Your message dated Tue, 11 Sep 2012 17:11:37 +0200 with message-id <20120911151137.GA6517@inutil.org> and subject line Re: xbase-clients: Insecure usage of temporary files in x11perfcomp and other security issues has caused the Debian Bug report #321447, regarding xbase-clients: Insecure usage of temporary files in x11perfcomp and other security issues to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 321447: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=321447 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: xbase-clients: Insecure usage of temporary files in x11perfcomp and other security issues
- From: Javier Fernández-Sanguino Peña <jfs@computer.org>
- Date: Fri, 5 Aug 2005 17:49:59 +0200
- Message-id: <20050805154959.GB2670@silicio>
Package: xbase-clients Version: 4.3.0.dfsg.1-14 Priority: normal Tags: security The x11perfcomp script in xbase-clients holds two different race conditions that might be exploitable against users running the script if the user is using unsafe umasks: 1.- The script creates a directory without properly setting an umask for the temporary directory is created, since the files created within the directory are predictable (numbers) an attacker could introduce symlink attacks after the directory was created. 2.- The script removes the temporary directory twice if it runs succesfully, once at the end of the script and another when the 'trap 0' code gets executed. Finally, it sets the PATH directory to '.' prepending all other PATHs which might be unsafe if the script is run in directories which other users have write access to (i.e. tmp). The attached patch tries to fix all these issues, I've decided to remove the '.' in PATH since it does not seem to be necessary. I've necessary, it should be added to the end of the PATH definition (instead of the beginning). Regards Javier PS: Since only users with problematic umasks can be targeted I'm setting this security bug with normal severity.--- x11perfcomp.orig 2005-08-05 17:38:32.000000000 +0200 +++ x11perfcomp 2005-08-05 17:46:08.000000000 +0200 @@ -21,13 +21,13 @@ # # $Xorg: x11pcomp.cpp,v 1.3 2000/08/17 19:54:10 cpqbld Exp $ -PATH=/usr/X11R6/lib/X11/x11perfcomp:.:$PATH +PATH=/usr/X11R6/lib/X11/x11perfcomp:$PATH export PATH set -e tmp=${TMPDIR-/tmp}/rates.$$ -trap "rm -rf $tmp" 0 1 2 15 -mkdir $tmp || exit 1 +trap "[ -d $tmp ] && rm -rf $tmp" 0 1 2 15 +(umask 0077; mkdir $tmp) || exit 1 mkdir $tmp/rates ratio= allfiles= @@ -92,4 +92,5 @@ echo '' (echo Operation; echo '---------'; cat $tmp/labels) | paste $allfiles - | sed 's/ / /g' | $ratio -rm -rf $tmp + +exit 0Attachment: signature.asc
Description: Digital signature
--- End Message ---
--- Begin Message ---
- To: Javier Fernández-Sanguino Peña <jfs@computer.org>
- Cc: 321447-done@bugs.debian.org
- Subject: Re: xbase-clients: Insecure usage of temporary files in x11perfcomp and other security issues
- From: Moritz Muehlenhoff <jmm@inutil.org>
- Date: Tue, 11 Sep 2012 17:11:37 +0200
- Message-id: <20120911151137.GA6517@inutil.org>
- In-reply-to: <20050805154959.GB2670@silicio>
- References: <20050805154959.GB2670@silicio>
Version: 7.7~1 On Fri, Aug 05, 2005 at 05:49:59PM +0200, Javier Fernández-Sanguino Peña wrote: > > Package: xbase-clients > Version: 4.3.0.dfsg.1-14 > Priority: normal > Tags: security > > The x11perfcomp script in xbase-clients holds two different race > conditions that might be exploitable against users running the script > if the user is using unsafe umasks: Fixed in x11-apps (7.7~1) via the update to x11perf 1.5.4. Cheers, Moritz
--- End Message ---