
Bug#298533: kdelibs4-dev: Unsafe use of temporary file in dcopidlng script



Package: kdelibs4-dev
Version: 4:3.3.2-2
Priority: normal
Tags: patch security

Reviewing the Gentoo advisory GLSA 200503-14 [0], which refers to
CAN-2005-0365, I've checked to see if our dcopidlng script was
vulnerable to the symlink attack found by Davide Madrisan, even though it
does not use /tmp (that's why I'm setting this bug as 'normal' severity
instead of as 'important').

It seems ours (see version above) is not, because the temporary file is
created in the local directory (instead of in /tmp) directly; however, the
creation does provide a way for a race condition.

I think the attached patch is a better fix for this issue than the one 
provided by Gentoo [1]. There are several bugs in Gentoo's fix:

1- The file is removed twice (once in the trap and once at the end of the
fix)
2- Leaving temporary files in the home directory might not be good. mktemp
-t is better since users can set their TMPDIR environment variable to point
to "/home/user/tmp" if they want to, but users without a home directory
(think chroot) will work in any case (falls back to /tmp)
3- The temporary file is still being created in an unsafe way (but in a safe
directory), mktemp does this better

So, please use the attached patch (and maybe forward it upstream) for a 
next release.

Regards

Javier


[0] http://www.gentoo.org/security/en/glsa/glsa-200503-14.xml
[1] http://bugs.gentoo.org/attachment.cgi?id=51120&action=view
--- dcopidlng.orig	2005-03-08 10:49:43.000000000 +0100
+++ dcopidlng	2005-03-08 10:51:08.000000000 +0100
@@ -1,15 +1,16 @@
 #!/bin/sh
 
-trap "rm -f dcopidlng.stderr.$$"
+tmpfile=`mktemp -t dcopidlng.XXXXXX` || { echo "$0: Cannot create temporary file" >&2; exit 1;  }
+trap " [ -f \"$tmpfile\" ] && /bin/rm -f -- \"$tmpfile\"" 0 1 2 3 13 15
 
 if test -z "$KDECONFIG"; then
     KDECONFIG=kde-config
 fi
 LIBDIR="`$KDECONFIG --install data --expandvars`/dcopidlng"
-perl -I"$LIBDIR" "$LIBDIR/kalyptus" --allow_k_dcop_accessors -f dcopidl $1 2> dcopidlng.stderr.$$
+perl -I"$LIBDIR" "$LIBDIR/kalyptus" --allow_k_dcop_accessors -f dcopidl $1 2> $tmpfile
 RET=$?
 if [ $RET -ne 0 ]
 then
-   cat dcopidlng.stderr.$$ >&2
+   cat $tmpfile >&2
 fi
 exit $RET
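
Review bot: `$tmpfile` is expanded unquoted in `2> $tmpfile` and in `cat $tmpfile`, while the trap line does quote it. Because `mktemp -t` takes its directory from TMPDIR, a TMPDIR containing whitespace leaves the `cat` argument word-split (and some shells reject the redirect as ambiguous), so the captured stderr is lost; write `2> "$tmpfile"` and `cat "$tmpfile" >&2`. A second point on the trap line: the handler for signals 1 2 3 13 15 removes the file but does not exit, so after a signal the script carries on to `RET=$?` and may `cat` a file that is already gone. Consider keeping the removal on the 0 trap and having the signal traps just exit, which then runs the cleanup once.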
