join $tmpdir [pid] .tcl ]
+	set status [file join $tmpdir [pid] .out ]
+	set access [list RDWR CREAT EXCL TRUNC]
+	set perm 0600
+	if {[catch {open $script $access $perm} fid ]} {
+		error "Could not open tempfile."
+	}
+	if {[catch {close $script} err]} {
+		error "Failed closing temporary file: $err"
+	}
+	if {[catch {open $status $access $perm} fid ]} {
+		error "Could not open tempfile."
+	}
+	if {[catch {close $status} err]} {
+		error "Failed closing temporary file: $err"
+	}
 	set tmp [open $script w]
 	puts $tmp "\
 	set tmp \[open $status w\]
diff -Nru gs-gpl-8.01.orig/toolbin/pre.tcl gs-gpl-8.01/toolbin/pre.tcl
--- gs-gpl-8.01.orig/toolbin/pre.tcl	2002-03-29 01:44:34.000000000 +0100
+++ gs-gpl-8.01/toolbin/pre.tcl	2005-01-20 09:34:32.000000000 +0100
@@ -183,12 +183,31 @@
 	lappend doclist $d
     }
 }
+switch $tcl_platform(platform) {
+     unix {
+         set tmpdir /tmp   # or even $::env(TMPDIR), at times.
+     } macintosh {
+         set tmpdir $::env(TRASH_FOLDER)  ;# a better place?
+     } default {
+         set tmpdir [pwd]
+         catch {set tmpdir $::env(TMP)}
+         catch {set tmpdir $::env(TEMP)}
+     }
+}
 
 if {$argv == {update}} {
 	# Update dates in .htm and .1 files.
     proc updoc {doc before after} {
-	set tmpfile /tmp/[pid]
-	catch {file delete $tmpfile}
+        set tmpfile [file join $tmpdir [pid]]
+        set access [list RDWR CREAT EXCL TRUNC]
+        set perm 0600
+        if {[catch {open $tempfile $access $perm} fid ]} {
+             # something went wrong
+             error "Could not open tempfile."
+        }
+        if {[catch {close $t} err]} {
+             error "Failed closing temporary file: $err"
+        }
 	exec perl -pwe "s{$before}{$after}" < $doc > $tmpfile
 	file rename -force $tmpfile $doc
     }

Attachment: signature.asc
Description: Digital signature

--- End Message ---

--- Begin Message ---

To: 291373-close@bugs.debian.org
Subject: Bug#291373: fixed in gs-gpl 8.56.dfsg.1-1
From: Masayuki Hatta (mhatta) <mhatta@debian.org>
Date: Sat, 05 May 2007 01:02:03 +0000
Message-id: <E1Hk8ex-0004Iw-Jx@ries.debian.org>

Source: gs-gpl
Source-Version: 8.56.dfsg.1-1

We believe that the bug you reported is fixed in the latest version of
gs-gpl, which is due to be installed in the Debian FTP archive:

gs-gpl_8.56.dfsg.1-1.diff.gz
  to pool/main/g/gs-gpl/gs-gpl_8.56.dfsg.1-1.diff.gz
gs-gpl_8.56.dfsg.1-1.dsc
  to pool/main/g/gs-gpl/gs-gpl_8.56.dfsg.1-1.dsc
gs-gpl_8.56.dfsg.1-1_i386.deb
  to pool/main/g/gs-gpl/gs-gpl_8.56.dfsg.1-1_i386.deb
gs-gpl_8.56.dfsg.1.orig.tar.gz
  to pool/main/g/gs-gpl/gs-gpl_8.56.dfsg.1.orig.tar.gz
gs_8.56.dfsg.1-1_all.deb
  to pool/main/g/gs-gpl/gs_8.56.dfsg.1-1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 291373@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Masayuki Hatta (mhatta) <mhatta@debian.org> (supplier of updated gs-gpl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 05 May 2007 00:58:39 +0900
Source: gs-gpl
Binary: gs-gpl gs
Architecture: source i386 all
Version: 8.56.dfsg.1-1
Distribution: unstable
Urgency: low
Maintainer: Masayuki Hatta (mhatta) <mhatta@debian.org>
Changed-By: Masayuki Hatta (mhatta) <mhatta@debian.org>
Description: 
 gs         - Transitional package
 gs-gpl     - The GPL Ghostscript PostScript interpreter
Closes: 291373 323534 401755 405049
Changes: 
 gs-gpl (8.56.dfsg.1-1) unstable; urgency=low
 .
   * New upstream release.
   * man/gs.1: Paths are adjusted to Debian - closes: #405049
   * man/gs.1: Fixed various typos - closes: #323534
   * Fixed insecure /tmp usage in toolbin scripts (CAN-2005-2352) - closes: #291373
   * Now opdfread.ps is installed - closes: #401755
Files: 
 1938cd82b818dfe8d0cd5da749226de2 819 text optional gs-gpl_8.56.dfsg.1-1.dsc
 f7c5fa2f4e5c2d9af4f652ea4f76009d 11235213 text optional gs-gpl_8.56.dfsg.1.orig.tar.gz
 a0b9b48e3e513fc6f8d9a793b8db674b 125836 text optional gs-gpl_8.56.dfsg.1-1.diff.gz
 0b0d34cd4b813ae86a6f0fd518e9d128 14348 text extra gs_8.56.dfsg.1-1_all.deb
 d59806bb1ffb2384f8fefb63b398db61 4980734 text optional gs-gpl_8.56.dfsg.1-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGO9Ryy2+jQOcHWlQRAuSkAJ4g0Bo6F0HaaAg2Yd2IzTPYHQRswACeOXhU
wcFNDL9/Y8he/xOFiDb+mcY=
=HeMC
-----END PGP SIGNATURE-----

--- End Message ---

Reply to:

Prev by Date: Accepted gs-gpl 8.56.dfsg.1-1 (source i386 all)
Next by Date: Bug#401755: marked as done (gs-gpl: ps2write is missing opdfread.ps)
Previous by thread: Accepted gs-gpl 8.56.dfsg.1-1 (source i386 all)
Next by thread: Bug#401755: marked as done (gs-gpl: ps2write is missing opdfread.ps)
Index(es):
- Date
- Thread