
Bug#358501: marked as done (unsafe temp file creation (CAN-2004-2265))



Your message dated Sun, 26 Mar 2006 16:22:35 +0200
with message-id <87wtehcml0.fsf@diziet.irb.hr>
and subject line Removed
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: uudeview
Version: 0.5.20-2
Severity: serious
Tags: security

CAN-2004-2265 is a security hole in uudeview, although you won't find
much useful info in the advisories associated with that CAN.

After downloading OpenPKG's fix from
ftp://ftp.openpkg.org/release/2.0/UPD/uudeview-0.5.19-2.0.1.src.rpm,
I was able to verify the problem:

  if ((stdfile = tempnam (NULL, "uu")) == NULL) {
    fprintf (stderr, "proc_stdin: cannot get temporary file\n");
    return 0;
  }

  if ((target = fopen (stdfile, "wb")) == NULL) {
    fprintf (stderr, "proc_stdin: cannot open temp file %s for writing: %s\n",
             stdfile, strerror (errno));
    _FP_free (stdfile);
    return 0;
  }

This is a race, exploitable when uudeview is run on standard input.
I'm attaching OpenPKG's entire patch for uudeview 0.5.19, since you might
find unrelated changes also of interest. The relevant fixes for this hole
are the changes involving tempnam and _FP_tempnam.

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.4.27
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages uudeview depends on:
ii  libc6                       2.3.2.ds1-22 GNU C Library: Shared libraries an

uudeview recommends no packages.

-- no debconf information

-- 
see shy jo
Patch to defeat uudeview "UNKNOWN" filenames.
Problem introduced with 0.5.19
Problem remains in 0.5.20

Index: uuscan.c
--- uulib/uuscan.c.orig	2004-03-12 11:47:13.000000000 +0100
+++ uulib/uuscan.c	2004-03-12 13:37:54.000000000 +0100
@@ -1604,20 +1604,23 @@
     }
 
     /* skip empty lines */
-    prevpos = ftell (datei);
+    {
+    long localprevpos;
+    localprevpos = ftell (datei);
     if (IsLineEmpty (line)) {
       while (!feof (datei)) {
 	if (_FP_fgets (line, 255, datei) == NULL)
 	  break;
 	if (UUBUSYPOLL(ftell(datei),progress.fsize)) SPCANCEL();
 	if (!IsLineEmpty (line)) {
-	  fseek (datei, prevpos, SEEK_SET);
+	  fseek (datei, localprevpos, SEEK_SET);
 	  line[255] = '\0';
 	  break;
 	}
-	prevpos = ftell (datei);
+	localprevpos = ftell (datei);
       }
     }
+    }
 
     /*
      * If we don't have all valid MIME headers yet, but the following
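Review bot: The new block introduces `localprevpos` without saying why the outer `prevpos` must no longer be advanced while blank lines are skipped, which is the whole point of the patch ("UNKNOWN" filenames, per the description) and cannot be deduced from the hunk; a one-line comment at the declaration would carry that, e.g. `long localprevpos = ftell (datei); /* leave prevpos alone: presumably the caller rewinds to it later */` (the presumption needs checking against the code that reads prevpos, which is outside the hunk). Declaring and initializing on one line, as quoted, also drops the separate `localprevpos = ftell (datei);` statement. ftell() returns -1L on failure and that value is passed straight to fseek() on the `fseek (datei, localprevpos, SEEK_SET)` line, as the original did with prevpos; a cheap `if (localprevpos < 0) break;` after the ftell() would avoid seeking to a bogus offset. The enclosing function begins and ends outside the hunk.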

mkstemp security enhancement. Similar to
FreeBSD http://www.freebsd.org/cgi/query-pr.cgi?pr=41508
SuSE uudeview-0.5.18-244.src.rpm

--- unix/uudeview.c
+++ unix/uudeview.c
@@ -434,7 +434,7 @@
     return 0;
   }
 
-  if ((stdfile = tempnam (NULL, "uu")) == NULL) {
+  if ((stdfile = _FP_tempnam (NULL, "uu")) == NULL) {
     fprintf (stderr, "proc_stdin: cannot get temporary file\n");
     return 0;
   }
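Review bot: Swapping tempnam() for _FP_tempnam() still leaves proc_stdin opening the returned path by name afterwards (the `fopen (stdfile, "wb")` quoted in the report), and the fptools.c hunk below shows _FP_tempnam() closes and unlinks the mkstemp() file before returning, so the window between name generation and open that CAN-2004-2265 describes is narrowed rather than closed. A caller is only safe if it uses the descriptor mkstemp() created, e.g. by having _FP_tempnam() hand it back and wrapping it with `target = fdopen (fd, "wb");`, or at minimum by opening the path with `open (stdfile, O_WRONLY | O_CREAT | O_EXCL, 0600)` and treating EEXIST as failure. The same by-name pattern appears in both uunconc.c hunks below (data->binfile and ntmp). proc_stdin's body continues outside the hunk.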

--- uulib/fptools.c
+++ uulib/fptools.c
@@ -507,5 +507,15 @@
 char * TOOLEXPORT
 _FP_tempnam (char *dir, char *pfx)
 {
-  return _FP_strdup (tmpnam (NULL));
+  int fd;
+  char fileName[100];
+
+  strncpy(fileName, pfx, 90);
+  strcat(fileName, "XXXXXX");
+  fd = mkstemp(fileName);
+  if (fd == -1)
+	return NULL;
+  close(fd);
+  unlink(fileName);
+  return _FP_strdup (fileName);
 }
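Review bot: `strncpy(fileName, pfx, 90)` does not NUL-terminate fileName when pfx is 90 bytes or longer, so the following strcat() appends after whatever bytes happen to follow in the 100-byte array; the `dir` parameter is also ignored, so the file is created relative to the current working directory rather than in the directory tempnam() would have chosen. Building the template with a bounded, checked format avoids both the termination gap and silent truncation of a long prefix: `if (snprintf (fileName, sizeof fileName, "%sXXXXXX", pfx) >= (int) sizeof fileName) return NULL;` in place of the strncpy/strcat pair, with `dir` (or P_tmpdir when dir is NULL) prepended if the old placement is to be kept. mkstemp(), close() and unlink() need <stdlib.h> and <unistd.h>; whether fptools.c already includes them is not visible in the hunk.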

--- uulib/uunconc.c
+++ uulib/uunconc.c
@@ -1264,7 +1264,7 @@
   else
     mode = "wb";	/* otherwise in binary          */
 
-  if ((data->binfile = tempnam (NULL, "uu")) == NULL) {
+  if ((data->binfile = _FP_tempnam (NULL, "uu")) == NULL) {
     UUMessage (uunconc_id, __LINE__, UUMSG_ERROR,
 	       uustring (S_NO_TEMP_NAME));
     return UURET_NOMEM;
@@ -1426,7 +1426,7 @@
    */
 
   if (data->uudet == BH_ENCODED && data->binfile) {
-    if ((ntmp = tempnam (NULL, "uu")) == NULL) {
+    if ((ntmp = _FP_tempnam (NULL, "uu")) == NULL) {
       UUMessage (uunconc_id, __LINE__, UUMSG_ERROR,
 		 uustring (S_NO_TEMP_NAME));
       progress.action = 0;

http://www.fpx.de/fp/Software/UUDeview/HISTORY.txt
    0.5.20 (01.03.2004)
    --------
    - fix bug in parsing of header lines [uuscan.c@@155]
    - fix fgets to accept lines that are exactly of the maximum length [uunconc.c, uuscan.c]
    - fix two buffer overflows [uuscan.c@@391, fptools.c]

diff --unified=3 uudeview-0.5.19/uulib/fptools.c uudeview-0.5.20/uulib/fptools.c
--- uulib/fptools.c 1.7 2003-04-13 17:41:55.000000000 +0200
+++ uulib/fptools.c 1.8 2004-02-24 01:05:32.000000000 +0100
@@ -444,7 +444,7 @@
   if (feof (stream))
     return NULL;
 
-  while (--n) {
+  while (--n && !feof (stream)) {
     if ((c = fgetc (stream)) == EOF) {
       if (ferror (stream))
 	return NULL;
@@ -478,11 +478,28 @@
      */
     *buf++ = c;
   }
+
   /*
    * n-1 characters already transferred
    */
+
   *buf = '\0';
 
+  /*
+   * If a line break is coming up, read it
+   */
+
+  if (!feof (stream)) {
+    if ((c = fgetc (stream)) == '\015' && !feof (stream)) {
+      if ((c = fgetc (stream)) != '\012' && !feof (stream)) {
+	ungetc (c, stream);
+      }
+    }
+    else if (c != '\012' && !feof (stream)) {
+      ungetc (c, stream);
+    }
+  }
+
   return obp;
 }
 
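Review bot: The new line-terminator block has no comment stating which sequences it consumes, and the nested feof() tests make that hard to read: it swallows LF, CR, or CR LF and pushes any other byte back. A short comment above `if (!feof (stream)) {` would help, e.g. `/* Consume one line terminator (LF, CR or CRLF); any other byte is pushed back so the next call starts on it. */`. On a read error fgetc() returns EOF with feof() false, so control reaches `ungetc (c, stream)` with c == EOF; that is a defined no-op, but the error goes unreported here whereas the loop above returns NULL on ferror() — presumably acceptable because the buffer is already terminated, worth confirming. _FP_fgets's signature and the declaration of c are outside the hunk.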
diff --unified=3 uudeview-0.5.19/uulib/uunconc.c uudeview-0.5.20/uulib/uunconc.c
--- uulib/uunconc.c 1.36 2003-09-30 01:17:35.000000000 +0200
+++ uulib/uunconc.c 1.38 2004-03-01 23:52:27.000000000 +0100
@@ -1004,7 +1004,7 @@
   while (!feof (datain) && *state != DONE && 
 	 (ftell(datain)<maxpos || flags&FL_TOEND || maxpos==-1 ||
 	  (!(flags&FL_PROPER) && uu_fast_scanning))) {
-    if (_FP_fgets (line, 299, datain) == NULL)
+    if (_FP_fgets (line, 255, datain) == NULL)
       break;
 
     if (ferror (datain)) {
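Review bot: The buffer length is still a bare literal — 255 here, in the two following hunks (`line[255] = '\0'` and the second _FP_fgets call) and in the uuscan.c hunks below (`length < 255`, `_FP_fgets (line, 255, datei)`, `line[255] = '\0'`) — and a literal drifting away from the array size is presumably how 299 survived this long. If `line` is a local array, `_FP_fgets (line, sizeof line - 1, datain)` and `line[sizeof line - 1] = '\0'` tie the bound to the declaration; if it is a pointer, a named constant shared with its allocation does the same. The declaration of `line` and the enclosing loop begin outside the hunk, so the actual array size is not visible here.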
@@ -1046,7 +1046,7 @@
      * try to make sense of data
      */
 
-    line[299] = '\0'; /* For Safety of string functions */
+    line[255] = '\0'; /* For Safety of string functions */
     count     =  0;
 
     if (boundary && line[0]=='-' && line[1]=='-' &&
@@ -1113,7 +1113,7 @@
 	}
 
 	if (_FP_strstr (line, " part=") != NULL) {
-	  if (_FP_fgets (line, 299, datain) == NULL) {
+	  if (_FP_fgets (line, 255, datain) == NULL) {
 	    break;
 	  }
 
diff --unified=3 uudeview-0.5.19/uulib/uuscan.c uudeview-0.5.20/uulib/uuscan.c
--- uulib/uuscan.c 1.43 2003-07-06 20:29:35.000000000 +0200
+++ uulib/uuscan.c 1.46 2004-03-01 23:52:27.000000000 +0100
@@ -155,7 +155,7 @@
 {
   if (data == NULL) return 0;
   if (*data == ':') return 0;
-  while (*data && isalnum (*data)) data++;
+  while (*data && (isalnum (*data) || *data=='-')) data++;
   return (*data == ':') ? 1 : 0;
 }
 
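Review bot: `isalnum (*data)` is passed a plain `char` on the new line as on the old one; if the parameter is `char *` (the signature starts outside the hunk), a byte above 0x7F is negative where char is signed and the <ctype.h> call is undefined behavior, and header lines from arbitrary input can contain such bytes. Cast first: `while (*data && (isalnum ((unsigned char) *data) || *data=='-')) data++;`. The `-` extension itself is appropriate for MIME field names such as Content-Type.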
@@ -391,8 +391,10 @@
 	   *attribute != '\\' &&*attribute != '"' &&
 	   *attribute != '/' && /* *attribute != '[' &&
 	   *attribute != ']' && */ *attribute != '?' &&
-	   *attribute != '=' && length < 255)
+	   *attribute != '=' && length < 255) {
       *ptr++ = *attribute++;
+      length++;
+    }
 
     *ptr = '\0';
   }
@@ -629,12 +631,12 @@
 
   while (!feof (datei)) {
     oldposition = ftell (datei);
-    if (_FP_fgets (line, 299, datei) == NULL)
+    if (_FP_fgets (line, 255, datei) == NULL)
       break;
     if (ferror (datei))
       break;
 
-    line[299] = '\0'; /* For Safety of string functions */
+    line[255] = '\0'; /* For Safety of string functions */
 
     /*
      * Make Busy Polls



--- End Message ---
--- Begin Message ---
goldedplus (to which this vulnerability also applies) has been removed
from Debian.  For details, please see <http://bugs.debian.org/334743>.

--- End Message ---
