Debian Bug report logs - #183525
catdoc: xlsview insecure /tmp use

Package: catdoc; Maintainer for catdoc is Nick Bane <nick@enomem.co.uk>; Source for catdoc is src:catdoc.

Reported by: Colin Phipps <cph@cph.demon.co.uk>

Date: Wed, 5 Mar 2003 14:33:08 UTC

Severity: grave

Tags: patch, security, woody

Found in version 0.91.5-1

Fixed in versions catdoc/0.91.5-2, catdoc/0.91.5-1.99woody.1

Done: Pawel Wiecek <coven@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Pawel Wiecek <coven@debian.org>, catdoc@packages.qa.debian.org:
Bug#183525; Package catdoc.

Acknowledgement sent to Colin Phipps <cph@cph.demon.co.uk>:
New Bug report received and forwarded. Copy sent to Pawel Wiecek <coven@debian.org>, catdoc@packages.qa.debian.org.

Message #5 received at submit@bugs.debian.org:

From: Colin Phipps <cph@cph.demon.co.uk>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: catdoc: xlsview insecure /tmp use
Date: Wed, 5 Mar 2003 14:32:26 +0000

Package: catdoc
Version: 0.91.5-1
Severity: normal
File: /usr/bin/xlsview
Tags: patch security

xlsview writes its output to a temporary file in /tmp. This file has a
predictable name and is opened without ensuring that it does not already
exist. This leaves xlsview open to possible symlink attacks.

The following patch uses tempfile(1) to choose a temporary filename and
create the file, ensuring that it is created safely.

--- msxlsview.sh	2003-03-05 14:09:15.000000000 +0000
+++ msxlsview.sh.new	2003-03-05 14:15:32.000000000 +0000
@@ -1,6 +1,6 @@
 #!/bin/sh
 
-file=/tmp/word$$.html
+file=$(tempfile --prefix=xlsview --suffix=.html)
 
 cat << EOT >$file
 <HTML>
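
Review bot: the added `file=$(tempfile --prefix=xlsview --suffix=.html)` line does not check that tempfile(1) succeeded, and the unchanged `cat << EOT >$file` context line below it still expands `$file` unquoted. If tempfile fails, `$file` is empty and the redirect has no valid target; append `|| exit 1` to the assignment and write the redirect as `>"$file"`. tempfile(1) is also specific to Debian's debianutils, so mktemp(1) would be the choice if this script is meant to run elsewhere.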

-- System Information
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux nausea 2.4.20 #1 Wed Dec 4 10:19:30 GMT 2002 i686
Locale: LANG=en_GB, LC_CTYPE=en_GB

Versions of packages catdoc depends on:
ii  libc6                         2.2.5-14.3 GNU C Library: Shared libraries an
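
The failure mode described in the report above and the safe-creation fix, side by side, as an added example that is not part of the original report or of catdoc. It uses mktemp(1) instead of the patch's tempfile(1); the sandbox directory, file contents and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report). Everything happens inside a private
# sandbox directory made with mktemp -d; file names here are constructed.

# Pre-patch pattern: guessable name, plain ">" redirect. If the path already
# exists as a symlink, the redirect follows it and truncates the link target.
write_predictable() {
    echo "<HTML>" >"$1/word$$.html"
}

# Hardened pattern: mktemp(1) chooses an unpredictable name and creates the
# file exclusively (O_EXCL) with mode 0600, then we print the path it made.
write_safe() {
    f=$(mktemp "$1/xlsview.XXXXXXXXXX") || return 1
    echo "<HTML>" >"$f" || return 1
    printf '%s\n' "$f"
}

# Returns 0 if the named writer leaves a file behind a pre-existing link intact.
# $1 = name of the writer function to exercise
target_survives() {
    box=$(mktemp -d) || return 2
    echo "important data" >"$box/target"
    ln -s "$box/target" "$box/word$$.html"   # path is taken before the writer runs
    "$1" "$box" >/dev/null
    content=$(cat "$box/target")
    rm -rf "$box"
    [ "$content" = "important data" ]
}

# Returns 0 if write_safe yields a regular, non-symlink file with mode 0600.
safe_file_is_private() {
    box=$(mktemp -d) || return 2
    f=$(write_safe "$box") || { rm -rf "$box"; return 2; }
    rc=1
    perms=$(ls -l "$f" | cut -c1-10)
    if [ -f "$f" ] && [ ! -L "$f" ] && [ "$perms" = "-rw-------" ]; then rc=0; fi
    rm -rf "$box"
    return $rc
}

for w in write_predictable write_safe; do
    if target_survives "$w"; then echo "$w: target intact"
    else echo "$w: target overwritten"; fi
done
```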



Information forwarded to debian-bugs-dist@lists.debian.org, Pawel Wiecek <coven@debian.org>, catdoc@packages.qa.debian.org:
Bug#183525; Package catdoc.

Acknowledgement sent to Drew Scott Daniels <umdanie8@cc.UManitoba.CA>:
Extra info received and forwarded to list. Copy sent to Pawel Wiecek <coven@debian.org>, catdoc@packages.qa.debian.org.

Message #10 received at 183525@bugs.debian.org:

From: Drew Scott Daniels <umdanie8@cc.UManitoba.CA>
To: 183525@bugs.debian.org, <control@bugs.debian.org>
Subject: Security team & tags
Date: Sat, 5 Apr 2003 10:26:09 -0600 (CST)

severity 183525 grave
tags 183525 +woody
thanks

Has team@security.debian.org been contacted regarding this bug?

I'm setting this bug to grave as this seems to be a real security issue.
I've set the woody tag so that this bug might get more attention. Sarge
and sid should also be affected as they are all the same version and so
the sarge and sid tags should likely be set later.

I don't see this package in potato, but I'm not sure if my methods of
looking are correct.

     Drew Daniels




Severity set to `grave'. Request was from Drew Scott Daniels <umdanie8@cc.UManitoba.CA> to control@bugs.debian.org.

Tags added: woody Request was from Drew Scott Daniels <umdanie8@cc.UManitoba.CA> to control@bugs.debian.org.

Reply sent to Pawel Wiecek <coven@debian.org>:
You have taken responsibility.

Notification sent to Colin Phipps <cph@cph.demon.co.uk>:
Bug acknowledged by developer.

Message #19 received at 183525-close@bugs.debian.org:

From: Pawel Wiecek <coven@debian.org>
To: 183525-close@bugs.debian.org
Subject: Bug#183525: fixed in catdoc 0.91.5-2
Date: Wed, 23 Apr 2003 11:02:31 -0400

We believe that the bug you reported is fixed in the latest version of
catdoc, which is due to be installed in the Debian FTP archive:

catdoc_0.91.5-2.diff.gz
  to pool/main/c/catdoc/catdoc_0.91.5-2.diff.gz
catdoc_0.91.5-2.dsc
  to pool/main/c/catdoc/catdoc_0.91.5-2.dsc
catdoc_0.91.5-2_i386.deb
  to pool/main/c/catdoc/catdoc_0.91.5-2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 183525@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Pawel Wiecek <coven@debian.org> (supplier of updated catdoc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 23 Apr 2003 15:46:19 +0200
Source: catdoc
Binary: catdoc
Architecture: source i386
Version: 0.91.5-2
Distribution: unstable
Urgency: high
Maintainer: Pawel Wiecek <coven@debian.org>
Changed-By: Pawel Wiecek <coven@debian.org>
Description: 
 catdoc     - MS-Word to TeX or plain text converter
Closes: 183525
Changes: 
 catdoc (0.91.5-2) unstable; urgency=high
 .
   * Fixed insecure /tmp use (closes: #183525)
Files: 
 7285b82d6d3909a28a7dcf1cb379bd79 556 text optional catdoc_0.91.5-2.dsc
 33908e7278323795d1e4d4d8aeac9c10 14025 text optional catdoc_0.91.5-2.diff.gz
 6ccf74b56c1cc9f5cda069b5ba80020d 67044 text optional catdoc_0.91.5-2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+ppq4BOdjEO/Bh3ARAladAJ4kd0bJqohAD8jyOGB4dKxifAgeRQCfad9h
0tZtVq1mC8IOTNjGwZMNaH8=
=yi3K
-----END PGP SIGNATURE-----




Message #20 received at 183525-close@bugs.debian.org:

From: Pawel Wiecek <coven@debian.org>
To: 183525-close@bugs.debian.org
Subject: Bug#183525: fixed in catdoc 0.91.5-1.99woody.1
Date: Thu, 24 Apr 2003 14:47:11 -0400

We believe that the bug you reported is fixed in the latest version of
catdoc, which is due to be installed in the Debian FTP archive:

catdoc_0.91.5-1.99woody.1.diff.gz
  to pool/main/c/catdoc/catdoc_0.91.5-1.99woody.1.diff.gz
catdoc_0.91.5-1.99woody.1.dsc
  to pool/main/c/catdoc/catdoc_0.91.5-1.99woody.1.dsc
catdoc_0.91.5-1.99woody.1_i386.deb
  to pool/main/c/catdoc/catdoc_0.91.5-1.99woody.1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 183525@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Pawel Wiecek <coven@debian.org> (supplier of updated catdoc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 23 Apr 2003 15:46:19 +0200
Source: catdoc
Binary: catdoc
Architecture: source i386
Version: 0.91.5-1.99woody.1
Distribution: stable
Urgency: high
Maintainer: Pawel Wiecek <coven@debian.org>
Changed-By: Pawel Wiecek <coven@debian.org>
Description: 
 catdoc     - MS-Word to TeX or plain text converter
Closes: 183525
Changes: 
 catdoc (0.91.5-1.99woody.1) stable; urgency=high
 .
   * Fixed insecure /tmp use (closes: #183525)
   * Fix backported from 0.91.5-2 because it fixes a security problem.
Files: 
 3d57ff457da2bfa16597c2372f36c9e9 619 text optional catdoc_0.91.5-1.99woody.1.dsc
 2bd0981c9ec8c69e268965ecdcbd3b9d 14065 text optional catdoc_0.91.5-1.99woody.1.diff.gz
 25d4d6e030599202bad8ceb443db01bd 66672 text optional catdoc_0.91.5-1.99woody.1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE+pqh5BOdjEO/Bh3ARAj7sAJ42eAfxMJBcwsbIC6e5vORt2/9trQCfWbSN
wRaPHpubUmpP/qSfOlxjlWU=
=K1n+
-----END PGP SIGNATURE-----





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 10:42:20 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.