
Bug#174987: marked as done (tetex-bin: xdvi wrapper has a temporary file race condition (security hole))



Your message dated Sat, 04 Jan 2003 09:02:26 -0500
with message-id <E18Uosc-0006uu-00@auric.debian.org>
and subject line Bug#174987: fixed in tetex-bin 1.0.7+20021025-7
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 2 Jan 2003 04:24:42 +0000
>From ccshan@post.harvard.edu Wed Jan 01 22:24:41 2003
Return-path: <ccshan@post.harvard.edu>
Received: from kung-9.eecs.harvard.edu (proper.ptq.dyndns.org) [140.247.60.207] 
	by master.debian.org with esmtp (Exim 3.12 1 (Debian))
	id 18TwuP-0000ju-00; Wed, 01 Jan 2003 22:24:41 -0600
Received: by proper.ptq.dyndns.org (Postfix, from userid 1000)
	id 7D6A5369CB; Wed,  1 Jan 2003 20:24:47 -0800 (PST)
Date: Wed, 1 Jan 2003 23:24:47 -0500
From: Chung-chieh Shan <ken@digitas.harvard.edu>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: tetex-bin: xdvi wrapper has a temporary file race condition (security hole)
Message-ID: <20030102042447.GA30711@proper.ptq.dyndns.org>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="qDbXVdCdHGoSgWSk"
Content-Disposition: inline
User-Agent: Mutt/1.4i
X-Reportbug-Version: 2.10
Organization: very far away from anywhere else
Delivered-To: submit@bugs.debian.org
X-Spam-Status: No, hits=-9.8 required=5.0
	tests=NOSPAM_INC,PATCH_UNIFIED_DIFF,PGP_SIGNATURE_2,
	      SPAM_PHRASE_00_01,USER_AGENT,USER_AGENT_MUTT
	version=2.41
X-Spam-Level: 


Package: tetex-bin
Version: 1.0.7+20021025-6
Severity: grave
Tags: patch sid
Justification: user security hole

Hello,

The new xdvi wrapper in /usr/bin has the following problems:

  - The temporary file that compressed files are decompressed into is
    created in the current working directory.  This creates a race
    condition and exploitable security hole.

  - File names containing an apostrophe or a backslash are not handled
    for decompression.

  - If xdvi.bin terminates with a nonzero exit code, the exit code of
    the xdvi wrapper is not the same exit code but 256 times that code.

  - If gzip or bzip2 is killed by a signal or dumps core, the xdvi
    wrapper still proceeds to invoke xdvi.bin.

The following patch should fix these problems.

Thanks,
	Ken

--- /usr/bin/xdvi.orig	2003-01-02 03:25:38.000000000 +0000
+++ /usr/bin/xdvi	2003-01-02 04:11:35.000000000 +0000
@@ -24,7 +24,6 @@
=20
 use strict;
 use File::Basename;
-use File::Temp qw(tempfile);
=20
 my @NAMEOPT;
 if (@ARGV =3D=3D 1 and ($ARGV[0] eq '-help' or $ARGV[0] eq '-version')) {
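Review bot: dropping `use File::Temp qw(tempfile);` is consistent with the new code, since the replacement opens its scratch file with `open TEMP, "+>", undef` (Perl still creates that anonymous file through File::Temp internally), but the new branch then pulls in `require Fcntl;` at run time; a `use Fcntl;` next to these pragmas would keep the module dependencies visible in one place and resolve `Fcntl::F_SETFD` at compile time.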
@@ -56,31 +55,41 @@
 my $status;
 if (@ARGV) {
     my $filename =3D pop @ARGV;
-    my ($fh, $tempfile);
=20
     if ($filename =3D~ /\.(gz|Z|bz2)$/) {
-	($fh, $tempfile) =3D tempfile("tetexXXXXXX", SUFFIX =3D> '.dvi');
-	if ($filename =3D~ /\.(gz|Z)$/) {
-	    system("gzip -d -c '$filename' > $tempfile");
+	my @command =3D $1 eq 'bz2' ? qw(bzip2 -d -c) : qw(gzip -d -c);
+
+	require Fcntl;
+	open TEMP, "+>", undef
+	    or die "xdvi: cannot create temporary file: $!\n";
+	fcntl TEMP, Fcntl::F_SETFD(), 0
+	    or die "xdvi: disabling close-on-exec for temporary file: $!\n";
+
+	if (my $child =3D fork) {
+	    1 while wait !=3D $child;
+	    if ($? & 255) {
+		die "xdvi: $command[0] terminated abnormally: $?\n";
+	    } elsif ($?) {
+		my $code =3D $? >> 8;
+		die "xdvi: $command[0] terminated with exit code $code\n";
+	    }
+	} elsif (defined $child) {
+	    open STDOUT, ">&TEMP";
+	    exec @command, $filename;
 	} else {
-	    system("bzip2 -d -c '$filename' > $tempfile");
-	}
-	if ($? >> 8 !=3D 0) {
-	    $status =3D $? >> 8;
-	    unlink $tempfile;
-	    exit $status;
+	    die "xdvi: fork: $!\n";
 	}
-
-	system('xdvi.bin', @NAMEOPT, @ARGV, $tempfile);
-	$status =3D $?;
-	unlink $tempfile;
+	$status =3D system('xdvi.bin', @NAMEOPT, @ARGV, "/dev/fd/".fileno(TEMP));
     } else {
-	system('xdvi.bin', @NAMEOPT, @ARGV, $filename);
-	$status =3D $?;
+	$status =3D system('xdvi.bin', @NAMEOPT, @ARGV, $filename);
     }
 } else {
-    system('xdvi.bin', @NAMEOPT);
-    $status =3D $?;
+    $status =3D system('xdvi.bin', @NAMEOPT);
 }
=20
-exit $status;
+if ($status & 255) {
+    die "xdvi: xdvi.bin terminated abnormally: $?\n";
+} else {
+    my $code =3D $? >> 8;
+    exit $code;
+}
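Review bot: the child branch at `exec @command, $filename;` has no failure path: if the decompressor cannot be executed (`$!` set, for example bzip2 not installed), `exec` returns and the child keeps running the parent's code, launching a second `xdvi.bin` with stdout still redirected into TEMP and then executing the final exit block a second time. Write it as `exec @command, $filename or die "xdvi: cannot exec $command[0]: $!\n";` and likewise check `open STDOUT, ">&TEMP" or die ...`. Two smaller points: the final block tests `$status & 255` but then reports and shifts `$?` rather than `$status` (equal here, easy to break once another call lands in between), and `1 while wait != $child` loops forever if `wait` ever returns -1, so `waitpid($child, 0)` is the safer form. Passing `"/dev/fd/".fileno(TEMP)` in place of the named temporary file also relies on the kernel exposing open descriptors by path, which holds on Linux but deserves a comment.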

-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux proper 2.4.20 #1 Sun Dec 22 19:40:03 EST 2002 i686
Locale: LANG=C, LC_CTYPE=en_US

Versions of packages tetex-bin depends on:
ii  debconf                 1.2.21           Debian configuration management sy
ii  debianutils             2.0.6            Miscellaneous utilities specific t
ii  dpkg                    1.10.9           Package maintenance system for Deb
ii  ed                      0.2-19           The classic unix line editor
ii  libc6                   2.3.1-8          GNU C Library: Shared libraries an
ii  libkpathsea3            1.0.7+20021025-6 shared libkpathsea for teTeX
ii  libpng12-0              1.2.5-8          PNG library - runtime
ii  libwww0                 5.4.0-5          The W3C WWW library
ii  libxaw7                 4.2.1-4          X Athena widget set library
ii  perl-tk                 1:800.024-1.1    Perl module providing the Tk graph
ii  t1lib1                  1.3.1-1          Type 1 font rasterizer library - r
ii  tetex-base              1.0.2+20021025-3 basic teTeX library files
ii  xlibs                   4.2.1-4          X Window System client libraries
ii  zlib1g                  1:1.1.4-8        compression library - runtime

-- debconf information:
* tetex-bin/cnf_name: 
* tetex-bin/userperm: false
* tetex-bin/groupname: users
* tetex-bin/groupperm: true
* tetex-bin/lsr-perms: true


-- 
Edit this signature at http://www.digitas.harvard.edu/cgi-bin/ken/sig
It is the army that finally makes a citizen of you; without it you still have a
chance, however slim, to remain a human being.
-- Joseph Brodsky, Less Than One

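Points 3 and 4 of the report (decoding a raw wait status instead of handing it straight to exit) and point 2 (passing the file name to the decompressor without a shell), as an added Python example that is not part of the bug report or of Debian's xdvi wrapper; the child program and the odd file name are constructed stand-ins for gzip/bzip2 and a real .gz file, so nothing beyond Python itself is needed.

```python
import os
import sys
import tempfile

def decode_wait_status(status):
    """Split a raw wait(2) status the way the patched wrapper does with
    `$? & 255` and `$? >> 8`: low 7 bits = terminating signal, bit 7 =
    core dumped, high byte = exit code (meaningful only without a signal)."""
    sig = status & 0x7F
    if sig:
        return ("signal", sig, bool(status & 0x80))
    return ("exit", (status >> 8) & 0xFF, False)

def naive_exit_code(status):
    """What the pre-patch `exit $status` actually delivers: exit() keeps only
    the low 8 bits of the raw status, so exit code 1 (status 256) reads as
    success and a signal death surfaces as a small bogus code."""
    return status & 0xFF

def run_capturing(argv, out_fd=None):
    """fork/exec argv with stdout sent to out_fd and return the raw wait
    status.  No shell is involved, so apostrophes and backslashes in a file
    name reach the child verbatim.  If exec fails the child exits 127 rather
    than falling back into the parent's code path."""
    pid = os.fork()
    if pid == 0:
        try:
            if out_fd is not None:
                os.dup2(out_fd, 1)
            os.execvp(argv[0], argv)
        except OSError:
            pass
        os._exit(127)
    _, status = os.waitpid(pid, 0)
    return status

def run_child_script(code, *args):
    """Run a small Python program as the child (constructed stand-in for the
    decompressor) writing into an unlinked temporary file, and return
    (decoded status, bytes the child wrote).  An unlinked file has no name
    in the working directory for anyone to race against."""
    with tempfile.TemporaryFile() as tmp:
        argv = [sys.executable, "-c", code, *args]
        status = run_capturing(argv, tmp.fileno())
        tmp.seek(0)
        return decode_wait_status(status), tmp.read()
```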

---------------------------------------
Received: (at 174987-close) by bugs.debian.org; 4 Jan 2003 14:05:37 +0000
>From katie@auric.debian.org Sat Jan 04 08:05:36 2003
Return-path: <katie@auric.debian.org>
Received: from auric.debian.org [206.246.226.45] (mail)
	by master.debian.org with esmtp (Exim 3.12 1 (Debian))
	id 18Uovg-0003Qx-00; Sat, 04 Jan 2003 08:05:36 -0600
Received: from katie by auric.debian.org with local (Exim 3.35 1 (Debian))
	id 18Uosc-0006uu-00; Sat, 04 Jan 2003 09:02:26 -0500
From: Atsuhito KOHDA <kohda@debian.org>
To: 174987-close@bugs.debian.org
X-Katie: $Revision: 1.29 $
Subject: Bug#174987: fixed in tetex-bin 1.0.7+20021025-7
Message-Id: <E18Uosc-0006uu-00@auric.debian.org>
Sender: Archive Administrator <katie@auric.debian.org>
Date: Sat, 04 Jan 2003 09:02:26 -0500
Delivered-To: 174987-close@bugs.debian.org

We believe that the bug you reported is fixed in the latest version of
tetex-bin, which is due to be installed in the Debian FTP archive:

libkpathsea-dev_1.0.7+20021025-7_i386.deb
  to pool/main/t/tetex-bin/libkpathsea-dev_1.0.7+20021025-7_i386.deb
libkpathsea3_1.0.7+20021025-7_i386.deb
  to pool/main/t/tetex-bin/libkpathsea3_1.0.7+20021025-7_i386.deb
tetex-bin_1.0.7+20021025-7.diff.gz
  to pool/main/t/tetex-bin/tetex-bin_1.0.7+20021025-7.diff.gz
tetex-bin_1.0.7+20021025-7.dsc
  to pool/main/t/tetex-bin/tetex-bin_1.0.7+20021025-7.dsc
tetex-bin_1.0.7+20021025-7_i386.deb
  to pool/main/t/tetex-bin/tetex-bin_1.0.7+20021025-7_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 174987@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Atsuhito KOHDA <kohda@debian.org> (supplier of updated tetex-bin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Sun, 22 Dec 2002 21:44:56 +0900
Source: tetex-bin
Binary: libkpathsea3 tetex-bin libkpathsea-dev
Architecture: source i386
Version: 1.0.7+20021025-7
Distribution: unstable
Urgency: low
Maintainer: teTeX maintainers <debian-tetex-maint@lists.debian.org>
Changed-By: Atsuhito KOHDA <kohda@debian.org>
Description: 
 libkpathsea-dev - kpathsea.a and include files for teTeX
 libkpathsea3 - shared libkpathsea for teTeX
 tetex-bin  - teTeX binary files
Closes: 121129 173691 174987
Changes: 
 tetex-bin (1.0.7+20021025-7) unstable; urgency=low
 .
   * Installed update-updmap and run it in postinst.  Added explanation for
     update-updmap in README.Debian.  [kohda]
   * Updated rules substantially.  [kohda]
   * Now moved libkpathsea-dev symlink in /usr/share/doc to point to
     libkpathsea3, so we removed dependency on tetex-base of libkpathsea-dev.
     [kohda]  (Closes: #173691)
   * Used debconf to suggest a user to remove old and harmful conffile
     /etc/X11/Xresources/tetex-base  [kohda]  (Closes: #121129)
   * Refined debian/xdvi-pl script.  Thanks to Chung-chieh Shan
     <ken@digitas.harvard.edu>  [advised by jdg and done by kohda]
     (Closes: #174987)
   * Removed obsolete omega.fmt and lambda.fmt; they would be removed with preinst.
     [kohda]
   * Added note for tetex maintainers about how to create orig.tar.gz
     This is irrelevant for users but might be helpful for maintainers
     cooperation.  [kohda]
   * Updated debian/shlibs.local  [kohda]
Files: 
 0cb2302edb614681e5b7115120768247 979 tex optional tetex-bin_1.0.7+20021025-7.dsc
 dd728a4afd6f21c917860b4109309142 48795 tex optional tetex-bin_1.0.7+20021025-7.diff.gz
 c89de22de9dcf940798e7b8ef7b9e7d9 2784526 tex optional tetex-bin_1.0.7+20021025-7_i386.deb
 10ba87ca2c38343d55a14ba809a33473 43744 libs optional libkpathsea3_1.0.7+20021025-7_i386.deb
 cf2061d7cc47ec729f16b274339bccce 62670 devel optional libkpathsea-dev_1.0.7+20021025-7_i386.deb



