TEMP-0612033-026F3E (conky)
Hi,
Conky currently has an open issue [1] on the security tracker for
stable and oldstable, but the security team has decided that it's not
important enough for a DSA, so I would like to ask if the release team
could upload fixed conky packages directly to stable/oldstable
instead. A patch cherry-picked from upstream git [2] fixes this issue
and applies cleanly to stable; the patch needs to be slightly modified
for oldstable (diffs are attached).
Background info on this issue can be found on the BTS [3], Launchpad
[4], and Secunia [5].
Thanks in advance!
Kind regards,
- Vincent Cheng
[1] http://security-tracker.debian.org/tracker/TEMP-0612033-026F3E
[2] http://git.omp.am/?p=conky.git;a=patch;h=70b6f35a846f7b85bd11e66c1f23feee6b369688
[3] http://bugs.debian.org/612033
[4] https://bugs.launchpad.net/bugs/607309
[5] http://secunia.com/advisories/43225
diff -Nru a/debian/changelog b/debian/changelog
--- a/debian/changelog 2011-07-16 16:23:58.000000000 -0700
+++ b/debian/changelog 2011-07-27 18:29:34.000000000 -0700
@@ -1,3 +1,10 @@
+conky (1.6.0-2+lenny1) oldstable; urgency=low
+
+ * Patch TEMP-0612033-026F3E: security issue in Conky's "eve" module, which
+ causes Conky to be vulnerable to rewriting any user file.
+
+ -- Vincent Cheng <Vincentc1208@gmail.com> Wed, 27 Jul 2011 18:29:12 -0700
+
conky (1.6.0-2) testing; urgency=low
* Backport of fixes from version 1.6.1-1.
diff -Nru a/debian/patches/fix-race-condition.patch b/debian/patches/fix-race-condition.patch
--- a/debian/patches/fix-race-condition.patch 1969-12-31 16:00:00.000000000 -0800
+++ b/debian/patches/fix-race-condition.patch 2011-07-27 18:28:51.000000000 -0700
@@ -0,0 +1,78 @@
+Description: Avoid rewriting an arbitrary user file
+ This patch fixes issue "TEMP-0612033-026F3E" in Debian's security tracker.
+Origin: upstream, http://git.omp.am/?p=conky.git;a=patch;h=70b6f35a846f7b85bd11e66c1f23feee6b369688
+Bug-Debian: http://bugs.debian.org/612033
+Bug-Ubuntu: https://launchpad.net/bugs/607309
+
+--- a/src/eve.c
++++ b/src/eve.c
+@@ -161,7 +161,7 @@
+ char *eve(char *userid, char *apikey, char *charid)
+ {
+ Character *chr = NULL;
+- const char *skillfile = "/tmp/.cesf";
++ char skillfile[] = "/tmp/.cesfXXXXXX";
+ int i = 0;
+ char *output = 0;
+ char *timel = 0;
+@@ -169,6 +169,7 @@
+ char *content = 0;
+ time_t now = 0;
+ char *error = 0;
++ int tmp_fd, old_umask;
+
+
+ for (i = 0; i < MAXCHARS; i++) {
+@@ -221,6 +222,14 @@
+
+ output = (char *)malloc(200 * sizeof(char));
+ timel = formatTime(&chr->ends);
++ old_umask = umask(0066);
++ tmp_fd = mkstemp(skillfile);
++ umask(old_umask);
++ if (tmp_fd == -1) {
++ error = strdup("Cannot create temporary file");
++ return error;
++ }
++ close(tmp_fd);
+ skill = getSkillname(skillfile, chr->skill);
+
+ chr->skillname = strdup(skill);
+@@ -294,19 +303,6 @@
+ return 1;
+ }
+
+-int file_exists(const char *filename)
+-{
+- struct stat fi;
+-
+- if ((stat(filename, &fi)) == 0) {
+- if (fi.st_size > 0)
+- return 1;
+- else
+- return 0;
+- } else
+- return 0;
+-}
+-
+ void writeSkilltree(char *content, const char *filename)
+ {
+ FILE *fp = fopen(filename, "w");
+@@ -322,13 +318,12 @@
+ xmlDocPtr doc = 0;
+ xmlNodePtr root = 0;
+
+- if (!file_exists(file)) {
+- skilltree = getXmlFromAPI(NULL, NULL, NULL, EVEURL_SKILLTREE);
+- writeSkilltree(skilltree, file);
+- free(skilltree);
+- }
++ skilltree = getXmlFromAPI(NULL, NULL, NULL, EVEURL_SKILLTREE);
++ writeSkilltree(skilltree, file);
++ free(skilltree);
+
+ doc = xmlReadFile(file, NULL, 0);
++ unlink(file);
+ if (!doc)
+ return NULL;
+
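Review bot: In eve(), the descriptor returned by `mkstemp(skillfile)` is closed immediately and the file is then reopened by name, through `fopen(filename, "w")` in writeSkilltree and `xmlReadFile(file, NULL, 0)` in getSkillname. The exclusive-create guarantee therefore covers only the creation step, and the later opens depend on /tmp being sticky so that no other user can replace the entry. Keeping the descriptor open and writing through `fdopen(tmp_fd, "w")` would tie the write to the file mkstemp created; this needs getSkillname and writeSkilltree to accept a descriptor or stream, and their bodies are only partly visible in this patch. Separately, the early `return error;` leaks `output`, allocated two lines above it, so a `free(output);` belongs before the return. The stable (1.8.0) copy of this patch further down has the same sequence.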
diff -Nru a/debian/patches/series b/debian/patches/series
--- a/debian/patches/series 2011-07-16 16:23:58.000000000 -0700
+++ b/debian/patches/series 2011-07-27 18:28:51.000000000 -0700
@@ -3,3 +3,4 @@
man_page_type_first_char
move_compile_end_man_page
fix_hyphen_man_page
+fix-race-condition.patch
diff -Nru a/debian/changelog b/debian/changelog
--- a/debian/changelog 2010-04-01 07:42:19.000000000 -0700
+++ b/debian/changelog 2011-07-27 18:25:07.000000000 -0700
@@ -1,3 +1,10 @@
+conky (1.8.0-1+squeeze1) stable; urgency=low
+
+ * Patch TEMP-0612033-026F3E: security issue in Conky's "eve" module, which
+ causes Conky to be vulnerable to rewriting any user file.
+
+ -- Vincent Cheng <Vincentc1208@gmail.com> Wed, 27 Jul 2011 18:21:50 -0700
+
conky (1.8.0-1) unstable; urgency=low
* New upstream release:
diff -Nru a/debian/patches/fix-race-condition.patch b/debian/patches/fix-race-condition.patch
--- a/debian/patches/fix-race-condition.patch 1969-12-31 16:00:00.000000000 -0800
+++ b/debian/patches/fix-race-condition.patch 2011-07-15 11:31:46.000000000 -0700
@@ -0,0 +1,80 @@
+Description: Avoid rewriting an arbitrary user file
+ This patch fixes issue "TEMP-0612033-026F3E" in Debian's security tracker.
+Origin: upstream, http://git.omp.am/?p=conky.git;a=patch;h=70b6f35a846f7b85bd11e66c1f23feee6b369688
+Bug-Debian: http://bugs.debian.org/612033
+Bug-Ubuntu: https://launchpad.net/bugs/607309
+
+Index: conky-1.8.0/src/eve.c
+===================================================================
+--- conky-1.8.0.orig/src/eve.c 2011-04-03 15:15:02.658500522 +0200
++++ conky-1.8.0/src/eve.c 2011-04-03 15:14:58.162500519 +0200
+@@ -252,19 +252,6 @@
+ }
+ }
+
+-static int file_exists(const char *filename)
+-{
+- struct stat fi;
+-
+- if ((stat(filename, &fi)) == 0) {
+- if (fi.st_size > 0)
+- return 1;
+- else
+- return 0;
+- } else
+- return 0;
+-}
+-
+ static void writeSkilltree(char *content, const char *filename)
+ {
+ FILE *fp = fopen(filename, "w");
+@@ -280,13 +267,12 @@
+ xmlDocPtr doc = 0;
+ xmlNodePtr root = 0;
+
+- if (!file_exists(file)) {
+- skilltree = getXmlFromAPI(NULL, NULL, NULL, EVEURL_SKILLTREE);
+- writeSkilltree(skilltree, file);
+- free(skilltree);
+- }
++ skilltree = getXmlFromAPI(NULL, NULL, NULL, EVEURL_SKILLTREE);
++ writeSkilltree(skilltree, file);
++ free(skilltree);
+
+ doc = xmlReadFile(file, NULL, 0);
++ unlink(file);
+ if (!doc)
+ return NULL;
+
+@@ -337,7 +323,7 @@
+ static char *eve(char *userid, char *apikey, char *charid)
+ {
+ Character *chr = NULL;
+- const char *skillfile = "/tmp/.cesf";
++ char skillfile[] = "/tmp/.cesfXXXXXX";
+ int i = 0;
+ char *output = 0;
+ char *timel = 0;
+@@ -345,6 +331,7 @@
+ char *content = 0;
+ time_t now = 0;
+ char *error = 0;
++ int tmp_fd, old_umask;
+
+
+ for (i = 0; i < MAXCHARS; i++) {
+@@ -397,6 +384,14 @@
+
+ output = (char *)malloc(200 * sizeof(char));
+ timel = formatTime(&chr->ends);
++ old_umask = umask(0066);
++ tmp_fd = mkstemp(skillfile);
++ umask(old_umask);
++ if (tmp_fd == -1) {
++ error = strdup("Cannot create temporary file");
++ return error;
++ }
++ close(tmp_fd);
+ skill = getSkillname(skillfile, chr->skill);
+
+ chr->skillname = strdup(skill);
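Review bot: getSkillname() can return NULL (`if (!doc) return NULL;`), and in eve() its result is passed unchecked to `chr->skillname = strdup(skill);`, which is undefined behaviour for a NULL argument. With the file_exists() guard removed, the skill tree is downloaded and parsed on every call, so a failed fetch or unparsable reply reaches this path more readily than when an earlier file was reused. A guard before the strdup, for example `if (!skill) { free(output); return strdup("Cannot read skill tree"); }` (message text is a suggestion), would follow the error-string convention the patch already uses for the mkstemp failure. The rest of eve() lies outside the hunk, so any later cleanup it needs is not visible here. The oldstable (1.6.0) copy of the patch above has the same two lines.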
diff -Nru a/debian/patches/series b/debian/patches/series
--- a/debian/patches/series 1969-12-31 16:00:00.000000000 -0800
+++ b/debian/patches/series 2011-07-16 16:27:34.000000000 -0700
@@ -0,0 +1 @@
+fix-race-condition.patch