
Bug#174987: tetex-bin: xdvi wrapper has a temporary file race condition (security hole)



Package: tetex-bin
Version: 1.0.7+20021025-6
Severity: grave
Tags: patch sid
Justification: user security hole

Hello,

The new xdvi wrapper in /usr/bin has the following problems:

  - The temporary file that compressed files are decompressed into is
    created in the current working directory.  This creates a race
    condition and exploitable security hole.

  - File names containing an apostrophe or a backslash are not handled
    for decompression.

  - If xdvi.bin terminates with a nonzero exit code, the exit code of
    the xdvi wrapper is not the same exit code but 256 times that code.

  - If gzip or bzip2 is killed by a signal or dumps core, the xdvi
    wrapper still proceeds to invoke xdvi.bin.

The following patch should fix these problems.

Thanks,
	Ken

--- /usr/bin/xdvi.orig	2003-01-02 03:25:38.000000000 +0000
+++ /usr/bin/xdvi	2003-01-02 04:11:35.000000000 +0000
@@ -24,7 +24,6 @@
 
 use strict;
 use File::Basename;
-use File::Temp qw(tempfile);
 
 my @NAMEOPT;
 if (@ARGV == 1 and ($ARGV[0] eq '-help' or $ARGV[0] eq '-version')) {
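Review bot: dropping `use File::Temp` is right now that no named temporary file is created, but the replacement code in the next hunk loads its module at run time with `require Fcntl;` and calls the constant as `Fcntl::F_SETFD()`; loading it here with the other modules (`use Fcntl qw(F_SETFD);`) is the conventional place and lets the later call read `fcntl TEMP, F_SETFD, 0`.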
@@ -56,31 +55,41 @@
 my $status;
 if (@ARGV) {
     my $filename = pop @ARGV;
-    my ($fh, $tempfile);
 
     if ($filename =~ /\.(gz|Z|bz2)$/) {
-	($fh, $tempfile) = tempfile("tetexXXXXXX", SUFFIX => '.dvi');
-	if ($filename =~ /\.(gz|Z)$/) {
-	    system("gzip -d -c '$filename' > $tempfile");
+	my @command = $1 eq 'bz2' ? qw(bzip2 -d -c) : qw(gzip -d -c);
+
+	require Fcntl;
+	open TEMP, "+>", undef
+	    or die "xdvi: cannot create temporary file: $!\n";
+	fcntl TEMP, Fcntl::F_SETFD(), 0
+	    or die "xdvi: disabling close-on-exec for temporary file: $!\n";
+
+	if (my $child = fork) {
+	    1 while wait != $child;
+	    if ($? & 255) {
+		die "xdvi: $command[0] terminated abnormally: $?\n";
+	    } elsif ($?) {
+		my $code = $? >> 8;
+		die "xdvi: $command[0] terminated with exit code $code\n";
+	    }
+	} elsif (defined $child) {
+	    open STDOUT, ">&TEMP";
+	    exec @command, $filename;
 	} else {
-	    system("bzip2 -d -c '$filename' > $tempfile");
-	}
-	if ($? >> 8 != 0) {
-	    $status = $? >> 8;
-	    unlink $tempfile;
-	    exit $status;
+	    die "xdvi: fork: $!\n";
 	}
-
-	system('xdvi.bin', @NAMEOPT, @ARGV, $tempfile);
-	$status = $?;
-	unlink $tempfile;
+	$status = system('xdvi.bin', @NAMEOPT, @ARGV, "/dev/fd/".fileno(TEMP));
     } else {
-	system('xdvi.bin', @NAMEOPT, @ARGV, $filename);
-	$status = $?;
+	$status = system('xdvi.bin', @NAMEOPT, @ARGV, $filename);
     }
 } else {
-    system('xdvi.bin', @NAMEOPT);
-    $status = $?;
+    $status = system('xdvi.bin', @NAMEOPT);
 }
 
-exit $status;
+if ($status & 255) {
+    die "xdvi: xdvi.bin terminated abnormally: $?\n";
+} else {
+    my $code = $? >> 8;
+    exit $code;
+}
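Review bot: the child has no exit path after `exec @command, $filename;` if exec fails (decompressor not installed, not executable): it falls through past the `if` block and runs the parent's `$status = system('xdvi.bin', ...)` line, so a second viewer is started on an empty file and the status returned to the user is meaningless. Ending the child with `exec @command, $filename or die "xdvi: exec $command[0]: $!\n";` closes that path, and the parent's `$? >> 8` check then reports the failure. Two smaller points: `open STDOUT, ">&TEMP";` is unchecked, and if it fails the decompressed data goes to the wrapper's own stdout instead of the temporary file; and the final block tests `$status` but dies with `$?` and shifts `$? >> 8`, which only works because `system` also sets `$?`, so using `$status` in both places, and printing `$status & 127` as the signal number in the "terminated abnormally" message, would be clearer. Worth recording in the changelog as well: `"/dev/fd/".fileno(TEMP)` relies on /dev/fd opening the file afresh at offset 0 (Linux procfs behaviour); on systems where opening /dev/fd/N merely duplicates the descriptor, xdvi.bin would inherit the offset left at end-of-file by the child.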

-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux proper 2.4.20 #1 Sun Dec 22 19:40:03 EST 2002 i686
Locale: LANG=C, LC_CTYPE=en_US

Versions of packages tetex-bin depends on:
ii  debconf                 1.2.21           Debian configuration management sy
ii  debianutils             2.0.6            Miscellaneous utilities specific t
ii  dpkg                    1.10.9           Package maintenance system for Deb
ii  ed                      0.2-19           The classic unix line editor
ii  libc6                   2.3.1-8          GNU C Library: Shared libraries an
ii  libkpathsea3            1.0.7+20021025-6 shared libkpathsea for teTeX
ii  libpng12-0              1.2.5-8          PNG library - runtime
ii  libwww0                 5.4.0-5          The W3C WWW library
ii  libxaw7                 4.2.1-4          X Athena widget set library
ii  perl-tk                 1:800.024-1.1    Perl module providing the Tk graph
ii  t1lib1                  1.3.1-1          Type 1 font rasterizer library - r
ii  tetex-base              1.0.2+20021025-3 basic teTeX library files
ii  xlibs                   4.2.1-4          X Window System client libraries
ii  zlib1g                  1:1.1.4-8        compression library - runtime

-- debconf information:
* tetex-bin/cnf_name: 
* tetex-bin/userperm: false
* tetex-bin/groupname: users
* tetex-bin/groupperm: true
* tetex-bin/lsr-perms: true


-- 
Edit this signature at http://www.digitas.harvard.edu/cgi-bin/ken/sig
It is the army that finally makes a citizen of you; without it you still have a
chance, however slim, to remain a human being. 
-- Joseph Brodsky, Less Than One
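An added example, written for this report and not part of Ken's patch or the tetex-bin wrapper, that addresses the same four problems in a different shape: the temporary file is created in a fresh mode-0700 directory under $TMPDIR rather than the current working directory (an alternative to the patch's anonymous /dev/fd file), the decompressor is exec'd as a list so an apostrophe or backslash in the file name is passed through literally, and the wait status is decoded with the POSIX macros so a signal death is reported instead of shifted away. The function names, the `input.dvi` file name and the 128+signal exit convention are choices made here; `xdvi.bin` is the viewer name used by the wrapper in the report.

```perl
#!/usr/bin/perl
# Added example, not the xdvi wrapper or the patch above: decompress a
# .gz/.Z/.bz2 file into a temporary file in a private directory, run the
# decompressor without a shell, and decode the wait status properly.
use strict;
use warnings;
use File::Temp qw(tempdir);
use POSIX qw(WIFSIGNALED WTERMSIG WEXITSTATUS _exit);

# Translate a raw wait status (Perl's $?) into a description and the code a
# wrapper should exit with: the child's own exit code, or 128 + signal
# number (the shell convention, an assumption here) when it was killed.
sub decode_status {
    my ($status) = @_;
    return ("could not be started: $!", 127) if $status == -1;
    if (WIFSIGNALED($status)) {
        my $sig = WTERMSIG($status);
        return ("killed by signal $sig", 128 + $sig);
    }
    my $code = WEXITSTATUS($status);
    return ("exited with code $code", $code);
}

# Choose the decompressor from the suffix; undef means "not compressed".
sub decompressor_for {
    my ($filename) = @_;
    return [qw(bzip2 -d -c)] if $filename =~ /\.bz2\z/;
    return [qw(gzip -d -c)]  if $filename =~ /\.(?:gz|Z)\z/;
    return undef;
}

# Decompress $filename into a new file inside a mode-0700 directory created
# under $TMPDIR (or /tmp) and removed when this process exits.  Because the
# directory is private and freshly created, no other user can plant a link
# or file at the path we write to, which is the race the report describes.
sub decompress_to_tempfile {
    my ($filename) = @_;
    my $command = decompressor_for($filename)
        or die "not a compressed file: $filename\n";
    my $dir      = tempdir('xdvi-XXXXXX', TMPDIR => 1, CLEANUP => 1);
    my $tempfile = "$dir/input.dvi";    # name chosen for this example

    my $child = fork;
    die "fork: $!\n" unless defined $child;
    if ($child == 0) {
        # Child: send stdout to the temp file and exec the decompressor as a
        # list (no shell), so an apostrophe, backslash or space in $filename
        # reaches gzip/bzip2 unchanged.
        unless (open STDOUT, '>', $tempfile) {
            warn "open $tempfile: $!\n";
            _exit(127);
        }
        exec @$command, $filename;
        # Reached only if exec failed: _exit so the child neither continues
        # into the parent's code below nor runs File::Temp's cleanup of $dir.
        warn "exec $command->[0]: $!\n";
        _exit(127);
    }
    waitpid $child, 0;
    my ($what, $code) = decode_status($?);
    die "$command->[0] $what\n" if $code != 0;
    return $tempfile;
}

# Usage: decompress the argument and hand it to the viewer, then exit with
# the viewer's real exit code rather than the raw $? value.
if (@ARGV == 1) {
    my $path   = decompress_to_tempfile($ARGV[0]);
    my $status = system('xdvi.bin', $path);
    my ($what, $code) = decode_status($status);
    warn "xdvi.bin $what\n" if $code != 0;
    exit $code;
}
```

The temporary directory lives until the wrapper exits, which is what the viewer needs; `CLEANUP => 1` removes it from the parent's END block, and the child uses `_exit` precisely so that it never runs that block itself.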

Attachment: pgpF_xFxGrt4s.pgp
Description: PGP signature

