Bug#298533: marked as done (kdelibs4-dev: Unsafe use of temporary file in dcopidlng script )
Your message dated Sun, 13 Mar 2005 18:17:51 -0500
with message-id <E1DAcLH-0004VB-00@newraff.debian.org>
and subject line Bug#298533: fixed in kdelibs 4:3.3.2-4
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 8 Mar 2005 10:04:41 +0000
>From jfs@dat.etsit.upm.es Tue Mar 08 02:04:41 2005
Return-path: <jfs@dat.etsit.upm.es>
Received: from tornado.dat.etsit.upm.es (dat.etsit.upm.es) [138.100.17.73]
by spohr.debian.org with smtp (Exim 3.35 1 (Debian))
id 1D8bZv-0004iI-00; Tue, 08 Mar 2005 02:04:40 -0800
Received: (qmail 29985 invoked by uid 1013); 8 Mar 2005 10:04:38 -0000
Date: Tue, 8 Mar 2005 11:04:38 +0100
From: Javier =?iso-8859-1?Q?Fern=E1ndez-Sanguino_Pe=F1a?= <jfs@computer.org>
To: submit@bugs.debian.org
Subject: kdelibs4-dev: Unsafe use of temporary file in dcopidlng script
Message-ID: <[🔎] 20050308100438.GA28237@dat.etsit.upm.es>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature"; boundary="o0ZfoUVt4BxPQnbU"
Content-Disposition: inline
User-Agent: Mutt/1.5.6+20040907i
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-3.0 required=4.0 tests=BAYES_00 autolearn=no
version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:
--o0ZfoUVt4BxPQnbU
Content-Type: multipart/mixed; boundary="5p8PegU4iirBW1oA"
Content-Disposition: inline
--5p8PegU4iirBW1oA
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
Package: kdelibs4-dev
Version: 4:3.3.2-2
Priority: normal
Tags: patch security
Reviewing the Gentoo advisory GLSA 200503-14 [0] which refers to
CAN-2005-0365 I've checked out to see if our dcopidlng script was
vulnerable to the symlink attack found by Davide Madrisan even though it=20
does not use /tmp (that's why I'm setting this bug as 'normal' severity=20
instead of as 'important')
It seems ours (see version above) is not because the temporary file is=20
created in the local directory (instead of in /tmp) directly, however, the=
=20
creation does provide a way for a race condition.
I think the attached patch is a better fix for this issue than the one=20
provided by Gentoo [1]. There are several bugs in Gentoo's fix:
1- The file is removed twice (once in the trap and once at the end of the=
=20
fix)
2- Leaving temporary files in the home directory might not be good. Mktemp=
=20
-t is better since users can set their TMPDIR environment variable to point=
=20
to "/home/user/tmp" if they want to, but users without a home directory=20
(think chroot) will work in any case (failsback to /tmp)
3- The temporafy file is still being create in an unsafe way (but in a safe=
=20
directory), mktemp does this better
So, please use the attached patch (and maybe forward it upstream) for a=20
next release.
Regards
Javier
[0] http://www.gentoo.org/security/en/glsa/glsa-200503-14.xml
[1] http://bugs.gentoo.org/attachment.cgi?id=3D51120&action=3Dview
--5p8PegU4iirBW1oA
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="dcopidlng.diff"
Content-Transfer-Encoding: quoted-printable
--- dcopidlng.orig 2005-03-08 10:49:43.000000000 +0100
+++ dcopidlng 2005-03-08 10:51:08.000000000 +0100
@@ -1,15 +1,16 @@
#!/bin/sh
=20
-trap "rm -f dcopidlng.stderr.$$"
+tmpfile=3D`mktemp -t dcopidlng.XXXXXX` || { echo "$0: Cannot create tempor=
ary file" >&2; exit 1; }
+trap " [ -f \"$tmpfile\" ] && /bin/rm -f -- \"$tmpfile\"" 0 1 2 3 13 15
=20
if test -z "$KDECONFIG"; then
KDECONFIG=3Dkde-config
fi
LIBDIR=3D"`$KDECONFIG --install data --expandvars`/dcopidlng"
-perl -I"$LIBDIR" "$LIBDIR/kalyptus" --allow_k_dcop_accessors -f dcopidl $1=
2> dcopidlng.stderr.$$
+perl -I"$LIBDIR" "$LIBDIR/kalyptus" --allow_k_dcop_accessors -f dcopidl $1=
2> $tmpfile
RET=3D$?
if [ $RET -ne 0 ]
then
- cat dcopidlng.stderr.$$ >&2
+ cat $tmpfile >&2
fi
exit $RET
--5p8PegU4iirBW1oA--
--o0ZfoUVt4BxPQnbU
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
iD8DBQFCLXi1i4sehJTrj0oRAuU2AKCg9nFi0jxbVdkAsUr8qxCsDXz5jwCgsLU8
svMOa5JecV6n6eaKW5Io+qE=
=jwn0
-----END PGP SIGNATURE-----
--o0ZfoUVt4BxPQnbU--
---------------------------------------
Received: (at 298533-close) by bugs.debian.org; 13 Mar 2005 23:23:23 +0000
>From katie@ftp-master.debian.org Sun Mar 13 15:23:23 2005
Return-path: <katie@ftp-master.debian.org>
Received: from newraff.debian.org [208.185.25.31] (mail)
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1DAcQc-0005Bg-00; Sun, 13 Mar 2005 15:23:22 -0800
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
id 1DAcLH-0004VB-00; Sun, 13 Mar 2005 18:17:51 -0500
From: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
To: 298533-close@bugs.debian.org
X-Katie: $Revision: 1.55 $
Subject: Bug#298533: fixed in kdelibs 4:3.3.2-4
Message-Id: <E1DAcLH-0004VB-00@newraff.debian.org>
Sender: Archive Administrator <katie@ftp-master.debian.org>
Date: Sun, 13 Mar 2005 18:17:51 -0500
Delivered-To: 298533-close@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER
autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:
X-CrossAssassin-Score: 3
Source: kdelibs
Source-Version: 4:3.3.2-4
We believe that the bug you reported is fixed in the latest version of
kdelibs, which is due to be installed in the Debian FTP archive:
kdelibs-bin_3.3.2-4_powerpc.deb
to pool/main/k/kdelibs/kdelibs-bin_3.3.2-4_powerpc.deb
kdelibs-data_3.3.2-4_all.deb
to pool/main/k/kdelibs/kdelibs-data_3.3.2-4_all.deb
kdelibs4-dev_3.3.2-4_powerpc.deb
to pool/main/k/kdelibs/kdelibs4-dev_3.3.2-4_powerpc.deb
kdelibs4-doc_3.3.2-4_all.deb
to pool/main/k/kdelibs/kdelibs4-doc_3.3.2-4_all.deb
kdelibs4_3.3.2-4_powerpc.deb
to pool/main/k/kdelibs/kdelibs4_3.3.2-4_powerpc.deb
kdelibs_3.3.2-4.diff.gz
to pool/main/k/kdelibs/kdelibs_3.3.2-4.diff.gz
kdelibs_3.3.2-4.dsc
to pool/main/k/kdelibs/kdelibs_3.3.2-4.dsc
kdelibs_3.3.2-4_all.deb
to pool/main/k/kdelibs/kdelibs_3.3.2-4_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 298533@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org> (supplier of updated kdelibs package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sat, 12 Mar 2005 18:02:54 +0100
Source: kdelibs
Binary: kdelibs4 kdelibs-bin kdelibs kdelibs4-doc kdelibs-data kdelibs4-dev
Architecture: source powerpc all
Version: 4:3.3.2-4
Distribution: unstable
Urgency: low
Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Description:
kdelibs - KDE core libraries metapackage
kdelibs-bin - KDE core binaries
kdelibs-data - KDE core shared data
kdelibs4 - KDE core libraries
kdelibs4-dev - KDE core libraries (development files)
kdelibs4-doc - KDE core library documentation
Closes: 296240 298308 298533 298615
Changes:
kdelibs (4:3.3.2-4) unstable; urgency=low
.
* Improve the fix for CAN-2005-0365 ("insecure temporary file
creation") with a patch provided by Javier Fernández-Sanguino Peña:
now mktemp is used, previously the temporary file was still created
in an unsafe way, although in a safe directory. (Closes: #298533)
.
* KDE_3_3_BRANCH update, with several improvements for the IDN situation:
- matches SSL certificates based on the punycode version of the hostname.
- some TLDs are whitelisted and IDN domains will be resolved for them.
These are, by default: at, ch, cn, de, dk, kr, jp, li, no, se, tw.
The KDE_USE_IDN environment variable can be set to a colon-separated
list of TLDs to override this default, so if empty IDN will be disabled.
.
* Backport small patch from KDE 3.4 to prevent kate from printing lots of
assertion failures to stderr when editing a long line. (Closes: #298308)
.
* Backport small patch from KDE 3.4 to make KSpell search for dictionaries
in /usr/lib/aspell-0.6, which is now used by Aspell. (Closes: #296240)
.
* As OpenOffice.org 1.1.3 will enter testing together with this version of
kdelibs, re-add to kdelibs-data the template .desktop files removed in
3.3.2-1. Replace openoffice.org-mimelnk (<< 1.1.3), but don't conflict.
.
* This upload will get built with a non-broken gcc version in mipsel,
and thus closes: #298615.
Files:
bdf19d95b59cfc08a266b91f79646296 1302 libs optional kdelibs_3.3.2-4.dsc
1cf68c00a7b7d61ca558c34de9cf0ca1 458802 libs optional kdelibs_3.3.2-4.diff.gz
13e7367a4d1e8fafbb896f2e06f1ce15 894852 libs optional kdelibs-bin_3.3.2-4_powerpc.deb
8dafb784bd5c45f1d6b7b73273895ccb 7911796 libs optional kdelibs4_3.3.2-4_powerpc.deb
e7bb87b4312c8462876c6b3bdb2d98d4 1233894 libdevel optional kdelibs4-dev_3.3.2-4_powerpc.deb
01c8b86fbea7d37d0a1dd6c6c0e87dbc 19434 kde optional kdelibs_3.3.2-4_all.deb
43870e72465373b23e04924abc48b7ac 7086730 libs optional kdelibs-data_3.3.2-4_all.deb
35c9334552e7ebf450c92e64da06046b 11572596 doc optional kdelibs4-doc_3.3.2-4_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
Comment: Signed by Isaac Clerencia <isaac@warp.es>
iD8DBQFCNLtrQET2GFTmct4RApaMAJ9yj6lL3VhKyMJuQrsDIqDQZOWQiACcCGjn
pRDpoH729gofH9ktDj/0gSE=
=7htN
-----END PGP SIGNATURE-----
Reply to: