Bug#726654: release.debian.org: pu: package libguestfs/1:1.18.1-1+deb7u3
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu
This package contains a fix for CVE-2013-4419 (insecure temporary
directory).
Cheers,
-Hilko
diff -Nru libguestfs-1.18.1/debian/changelog libguestfs-1.18.1/debian/changelog
--- libguestfs-1.18.1/debian/changelog 2013-03-16 15:56:53.000000000 +0100
+++ libguestfs-1.18.1/debian/changelog 2013-10-17 20:48:41.000000000 +0200
@@ -1,3 +1,10 @@
+libguestfs (1:1.18.1-1+deb7u3) testing; urgency=low
+
+ * Added fix for CVE-2013-4419: insecure temporary directory handling for
+ remote guestfish
+
+ -- Hilko Bengen <bengen@debian.org> Thu, 17 Oct 2013 20:48:24 +0200
+
libguestfs (1:1.18.1-1+deb7u2) testing; urgency=low
* Make sure that a build of the library that contains FUSE support is
diff -Nru libguestfs-1.18.1/debian/patches/0011-fish-CVE-2013-4419-Fix-insecure-temporary-directory-.patch libguestfs-1.18.1/debian/patches/0011-fish-CVE-2013-4419-Fix-insecure-temporary-directory-.patch
--- libguestfs-1.18.1/debian/patches/0011-fish-CVE-2013-4419-Fix-insecure-temporary-directory-.patch 1970-01-01 01:00:00.000000000 +0100
+++ libguestfs-1.18.1/debian/patches/0011-fish-CVE-2013-4419-Fix-insecure-temporary-directory-.patch 2013-10-17 20:44:54.000000000 +0200
@@ -0,0 +1,114 @@
+From: "Richard W.M. Jones" <rjones@redhat.com>
+Date: Wed, 9 Oct 2013 12:08:10 +0100
+Subject: fish: CVE-2013-4419: Fix insecure temporary directory handling for
+ remote guestfish (RHBZ#1016960).
+
+When using the guestfish --remote or guestfish --listen options,
+guestfish would create a socket in a known location
+(/tmp/.guestfish-$UID/socket-$PID).
+
+The location has to be a known one in order for both ends to
+communicate. However no checking was done that the containing
+directory (/tmp/.guestfish-$UID) is owned by the user. Thus another
+user could create this directory and potentially modify sockets owned
+by another user's guestfish client or server.
+
+This commit fixes the issue by creating the directory unconditionally,
+and then checking that the directory has the correct owner and
+permissions, thus preventing another user from creating the directory
+first.
+
+If guestfish sees a suspicious socket directory it will print an error
+like this and exit with an error status:
+
+ guestfish: '/tmp/.guestfish-1000' is not a directory or has insecure owner or permissions
+
+Thanks: Michael Scherer for discovering this issue.
+
+Version 2:
+ - Add assigned CVE number.
+ - Update documentation.
+
+Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
+
+(cherry picked from commit 54fb09e052d8cad50397f1085c1bdd346a13e659,
+without documentation updates.)
+---
+ fish/rc.c | 43 +++++++++++++++++++++++++++++++++++++++----
+ 1 file changed, 39 insertions(+), 4 deletions(-)
+
+diff --git a/fish/rc.c b/fish/rc.c
+index 14c9d59..69edefa 100644
+--- a/fish/rc.c
++++ b/fish/rc.c
+@@ -29,6 +29,7 @@
+ #include <sys/un.h>
+ #include <signal.h>
+ #include <sys/socket.h>
++#include <errno.h>
+
+ #include <rpc/types.h>
+ #include <rpc/xdr.h>
+@@ -36,17 +37,49 @@
+ #include "fish.h"
+ #include "rc_protocol.h"
+
++/* Because this is a Unix domain socket, the total path length must be
++ * under 108 bytes.
++ */
++#define SOCKET_DIR "/tmp/.guestfish-%d" /* euid */
++#define SOCKET_PATH "/tmp/.guestfish-%d/socket-%d" /* euid, pid */
++
++static void
++create_sockdir (void)
++{
++ uid_t euid = geteuid ();
++ char dir[128];
++ int r;
++ struct stat statbuf;
++
++ /* Create the directory, and ensure it is owned by the user. */
++ snprintf (dir, sizeof dir, SOCKET_DIR, euid);
++ r = mkdir (dir, 0700);
++ if (r == -1 && errno != EEXIST) {
++ error:
++ perror (dir);
++ exit (EXIT_FAILURE);
++ }
++ if (lstat (dir, &statbuf) == -1)
++ goto error;
++ if (!S_ISDIR (statbuf.st_mode) ||
++ (statbuf.st_mode & 0777) != 0700 ||
++ statbuf.st_uid != euid) {
++ fprintf (stderr,
++ _("guestfish: '%s' is not a directory or has insecure owner or permissions\n"),
++ dir);
++ exit (EXIT_FAILURE);
++ }
++}
++
+ static void
+ create_sockpath (pid_t pid, char *sockpath, size_t len,
+ struct sockaddr_un *addr)
+ {
+- char dir[128];
+ uid_t euid = geteuid ();
+
+- snprintf (dir, sizeof dir, "/tmp/.guestfish-%d", euid);
+- mkdir (dir, 0700);
++ create_sockdir ();
+
+- snprintf (sockpath, len, "/tmp/.guestfish-%d/socket-%d", euid, pid);
++ snprintf (sockpath, len, SOCKET_PATH, euid, pid);
+
+ addr->sun_family = AF_UNIX;
+ strcpy (addr->sun_path, sockpath);
+@@ -194,6 +227,8 @@ rc_listen (void)
+ memset (&hello, 0, sizeof hello);
+ memset (&call, 0, sizeof call);
+
++ create_sockdir ();
++
+ pid = fork ();
+ if (pid == -1) {
+ perror ("fork");
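Review bot: The ownership check in create_sockdir carries the whole fix, but its one-line comment does not say why the order and the calls matter; I would expand it to something like `/* mkdir first, then lstat (not stat): a symlink or a directory pre-created by another user must fail the S_ISDIR/st_uid/0700 test instead of being followed or reused. */`. The check appears to rely on /tmp being sticky so that the validated directory cannot be swapped afterwards; that assumption is not visible in the patch and is worth stating in the same comment. As a style point, the `error:` label sits inside the body of the `if (r == -1 && errno != EEXIST)` block and is entered by `goto` from the lstat failure path; moving the perror/exit pair to a small helper or to the end of the function would read more plainly. `euid` is a uid_t passed to `%d` in SOCKET_DIR and SOCKET_PATH, so a cast such as `(int) euid` would keep the format and argument types matched. create_sockpath and rc_listen continue outside the nested hunks shown.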
diff -Nru libguestfs-1.18.1/debian/patches/series libguestfs-1.18.1/debian/patches/series
--- libguestfs-1.18.1/debian/patches/series 2013-03-16 15:56:53.000000000 +0100
+++ libguestfs-1.18.1/debian/patches/series 2013-10-17 20:44:54.000000000 +0200
@@ -8,3 +8,4 @@
0008-autoreconf.patch
0009-The-package-containing-the-diff-binary-has-been-diff.patch
0010-gobject-bindtests-gjs-exception-behaviour-changed-fi.patch
+0011-fish-CVE-2013-4419-Fix-insecure-temporary-directory-.patch