Debian Bug report logs - #263282
insecure temp files


Package: dgen; Maintainer for dgen is Edgar Antonio Palma de la Cruz <xbytemx@gmail.com>; Source for dgen is src:dgen.

Reported by: Joey Hess <joeyh@debian.org>

Date: Tue, 3 Aug 2004 17:03:03 UTC

Severity: grave

Tags: security

Found in version 1.23-5

Fixed in version dgen/1.23-6

Done: Joey Hess <joeyh@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org:
Bug#263282; Package dgen.


Acknowledgement sent to Joey Hess <joeyh@debian.org>:
New Bug report received and forwarded.


Message #5 received at submit@bugs.debian.org:

From: Joey Hess <joeyh@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: insecure temp files
Date: Tue, 3 Aug 2004 12:52:40 -0400
Package: dgen
Version: 1.23-5
Severity: grave
Tags: security

The nasty code for decompressing gzip and bzipped roms on the fly uses
files in /tmp insecurely. Fixing this right (no temp files) would
require rewriting several functions. A quick fix is this untested patch.
Untested because automake nastiness keeps me from being able to compile
the package right now.

Index: romload.c
===================================================================
--- romload.c	(revision 10593)
+++ romload.c	(working copy)
@@ -127,12 +127,34 @@
      (magicbuf[0] == 'P' && magicbuf[1] == 'K'))    /* ZIP        (.zip ;) */
     {
       char temp[0x100], temp2[0x80];
-      srand(time(NULL));
+      int f;
       /* Run it through gzip (I know this is cheap ;) */
-      sprintf(temp2, "/tmp/dgenrom_%d_%d", rand(), rand());
-      sprintf(temp, "gzip -S \"\" -cdq %s > %s", name, temp2);
-      /* If gzip returned an error, stop */
-      if(system(temp)) { remove(temp2); return -1; };
+      temp2 = strdup("/tmp/dgenrom_XXXXXX");
+      f = mkstemp(temp2)
+      if (f == -1) {
+	      fprintf(stderr, "failed to create temp file\n");
+	      return -1
+      }
+      close(f);
+      if (! fork()) {
+	      f = open(name, O_RDONLY);
+	      if (f == -1) {
+		      exit(1);
+	      }
+	      dup2(f, 0);
+              sprintf(temp, "zcat > %s", temp2);
+              if (system(temp)) {
+		      exit(1);
+              }
+	      exit(0);
+      }
+      else {
+	      int status;
+	      wait(&status);
+	      if (WIFEXITED(status) && WEXITSTATUS(status) != 0) {
+		      return -1;
+	      }
+      }
       /* Recurse with the new file */
       len = load_rom_into(temp2, into);
       remove(temp2);
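Review bot: `temp2 = strdup("/tmp/dgenrom_XXXXXX");` will not compile, because `temp2` is still declared as the array `char temp2[0x80]` three lines up; either keep the array and write `strcpy(temp2, "/tmp/dgenrom_XXXXXX");` or change the declaration to `char *temp2` and `free()` it after the `remove(temp2)`. The same hunk is missing the semicolons on `f = mkstemp(temp2)` and `return -1`, and `open()`'s `O_RDONLY` plus `wait()`/`WIFEXITED` need `<fcntl.h>` and `<sys/wait.h>`. Moving the rom name off the command line and onto stdin via `dup2(f, 0)` is the right call, since the old `sprintf(temp, "gzip -S \"\" -cdq %s > %s", name, temp2)` handed the unquoted file name to `sh`.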
@@ -142,14 +164,35 @@
   /* Do bzip2 also */
   if(magicbuf[0] == 'B' && magicbuf[1] == 'Z' && magicbuf[2] == 'h')
     {
+      char temp[0x100], temp2[0x80];
+      int f;
       /* Damn, this looks almost like the gzip stuff above. *lol* :) */
-      char temp[0x100], temp2[0x80];
-      srand(time(NULL));
-      /* Go through bzip2 */
-      sprintf(temp2, "/tmp/dgenrom_%d_%d", rand(), rand());
-      sprintf(temp, "bzip2 -cd %s > %s", name, temp2);
-      /* If we got an error, stop */
-      if(system(temp)) { remove(temp2); return -1; };
+      temp2 = strdup("/tmp/dgenrom_XXXXXX");
+      f = mkstemp(temp2)
+      if (f == -1) {
+	      fprintf(stderr, "failed to create temp file\n");
+	      return -1
+      }
+      close(f);
+      if (! fork()) {
+	      f = open(name, O_RDONLY);
+	      if (f == -1) {
+		      exit(1);
+	      }
+	      dup2(f, 0);
+              sprintf(temp, "bzcat > %s", temp2);
+              if (system(temp)) {
+		      exit(1);
+              }
+	      exit(0);
+      }
+      else {
+	      int status;
+	      wait(&status);
+	      if (WIFEXITED(status) && WEXITSTATUS(status) != 0) {
+		      return -1;
+	      }
+      }
       /* Recurse with the uncompressed file */
       len = load_rom_into(temp2, into);
       remove(temp2);
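Review bot: the parent's `wait(&status)` reaps any child rather than the one just forked; save the pid from `fork()` and use `waitpid(pid, &status, 0)`. A `fork()` returning -1 also takes the `else` branch, where `wait()` fails and `status` is read uninitialised, so test for -1 explicitly. Two holes in the error path: the old `remove(temp2)` on failure was dropped, so a failing `bzcat` leaves `/tmp/dgenrom_XXXXXX` behind, and a child killed by a signal (`WIFEXITED` false) falls straight through to `load_rom_into(temp2, into)` on a truncated file; treat anything but a clean exit 0 as failure and `remove(temp2)` before returning. Like the gzip hunk, this one needs the `strdup`-into-array and missing-semicolon fixes before it compiles.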

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.4.26
Locale: LANG=en_US, LC_CTYPE=en_US

Versions of packages dgen depends on:
ii  libc6                     2.3.2.ds1-13   GNU C Library: Shared libraries an
ii  libgcc1                   1:3.4.1-4      GCC support library
ii  libsdl1.2debian           1.2.7-7        Simple DirectMedia Layer
ii  libstdc++5                1:3.3.4-6      The GNU Standard C++ Library v3
ii  xlibmesa-gl [libgl1]      4.3.0.dfsg.1-6 Mesa 3D graphics library [XFree86]

-- no debconf information

-- 
see shy jo
[signature.asc (application/pgp-signature, inline)]
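The hardened shape of this code, as an added example that is neither dgen's code nor the patch above: a temp file from `mkstemp()` whose descriptor stays open and becomes the child's stdout, the rom fed on stdin, the decompressor run with `execvp()` so no shell parses either file name, `waitpid()` on the specific child, and the temp file unlinked on every failure path. It assumes a POSIX system with a writable `/tmp` and `cat` in `PATH`; the decompressor argv is a parameter (a constructed choice for this example) so the demo helpers can stand `cat` in for `gzip -dc` or `bzip2 -dc`, and the payload is constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Decompress `input` into a fresh temp file by running argv (argv[0] is the
 * program, e.g. {"gzip","-dc",NULL}) with the rom on stdin and the temp file
 * on stdout. Returns 0 and the temp path in out_path (caller unlinks it), or
 * -1 with no file left behind. Example code, not dgen's. */
int decompress_to_tempfile(char *const argv[], const char *input,
                           char *out_path, size_t out_len)
{
    const char tmpl[] = "/tmp/dgenrom_XXXXXX";
    int tmp_fd, in_fd, status;
    pid_t pid;

    if (out_len < sizeof tmpl)
        return -1;
    memcpy(out_path, tmpl, sizeof tmpl);
    /* mkstemp(): O_CREAT|O_EXCL, mode 0600, unpredictable name, so a file or
     * symlink planted under a guessable rand()-style name cannot be hijacked. */
    tmp_fd = mkstemp(out_path);
    if (tmp_fd == -1)
        return -1;
    /* Open the rom in the parent so errno, not an opaque child exit code, says why. */
    in_fd = open(input, O_RDONLY);
    if (in_fd == -1) {
        close(tmp_fd);
        unlink(out_path);
        return -1;
    }
    pid = fork();
    if (pid == -1) {                 /* fork failure must not be mistaken for "child" */
        close(in_fd);
        close(tmp_fd);
        unlink(out_path);
        return -1;
    }
    if (pid == 0) {
        /* Child: wire the descriptors and exec directly; no sh sees any name. */
        if (dup2(in_fd, STDIN_FILENO) == -1 || dup2(tmp_fd, STDOUT_FILENO) == -1)
            _exit(127);
        if (in_fd > STDERR_FILENO) close(in_fd);
        if (tmp_fd > STDERR_FILENO) close(tmp_fd);
        execvp(argv[0], argv);
        _exit(127);                  /* exec failed */
    }
    /* Parent: reap this pid, not any child; anything but exit 0 is a failure. */
    close(in_fd);
    close(tmp_fd);
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status) ||
        WEXITSTATUS(status) != 0) {
        unlink(out_path);            /* failed or signalled child: no stale file */
        return -1;
    }
    return 0;
}

/* Round-trips a constructed payload through cat standing in for the
 * decompressor. Returns 1 if the temp file holds exactly the payload. */
int demo_roundtrip(void)
{
    static const char payload[] = "SEGA MEGA DRIVE constructed rom header\n";
    char in_path[] = "/tmp/dgenrom_in_XXXXXX", out_path[64], buf[sizeof payload];
    char *cat_argv[] = { "cat", NULL };
    size_t len = sizeof payload - 1;
    int fd = mkstemp(in_path), ok;

    if (fd == -1)
        return 0;
    ok = write(fd, payload, len) == (ssize_t)len;
    close(fd);
    if (ok && decompress_to_tempfile(cat_argv, in_path, out_path, sizeof out_path) == 0) {
        fd = open(out_path, O_RDONLY);
        ok = fd != -1 && read(fd, buf, sizeof buf) == (ssize_t)len &&
             memcmp(buf, payload, len) == 0;
        if (fd != -1)
            close(fd);
        unlink(out_path);
    } else {
        ok = 0;
    }
    unlink(in_path);
    return ok;
}

/* A missing rom must fail cleanly: -1 returned and no temp file left behind. */
int demo_missing_input(void)
{
    char out_path[64];
    char *cat_argv[] = { "cat", NULL };
    struct stat st;
    int rc = decompress_to_tempfile(cat_argv, "/nonexistent/constructed.bin",
                                    out_path, sizeof out_path);
    return rc == -1 && stat(out_path, &st) == -1;
}

int main(void)
{
    printf("roundtrip: %s\n", demo_roundtrip() ? "ok" : "FAIL");
    printf("missing input: %s\n", demo_missing_input() ? "ok" : "FAIL");
    return 0;
}
```

The two demo functions are what a unit test of the fix looks like: the success path checks the bytes that reached the temp file, and the failure path checks both the return code and that nothing was left in `/tmp`, which is the part the posted patch drops. Keeping the `mkstemp()` descriptor and passing it to the child avoids reopening the path by name at all, so the shell redirection `> /tmp/dgenrom_XXXXXX` and the `system()` call disappear together.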

Reply sent to Joey Hess <joeyh@debian.org>:
You have taken responsibility.


Notification sent to Joey Hess <joeyh@debian.org>:
Bug acknowledged by developer.


Message #10 received at 263282-close@bugs.debian.org:

From: Joey Hess <joeyh@debian.org>
To: 263282-close@bugs.debian.org
Subject: Bug#263282: fixed in dgen 1.23-6
Date: Tue, 03 Aug 2004 14:02:06 -0400
Source: dgen
Source-Version: 1.23-6

We believe that the bug you reported is fixed in the latest version of
dgen, which is due to be installed in the Debian FTP archive:

dgen_1.23-6.diff.gz
  to pool/non-free/d/dgen/dgen_1.23-6.diff.gz
dgen_1.23-6.dsc
  to pool/non-free/d/dgen/dgen_1.23-6.dsc
dgen_1.23-6_i386.deb
  to pool/non-free/d/dgen/dgen_1.23-6_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 263282@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Joey Hess <joeyh@debian.org> (supplier of updated dgen package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue,  3 Aug 2004 12:11:26 -0400
Source: dgen
Binary: dgen
Architecture: source i386
Version: 1.23-6
Distribution: unstable
Urgency: medium
Maintainer: Joey Hess <joeyh@debian.org>
Changed-By: Joey Hess <joeyh@debian.org>
Description: 
 dgen       - Sega Genesis/MegaDrive emulator
Closes: 263158 263282
Changes: 
 dgen (1.23-6) unstable; urgency=medium
 .
   * Fix file-in-tmp security hole in gzip/bzip rom extraction code.
     Closes: #263282
   * Rewrite gzip/bzipped file code to not use unsafe system calls.
     Closes: #263158
   * Put in a hack to avoid automake being run, since current versions won't
     work.
Files: 
 342b75701a689207216b6ca9422f6cda 619 non-free/otherosfs optional dgen_1.23-6.dsc
 8c1fa56d574c800524f5bde3b782f1ed 4999 non-free/otherosfs optional dgen_1.23-6.diff.gz
 ae7fa7afe506d3f0517837eb7a66827a 253804 non-free/otherosfs optional dgen_1.23-6_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBD9At2tp5zXiKP0wRAgyQAJ43jM8tmmd+ZnW+17p+oMsR3ZEw8gCeJOYp
xijAQeJfJLNmIb+4V/0uTlI=
=8fG9
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Joey Hess <joeyh@debian.org>:
Bug#263282; Package dgen.


Acknowledgement sent to Matt Zimmerman <mdz@debian.org>:
Extra info received and forwarded to list. Copy sent to Joey Hess <joeyh@debian.org>.


Message #15 received at 263282@bugs.debian.org:

From: Matt Zimmerman <mdz@debian.org>
To: Joey Hess <joeyh@debian.org>, 263282@bugs.debian.org
Cc: "Steven M. Christey" <coley@mitre.org>
Subject: Re: Bug#263282: insecure temp files
Date: Tue, 3 Aug 2004 12:01:42 -0700
Forwarding to Mitre for a CVE assignment.

On Tue, Aug 03, 2004 at 12:52:40PM -0400, Joey Hess wrote:

> Package: dgen
> Version: 1.23-5
> Severity: grave
> Tags: security
> 
> The nasty code for decompressing gzip and bzipped roms on the fly uses
> files in /tmp insecurely. Fixing this right (no temp files) would
> require rewriting several functions. A quick fix is this untested patch.
> Untested because automake nastiness keeps me from being able to compile
> the package right now.
> 
> Index: romload.c
> ===================================================================
> --- romload.c	(revision 10593)
> +++ romload.c	(working copy)
> @@ -127,12 +127,34 @@
>       (magicbuf[0] == 'P' && magicbuf[1] == 'K'))    /* ZIP        (.zip ;) */
>      {
>        char temp[0x100], temp2[0x80];
> -      srand(time(NULL));
> +      int f;
>        /* Run it through gzip (I know this is cheap ;) */
> -      sprintf(temp2, "/tmp/dgenrom_%d_%d", rand(), rand());
> -      sprintf(temp, "gzip -S \"\" -cdq %s > %s", name, temp2);
> -      /* If gzip returned an error, stop */
> -      if(system(temp)) { remove(temp2); return -1; };
> +      temp2 = strdup("/tmp/dgenrom_XXXXXX");
> +      f = mkstemp(temp2)
> +      if (f == -1) {
> +	      fprintf(stderr, "failed to create temp file\n");
> +	      return -1
> +      }
> +      close(f);
> +      if (! fork()) {
> +	      f = open(name, O_RDONLY);
> +	      if (f == -1) {
> +		      exit(1);
> +	      }
> +	      dup2(f, 0);
> +              sprintf(temp, "zcat > %s", temp2);
> +              if (system(temp)) {
> +		      exit(1);
> +              }
> +	      exit(0);
> +      }
> +      else {
> +	      int status;
> +	      wait(&status);
> +	      if (WIFEXITED(status) && WEXITSTATUS(status) != 0) {
> +		      return -1;
> +	      }
> +      }
>        /* Recurse with the new file */
>        len = load_rom_into(temp2, into);
>        remove(temp2);
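Review bot: closing the `mkstemp()` descriptor right away and then letting the shell reopen `temp2` by name in `zcat > %s` gives up most of what `mkstemp()` bought; keep `f` open, `dup2(f, 1)` it in the child next to the `dup2(f, 0)` of the rom, and exec `zcat` directly (`execlp("zcat", "zcat", NULL)`) so no shell command is built at all. With stdin and stdout both wired up, the `sprintf(temp, ...)` and `system(temp)` in this hunk become unnecessary.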
> @@ -142,14 +164,35 @@
>    /* Do bzip2 also */
>    if(magicbuf[0] == 'B' && magicbuf[1] == 'Z' && magicbuf[2] == 'h')
>      {
> +      char temp[0x100], temp2[0x80];
> +      int f;
>        /* Damn, this looks almost like the gzip stuff above. *lol* :) */
> -      char temp[0x100], temp2[0x80];
> -      srand(time(NULL));
> -      /* Go through bzip2 */
> -      sprintf(temp2, "/tmp/dgenrom_%d_%d", rand(), rand());
> -      sprintf(temp, "bzip2 -cd %s > %s", name, temp2);
> -      /* If we got an error, stop */
> -      if(system(temp)) { remove(temp2); return -1; };
> +      temp2 = strdup("/tmp/dgenrom_XXXXXX");
> +      f = mkstemp(temp2)
> +      if (f == -1) {
> +	      fprintf(stderr, "failed to create temp file\n");
> +	      return -1
> +      }
> +      close(f);
> +      if (! fork()) {
> +	      f = open(name, O_RDONLY);
> +	      if (f == -1) {
> +		      exit(1);
> +	      }
> +	      dup2(f, 0);
> +              sprintf(temp, "bzcat > %s", temp2);
> +              if (system(temp)) {
> +		      exit(1);
> +              }
> +	      exit(0);
> +      }
> +      else {
> +	      int status;
> +	      wait(&status);
> +	      if (WIFEXITED(status) && WEXITSTATUS(status) != 0) {
> +		      return -1;
> +	      }
> +      }
>        /* Recurse with the uncompressed file */
>        len = load_rom_into(temp2, into);
>        remove(temp2);
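Review bot: the two blocks are now identical apart from `zcat` versus `bzcat`, so factoring them into one helper that takes the decompressor name would halve the code that has to get the mkstemp/fork/wait sequence right; the `/* Go through bzip2 */` comment was also dropped while the `/* Damn, ... */` one moved above the new declarations. As posted, this hunk has the same compile blockers as the gzip one (`strdup` assigned to the `char temp2[0x80]` array, semicolons missing after `mkstemp(temp2)` and `return -1`).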
> 
> -- System Information:
> Debian Release: 3.1
>   APT prefers unstable
>   APT policy: (500, 'unstable'), (1, 'experimental')
> Architecture: i386 (i686)
> Kernel: Linux 2.4.26
> Locale: LANG=en_US, LC_CTYPE=en_US
> 
> Versions of packages dgen depends on:
> ii  libc6                     2.3.2.ds1-13   GNU C Library: Shared libraries an
> ii  libgcc1                   1:3.4.1-4      GCC support library
> ii  libsdl1.2debian           1.2.7-7        Simple DirectMedia Layer
> ii  libstdc++5                1:3.3.4-6      The GNU Standard C++ Library v3
> ii  xlibmesa-gl [libgl1]      4.3.0.dfsg.1-6 Mesa 3D graphics library [XFree86]
> 
> -- no debconf information
> 
> -- 
> see shy jo



-- 
 - mdz



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#263282; Package dgen.


Acknowledgement sent to Joey Hess <joeyh@debian.org>:
Extra info received and forwarded to list.


Message #20 received at 263282@bugs.debian.org:

From: Joey Hess <joeyh@debian.org>
To: Matt Zimmerman <mdz@debian.org>
Cc: 263282@bugs.debian.org, "Steven M. Christey" <coley@mitre.org>
Subject: Re: Bug#263282: insecure temp files
Date: Tue, 3 Aug 2004 15:44:15 -0400
Matt Zimmerman wrote:
> Forwarding to Mitre for a CVE assignment.

Note that my patch in Matt's mail bites, but I can send a working one if
needed. The package in Debian (non-free) has been fixed.

-- 
see shy jo
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Joey Hess <joeyh@debian.org>:
Bug#263282; Package dgen.


Acknowledgement sent to "Steven M. Christey" <coley@mitre.org>:
Extra info received and forwarded to list. Copy sent to Joey Hess <joeyh@debian.org>.


Message #25 received at 263282@bugs.debian.org:

From: "Steven M. Christey" <coley@mitre.org>
To: joeyh@debian.org, mdz@debian.org
Cc: 263282@bugs.debian.org, "Steven M. Christey" <coley@mitre.org>
Subject: Re: Bug#263282: insecure temp files
Date: Tue, 3 Aug 2004 16:27:30 -0400 (EDT)
> The nasty code for decompressing gzip and bzipped roms on the fly uses
> files in /tmp insecurely.
>
>...
>> --- romload.c	(revision 10593)
>> +++ romload.c	(working copy)


Use CAN-2004-0770.


- Steve





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 12:11:25 2025; Machine Name: buxtehude
