Debian Bug report logs - #261386
/usr/lib/libkdeinit_dcopserver.so: not using mkstemp, creating temp file unsafely


Package: kdelibs-bin; Maintainer for kdelibs-bin is Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>; Source for kdelibs-bin is src:kde4libs.

Reported by: Colin Phipps <cph@cph.demon.co.uk>

Date: Sun, 25 Jul 2004 18:03:02 UTC

Severity: grave

Tags: patch, security

Found in version 4:3.2.3-2

Fixed in version kdelibs/4:3.2.3-4

Done: Christopher L Cheney <ccheney@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>:
Bug#261386; Package kdelibs-bin.

Acknowledgement sent to Colin Phipps <cph@cph.demon.co.uk>:
New Bug report received and forwarded. Copy sent to Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Colin Phipps <cph@cph.demon.co.uk>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: /usr/lib/libkdeinit_dcopserver.so: not using mkstemp, creating temp file unsafely
Date: Sun, 25 Jul 2004 18:55:50 +0100
Package: kdelibs-bin
Version: 4:3.2.3-2
Severity: grave
File: /usr/lib/libkdeinit_dcopserver.so
Tags: security patch
Justification: user security hole

dcop/dcopserver.cpp creates a temporary file /tmp/dcopXXXXXX. This file
should be created using mkstemp(3), to avoid /tmp symlink races/attacks.
However, due to a build file oversight, the configure script does not
test for the availability of mkstemp, so HAVE_MKSTEMP is not defined,
and dcopserver.cpp falls back on the insecure tempnam(3) instead.

So every time the dcopserver is started, it creates its temporary file
unsafely, making it potentially vulnerable to symlink attacks. As the
file in question is passed to iceauth, this could expose local
authentication data, or be used to submit mischievous commands to
iceauth.

% nm -D /usr/lib/libkdeinit_dcopserver.so|egrep 'tempnam|mkstemp'
        U tempnam

The patch below should correct (I haven't the nerve to rebuild the whole
of kdelibs :-), but have checked that the individual source file
recompiles correctly) the build scripts to detect mkstemp, enabling the
safe code path in dcopserver.cpp. Of course, in addition to the patch
below, configure.in, configure & config.h.in must be regenerated in the
normal way. This should result in a config.h that defined HAVE_MKSTEMP,
and libkdeinit_dcopserver.so should then use mkstemp instead.

diff -pru kdelibs-3.2.3/acinclude.m4 ../kdelibs-3.2.3/acinclude.m4
--- kdelibs-3.2.3/acinclude.m4	2004-07-25 18:08:43.000000000 +0100
+++ ../kdelibs-3.2.3/acinclude.m4	2004-07-25 18:14:05.000000000 +0100
@@ -2302,6 +2302,19 @@ mkstemps("/tmp/aaaXXXXXX", 6);
 	[MKSTEMPS])
 ])
 
+AC_DEFUN([AC_CHECK_MKSTEMP],
+[
+	KDE_CHECK_FUNC_EXT(mkstemp, [
+#include <stdlib.h>
+#include <unistd.h>
+],
+	[
+mkstemp("/tmp/aaaXXXXXX");
+],
+	[int mkstemp(char *, int)],
+	[MKSTEMP])
+])
+
 AC_DEFUN([AC_CHECK_MKDTEMP],
 [
 	KDE_CHECK_FUNC_EXT(mkdtemp, [
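
Review bot: The prototype argument `[int mkstemp(char *, int)]` declares two parameters, but the test body just above it calls `mkstemp("/tmp/aaaXXXXXX")` with one, and mkstemp(3) takes only the template. The extra `int` looks carried over from the mkstemps check directly above this macro. Suggest `[int mkstemp(char *)]`, so that any declaration emitted from this argument matches the real function.
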
diff -pru kdelibs-3.2.3/configure.in.in ../kdelibs-3.2.3/configure.in.in
--- kdelibs-3.2.3/configure.in.in	2004-01-19 13:01:23.000000000 +0000
+++ ../kdelibs-3.2.3/configure.in.in	2004-07-25 18:03:36.000000000 +0100
@@ -111,6 +113,7 @@ AC_CHECK_SETENV
 AC_CHECK_UNSETENV
 AC_CHECK_RANDOM
 AC_CHECK_MKSTEMPS
+AC_CHECK_MKSTEMP
 AC_CHECK_MKDTEMP
 AC_CHECK_FUNCS(strtoll socket seteuid setegid strfmon stpcpy gettimeofday)
 
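Review bot: The `@@ -111,6 +113,7 @@` header puts the new-file start two lines after the old-file start, yet this is the only hunk shown for configure.in.in and it adds a single line (`+AC_CHECK_MKSTEMP`), so the posted diff appears to have had an earlier hunk trimmed or to have been edited by hand. Regenerate it against a pristine kdelibs-3.2.3 tree so it applies without an offset, and confirm that no other change to this file is needed.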

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.22
Locale: LANG=en_GB, LC_CTYPE=en_GB

Versions of packages kdelibs-bin depends on:
ii  kdelibs4       4:3.2.3-2                 KDE core libraries
ii  libart-2.0-2   2.3.16-5                  Library of functions for 2D graphi
ii  libbz2-1.0     1.0.2-1                   A high-quality block-sorting file 
ii  libc6          2.3.2.ds1-13              GNU C Library: Shared libraries an
ii  libcupsys2-gnu 1.1.20final+cvs20040330-4 Common UNIX Printing System(tm) - 
ii  libfam0c102    2.7.0-5                   client library to control the FAM 
ii  libgcc1        1:3.3.4-3                 GCC support library
ii  libice6        4.3.0.dfsg.1-4            Inter-Client Exchange library
ii  libpng12-0     1.2.5.0-6                 PNG library - runtime
ii  libqt3c102-mt  3:3.2.3-4                 Qt GUI Library (Threaded runtime v
ii  libsm6         4.3.0.dfsg.1-4            X Window System Session Management
ii  libstdc++5     1:3.3.4-3                 The GNU Standard C++ Library v3
ii  libx11-6       4.3.0.dfsg.1-4            X Window System protocol client li
ii  libxext6       4.3.0.dfsg.1-4            X Window System miscellaneous exte
ii  libxml2        2.6.10-3                  GNOME XML library
ii  libxrender1    0.8.3-7                   X Rendering Extension client libra
ii  libxslt1.1     1.1.7-1                   XSLT processing library - runtime 
ii  menu-xdg       0.1                       freedesktop.org menu compliant win
ii  netpbm         2:10.0-4                  Graphics conversion tools
ii  python         2.3.4-1                   An interactive high-level object-o
ii  xlibs          4.3.0.dfsg.1-4            X Window System client libraries m
ii  zlib1g         1:1.2.1.1-3               compression library - runtime

-- no debconf information

-- 
Colin Phipps <cph@cph.demon.co.uk>
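
The two code paths the report contrasts, as an added example (not from the bug log or from kdelibs): a name that is chosen first and opened later without O_EXCL goes through a symlink that appeared in between, while the exclusive create that mkstemp(3) relies on refuses it with EEXIST. The helper names and the file names inside the scratch directory are constructed for illustration; the fixed name stands in for the window between tempnam(3) returning and the later open.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a name at which a symlink already exists (all names are constructed).
 * exclusive=0: plain open after the name was chosen (the tempnam fallback);
 * exclusive=1: O_CREAT|O_EXCL. Returns 0 if the link was followed, else errno. */
static int open_over_symlink(const char *dir, int exclusive)
{
    char name[256], target[256];
    snprintf(name, sizeof name, "%s/dcop_fixed_name", dir);
    snprintf(target, sizeof target, "%s/other_file", dir);
    if (symlink(target, name) != 0) return errno;
    int fd = open(name, O_WRONLY | O_CREAT | (exclusive ? O_EXCL : 0), 0600);
    int err = fd < 0 ? errno : 0;
    if (fd >= 0) close(fd);
    unlink(name);
    unlink(target);              /* present only if the link was followed */
    return err;
}

/* The HAVE_MKSTEMP path: name selection and exclusive creation in one call.
 * Returns the new file's permission bits, or -1 on failure. */
static int mkstemp_mode(const char *dir)
{
    char path[256];
    struct stat st;
    snprintf(path, sizeof path, "%s/dcopXXXXXX", dir);
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    int mode = fstat(fd, &st) == 0 ? (int)(st.st_mode & 0777) : -1;
    close(fd);
    unlink(path);
    return mode;
}

int main(void)
{
    char dir[] = "/tmp/tmpdemoXXXXXX";   /* private scratch directory */
    if (!mkdtemp(dir)) return 1;
    printf("plain open: errno %d\n", open_over_symlink(dir, 0));
    printf("O_EXCL open: errno %d (EEXIST is %d)\n", open_over_symlink(dir, 1), EEXIST);
    printf("mkstemp mode: %o\n", (unsigned)mkstemp_mode(dir));
    return rmdir(dir) != 0;
}
```
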



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>:
Bug#261386; Package kdelibs-bin.

Acknowledgement sent to Matt Zimmerman <mdz@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>.

Message #10 received at 261386@bugs.debian.org:

From: Matt Zimmerman <mdz@debian.org>
To: 261386@bugs.debian.org
Subject: Re: Bug#261386: /usr/lib/libkdeinit_dcopserver.so: not using mkstemp, creating temp file unsafely
Date: Sun, 25 Jul 2004 13:03:00 -0700

Please contact the security team if this is an issue which affects stable.

-- 
 - mdz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>:
Bug#261386; Package kdelibs-bin.

Acknowledgement sent to Alejandro Exojo <suy@badopi.org>:
Extra info received and forwarded to list. Copy sent to Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>.

Message #15 received at 261386@bugs.debian.org:

From: Alejandro Exojo <suy@badopi.org>
To: Colin Phipps <cph@cph.demon.co.uk>, 261386@bugs.debian.org
Subject: Re: Bug#261386: /usr/lib/libkdeinit_dcopserver.so: not using mkstemp, creating temp file unsafely
Date: Mon, 26 Jul 2004 00:29:33 +0200

On Sunday, 25 July 2004 19:55, Colin Phipps wrote:
> diff -pru kdelibs-3.2.3/acinclude.m4 ../kdelibs-3.2.3/acinclude.m4
> --- kdelibs-3.2.3/acinclude.m4  2004-07-25 18:08:43.000000000 +0100
> +++ ../kdelibs-3.2.3/acinclude.m4       2004-07-25 18:14:05.000000000 +0100

FWIW, note that this should be applied to $(kde-common)/admin/acinclude.m4,
because the acinclude.m4 in the top source directory is generated from the
admin dir.

-- 
Alex (a.k.a. suy) - GPG ID 0x0B8B0BC2
http://darkshines.net/ - Jabber ID: suy@bulmalug.net



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>:
Bug#261386; Package kdelibs-bin.

Acknowledgement sent to Mark J Cox <mjc@redhat.com>:
Extra info received and forwarded to list. Copy sent to Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>.

Message #20 received at 261386@bugs.debian.org:

From: Mark J Cox <mjc@redhat.com>
To: 261386@bugs.debian.org
Subject: CVE allocation
Date: Mon, 26 Jul 2004 11:38:33 +0100 (BST)

On request from the KDE team I allocated CAN-2004-0690 for this issue.

Cheers, Mark



Reply sent to Christopher L Cheney <ccheney@debian.org>:
You have taken responsibility.

Notification sent to Colin Phipps <cph@cph.demon.co.uk>:
Bug acknowledged by developer.

Message #25 received at 261386-close@bugs.debian.org:

From: Christopher L Cheney <ccheney@debian.org>
To: 261386-close@bugs.debian.org
Subject: Bug#261386: fixed in kdelibs 4:3.2.3-4
Date: Tue, 03 Aug 2004 00:47:16 -0400

Source: kdelibs
Source-Version: 4:3.2.3-4

We believe that the bug you reported is fixed in the latest version of
kdelibs, which is due to be installed in the Debian FTP archive:

kdelibs-bin_3.2.3-4_i386.deb
  to pool/main/k/kdelibs/kdelibs-bin_3.2.3-4_i386.deb
kdelibs-data_3.2.3-4_all.deb
  to pool/main/k/kdelibs/kdelibs-data_3.2.3-4_all.deb
kdelibs4-dev_3.2.3-4_i386.deb
  to pool/main/k/kdelibs/kdelibs4-dev_3.2.3-4_i386.deb
kdelibs4-doc_3.2.3-4_all.deb
  to pool/main/k/kdelibs/kdelibs4-doc_3.2.3-4_all.deb
kdelibs4_3.2.3-4_i386.deb
  to pool/main/k/kdelibs/kdelibs4_3.2.3-4_i386.deb
kdelibs_3.2.3-4.diff.gz
  to pool/main/k/kdelibs/kdelibs_3.2.3-4.diff.gz
kdelibs_3.2.3-4.dsc
  to pool/main/k/kdelibs/kdelibs_3.2.3-4.dsc
kdelibs_3.2.3-4_all.deb
  to pool/main/k/kdelibs/kdelibs_3.2.3-4_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 261386@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christopher L Cheney <ccheney@debian.org> (supplier of updated kdelibs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon,  2 Aug 2004 22:00:00 -0500
Source: kdelibs
Binary: kdelibs4 kdelibs-bin kdelibs kdelibs4-doc kdelibs-data kdelibs4-dev
Architecture: source i386 all
Version: 4:3.2.3-4
Distribution: unstable
Urgency: high
Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Christopher L Cheney <ccheney@debian.org>
Description: 
 kdelibs    - KDE core libraries metapackage
 kdelibs-bin - KDE core binaries
 kdelibs-data - KDE core shared data
 kdelibs4   - KDE core libraries
 kdelibs4-dev - KDE core libraries (development files)
 kdelibs4-doc - KDE core library documentation
Closes: 261386 262589 262832
Changes: 
 kdelibs (4:3.2.3-4) unstable; urgency=high
 .
   * KDE_3_2_BRANCH Update.
   * Apply patch for mktemp security issue. (Closes: #261386)
   * Build-Depends: libtiff4-dev. (Closes: #262589, #262832)
Files: 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBDwzi0QZas444SvIRAtCWAKCIjNo/v39qjWiDsQyHb/Vf//zJjwCgw4Ya
u/kbUXxsQA8ViDxvvxmAAEk=
=dYk5
-----END PGP SIGNATURE-----




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 08:41:16 2014; Machine Name: buxtehude.debian.org
