Debian Bug report logs - #278265
groffer uses temp files unsafely


Package: groff; Maintainer for groff is Colin Watson <cjwatson@debian.org>; Source for groff is src:groff.

Reported by: Joey Hess <joeyh@debian.org>

Date: Mon, 25 Oct 2004 20:18:05 UTC

Severity: grave

Tags: sarge, security

Found in version 1.18.1.1-1

Fixed in version groff/1.18.1.1-2

Done: Colin Watson <cjwatson@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Colin Watson <cjwatson@debian.org>:
Bug#278265; Package groff. Full text and rfc822 format available.

Acknowledgement sent to Joey Hess <joeyh@debian.org>:
New Bug report received and forwarded. Copy sent to Colin Watson <cjwatson@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Joey Hess <joeyh@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: groffer uses temp files unsafely
Date: Mon, 25 Oct 2004 16:13:54 -0400
Package: groff
Version: 1.18.1.1-1
Severity: serious
Tags: security

CAN-2004-0969 reported that groffer used temporary files in an
exploitable manner. This version of groff seems to be vulnerable. A patch
is here:
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136313

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.27
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages groff depends on:
ii  groff-base                1.18.1.1-1     GNU troff text-formatting system (
ii  libc6                     2.3.2.ds1-18   GNU C Library: Shared libraries an
ii  libgcc1                   1:3.4.2-3      GCC support library
ii  libice6                   4.3.0.dfsg.1-8 Inter-Client Exchange library
ii  libsm6                    4.3.0.dfsg.1-8 X Window System Session Management
ii  libstdc++5                1:3.3.5-2      The GNU Standard C++ Library v3
ii  libx11-6                  4.3.0.dfsg.1-8 X Window System protocol client li
ii  libxaw7                   4.3.0.dfsg.1-8 X Athena widget set library
ii  libxext6                  4.3.0.dfsg.1-8 X Window System miscellaneous exte
ii  libxmu6                   4.3.0.dfsg.1-8 X Window System miscellaneous util
ii  libxpm4                   4.3.0.dfsg.1-8 X pixmap library
ii  libxt6                    4.3.0.dfsg.1-8 X Toolkit Intrinsics
ii  xlibs                     4.3.0.dfsg.1-8 X Window System client libraries m

-- no debconf information

-- 
see shy jo
[signature.asc (application/pgp-signature, inline)]

Severity set to `grave'. Request was from Colin Watson <cjwatson@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#278265; Package groff. Full text and rfc822 format available.

Acknowledgement sent to Colin Watson <cjwatson@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #12 received at 278265@bugs.debian.org (full text, mbox):

From: Colin Watson <cjwatson@debian.org>
To: Joey Hess <joeyh@debian.org>, 278265@bugs.debian.org
Cc: Werner Lemberg <wl@gnu.org>, Bernd Warken <groff-bernd.warken-72@web.de>, Martin Pitt <martin.pitt@canonical.com>
Subject: Re: Bug#278265: groffer uses temp files unsafely
Date: Wed, 27 Oct 2004 00:30:33 +0100
On Mon, Oct 25, 2004 at 04:13:54PM -0400, Joey Hess wrote:
> Package: groff
> Version: 1.18.1.1-1
> Severity: serious
> Tags: security
> 
> CAN-2004-0969 reported that groffer used temporary files in an
> exploitable manner. This version of groff seems to be vulnerable. A patch
> is here:
> http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136313

I've backported this patch as follows:

--- groff-1.18.1.1.orig/debian/changelog
+++ groff-1.18.1.1/debian/changelog
@@ -1,3 +1,10 @@
+groff (1.18.1.1-2) unstable; urgency=high
+
+  * [SECURITY] Fix a race condition in groffer leading to a temporary file
+    handling vulnerability (closes: #278265).
+
+ -- Colin Watson <cjwatson@debian.org>  Tue, 26 Oct 2004 23:52:13 +0100
+
 groff (1.18.1.1-1) unstable; urgency=low
 
   * The "Death! Ride, ride to ruin and the world's ending!" release.
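Review bot: the new changelog entry cites only the Debian bug number; the report it closes is tracked as CAN-2004-0969, and that identifier is missing from the `[SECURITY]` line. Adding it there (for example "Fix a race condition in groffer ... (CAN-2004-0969, closes: #278265)") lets the advisory be found from the package history without opening the bug.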
--- groff-1.18.1.1.orig/contrib/groffer/groffer.sh
+++ groff-1.18.1.1/contrib/groffer/groffer.sh
@@ -3228,17 +3228,12 @@
   do
     if is_not_empty "$d"; then
       if obj d is_dir && obj d is_writable; then
-        _TMP_DIR="${d}/${_PROGRAM_NAME}${_PROCESS_ID}";
-        if obj _TMP_DIR is_dir; then
-	  rm -f "${_TMP_DIR}"/*;
+        _TMP_DIR="$(mktemp -d "${d}/${_PROGRAM_NAME}.XXXXXX")"
+        if test $? = 0; then
           break;
         else
-          mkdir "${_TMP_DIR}";
-          if obj _TMP_DIR is_not_dir; then
-            _TMP_DIR='';
-	    continue;
-          fi;
-          break;
+          _TMP_DIR='';
+	  continue;
   	fi;
       fi;
       if obj _TMP_DIR is_not_writable; then
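Review bot: the `if test $? = 0` after the `_TMP_DIR="$(mktemp -d ...)"` assignment is correct in POSIX sh, since a plain assignment takes the exit status of its command substitution, but the hunk leaves one case unaddressed: on a host without mktemp every candidate directory now falls through `_TMP_DIR=''; continue;` and the loop ends with no directory at all. The code after the loop is outside this hunk, so confirm it aborts on an empty _TMP_DIR rather than proceeding. Style point: the added `continue;` line and the surviving `fi;` line keep the tab indentation of the removed lines amid space-indented neighbours; reindent them with spaces so the block stays consistent.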

Werner, Bernd, I'm not sure if you've been informed of this, but the
current groff CVS still seems to be vulnerable. The referenced Trustix
advisory doesn't go into detail, but there are two problems that I see:

  * groffer accepts a temporary directory that already exists and simply
    removes its contents. This is very unwise, especially since it does
    not check the permissions of that directory to make sure that nobody
    else has write access to it. The usual secure approach is only to
    accept a temporary directory that you have just created, so that you
    can be sure of its permissions. Trying to check is too fragile, and
    unnecessary.

  * groffer does not check the exit code of mkdir. It should do so,
    otherwise even if the above hole is plugged an attacker can create a
    world-writable directory between the is_dir check and the mkdir;
    since process IDs are predictable on most systems, this race
    condition is easy to win.

Following the patch in Red Hat's Bugzilla, I've simply used 'mktemp -d'
to fix this, because I know that's correct; however, it isn't portable,
so I suspect the patch above would not be accepted into groffer
upstream. Removing the code that accepts an existing temporary directory
and removes its contents, and then checking the exit code of mkdir,
ought to be sufficient; but I haven't tried this, and somebody should
audit it.

Even checking mkdir will still allow a denial-of-service attack, so this
would seem like a very good application for a helper written in C or C++
if you're unwilling to use mktemp when it's available.

Thanks,

-- 
Colin Watson                                       [cjwatson@debian.org]
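The approach sketched in the message above (accept only a directory this process has just created, check mkdir's exit status, bound the retries, and prefer mktemp -d where it exists), written out as an added example in portable sh. This is neither groffer's code nor the Debian patch; the function names candidate_name, safe_tmpdir and make_tmpdir and the _PROGRAM_NAME value are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from groffer or the Debian patch: private
# temporary-directory creation following the rules in Colin's message.
# Never reuse or clean out a directory that already exists, check the
# exit status of mkdir, create with mode 0700, and fail closed after a
# bounded number of attempts instead of falling back to a shared path.
# The names below are this example's own assumptions.

_PROGRAM_NAME=groffer-example

# candidate_name DIR N: the Nth name this process would try under DIR.
# The pid makes the name predictable (as the message notes); that is
# acceptable because safety comes from mkdir failing atomically on an
# existing name, not from the name being secret.
candidate_name() {
    printf '%s/%s%s.%s\n' "$1" "$_PROGRAM_NAME" "$$" "$2"
}

# safe_tmpdir DIR: print the path of a freshly created 0700 directory
# under DIR and return 0, or print nothing and return 1.
safe_tmpdir() {
    d=$1
    [ -d "$d" ] && [ -w "$d" ] || return 1
    i=0
    while [ "$i" -lt 10 ]; do
        t=$(candidate_name "$d" "$i")
        # The subshell confines the umask change to this mkdir; its exit
        # status is mkdir's, so a name somebody else created first (or
        # any other failure) is skipped rather than reused.
        if (umask 077 && mkdir "$t") 2>/dev/null; then
            printf '%s\n' "$t"
            return 0
        fi
        i=$((i + 1))
    done
    # Ten collisions in a row means the names are being squatted (the
    # denial of service the message mentions). Report failure instead.
    return 1
}

# make_tmpdir DIR: use mktemp -d where available (what the Debian patch
# does), otherwise fall back to the mkdir loop above.
make_tmpdir() {
    if command -v mktemp >/dev/null 2>&1; then
        mktemp -d "$1/${_PROGRAM_NAME}.XXXXXX" 2>/dev/null
    else
        safe_tmpdir "$1"
    fi
}
```

`make_tmpdir /tmp` prints the created path; a caller should treat empty output or a non-zero status as fatal rather than continuing with some shared directory. The mkdir loop still admits the denial of service described above, because anyone who pre-creates all ten candidate names makes it fail, but failing is the safe outcome.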



Reply sent to Colin Watson <cjwatson@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Joey Hess <joeyh@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #17 received at 278265-close@bugs.debian.org (full text, mbox):

From: Colin Watson <cjwatson@debian.org>
To: 278265-close@bugs.debian.org
Subject: Bug#278265: fixed in groff 1.18.1.1-2
Date: Tue, 26 Oct 2004 19:32:10 -0400
Source: groff
Source-Version: 1.18.1.1-2

We believe that the bug you reported is fixed in the latest version of
groff, which is due to be installed in the Debian FTP archive:

groff-base_1.18.1.1-2_powerpc.deb
  to pool/main/g/groff/groff-base_1.18.1.1-2_powerpc.deb
groff_1.18.1.1-2.diff.gz
  to pool/main/g/groff/groff_1.18.1.1-2.diff.gz
groff_1.18.1.1-2.dsc
  to pool/main/g/groff/groff_1.18.1.1-2.dsc
groff_1.18.1.1-2_powerpc.deb
  to pool/main/g/groff/groff_1.18.1.1-2_powerpc.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 278265@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated groff package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 26 Oct 2004 23:52:13 +0100
Source: groff
Binary: groff-base groff
Architecture: source powerpc
Version: 1.18.1.1-2
Distribution: unstable
Urgency: high
Maintainer: Colin Watson <cjwatson@debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description: 
 groff      - GNU troff text-formatting system
 groff-base - GNU troff text-formatting system (base system components)
Closes: 278265
Changes: 
 groff (1.18.1.1-2) unstable; urgency=high
 .
   * [SECURITY] Fix a race condition in groffer leading to a temporary file
     handling vulnerability (closes: #278265).
Files: 
 97346b285e2c0e85b0b0a6b3a9aa9aaa 761 text important groff_1.18.1.1-2.dsc
 f74f73e08483058021b665b3265f3096 118323 text important groff_1.18.1.1-2.diff.gz
 00e741276b666dd715282fe5d66364f5 860450 text important groff-base_1.18.1.1-2_powerpc.deb
 5c19e041ba3150726c8de67d0843de02 1885186 text optional groff_1.18.1.1-2_powerpc.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Colin Watson <cjwatson@debian.org> -- Debian developer

iD8DBQFBftfk9t0zAhD6TNERArnBAJ9G4oykF36VAlAo80ukMtuyk2YT8ACeMUCe
5Tvw3ReQ8+MlWckOhMsvz1o=
=ATnd
-----END PGP SIGNATURE-----




Bug reopened, originator not changed. Request was from Colin Watson <cjwatson@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: sarge Request was from Colin Watson <cjwatson@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Colin Watson <cjwatson@debian.org>:
Bug#278265; Package groff. Full text and rfc822 format available.

Acknowledgement sent to Werner LEMBERG <wl@gnu.org>:
Extra info received and forwarded to list. Copy sent to Colin Watson <cjwatson@debian.org>. Full text and rfc822 format available.

Message #26 received at 278265@bugs.debian.org (full text, mbox):

From: Werner LEMBERG <wl@gnu.org>
To: cjwatson@debian.org
Cc: joeyh@debian.org, 278265@bugs.debian.org, groff-bernd.warken-72@web.de, martin.pitt@canonical.com
Subject: Re: Bug#278265: groffer uses temp files unsafely
Date: Tue, 16 Nov 2004 08:36:50 +0100 (CET)
> > Package: groff
> > Version: 1.18.1.1-1
> > Severity: serious
> > Tags: security
> > 
> > CAN-2004-0969 reported that groffer used temporary files in an
> > exploitable manner. This version of groff seems to be vulnerable. A
> > patch is here:
> > http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136313

Bernd has fixed this differently; his solution is now in the CVS (see
http://savannah.gnu.org/cvs/?group=groff).  Please test!  If you can
verify that everything is OK I'll release a new groff version.


    Werner



Reply sent to Colin Watson <cjwatson@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Joey Hess <joeyh@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #31 received at 278265-done@bugs.debian.org (full text, mbox):

From: Colin Watson <cjwatson@debian.org>
To: 278265-done@bugs.debian.org
Subject: Re: Processed: security => reopen until fixed in sarge
Date: Wed, 17 Nov 2004 18:35:53 +0000
On Wed, Oct 27, 2004 at 12:18:13AM -0700, Debian Bug Tracking System wrote:
> Processing commands for control@bugs.debian.org:
> 
> > reopen 278265
> Bug#278265: groffer uses temp files unsafely
> Bug reopened, originator not changed.
> 
> > tags 278265 sarge
> Bug#278265: groffer uses temp files unsafely
> Tags were: security
> Tags added: sarge

The fixed version has been promoted to sarge.

-- 
Colin Watson                                       [cjwatson@debian.org]





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 08:07:23 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.