Hi, jumpnbump handles files in /tmp in an insecure manner, allowing files to be overwritten via a symlink attack (see #500611). The security team said the update is probably more suited for a stable point update, not an upload to security.debian.org. I prepared an update for Etch and tested it in a stable chroot. I couldn't test sound though (it doesn't seem to work in my chroot at all), but it is almost the same fix as for unstable. I attached an interdiff for the proposed update. Regards, Ansgar -- pgp: 0xF1F477C0 2BE4 CE2A E9CB 27D3 29F4 502E 53B1 6D9C F1F4 77C0
diff -u jumpnbump-1.50/debian/control jumpnbump-1.50/debian/control
--- jumpnbump-1.50/debian/control
+++ jumpnbump-1.50/debian/control
@@ -1,7 +1,8 @@
 Source: jumpnbump
 Section: games
 Priority: optional
-Maintainer: Francois Marier <francois@debian.org>
+Maintainer: Debian Games Team <pkg-games-devel@lists.alioth.debian.org>
+Uploaders: Francois Marier <francois@debian.org>, Ansgar Burchardt <ansgar@43-1.org>
 Build-Depends: debhelper (>> 4), libsdl1.2-dev (>= 1.2.2-3.1), libsdl-mixer1.2-dev (>= 1.2.0-1.1), libsdl-net1.2-dev (>= 1.2.0-5.1)
 Standards-Version: 3.7.2
diff -u jumpnbump-1.50/debian/changelog jumpnbump-1.50/debian/changelog
--- jumpnbump-1.50/debian/changelog
+++ jumpnbump-1.50/debian/changelog
@@ -1,3 +1,12 @@
+jumpnbump (1.50-6etch1) stable; urgency=high
+
+ * Update for etch to address a security issue.
+ * Fix insecure handling of /tmp (Closes: #500611)
+ * Set Maintainer to Debian Games Team, add Francois Marier and
+ myself as Uploaders (same as in unstable)
+
+ -- Ansgar Burchardt <ansgar@43-1.org> Wed, 01 Oct 2008 16:50:05 +0200
+
 jumpnbump (1.50-6) unstable; urgency=low
 * Add the AI keyboard shortcuts to the manpage (closes: #369498)
diff -u jumpnbump-1.50/jumpnbump_menu/jumpnbump_menu.py jumpnbump-1.50/jumpnbump_menu/jumpnbump_menu.py
--- jumpnbump-1.50/jumpnbump_menu/jumpnbump_menu.py
+++ jumpnbump-1.50/jumpnbump_menu/jumpnbump_menu.py
@@ -13,6 +13,8 @@
 import gtk.gdk
 import gobject
 import os
+import tempfile
+import shutil
 RESOURCE_DIR='/usr/share/games/jumpnbump'
 BINARY_DIR='/usr/games'
@@ -80,15 +82,19 @@
 model, iter = treeview.get_selection().get_selected()
 global choosen_level
 choosen_level = '%s/%s' % (RESOURCE_DIR, model.get_value (iter, 0))
+ unpackdir = None
 try:
- os.chdir ('/tmp')
+ unpackdir = tempfile.mkdtemp ("", "jumpnbump-menu-")
+ os.chdir (unpackdir)
 os.spawnlp (os.P_WAIT, 'jumpnbump-unpack', 'jumpnbump', choosen_level)
 os.spawnlp (os.P_WAIT, 'convert', 'convert', '-scale', '50%', 'level.pcx', 'level_scaled.pcx')
 os.spawnlp (os.P_WAIT, 'convert', 'convert', 'level_scaled.pcx', 'level.png')
+ image.set_from_file ('level.png')
 except Exception, err:
 print err
+ if unpackdir != None:
+ shutil.rmtree (unpackdir)
- image.set_from_file ('/tmp/level.png')
 image.show()
 def about (widget):
only in patch2:
unchanged:
--- jumpnbump-1.50.orig/modify/jnbunpack.c
+++ jumpnbump-1.50/modify/jnbunpack.c
@@ -23,6 +23,7 @@
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 */
+#include <errno.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <fcntl.h>
@@ -83,8 +84,13 @@
 memset(filename, 0, sizeof(filename));
 strncpy(filename, datafile[i].filename, 12);
 printf("Extracting %s ", filename);
+ fflush(stdout);
- outfd = open(filename, O_RDWR | O_CREAT | O_BINARY, 0644);
+ if (unlink(filename) == -1 && errno != ENOENT) {
+ perror("cannot unlink file");
+ exit(1);
+ }
+ outfd = open(filename, O_RDWR | O_CREAT | O_EXCL | O_BINARY, 0644);
 if (!outfd) {
 perror("cant open file");
 exit(1);
only in patch2:
unchanged:
--- jumpnbump-1.50.orig/sdl/sound.c
+++ jumpnbump-1.50/sdl/sound.c
@@ -23,6 +23,8 @@
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 */
+#include <stdlib.h>
+#include <string.h>
 #include "globals.h"
 #include <limits.h>
 #ifndef _MSC_VER
@@ -463,11 +465,8 @@
 {
 #ifndef NO_SDL_MIXER
 FILE *tmp;
-# if ((defined _MSC_VER) || (defined __MINGW32__))
- char filename[] = "jnb.tmpmusic.mod";
-# else
- char filename[] = "/tmp/jnb.tmpmusic.mod";
-# endif
+ int tmp_fd;
+ char* filename;
 unsigned char *fp;
 int len;
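Review bot: After `os.chdir (unpackdir)` the process working directory is never restored, so once `shutil.rmtree (unpackdir)` has run the menu is left with a deleted directory as its cwd and anything later that relies on the current directory can fail. Save it with `olddir = os.getcwd ()` ahead of the `try:` and call `os.chdir (olddir)` just before `shutil.rmtree (unpackdir)`. The `rmtree` call appears to sit outside the `try`, so an error while removing the directory would not be caught by the `except` above it. The exit status of the three `os.spawnlp` calls is ignored, so a failed unpack only shows up as a missing preview image. Indentation is lost in this rendering and the function starts above the hunk, so the nesting described here is inferred.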
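Review bot: The context line `if (!outfd) {` cannot detect a failed `open()`, which returns -1 rather than 0, so the `O_EXCL` added just above it does not stop extraction when the file reappears between `unlink()` and `open()`. The check should read `if (outfd == -1) {`; as written the code presumably carries on with an invalid descriptor, although the rest of the loop is outside the hunk. Separately, `filename` is copied straight from `datafile[i].filename`, so it is worth confirming in the surrounding code that names containing `/` are rejected before they reach `unlink()` and `open()`.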
@@ -506,15 +505,24 @@
 return 0;
 }
- tmp = fopen(filename, "wb");
- if (tmp) {
- fwrite(fp, len, 1, tmp);
- fflush(tmp);
- fclose(tmp);
+ filename = strdup("/tmp/jumpnbump.mod.XXXXXX");
+ tmp_fd = mkstemp(filename);
+ if (tmp_fd == -1) {
+ free(filename);
+ return 0;
+ }
+ tmp = fdopen(tmp_fd, "wb");
+ if (!tmp) {
+ free(filename);
+ return 0;
 }
+ fwrite(fp, len, 1, tmp);
+ fflush(tmp);
+ fclose(tmp);
 current_music = Mix_LoadMUS(filename);
 unlink(filename);
+ free(filename);
 if (current_music == NULL) {
 fprintf(stderr, "Couldn't load music: %s\n", SDL_GetError());
 return 0;
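Review bot: On the `fdopen()` failure path the descriptor returned by `mkstemp()` stays open and the temporary file is left behind in /tmp; that branch needs `close(tmp_fd);` and `unlink(filename);` before its `free(filename);`. The result of `strdup()` is passed to `mkstemp()` unchecked, so an `if (filename == NULL) return 0;` guard belongs right after it. The return values of `fwrite()` and `fclose()` are also ignored, so a short write (for example on a full /tmp) would hand a truncated module to `Mix_LoadMUS()`. The function starts above the hunk and continues after it.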