Package: tetex-bin
Version: 1.0.7+20021025-6
Severity: grave
Tags: patch sid
Justification: user security hole

Hello,

The new xdvi wrapper in /usr/bin has the following problems:

- The temporary file that compressed files are decompressed into is created in the current working directory. This creates a race condition and exploitable security hole.
- File names containing an apostrophe or a backslash are not handled for decompression.
- If xdvi.bin terminates with a nonzero exit code, the exit code of the xdvi wrapper is not the same exit code but 256 times that code.
- If gzip or bzip2 is killed by a signal or dumps core, the xdvi wrapper still proceeds to invoke xdvi.bin.

The following patch should fix these problems.

Thanks,
Ken

--- /usr/bin/xdvi.orig 2003-01-02 03:25:38.000000000 +0000 +++ /usr/bin/xdvi 2003-01-02 04:11:35.000000000 +0000 @@ -24,7 +24,6 @@ use strict; use File::Basename; -use File::Temp qw(tempfile); my @NAMEOPT; if (@ARGV == 1 and ($ARGV[0] eq '-help' or $ARGV[0] eq '-version')) { 
@@ -56,31 +55,41 @@ my $status; if (@ARGV) { my $filename = pop @ARGV; - my ($fh, $tempfile); if ($filename =~ /\.(gz|Z|bz2)$/) { - ($fh, $tempfile) = tempfile("tetexXXXXXX", SUFFIX => '.dvi'); - if ($filename =~ /\.(gz|Z)$/) { - system("gzip -d -c '$filename' > $tempfile"); + my @command = $1 eq 'bz2' ? qw(bzip2 -d -c) : qw(gzip -d -c); + + require Fcntl; + open TEMP, "+>", undef + or die "xdvi: cannot create temporary file: $!\n"; + fcntl TEMP, Fcntl::F_SETFD(), 0 + or die "xdvi: disabling close-on-exec for temporary file: $!\n"; + + if (my $child = fork) { + 1 while wait != $child; + if ($? & 255) { + die "xdvi: $command[0] terminated abnormally: $?\n"; + } elsif ($?) { + my $code = $? >> 8; + die "xdvi: $command[0] terminated with exit code $code\n"; + } + } elsif (defined $child) { + open STDOUT, ">&TEMP"; + exec @command, $filename; } else { - system("bzip2 -d -c '$filename' > $tempfile"); - } - if ($? >> 8 != 0) { - $status = $? >> 8; - unlink $tempfile; - exit $status; + die "xdvi: fork: $!\n"; } - - system('xdvi.bin', @NAMEOPT, @ARGV, $tempfile); - $status = $?; - unlink $tempfile; + $status = system('xdvi.bin', @NAMEOPT, @ARGV, "/dev/fd/".fileno(TEMP)); } else { - system('xdvi.bin', @NAMEOPT, @ARGV, $filename); - $status = $?; + $status = system('xdvi.bin', @NAMEOPT, @ARGV, $filename); } } else { - system('xdvi.bin', @NAMEOPT); - $status = $?; + $status = system('xdvi.bin', @NAMEOPT); } -exit $status; +if ($status & 255) { + die "xdvi: xdvi.bin terminated abnormally: $?\n"; +} else { + my $code = $? 
>> 8; + exit $code; +}

-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux proper 2.4.20 #1 Sun Dec 22 19:40:03 EST 2002 i686
Locale: LANG=C, LC_CTYPE=en_US

Versions of packages tetex-bin depends on:
ii  debconf       1.2.21            Debian configuration management sy
ii  debianutils   2.0.6             Miscellaneous utilities specific t
ii  dpkg          1.10.9            Package maintenance system for Deb
ii  ed            0.2-19            The classic unix line editor
ii  libc6         2.3.1-8           GNU C Library: Shared libraries an
ii  libkpathsea3  1.0.7+20021025-6  shared libkpathsea for teTeX
ii  libpng12-0    1.2.5-8           PNG library - runtime
ii  libwww0       5.4.0-5           The W3C WWW library
ii  libxaw7       4.2.1-4           X Athena widget set library
ii  perl-tk       1:800.024-1.1     Perl module providing the Tk graph
ii  t1lib1        1.3.1-1           Type 1 font rasterizer library - r
ii  tetex-base    1.0.2+20021025-3  basic teTeX library files
ii  xlibs         4.2.1-4           X Window System client libraries
ii  zlib1g        1:1.1.4-8         compression library - runtime

-- debconf information:
* tetex-bin/cnf_name:
* tetex-bin/userperm: false
* tetex-bin/groupname: users
* tetex-bin/groupperm: true
* tetex-bin/lsr-perms: true

-- 
Edit this signature at http://www.digitas.harvard.edu/cgi-bin/ken/sig
It is the army that finally makes a citizen of you; without it you still have a chance, however slim, to remain a human being. -- Joseph Brodsky, Less Than One
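
Review bot: in the child branch of the second hunk (@@ -56,31 +55,41 @@), `exec @command, $filename;` has no failure handling, so when gzip or bzip2 cannot be executed the child falls out of the if/elsif chain and goes on to run `system('xdvi.bin', ...)` itself on the still-empty temporary file; if that run exits 0, the waiting parent then treats decompression as successful and starts xdvi.bin a second time. Follow the exec with something like `die "xdvi: exec $command[0]: $!\n";` and check the `open STDOUT, ">&TEMP"` before it in the same way. Two smaller points in the same hunk: `$filename` is passed to the decompressor as a bare last argument, so a name beginning with `-` is read as an option unless `--` is placed before it; and the closing block tests `$status & 255` but then formats and shifts `$?`, which only agree because nothing runs between the `system` call and the test, so using `$status` throughout would make the exit-code handling self-consistent.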