Bug#286370: marked as done (xdvizilla: Vulnerable to symlink attack in temporary directory)
Your message dated Thu, 23 Dec 2004 12:02:30 -0500
with message-id <E1ChWMA-0003ey-00@newraff.debian.org>
and subject line Bug#286370: fixed in tetex-bin 2.0.2-25
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 19 Dec 2004 22:14:23 +0000
>From jfs@computer.org Sun Dec 19 14:14:23 2004
Return-path: <jfs@computer.org>
Received: from 148.red-213-96-98.pooles.rima-tde.net (silicio) [213.96.98.148] (Debian-exim)
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1Cg9Jn-0002lp-00; Sun, 19 Dec 2004 14:14:23 -0800
Received: from jfs by silicio with local (Exim 4.34)
id 1Cg9Jk-0002Vg-Ob; Sun, 19 Dec 2004 23:14:20 +0100
Date: Sun, 19 Dec 2004 23:14:20 +0100
From: Javier Fernández-Sanguino Peña <jfs@computer.org>
To: submit@bugs.debian.org
Subject: xdvizilla: Vulnerable to symlink attack in temporary directory
Message-ID: <20041219221420.GA8825@silicio>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="FL5UXtIhxfXey3p5"
Content-Disposition: inline
User-Agent: Mutt/1.5.6+20040907i
Delivered-To: submit@bugs.debian.org
--FL5UXtIhxfXey3p5
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Package: tetex-bin
Version: 2.0.2-24
Priority: important
Tags: security
The xdvizilla script does not protect itself from temporary filename
attacks since it creates files in an insecure manner (using the
process PID to try to protect its creation) and does not check
whether files (or directories) exist prior to using them.
The attached patch fixes this behaviour.
Regards
Javier
PS: I initially reported this to the security team back in June,
but have not found time to follow up on this issue until today.
Security team, please check
Resent-Message-ID: <20040624124521.GA10101@dat.etsit.upm.es>
--FL5UXtIhxfXey3p5
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="xdvizilla.diff"
--- xdvizilla.orig 2004-12-19 22:57:08.000000000 +0100
+++ xdvizilla 2004-12-19 23:13:03.000000000 +0100
@@ -33,7 +33,7 @@
case "$FILETYPE" in
*"gzip compressed data"*)
- FILE=/tmp/xdvizilla$$
+ FILE=`mktemp -t xdvizilla.XXXXXX` || { echo "$0: Cannot create temporary file"; exit 1 }
gunzip -c "$1" > $FILE
[ -n "$NO_RM" ] || rm -f -- "$1"
NO_RM=
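Review bot: The fallback group on the added `FILE=` line is never closed: `exit 1 }` has no `;` or newline before `}`, so the shell takes `}` as an argument to `exit` and the brace group stays open, which breaks parsing of the rest of the `case` branch. Write it as `|| { echo "$0: Cannot create temporary file" >&2; exit 1; }`, which also moves the error message to stderr.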
@@ -41,7 +41,7 @@
;;
*"compressed data"* | *"compress'd data"*)
- FILE=/tmp/xdvizilla$$
+ FILE=`mktemp -t xdvizilla.XXXXXX` || { echo "$0: Cannot create temporary file"; exit 1 }
uncompress -c "$1" > $FILE
[ -n "$NO_RM" ] || rm -f -- "$1"
NO_RM=
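Review bot: `uncompress -c "$1" > $FILE` still expands `$FILE` unquoted, and with `mktemp -t` the path is now built from `$TMPDIR` instead of a fixed `/tmp` prefix, so it can contain whitespace; quote the redirect target as `> "$FILE"`. The `{ ...; exit 1 }` group on the added line also needs a `;` before the closing `}`, same as in the gzip branch.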
@@ -60,7 +60,7 @@
case "$FILETYPE" in
*" tar archive")
- TARDIR=/tmp/xdvitar$$
+ TARDIR=`mktemp -t -d xdvitar.XXXXXX` || { echo "$0: Cannot create temporary directory"; exit 1 }
mkdir $TARDIR
cat "$FILE" | (cd $TARDIR; tar xf -)
DVINAME=`tar tf "$FILE" | grep '\.dvi$' | head -1`
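Review bot: The unchanged `mkdir $TARDIR` directly after the new `TARDIR=` line should be deleted as part of this hunk: `mktemp -d` has already created the directory, so the `mkdir` now fails on every run with a "File exists" error. The `{ ...; exit 1 }` group on the added line is also missing the `;` before `}`, and `$TARDIR` in `(cd $TARDIR; tar xf -)` would be safer quoted and joined with `&&` so that `tar` does not run in the current directory if the `cd` fails.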
--FL5UXtIhxfXey3p5--
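The temporary-file handling the report asks for, written out as an added shell example; it is not part of the original report or of the xdvizilla script, and the function names are hypothetical. It uses an explicit `mktemp` template under `${TMPDIR:-/tmp}` and checks every failure path.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from xdvizilla.
# Weak form from the report: FILE=/tmp/xdvizilla$$ (name guessable from PID).

# Create a private, unpredictably named temp file and print its path.
new_tmp_file() {
    mktemp "${TMPDIR:-/tmp}/xdvizilla.XXXXXX" || {
        echo "$0: cannot create temporary file" >&2
        return 1
    }
}

# Same for a directory; mktemp -d creates it, so no mkdir afterwards.
new_tmp_dir() {
    mktemp -d "${TMPDIR:-/tmp}/xdvitar.XXXXXX" || {
        echo "$0: cannot create temporary directory" >&2
        return 1
    }
}

# Decompress gzip file $1 into a fresh temp file and print that path.
# Reading via stdin keeps an odd file name from being parsed as an option.
gunzip_to_tmp() {
    out=$(new_tmp_file) || return 1
    if gunzip -c < "$1" > "$out"; then
        printf '%s\n' "$out"
    else
        rm -f -- "$out"
        return 1
    fi
}

# Extract tar archive $1 into a fresh private directory and print it.
untar_to_tmp() {
    dir=$(new_tmp_dir) || return 1
    if (cd "$dir" && tar xf -) < "$1"; then
        printf '%s\n' "$dir"
    else
        rm -rf -- "$dir"
        return 1
    fi
}

# Caller side: abort on failure and remove the temp file on exit.
if [ -n "${1:-}" ]; then
    FILE=$(gunzip_to_tmp "$1") || exit 1
    trap 'rm -f -- "$FILE"' EXIT
    echo "decompressed to $FILE"
fi
```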
---------------------------------------
Received: (at 286370-close) by bugs.debian.org; 23 Dec 2004 17:08:03 +0000
>From katie@ftp-master.debian.org Thu Dec 23 09:08:02 2004
Return-path: <katie@ftp-master.debian.org>
Received: from newraff.debian.org [208.185.25.31] (mail)
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1ChWRW-0006fG-00; Thu, 23 Dec 2004 09:08:02 -0800
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
id 1ChWMA-0003ey-00; Thu, 23 Dec 2004 12:02:30 -0500
From: Frank Küster <frank@debian.org>
To: 286370-close@bugs.debian.org
X-Katie: $Revision: 1.54 $
Subject: Bug#286370: fixed in tetex-bin 2.0.2-25
Message-Id: <E1ChWMA-0003ey-00@newraff.debian.org>
Sender: Archive Administrator <katie@ftp-master.debian.org>
Date: Thu, 23 Dec 2004 12:02:30 -0500
Delivered-To: 286370-close@bugs.debian.org
Source: tetex-bin
Source-Version: 2.0.2-25
We believe that the bug you reported is fixed in the latest version of
tetex-bin, which is due to be installed in the Debian FTP archive:
libkpathsea-dev_2.0.2-25_i386.deb
to pool/main/t/tetex-bin/libkpathsea-dev_2.0.2-25_i386.deb
libkpathsea3_2.0.2-25_i386.deb
to pool/main/t/tetex-bin/libkpathsea3_2.0.2-25_i386.deb
tetex-bin_2.0.2-25.diff.gz
to pool/main/t/tetex-bin/tetex-bin_2.0.2-25.diff.gz
tetex-bin_2.0.2-25.dsc
to pool/main/t/tetex-bin/tetex-bin_2.0.2-25.dsc
tetex-bin_2.0.2-25_i386.deb
to pool/main/t/tetex-bin/tetex-bin_2.0.2-25_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 286370@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Frank Küster <frank@debian.org> (supplier of updated tetex-bin package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Thu, 23 Dec 2004 16:31:38 +0100
Source: tetex-bin
Binary: libkpathsea3 tetex-bin libkpathsea-dev
Architecture: source i386
Version: 2.0.2-25
Distribution: unstable
Urgency: high
Maintainer: teTeX maintainers <debian-tetex-maint@lists.debian.org>
Changed-By: Frank Küster <frank@debian.org>
Description:
libkpathsea-dev - path search library for teTeX (devel part)
libkpathsea3 - path search library for teTeX (runtime part)
tetex-bin - The teTeX binary files
Closes: 196987 286370 286984
Changes:
tetex-bin (2.0.2-25) unstable; urgency=high
.
* SECURITY UPDATE:
- Added debian/patches/patch-CAN-2004-1125 to fix a buffer overflow in
PDF reading code that was taken from xpdf (closes: #286984). Thanks to
Martin Pitt <martin.pitt@canonical.com>, see
http://www.idefense.com/application/poi/display?id=172 [frank]
- Fixed insecure tempfile creation, thanks to Javier
Fernández-Sanguino Peña <jfs@computer.org> (closes: #286370) [frank]
* Fixed clean target, again providing clean sources [frank]
* Added Suggests: rubber; together with lacheck this (closes: #196987)
[frank]
Files:
c0c67fb28b68a60e3fb4919c98dc63de 1044 tex optional tetex-bin_2.0.2-25.dsc
22234075b7454394cb95b40dcf393988 183001 tex optional tetex-bin_2.0.2-25.diff.gz
579513f95eb9ca5ff56fa653be3ca3e9 3934886 tex optional tetex-bin_2.0.2-25_i386.deb
312583a749bf035cf6386d1831c9859e 58066 libs optional libkpathsea3_2.0.2-25_i386.deb
8fba153ada4da2fcc994baa435928223 66208 libdevel optional libkpathsea-dev_2.0.2-25_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFByvXw+xs9YyJS+hoRAmuLAKCcIBS3Pz9GfaC+0kDjJTuu/Y8ePwCfVqy+
cLlZTys6TjtpkkNWFYNFWuo=
=AFY5
-----END PGP SIGNATURE-----