
Bug#298533: marked as done (kdelibs4-dev: Unsafe use of temporary file in dcopidlng script)

Your message dated Sun, 13 Mar 2005 18:17:51 -0500
with message-id <E1DAcLH-0004VB-00@newraff.debian.org>
and subject line Bug#298533: fixed in kdelibs 4:3.3.2-4
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

Received: (at submit) by bugs.debian.org; 8 Mar 2005 10:04:41 +0000
From jfs@dat.etsit.upm.es Tue Mar 08 02:04:41 2005
Return-path: <jfs@dat.etsit.upm.es>
Received: from tornado.dat.etsit.upm.es (dat.etsit.upm.es) [] 
	by spohr.debian.org with smtp (Exim 3.35 1 (Debian))
	id 1D8bZv-0004iI-00; Tue, 08 Mar 2005 02:04:40 -0800
Received: (qmail 29985 invoked by uid 1013); 8 Mar 2005 10:04:38 -0000
Date: Tue, 8 Mar 2005 11:04:38 +0100
From: Javier =?iso-8859-1?Q?Fern=E1ndez-Sanguino_Pe=F1a?= <jfs@computer.org>
To: submit@bugs.debian.org
Subject: kdelibs4-dev: Unsafe use of temporary file in dcopidlng script 
Message-ID: <20050308100438.GA28237@dat.etsit.upm.es>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="o0ZfoUVt4BxPQnbU"
Content-Disposition: inline
User-Agent: Mutt/1.5.6+20040907i
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-3.0 required=4.0 tests=BAYES_00 autolearn=no 


Package: kdelibs4-dev
Version: 4:3.3.2-2
Priority: normal
Tags: patch security

Reviewing the Gentoo advisory GLSA 200503-14 [0], which refers to
CAN-2005-0365, I've checked out to see if our dcopidlng script was
vulnerable to the symlink attack found by Davide Madrisan even though it
does not use /tmp (that's why I'm setting this bug as 'normal' severity
instead of as 'important').

It seems ours (see version above) is not, because the temporary file is
created in the local directory (instead of in /tmp) directly; however, the
creation does provide a way for a race condition.

I think the attached patch is a better fix for this issue than the one
provided by Gentoo [1]. There are several bugs in Gentoo's fix:

1- The file is removed twice (once in the trap and once at the end of the
2- Leaving temporary files in the home directory might not be good. mktemp
-t is better since users can set their TMPDIR environment variable to point
to "/home/user/tmp" if they want to, but users without a home directory
(think chroot) will work in any case (falls back to /tmp)
3- The temporary file is still being created in an unsafe way (but in a safe
directory); mktemp does this better

So, please use the attached patch (and maybe forward it upstream) for a
next release.

[0] http://www.gentoo.org/security/en/glsa/glsa-200503-14.xml
[1] http://bugs.gentoo.org/attachment.cgi?id=51120&action=view

Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="dcopidlng.diff"
Content-Transfer-Encoding: quoted-printable

--- dcopidlng.orig	2005-03-08 10:49:43.000000000 +0100
+++ dcopidlng	2005-03-08 10:51:08.000000000 +0100
@@ -1,15 +1,16 @@
-trap "rm -f dcopidlng.stderr.$$"
+tmpfile=3D`mktemp -t dcopidlng.XXXXXX` || { echo "$0: Cannot create tempor=
ary file" >&2; exit 1;  }
+trap " [ -f \"$tmpfile\" ] && /bin/rm -f -- \"$tmpfile\"" 0 1 2 3 13 15
 if test -z "$KDECONFIG"; then
 LIBDIR=3D"`$KDECONFIG --install data --expandvars`/dcopidlng"
-perl -I"$LIBDIR" "$LIBDIR/kalyptus" --allow_k_dcop_accessors -f dcopidl $1=
 2> dcopidlng.stderr.$$
+perl -I"$LIBDIR" "$LIBDIR/kalyptus" --allow_k_dcop_accessors -f dcopidl $1=
 2> $tmpfile
 if [ $RET -ne 0 ]
-   cat dcopidlng.stderr.$$ >&2
+   cat $tmpfile >&2
 exit $RET
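Review bot: `$tmpfile` is left unquoted in the two new lines `2> $tmpfile` and `cat $tmpfile >&2`; since `mktemp -t` honours `$TMPDIR`, which the report explicitly expects users to point at a directory of their choosing, a path containing whitespace would be word-split there, so write `2> "$tmpfile"` and `cat -- "$tmpfile" >&2`, matching the quoting the new trap line already uses. Separately, the signal traps (1 2 3 13 15) remove the file but never `exit`, so on SIGINT or SIGTERM the shell cleans up and then resumes after the interrupted command instead of terminating; the usual shape is a cleanup-only trap on 0 plus `trap 'rm -f -- "$tmpfile"; exit 1' 1 2 3 13 15`. The `[ -f ... ] &&` guard in the combined trap is fine as written, and `mktemp` with a template plus the `|| { ...; exit 1; }` does close the race the report describes, because the file is created atomically with O_EXCL rather than by a predictable-name redirection.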


Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

Version: GnuPG v1.2.5 (GNU/Linux)


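The pattern the report argues for, written out as an added example (this is not the dcopidlng script and not Javier's patch): a small POSIX sh helper that creates a stderr-capture file with `mktemp -t`, checks what it got back, keeps the path quoted, and cleans up on both normal exit and signals. The function names and the commands run through it are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the bug report or from kdelibs.
# Demonstrates safe temporary-file handling for a "capture stderr,
# replay it only on failure" helper, the job dcopidlng's temp file does.

# Create the temp file with mktemp -t: the name is unpredictable, the file is
# created atomically (O_EXCL, mode 0600) and $TMPDIR is honoured with a
# fallback to /tmp, so a pre-planted symlink is never followed and there is
# no window between choosing a name and opening it. (Function name assumed.)
make_tmpfile() {
    f=$(mktemp -t dcopidlng.XXXXXX) || {
        echo "$0: cannot create temporary file" >&2
        return 1
    }
    # Defensive check: what we got back must be a regular file, not a link.
    [ -f "$f" ] && [ ! -L "$f" ] || return 1
    printf '%s\n' "$f"
}

# Run "$@" with its stderr captured; replay the captured stderr only if the
# command fails, then remove the file. Returns the command's exit status.
# "$tmpfile" is always quoted: TMPDIR may legitimately contain spaces.
run_capturing_stderr() {
    tmpfile=$(make_tmpfile) || return 1
    # Normal exit: just remove the file (guard avoids a second rm error).
    trap '[ -f "$tmpfile" ] && rm -f -- "$tmpfile"' 0
    # Signals: remove the file AND exit, otherwise the shell would resume
    # after the interrupted command as if nothing had happened.
    trap '[ -f "$tmpfile" ] && rm -f -- "$tmpfile"; exit 1' 1 2 3 13 15
    ret=0
    "$@" 2>"$tmpfile" || ret=$?
    if [ "$ret" -ne 0 ]; then
        cat -- "$tmpfile" >&2
    fi
    rm -f -- "$tmpfile"
    trap - 0 1 2 3 13 15
    return "$ret"
}

# Usage: run_capturing_stderr <command> [args...]
```

The helper deliberately does nothing the patch does not already do conceptually; the differences are the quoting of the path, the `exit` in the signal traps, and the explicit regular-file check after `mktemp`, which is cheap insurance against a broken or unexpected `mktemp` implementation.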

Received: (at 298533-close) by bugs.debian.org; 13 Mar 2005 23:23:23 +0000
From katie@ftp-master.debian.org Sun Mar 13 15:23:23 2005
Return-path: <katie@ftp-master.debian.org>
Received: from newraff.debian.org [] (mail)
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1DAcQc-0005Bg-00; Sun, 13 Mar 2005 15:23:22 -0800
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
	id 1DAcLH-0004VB-00; Sun, 13 Mar 2005 18:17:51 -0500
From: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
To: 298533-close@bugs.debian.org
X-Katie: $Revision: 1.55 $
Subject: Bug#298533: fixed in kdelibs 4:3.3.2-4
Message-Id: <E1DAcLH-0004VB-00@newraff.debian.org>
Sender: Archive Administrator <katie@ftp-master.debian.org>
Date: Sun, 13 Mar 2005 18:17:51 -0500
Delivered-To: 298533-close@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-CrossAssassin-Score: 3

Source: kdelibs
Source-Version: 4:3.3.2-4

We believe that the bug you reported is fixed in the latest version of
kdelibs, which is due to be installed in the Debian FTP archive:

  to pool/main/k/kdelibs/kdelibs-bin_3.3.2-4_powerpc.deb
  to pool/main/k/kdelibs/kdelibs-data_3.3.2-4_all.deb
  to pool/main/k/kdelibs/kdelibs4-dev_3.3.2-4_powerpc.deb
  to pool/main/k/kdelibs/kdelibs4-doc_3.3.2-4_all.deb
  to pool/main/k/kdelibs/kdelibs4_3.3.2-4_powerpc.deb
  to pool/main/k/kdelibs/kdelibs_3.3.2-4.diff.gz
  to pool/main/k/kdelibs/kdelibs_3.3.2-4.dsc
  to pool/main/k/kdelibs/kdelibs_3.3.2-4_all.deb

A summary of the changes between this version and the previous one is

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 298533@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org> (supplier of updated kdelibs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)

Hash: SHA1

Format: 1.7
Date: Sat, 12 Mar 2005 18:02:54 +0100
Source: kdelibs
Binary: kdelibs4 kdelibs-bin kdelibs kdelibs4-doc kdelibs-data kdelibs4-dev
Architecture: source powerpc all
Version: 4:3.3.2-4
Distribution: unstable
Urgency: low
Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
 kdelibs    - KDE core libraries metapackage
 kdelibs-bin - KDE core binaries
 kdelibs-data - KDE core shared data
 kdelibs4   - KDE core libraries
 kdelibs4-dev - KDE core libraries (development files)
 kdelibs4-doc - KDE core library documentation
Closes: 296240 298308 298533 298615
 kdelibs (4:3.3.2-4) unstable; urgency=low
   * Improve the fix for CAN-2005-0365 ("insecure temporary file
     creation") with a patch provided by Javier Fernández-Sanguino Peña:
     now mktemp is used, previously the temporary file was still created
     in an unsafe way, although in a safe directory. (Closes: #298533)
   * KDE_3_3_BRANCH update, with several improvements for the IDN situation:
     - matches SSL certificates based on the punycode version of the hostname.
     - some TLDs are whitelisted and IDN domains will be resolved for them.
       These are, by default: at, ch, cn, de, dk, kr, jp, li, no, se, tw.
       The KDE_USE_IDN environment variable can be set to a colon-separated
       list of TLDs to override this default, so if empty IDN will be disabled.
   * Backport small patch from KDE 3.4 to prevent kate from printing lots of
     assertion failures to stderr when editing a long line. (Closes: #298308)
   * Backport small patch from KDE 3.4 to make KSpell search for dictionaries
     in /usr/lib/aspell-0.6, which is now used by Aspell. (Closes: #296240)
   * As OpenOffice.org 1.1.3 will enter testing together with this version of
     kdelibs, re-add to kdelibs-data the template .desktop files removed in
     3.3.2-1. Replace openoffice.org-mimelnk (<< 1.1.3), but don't conflict.
   * This upload will get built with a non-broken gcc version in mipsel,
     and thus closes: #298615.
 bdf19d95b59cfc08a266b91f79646296 1302 libs optional kdelibs_3.3.2-4.dsc
 1cf68c00a7b7d61ca558c34de9cf0ca1 458802 libs optional kdelibs_3.3.2-4.diff.gz
 13e7367a4d1e8fafbb896f2e06f1ce15 894852 libs optional kdelibs-bin_3.3.2-4_powerpc.deb
 8dafb784bd5c45f1d6b7b73273895ccb 7911796 libs optional kdelibs4_3.3.2-4_powerpc.deb
 e7bb87b4312c8462876c6b3bdb2d98d4 1233894 libdevel optional kdelibs4-dev_3.3.2-4_powerpc.deb
 01c8b86fbea7d37d0a1dd6c6c0e87dbc 19434 kde optional kdelibs_3.3.2-4_all.deb
 43870e72465373b23e04924abc48b7ac 7086730 libs optional kdelibs-data_3.3.2-4_all.deb
 35c9334552e7ebf450c92e64da06046b 11572596 doc optional kdelibs4-doc_3.3.2-4_all.deb

Version: GnuPG v1.4.0 (GNU/Linux)
Comment: Signed by Isaac Clerencia <isaac@warp.es>

