Re: trackballs update for sarge

To: Ari Pollak <ari@debian.org>
Cc: debian-release@lists.debian.org, 302454@bugs.debian.org, control@bugs.debian.org
Subject: Re: trackballs update for sarge
From: Joey Hess <joeyh@debian.org>
Date: Mon, 9 May 2005 15:46:02 -0400
Message-id: <[🔎] 20050509194602.GA27206@kitenet.net>
Mail-followup-to: Ari Pollak <ari@debian.org>, debian-release@lists.debian.org, 302454@bugs.debian.org, control@bugs.debian.org
In-reply-to: <[🔎] 427EA015.1050805@debian.org>
References: <[🔎] 427EA015.1050805@debian.org>

reopen 302454
thanks, but the fix doesn't guard against races; see below

Ari Pollak wrote:
> I just uploaded trackballs 1.0.0-10 to unstable, which fixes bug
> #302454, a severity:important and minor security issue, so I'd like to
> get this into sarge. An interdiff between revisions -9 and -10 is attached.

> --- trackballs-1.0.0/config.guess
> +++ trackballs-1.0.0/config.guess
> --- trackballs-1.0.0/config.sub
> +++ trackballs-1.0.0/config.sub

Hurrah for pointless config.* updates in security updates.

> diff -u trackballs-1.0.0/share/icons/Makefile.in trackballs-1.0.0/share/icons/Makefile.in
> --- trackballs-1.0.0/share/icons/Makefile.in
> +++ trackballs-1.0.0/share/icons/Makefile.in
> @@ -195,8 +195,8 @@
>  maintainer-clean-generic clean mostlyclean distclean maintainer-clean
>  
>  
> -install-pkgdataDATA:
> -	./installIcons $(bindir) ${DESTDIR}
> +#install-pkgdataDATA:
> +#	./installIcons $(bindir) ${DESTDIR}
>  
>  # Tell versions [3.59,3.63) of GNU make to not export all variables.
>  # Otherwise a system limit (for SysV at least) may be exceeded.
> diff -u trackballs-1.0.0/share/icons/trackballs.desktop trackballs-1.0.0/share/icons/trackballs.desktop
> --- trackballs-1.0.0/share/icons/trackballs.desktop
> +++ trackballs-1.0.0/share/icons/trackballs.desktop
> @@ -9,14 +8,0 @@
> -Exec=/usr/local/bin/trackballs
> -Exec=/usr/games/trackballs
> -Exec=/usr/games/trackballs
> -Exec=/usr/games/trackballs
> -Exec=/usr/games/trackballs
> -Exec=/usr/games/trackballs
> -Exec=/usr/games/trackballs
> -Exec=/usr/games/trackballs
> -Exec=/usr/games/trackballs
> -Exec=/usr/games/trackballs
> -Exec=/usr/games/trackballs
> -Exec=/usr/games/trackballs
> -Exec=/usr/games/trackballs
> -Exec=/usr/games/trackballs

> +  * Don't bother running the script to install a GNOME .desktop file
> +    since it doesn't work anyway

Doesn't explain why you modified the .desktop file, although I think I
see why -- the script was appending to it on each build, right?

Anyway, I ended up wasting at least 10 minutes reading the code and
doing my own test build on a system with /usr/share/applications present
to satisfy myself that installIcons never manages to do anything and
that this change is indeed a no-op. If you want quick service for
security fixes, please do not conflate them with unrelated changes like
this one.

> diff -u trackballs-1.0.0/debian/changelog trackballs-1.0.0/debian/changelog
> --- trackballs-1.0.0/debian/changelog
> +++ trackballs-1.0.0/debian/changelog
> @@ -1,3 +1,11 @@
> +trackballs (1.0.0-10) unstable; urgency=low
> +
> +  * Backport symlink checking code from upstream CVS (Closes: #302454)
> +
> + -- Ari Pollak <ari@debian.org>  Sun,  8 May 2005 18:49:27 -0400
> +
>  trackballs (1.0.0-9) unstable; urgency=low
>  
>    * Somehow I uploaded -8 without the fix. Really do that this time.
> only in patch2:
> unchanged:
> --- trackballs-1.0.0.orig/src/general.cc
> +++ trackballs-1.0.0/src/general.cc
> @@ -25,6 +25,8 @@
>  #include "font.h"
>  #include "glHelp.h"
>  #include "SDL/SDL_image.h"
> +#include <sys/types.h>
> +#include <sys/stat.h>
>  
>  using namespace std;
>  
> @@ -58,3 +60,10 @@
>    if(fp) { fclose(fp); return 1; }
>    return 0;
>  }
> +
> +int pathIsLink(char *path) {
> +  struct stat m;
> +  if(lstat(path,&m)) return 0;
> +  if(S_ISLNK(m.st_mode)) return 1;
> +  return 0;
> +}

This patch immediatly raises a red flag here, since this kind of check
cannot guard against races and is thus useless.

> --- trackballs-1.0.0.orig/src/settings.cc
> +++ trackballs-1.0.0/src/settings.cc
> @@ -140,9 +140,17 @@
>    int version=4;
>  
>    snprintf(str,sizeof(str)-1,"%s/.trackballs",getenv("HOME"));
> +  if(pathIsLink(str)) {
> +	fprintf(stderr,"Error, %s is a symbolic link. Cannot save settings\n",str);
> +	return;
> +  }
>  
>    mkdir(str,S_IXUSR|S_IRUSR|S_IWUSR|S_IXGRP|S_IRGRP|S_IWGRP);
>    snprintf(str,sizeof(str)-1,"%s/.trackballs/settings",getenv("HOME"));
> +  if(pathIsLink(str)) {
> +	fprintf(stderr,"Error, %s is a symbolic link. Cannot save settings\n",str);
> +	return;
> +  }
>    
>    /* TODO. Save all settings here */
>    FILE *fp = fopen(str,"wb");

And sure enough, the way this patch uses pathIsLink does not guard
against an attacker racing trackballs and replacing a valid path with a
symlink bewteen the lstat and the fopen. This fails to fix the security
hole.

A correct fix would be to drop permissions before writing to files under
the user's control.


So sorry, I cannot accept this to testing. If you re-do the patch to
really be secure, I'd appreciate it if the new version doesn't include
the gnome desktop file change -- that would help speed its review.

-- 
see shy jo

Attachment: signature.asc
Description: Digital signature

Reply to:

References:
- trackballs update for sarge
  - From: Ari Pollak <ari@debian.org>

Prev by Date: Re: Re: Please let mp3burn back to sarge
Next by Date: Re: packages missing from sarge
Previous by thread: trackballs update for sarge
Next by thread: Please allow kernel-patch-skas into sarge
Index(es):
- Date
- Thread