
TEMP-0612033-026F3E (conky)



Hi,

Conky currently has an open issue [1] on the security tracker for
stable and oldstable, but the security team has decided that it's not
important enough for a DSA, so I would like to ask if the release team
could upload fixed conky packages directly to stable/oldstable
instead. A patch cherry-picked from upstream git [2] fixes this issue
and applies cleanly to stable; the patch needs to be slightly modified
for oldstable (diffs are attached).

Background info on this issue can be found on the BTS [3], Launchpad
[4], and Secunia [5].

Thanks in advance!

Kind regards,
- Vincent Cheng

[1] http://security-tracker.debian.org/tracker/TEMP-0612033-026F3E
[2] http://git.omp.am/?p=conky.git;a=patch;h=70b6f35a846f7b85bd11e66c1f23feee6b369688
[3] http://bugs.debian.org/612033
[4] https://bugs.launchpad.net/bugs/607309
[5] http://secunia.com/advisories/43225
diff -Nru a/debian/changelog b/debian/changelog
--- a/debian/changelog	2011-07-16 16:23:58.000000000 -0700
+++ b/debian/changelog	2011-07-27 18:29:34.000000000 -0700
@@ -1,3 +1,10 @@
+conky (1.6.0-2+lenny1) oldstable; urgency=low
+
+  * Patch TEMP-0612033-026F3E: security issue in Conky's "eve" module, which
+    causes Conky to be vulnerable to rewriting any user file.
+
+ -- Vincent Cheng <Vincentc1208@gmail.com>  Wed, 27 Jul 2011 18:29:12 -0700
+
 conky (1.6.0-2) testing; urgency=low
 
   * Backport of fixes from version 1.6.1-1.
diff -Nru a/debian/patches/fix-race-condition.patch b/debian/patches/fix-race-condition.patch
--- a/debian/patches/fix-race-condition.patch	1969-12-31 16:00:00.000000000 -0800
+++ b/debian/patches/fix-race-condition.patch	2011-07-27 18:28:51.000000000 -0700
@@ -0,0 +1,78 @@
+Description: Avoid rewriting an arbitrary user file
+ This patch fixes issue "TEMP-0612033-026F3E" in Debian's security tracker.
+Origin: upstream, http://git.omp.am/?p=conky.git;a=patch;h=70b6f35a846f7b85bd11e66c1f23feee6b369688
+Bug-Debian: http://bugs.debian.org/612033
+Bug-Ubuntu: https://launchpad.net/bugs/607309
+
+--- a/src/eve.c
++++ b/src/eve.c
+@@ -161,7 +161,7 @@
+ char *eve(char *userid, char *apikey, char *charid)
+ {
+ 	Character *chr = NULL;
+-	const char *skillfile = "/tmp/.cesf";
++	char skillfile[] = "/tmp/.cesfXXXXXX";
+ 	int i = 0;
+ 	char *output = 0;
+ 	char *timel = 0;
+@@ -169,6 +169,7 @@
+ 	char *content = 0;
+ 	time_t now = 0;
+ 	char *error = 0;
++	int tmp_fd, old_umask;
+ 
+ 
+ 	for (i = 0; i < MAXCHARS; i++) {
+@@ -221,6 +222,14 @@
+ 
+ 		output = (char *)malloc(200 * sizeof(char));
+ 		timel = formatTime(&chr->ends);
++		old_umask = umask(0066);
++		tmp_fd = mkstemp(skillfile);
++		umask(old_umask);
++		if (tmp_fd == -1) {
++			error = strdup("Cannot create temporary file");
++			return error;
++		}
++		close(tmp_fd);
+ 		skill = getSkillname(skillfile, chr->skill);
+ 
+ 		chr->skillname = strdup(skill);
+@@ -294,19 +303,6 @@
+ 		return 1;
+ }
+ 
+-int file_exists(const char *filename)
+-{
+-	struct stat fi;
+-
+-	if ((stat(filename, &fi)) == 0) {
+-		if (fi.st_size > 0)
+-			return 1;
+-		else
+-			return 0;
+-	} else
+-		return 0;
+-}
+-
+ void writeSkilltree(char *content, const char *filename)
+ {
+ 	FILE *fp = fopen(filename, "w");
+@@ -322,13 +318,12 @@
+ 	xmlDocPtr doc = 0;
+ 	xmlNodePtr root = 0;
+ 
+-	if (!file_exists(file)) {
+-		skilltree = getXmlFromAPI(NULL, NULL, NULL, EVEURL_SKILLTREE);
+-		writeSkilltree(skilltree, file);
+-		free(skilltree);
+-	}
++	skilltree = getXmlFromAPI(NULL, NULL, NULL, EVEURL_SKILLTREE);
++	writeSkilltree(skilltree, file);
++	free(skilltree);
+ 
+ 	doc = xmlReadFile(file, NULL, 0);
++	unlink(file);
+ 	if (!doc)
+ 		return NULL;
+ 
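Review bot: The descriptor from `mkstemp()` is closed immediately (`close(tmp_fd);`), and the file is then reopened by name twice, by `fopen(filename, "w")` in writeSkilltree and by `xmlReadFile(file, NULL, 0)`. The later opens are therefore protected only by the 0600 mode and the sticky bit on /tmp, not by the handle mkstemp returned. Because the XML is already in memory in `skilltree`, the temporary file could be dropped altogether by parsing the buffer, e.g. `doc = xmlReadMemory(skilltree, strlen(skilltree), NULL, NULL, 0);` after a NULL check on `skilltree`; failing that, keep `tmp_fd` open and write through `fdopen(tmp_fd, "w")`. The stable (squeeze) variant of this patch further down has the same sequence. Both eve() and the parsing function extend beyond the nested hunks, so their remaining error paths are not visible here.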
diff -Nru a/debian/patches/series b/debian/patches/series
--- a/debian/patches/series	2011-07-16 16:23:58.000000000 -0700
+++ b/debian/patches/series	2011-07-27 18:28:51.000000000 -0700
@@ -3,3 +3,4 @@
 man_page_type_first_char
 move_compile_end_man_page
 fix_hyphen_man_page
+fix-race-condition.patch
diff -Nru a/debian/changelog b/debian/changelog
--- a/debian/changelog	2010-04-01 07:42:19.000000000 -0700
+++ b/debian/changelog	2011-07-27 18:25:07.000000000 -0700
@@ -1,3 +1,10 @@
+conky (1.8.0-1+squeeze1) stable; urgency=low
+
+  * Patch TEMP-0612033-026F3E: security issue in Conky's "eve" module, which
+    causes Conky to be vulnerable to rewriting any user file.
+
+ -- Vincent Cheng <Vincentc1208@gmail.com>  Wed, 27 Jul 2011 18:21:50 -0700
+
 conky (1.8.0-1) unstable; urgency=low
 
   * New upstream release:
diff -Nru a/debian/patches/fix-race-condition.patch b/debian/patches/fix-race-condition.patch
--- a/debian/patches/fix-race-condition.patch	1969-12-31 16:00:00.000000000 -0800
+++ b/debian/patches/fix-race-condition.patch	2011-07-15 11:31:46.000000000 -0700
@@ -0,0 +1,80 @@
+Description: Avoid rewriting an arbitrary user file
+ This patch fixes issue "TEMP-0612033-026F3E" in Debian's security tracker.
+Origin: upstream, http://git.omp.am/?p=conky.git;a=patch;h=70b6f35a846f7b85bd11e66c1f23feee6b369688
+Bug-Debian: http://bugs.debian.org/612033
+Bug-Ubuntu: https://launchpad.net/bugs/607309
+
+Index: conky-1.8.0/src/eve.c
+===================================================================
+--- conky-1.8.0.orig/src/eve.c	2011-04-03 15:15:02.658500522 +0200
++++ conky-1.8.0/src/eve.c	2011-04-03 15:14:58.162500519 +0200
+@@ -252,19 +252,6 @@
+ 	}
+ }
+ 
+-static int file_exists(const char *filename)
+-{
+-	struct stat fi;
+-
+-	if ((stat(filename, &fi)) == 0) {
+-		if (fi.st_size > 0)
+-			return 1;
+-		else
+-			return 0;
+-	} else
+-		return 0;
+-}
+-
+ static void writeSkilltree(char *content, const char *filename)
+ {
+ 	FILE *fp = fopen(filename, "w");
+@@ -280,13 +267,12 @@
+ 	xmlDocPtr doc = 0;
+ 	xmlNodePtr root = 0;
+ 
+-	if (!file_exists(file)) {
+-		skilltree = getXmlFromAPI(NULL, NULL, NULL, EVEURL_SKILLTREE);
+-		writeSkilltree(skilltree, file);
+-		free(skilltree);
+-	}
++	skilltree = getXmlFromAPI(NULL, NULL, NULL, EVEURL_SKILLTREE);
++	writeSkilltree(skilltree, file);
++	free(skilltree);
+ 
+ 	doc = xmlReadFile(file, NULL, 0);
++	unlink(file);
+ 	if (!doc)
+ 		return NULL;
+ 
+@@ -337,7 +323,7 @@
+ static char *eve(char *userid, char *apikey, char *charid)
+ {
+ 	Character *chr = NULL;
+-	const char *skillfile = "/tmp/.cesf";
++	char skillfile[] = "/tmp/.cesfXXXXXX";
+ 	int i = 0;
+ 	char *output = 0;
+ 	char *timel = 0;
+@@ -345,6 +331,7 @@
+ 	char *content = 0;
+ 	time_t now = 0;
+ 	char *error = 0;
++	int tmp_fd, old_umask;
+ 
+ 
+ 	for (i = 0; i < MAXCHARS; i++) {
+@@ -397,6 +384,14 @@
+ 
+ 		output = (char *)malloc(200 * sizeof(char));
+ 		timel = formatTime(&chr->ends);
++		old_umask = umask(0066);
++		tmp_fd = mkstemp(skillfile);
++		umask(old_umask);
++		if (tmp_fd == -1) {
++			error = strdup("Cannot create temporary file");
++			return error;
++		}
++		close(tmp_fd);
+ 		skill = getSkillname(skillfile, chr->skill);
+ 
+ 		chr->skillname = strdup(skill);
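Review bot: The new `if (tmp_fd == -1)` branch returns while `output`, allocated by `malloc(200 * sizeof(char))` two lines earlier, is still owned by the function, so every failed mkstemp() leaks it. `timel` presumably leaks too if formatTime() allocates its result. Adding `free(output);` (and `free(timel);` if it is heap-allocated) before `return error;` would close that path. The oldstable (lenny) variant of the patch earlier in this mail has the same branch. Separately, the parsing function now returns NULL whenever the freshly downloaded file fails to parse, and the context line `chr->skillname = strdup(skill);` would pass that NULL straight to strdup(), so a check such as `if (!skill)` before it looks necessary; eve() continues outside the hunk, so this may already be handled elsewhere.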
diff -Nru a/debian/patches/series b/debian/patches/series
--- a/debian/patches/series	1969-12-31 16:00:00.000000000 -0800
+++ b/debian/patches/series	2011-07-16 16:27:34.000000000 -0700
@@ -0,0 +1 @@
+fix-race-condition.patch
