Debian Bug report logs - #286370
xdvizilla: Vulnerable to symlink attack in temporary directory


Package: tetex-bin; Maintainer for tetex-bin is (unknown);

Reported by: Javier Fernández-Sanguino Peña <jfs@computer.org>

Date: Sun, 19 Dec 2004 22:18:05 UTC

Severity: important

Tags: security

Found in version 2.0.2-24

Fixed in version tetex-bin/2.0.2-25

Done: Frank Küster <frank@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, teTeX maintainers <debian-tetex-maint@lists.debian.org>:
Bug#286370; Package tetex-bin. Full text and rfc822 format available.

Acknowledgement sent to Javier Fernández-Sanguino Peña <jfs@computer.org>:
New Bug report received and forwarded. Copy sent to teTeX maintainers <debian-tetex-maint@lists.debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Javier Fernández-Sanguino Peña <jfs@computer.org>
To: submit@bugs.debian.org
Subject: xdvizilla: Vulnerable to symlink attack in temporary directory
Date: Sun, 19 Dec 2004 23:14:20 +0100
Package: tetex-bin
Version: 2.0.2-24
Priority: important
Tags: security

The xdvizilla script does not protect itself from temporary filename
attacks since it creates files in an insecure manner (using the
process PID to try to protect its creation) and does not check
whether files (or directories) exist prior to using them.

The attached patch fixes this behaviour.

Regards

Javier

PS: I initially reported this to the security team back in June,
but have not found time to follow up on this issue until today.
Security team, please check
Resent-Message-ID: <20040624124521.GA10101@dat.etsit.upm.es>

[xdvizilla.diff (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, teTeX maintainers <debian-tetex-maint@lists.debian.org>:
Bug#286370; Package tetex-bin. Full text and rfc822 format available.

Acknowledgement sent to Frank Küster <frank@debian.org>:
Extra info received and forwarded to list. Copy sent to teTeX maintainers <debian-tetex-maint@lists.debian.org>. Full text and rfc822 format available.

Message #10 received at 286370@bugs.debian.org (full text, mbox):

From: Frank Küster <frank@debian.org>
To: Javier Fernández-Sanguino Peña <jfs@computer.org>
Cc: 286370@bugs.debian.org
Subject: Re: Bug#286370: xdvizilla: Vulnerable to symlink attack in temporary directory
Date: Mon, 20 Dec 2004 13:10:24 +0100
tags 286370 pending
stop

Javier Fernández-Sanguino Peña <jfs@computer.org> wrote:

> The attached patch fixes this behaviour.

Thanks, fixed in our CVS.

Regards, Frank
-- 
Frank Küster
Inst. f. Biochemie der Univ. Zürich
Debian Developer




Tags added: pending Request was from Frank Küster <frank@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.


Acknowledgement sent to Hilmar Preusse <hille42@web.de>:
Extra info received and forwarded to list. Copy sent to teTeX maintainers <debian-tetex-maint@lists.debian.org>. Full text and rfc822 format available.

Message #17 received at 286370@bugs.debian.org (full text, mbox):

From: Hilmar Preusse <hille42@web.de>
To: Stefan Ulrich <stefanulrich@users.sourceforge.net>, 286370@bugs.debian.org
Subject: (fwd) Bug#286370: xdvizilla: Vulnerable to symlink attack in temporary directory
Date: Tue, 21 Dec 2004 17:51:55 +0100
Hi,

Just FYI. I've checked xdvizilla of teTeX beta too, but I'm not sure
if it has the same bug. At first glance this is the case.

Regards,
  Hilmar

----- Forwarded message from Javier Fernández-Sanguino Peña <jfs@computer.org> -----

From: Javier Fernández-Sanguino Peña <jfs@computer.org>
Reply-To: Javier Fernández-Sanguino Peña <jfs@computer.org>,
	286370@bugs.debian.org
To: submit@bugs.debian.org
Subject: Bug#286370: xdvizilla: Vulnerable to symlink attack in temporary directory
Date: Sun, 19 Dec 2004 23:14:20 +0100
Message-ID: <20041219221420.GA8825@silicio>
User-Agent: Mutt/1.5.6+20040907i
X-Mailing-List: <debian-tetex-maint@lists.debian.org> archive/latest/10068

Package: tetex-bin
Version: 2.0.2-24
Priority: important
Tags: security

The xdvizilla script does not protect itself from temporary filename
attacks since it creates files in an insecure manner (using the
process PID to try to protect its creation) and does not check
whether files (or directories) exist prior to using them.

The attached patch fixes this behaviour.

Regards

Javier

PS: I initially reported this to the security team back in June,
but have not found time to follow up on this issue until today.
Security team, please check
Resent-Message-ID: <20040624124521.GA10101@dat.etsit.upm.es>


--- xdvizilla.orig	2004-12-19 22:57:08.000000000 +0100
+++ xdvizilla	2004-12-19 23:13:03.000000000 +0100
@@ -33,7 +33,7 @@
 case "$FILETYPE" in
 
   *"gzip compressed data"*)
-    FILE=/tmp/xdvizilla$$
+    FILE=`mktemp -t xdvizilla.XXXXXX` || { echo "$0: Cannot create temporary file"; exit 1 }
     gunzip -c "$1" > $FILE
     [ -n "$NO_RM" ] || rm -f -- "$1"
     NO_RM=
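
Review bot: The error branch on the added FILE= line is not valid sh. In `{ echo "$0: Cannot create temporary file"; exit 1 }` the closing brace is only recognized as a reserved word after a `;` or a newline, so here it is handed to exit as an argument and the group is never closed, which stops the script from parsing. Write `exit 1; }`, and send the message to stderr with `>&2` so it does not end up on stdout.
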
@@ -41,7 +41,7 @@
     ;;
 
   *"compressed data"* | *"compress'd data"*)
-    FILE=/tmp/xdvizilla$$
+    FILE=`mktemp -t xdvizilla.XXXXXX` || { echo "$0: Cannot create temporary file"; exit 1 }
     uncompress -c "$1" > $FILE
     [ -n "$NO_RM" ] || rm -f -- "$1"
     NO_RM=
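
Review bot: `uncompress -c "$1" > $FILE` still expands $FILE unquoted, and with `mktemp -t` the path now depends on TMPDIR instead of being a fixed /tmp name, so a temporary directory whose name contains whitespace breaks the redirection. Quote it as `> "$FILE"`. The `exit 1 }` on the added line also needs a `;` before the closing brace to parse.
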
@@ -60,7 +60,7 @@
 case "$FILETYPE" in
 
   *" tar archive")
-    TARDIR=/tmp/xdvitar$$
+    TARDIR=`mktemp -t -d xdvitar.XXXXXX` || { echo "$0: Cannot create temporary directory"; exit 1 }
     mkdir $TARDIR
     cat "$FILE" | (cd $TARDIR; tar xf -)
     DVINAME=`tar tf "$FILE" | grep '\.dvi$' | head -1`
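
Review bot: The unchanged `mkdir $TARDIR` directly after the new TARDIR= line is now redundant and will fail with "File exists", because `mktemp -t -d` has already created the directory; the hunk should delete that line. The next line, `cat "$FILE" | (cd $TARDIR; tar xf -)`, would be safer as `(cd "$TARDIR" && tar xf -)` so that tar never unpacks into the current directory when the cd fails. The `exit 1 }` on the added line needs to be `exit 1; }` to parse.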


----- End forwarded message -----
-- 
http://www.hilmar-preusse.de.vu/




Acknowledgement sent to Stefan Ulrich <stefanulrich@users.sourceforge.net>:
Extra info received and forwarded to list. Copy sent to teTeX maintainers <debian-tetex-maint@lists.debian.org>. Full text and rfc822 format available.

Message #22 received at 286370@bugs.debian.org (full text, mbox):

From: Stefan Ulrich <stefanulrich@users.sourceforge.net>
To: Hilmar Preusse <hille42@web.de>
Cc: 286370@bugs.debian.org
Subject: Re: (fwd) Bug#286370: xdvizilla: Vulnerable to symlink attack in temporary directory
Date: Tue, 21 Dec 2004 18:31:59 +0000
Hilmar Preusse <hille42@web.de> writes:

> Just FYI. I've checked xdvizilla of teTeX beta too, but I'm not sure
> if it has the same bug. At first glance this is the case.

No, this has been fixed some time ago; see:
http://sourceforge.net/tracker/?group_id=23164&atid=377580&func=detail&aid=812600
http://cvs.sourceforge.net/viewcvs.py/xdvi/xdvik/texk/xdvik/xdvizilla?rev=1.3&view=markup

Best,
Stefan




Acknowledgement sent to Frank Küster <frank@debian.org>:
Extra info received and forwarded to list. Copy sent to teTeX maintainers <debian-tetex-maint@lists.debian.org>. Full text and rfc822 format available.

Message #27 received at 286370@bugs.debian.org (full text, mbox):

From: Frank Küster <frank@debian.org>
To: Stefan Ulrich <stefanulrich@users.sourceforge.net>
Cc: 286370@bugs.debian.org, Hilmar Preusse <hille42@web.de>
Subject: Re: Bug#286370: (fwd) Bug#286370: xdvizilla: Vulnerable to symlink attack in temporary directory
Date: Thu, 23 Dec 2004 11:26:57 +0100
Stefan Ulrich <stefanulrich@users.sourceforge.net> wrote:

> Hilmar Preusse <hille42@web.de> writes:
>
>> Just FYI. I've checked xdvizilla of teTeX beta too, but I'm not sure
>> if it has the same bug. At first glance this is the case.
>
> No, this has been fixed some time ago; see:
> http://sourceforge.net/tracker/?group_id=23164&atid=377580&func=detail&aid=812600

Well, yes and no. The way Thomas Esser does it is probably the best
solution for teTeX, where portability is of high importance. For Linux
distributions, there exist better ways. In Debian, we usually use
mktemp(1) which is said to be safer than tempfile(1), but I don't know
which of these exist in other distributions. Well, a short google search
gives many hits on "mktemp(1)" with suse and redhat, but only suspicious
hits with tempfile(1).

On Debian, we will patch xdvizilla to use mktemp always, because we know
that it will be there; you could also _try_ to use it, similar to

tmpfile=`mktemp 2>/dev/null` || true
test -n "$tmpfile" || ...old code


Regards, Frank

P.S. Do you know for which derivatives of mozilla xdvizilla is
necessary and/or useful?
-- 
Frank Küster
Inst. f. Biochemie der Univ. Zürich
Debian Developer
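
The "try mktemp, otherwise fall back" idea from the message above, written out as an added example that is not part of the thread or of xdvizilla. The function names and the mkdir-based fallback are assumptions chosen for illustration; the fallback relies on mkdir(1) failing when the name already exists, symlinks included.

```shell
#!/bin/sh
# Added example (not xdvizilla code): safe temporary file creation that
# prefers mktemp(1) and falls back to a private directory when it is absent.
# Function names and the fallback design are illustrative assumptions.

# Fallback: mkdir is atomic and fails if the name exists in any form
# (file, directory, or symlink), so a directory we create under umask 077
# is ours alone and nothing can be pre-planted inside it.
safe_tmpfile_fallback() {
    base=${TMPDIR:-/tmp}
    n=0
    while [ "$n" -lt 100 ]; do
        dir="$base/$1.$$.$n"
        if (umask 077 && mkdir "$dir") 2>/dev/null; then
            # noclobber: the redirection fails instead of overwriting
            (umask 077; set -C; : > "$dir/file") 2>/dev/null || return 1
            printf '%s\n' "$dir/file"
            return 0
        fi
        n=$((n + 1))   # name taken: never reuse it, try the next one
    done
    return 1
}

# Prefer mktemp(1); use the fallback only when it is missing or fails.
# A full template path is passed because -t differs between GNU and BSD.
safe_tmpfile() {
    if command -v mktemp >/dev/null 2>&1; then
        f=$(mktemp "${TMPDIR:-/tmp}/$1.XXXXXX" 2>/dev/null) && [ -n "$f" ] && {
            printf '%s\n' "$f"
            return 0
        }
    fi
    safe_tmpfile_fallback "$1"
}

# Usage, with the error branch a caller should have:
#   FILE=$(safe_tmpfile xdvizilla) || { echo "$0: cannot create temporary file" >&2; exit 1; }
```
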




Reply sent to Frank Küster <frank@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Javier Fernández-Sanguino Peña <jfs@computer.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #32 received at 286370-close@bugs.debian.org (full text, mbox):

From: Frank Küster <frank@debian.org>
To: 286370-close@bugs.debian.org
Subject: Bug#286370: fixed in tetex-bin 2.0.2-25
Date: Thu, 23 Dec 2004 12:02:30 -0500
Source: tetex-bin
Source-Version: 2.0.2-25

We believe that the bug you reported is fixed in the latest version of
tetex-bin, which is due to be installed in the Debian FTP archive:

libkpathsea-dev_2.0.2-25_i386.deb
  to pool/main/t/tetex-bin/libkpathsea-dev_2.0.2-25_i386.deb
libkpathsea3_2.0.2-25_i386.deb
  to pool/main/t/tetex-bin/libkpathsea3_2.0.2-25_i386.deb
tetex-bin_2.0.2-25.diff.gz
  to pool/main/t/tetex-bin/tetex-bin_2.0.2-25.diff.gz
tetex-bin_2.0.2-25.dsc
  to pool/main/t/tetex-bin/tetex-bin_2.0.2-25.dsc
tetex-bin_2.0.2-25_i386.deb
  to pool/main/t/tetex-bin/tetex-bin_2.0.2-25_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 286370@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Frank Küster <frank@debian.org> (supplier of updated tetex-bin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.7
Date: Thu, 23 Dec 2004 16:31:38 +0100
Source: tetex-bin
Binary: libkpathsea3 tetex-bin libkpathsea-dev
Architecture: source i386
Version: 2.0.2-25
Distribution: unstable
Urgency: high
Maintainer: teTeX maintainers <debian-tetex-maint@lists.debian.org>
Changed-By: Frank Küster <frank@debian.org>
Description: 
 libkpathsea-dev - path search library for teTeX (devel part)
 libkpathsea3 - path search library for teTeX (runtime part)
 tetex-bin  - The teTeX binary files
Closes: 196987 286370 286984
Changes: 
 tetex-bin (2.0.2-25) unstable; urgency=high
 .
   * SECURITY UPDATE:
     - Added debian/patches/patch-CAN-2004-1125 to fix a buffer overflow in
       PDF reading code that was taken from xpdf (closes: #286984). Thanks to
       Martin Pitt <martin.pitt@canonical.com>, see
       http://www.idefense.com/application/poi/display?id=172 [frank]
     - Fixed insecure tempfile creation, thanks to Javier
       Fernández-Sanguino Peña <jfs@computer.org> (closes: #286370) [frank]
   * Fixed clean target, again providing clean sources [frank]
   * Added Suggests: rubber; together with lacheck this (closes: #196987)
     [frank]
Files: 
 c0c67fb28b68a60e3fb4919c98dc63de 1044 tex optional tetex-bin_2.0.2-25.dsc
 22234075b7454394cb95b40dcf393988 183001 tex optional tetex-bin_2.0.2-25.diff.gz
 579513f95eb9ca5ff56fa653be3ca3e9 3934886 tex optional tetex-bin_2.0.2-25_i386.deb
 312583a749bf035cf6386d1831c9859e 58066 libs optional libkpathsea3_2.0.2-25_i386.deb
 8fba153ada4da2fcc994baa435928223 66208 libdevel optional libkpathsea-dev_2.0.2-25_i386.deb







Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 08:14:27 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.