Bug#286370: (fwd) Bug#286370: xdvizilla: Vulnerable to symlink attack in temporary directory
Hi,
Just FYI. I've checked xdvizilla of teTeX beta too, but I'm not sure
if it has the same bug. At a first glance this is the case.
Regards,
Hilmar
----- Forwarded message from Javier Fernández-Sanguino Peña <jfs@computer.org> -----
From: Javier Fernández-Sanguino Peña <jfs@computer.org>
Reply-To: Javier Fernández-Sanguino Peña <jfs@computer.org>,
286370@bugs.debian.org
To: submit@bugs.debian.org
Subject: Bug#286370: xdvizilla: Vulnerable to symlink attack in temporary directory
Date: Sun, 19 Dec 2004 23:14:20 +0100
Message-ID: <20041219221420.GA8825@silicio>
User-Agent: Mutt/1.5.6+20040907i
X-Mailing-List: <debian-tetex-maint@lists.debian.org> archive/latest/10068
Package: tetex-bin
Version: 2.0.2-24
Priority: important
Tags: security
The xdvizilla script does not protect itself from temporary filename
attacks since it creates files in an insecure manner (using the
process PID to try to protect its creation) and does not check
whether files (or directories) exist prior to using them.
The attached patch fixes this behaviour.
Regards
Javier
PS: I initially reported this to the security team back in June,
but have not found time to follow up on this issue until today.
Security team, please check
Resent-Message-ID: <20040624124521.GA10101@dat.etsit.upm.es>
--- xdvizilla.orig 2004-12-19 22:57:08.000000000 +0100
+++ xdvizilla 2004-12-19 23:13:03.000000000 +0100
@@ -33,7 +33,7 @@
case "$FILETYPE" in
*"gzip compressed data"*)
- FILE=/tmp/xdvizilla$$
+ FILE=`mktemp -t xdvizilla.XXXXXX` || { echo "$0: Cannot create temporary file"; exit 1 }
gunzip -c "$1" > $FILE
[ -n "$NO_RM" ] || rm -f -- "$1"
NO_RM=
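Review bot: the error branch `{ echo "$0: Cannot create temporary file"; exit 1 }` is not valid sh. A brace group needs a `;` or a newline before the closing `}`, so as written the shell passes `}` as an argument to `exit` and reports an unterminated group; write it as `{ echo "$0: Cannot create temporary file" >&2; exit 1; }`. The following `gunzip -c "$1" > $FILE` still expands `$FILE` unquoted; quoting it (`> "$FILE"`) costs nothing and matches the quoting already used for `$1`.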
@@ -41,7 +41,7 @@
;;
*"compressed data"* | *"compress'd data"*)
- FILE=/tmp/xdvizilla$$
+ FILE=`mktemp -t xdvizilla.XXXXXX` || { echo "$0: Cannot create temporary file"; exit 1 }
uncompress -c "$1" > $FILE
[ -n "$NO_RM" ] || rm -f -- "$1"
NO_RM=
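Review bot: same syntax problem as the gzip hunk: `exit 1 }` needs a `;` before the `}` (`{ echo "$0: Cannot create temporary file" >&2; exit 1; }`), otherwise the script fails to parse. `uncompress -c "$1" > $FILE` should likewise quote `"$FILE"`.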
@@ -60,7 +60,7 @@
case "$FILETYPE" in
*" tar archive")
- TARDIR=/tmp/xdvitar$$
+ TARDIR=`mktemp -t -d xdvitar.XXXXXX` || { echo "$0: Cannot create temporary directory"; exit 1 }
mkdir $TARDIR
cat "$FILE" | (cd $TARDIR; tar xf -)
DVINAME=`tar tf "$FILE" | grep '\.dvi$' | head -1`
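Review bot: `mktemp -d` already creates the directory (mode 0700), so the unchanged `mkdir $TARDIR` on the next line now fails with "File exists"; remove that `mkdir` line as part of this change. The brace group has the same missing `;` before `}` as the other two hunks and must become `{ echo "$0: Cannot create temporary directory" >&2; exit 1; }`. `cd $TARDIR` should also quote `"$TARDIR"` for consistency with the rest of the script.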
----- End forwarded message -----
--
http://www.hilmar-preusse.de.vu/
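The pattern the patch above is reaching for, written out as an added example that is not the xdvizilla script itself nor Javier's patch: temporary files and directories created with mktemp(1), a valid sh error branch, a check that a path is not a symlink before it is written to, and a small extraction helper mirroring the gzip hunk. Function names (make_tmpfile, make_tmpdir, is_safe_path, extract_gz) are my own; the template prefixes xdvizilla/xdvitar come from the report.

```shell
#!/bin/sh
# Added example (not the xdvizilla script): secure temp-file handling in POSIX sh.

# Create a temporary file with mktemp(1). The template is placed under $TMPDIR
# (default /tmp) explicitly, which works with both GNU and BSD mktemp.
# mktemp creates the file with O_CREAT|O_EXCL, so a symlink planted at a
# guessable name (the /tmp/xdvizilla$$ problem) is never followed.
# Note the "; " before "}": without it the brace group does not parse.
make_tmpfile() {
    mktemp "${TMPDIR:-/tmp}/xdvizilla.XXXXXX" || {
        echo "$0: Cannot create temporary file" >&2
        return 1
    }
}

# Same for a scratch directory. mktemp -d creates it with mode 0700, so no
# separate mkdir is needed (a following mkdir would fail with EEXIST).
make_tmpdir() {
    mktemp -d "${TMPDIR:-/tmp}/xdvitar.XXXXXX" || {
        echo "$0: Cannot create temporary directory" >&2
        return 1
    }
}

# Check a path before writing into it: it must exist and must not be a
# symlink. Returns 0 when safe to use, 1 otherwise.
is_safe_path() {
    [ -e "$1" ] && [ ! -L "$1" ]
}

# Decompress a gzip file into a fresh temp file and print that file's name,
# mirroring the first hunk of the patch. On any failure the temp file is
# removed so nothing is left behind in $TMPDIR.
extract_gz() {
    tmp=$(make_tmpfile) || return 1
    if is_safe_path "$tmp" && gunzip -c "$1" > "$tmp"; then
        printf '%s\n' "$tmp"
    else
        rm -f -- "$tmp"
        return 1
    fi
}
```

Callers use it as `dvi=$(extract_gz "$1") || exit 1` and remove `$dvi` themselves when done; a `trap 'rm -f -- "$dvi"' EXIT` at the top of the script covers the error paths.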