Debian Bug report logs - #286372
eqn2graph: Vulnerable to symlink attack through temporary file


Package: groff; Maintainer for groff is Colin Watson <cjwatson@debian.org>; Source for groff is src:groff.

Reported by: Javier Fernández-Sanguino Peña <jfs@computer.org>

Date: Sun, 19 Dec 2004 22:33:03 UTC

Severity: grave

Tags: security

Found in version 1.18.1.1-3

Fixed in version groff/1.18.1.1-5

Done: Steve Langasek <vorlon@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Colin Watson <cjwatson@debian.org>:
Bug#286372; Package groff. Full text and rfc822 format available.

Acknowledgement sent to Javier Fernández-Sanguino Peña <jfs@computer.org>:
New Bug report received and forwarded. Copy sent to Colin Watson <cjwatson@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Javier Fernández-Sanguino Peña <jfs@computer.org>
To: submit@bugs.debian.org
Subject: eqn2graph: Vulnerable to symlink attack through temporary file
Date: Sun, 19 Dec 2004 23:19:53 +0100
[Message part 1 (text/plain, inline)]
Package: groff
Version: 1.18.1.1-3
Priority: important
Tags: security

The eqn2graph script does not protect itself from temporary filename
attacks since it creates files in an insecure manner (the process PID
is not sufficient to avoid an attack) and does not check
if the temporary files it uses exist before using them.

The attached patch fixes this behaviour.

Regards

Javier

PS: I initially reported this to the security team back in June,
but have not found time to follow up on this issue until today.
Security team, please check
Resent-Message-ID: <20040624124521.GA10101@dat.etsit.upm.es>
[eqn2graph.diff (text/plain, attachment)]
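As an added illustration (not groff's code and not the attached patch, which is not reproduced here), the following shell snippet contrasts the PID-derived temporary name the report describes with a hardened equivalent that keeps scratch files inside a private directory created by mktemp -d; the function names are assumed.

```shell
#!/bin/sh
# Added example, not part of groff or of the attached patch.

# Weak pattern (what the report describes): the name depends only on the
# PID, so it is guessable, and plain redirection onto it follows whatever
# already exists at that path, including a symlink planted beforehand.
weak_tmpname() {
    echo "${TMPDIR:-/tmp}/eqn2graph$$.pic"
}

# Hardened pattern: mktemp -d creates a fresh directory with an
# unpredictable name and mode 0700, failing rather than reusing an
# existing path; every scratch file then lives inside that directory.
make_private_workdir() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/eqn2graph.XXXXXX") || return 1
    # belt and braces: refuse anything that is not a real directory
    [ -d "$d" ] && [ ! -L "$d" ] || return 1
    echo "$d"
}

# Defensive check a script can run before trusting a work directory:
# it must be a directory, owned by the invoking user, with no group or
# other permission bits (ls -ld output begins with "drwx------").
workdir_is_private() {
    dir=$1
    [ -d "$dir" ] || return 1
    [ "$(ls -ld "$dir" | awk '{print $3}')" = "$(id -un)" ] || return 1
    case $(ls -ld "$dir" | cut -c1-10) in
        drwx------) return 0 ;;
        *)          return 1 ;;
    esac
}

# Typical use: create the directory, remove it on exit, work inside it.
eqn2graph_like_run() {
    wd=$(make_private_workdir) || return 1
    workdir_is_private "$wd" || { rm -rf "$wd"; return 1; }
    trap 'rm -rf "$wd"' EXIT
    printf 'sample equation input\n' > "$wd/input.pic"
    [ -f "$wd/input.pic" ]
}
```

Two successive calls to weak_tmpname return the same path, while two calls to make_private_workdir never do; that difference is the whole point of the fix.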

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#286372; Package groff. Full text and rfc822 format available.

Acknowledgement sent to Colin Watson <cjwatson@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #10 received at 286372@bugs.debian.org (full text, mbox):

From: Colin Watson <cjwatson@debian.org>
To: Javier Fernández-Sanguino Peña <jfs@computer.org>, 286371@bugs.debian.org, 286372@bugs.debian.org
Subject: Re: Bug#286371: pic2graph: Vulnerable to symlink attack through temporary file
Date: Mon, 20 Dec 2004 15:20:40 +0000
On Sun, Dec 19, 2004 at 11:18:13PM +0100, Javier Fernández-Sanguino Peña wrote:
> Package: groff
> Version: 1.18.1.1-3
> Priority: important
> Tags: security
> 
> The pic2graph script does not protect itself from temporary filename
> attacks since it creates files in an insecure manner (the process PID
> is not sufficient to avoid an attack) and does not check
> if the temporary files it uses exist before using them.
> 
> The attached patch fixes this behaviour.

Thanks. This and #286372 were both fixed upstream a while back in a
somewhat more elaborate way, so I'm taking their patch.

> PS: I initially reported this to the security team back in June,
> but have not found time to follow up on this issue until today.
> Security team, please check
> Resent-Message-ID: <20040624124521.GA10101@dat.etsit.upm.es>

groff in stable didn't have either pic2graph or eqn2graph; they were new
features in 1.18. The security team (as opposed to the nascent
secure-testing team) is therefore unlikely to be interested.

Cheers,

-- 
Colin Watson                                       [cjwatson@debian.org]



Severity set to `grave'. Request was from Colin Watson <cjwatson@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Reply sent to Colin Watson <cjwatson@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Javier Fernández-Sanguino Peña <jfs@computer.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #17 received at 286372-close@bugs.debian.org (full text, mbox):

From: Colin Watson <cjwatson@debian.org>
To: 286372-close@bugs.debian.org
Subject: Bug#286372: fixed in groff 1.18.1.1-5
Date: Mon, 20 Dec 2004 10:32:47 -0500
Source: groff
Source-Version: 1.18.1.1-5

We believe that the bug you reported is fixed in the latest version of
groff, which is due to be installed in the Debian FTP archive:

groff-base_1.18.1.1-5_powerpc.deb
  to pool/main/g/groff/groff-base_1.18.1.1-5_powerpc.deb
groff_1.18.1.1-5.diff.gz
  to pool/main/g/groff/groff_1.18.1.1-5.diff.gz
groff_1.18.1.1-5.dsc
  to pool/main/g/groff/groff_1.18.1.1-5.dsc
groff_1.18.1.1-5_powerpc.deb
  to pool/main/g/groff/groff_1.18.1.1-5_powerpc.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 286372@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated groff package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 20 Dec 2004 14:26:25 +0000
Source: groff
Binary: groff-base groff
Architecture: source powerpc
Version: 1.18.1.1-5
Distribution: unstable
Urgency: high
Maintainer: Colin Watson <cjwatson@debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description: 
 groff      - GNU troff text-formatting system
 groff-base - GNU troff text-formatting system (base system components)
Closes: 286371 286372
Changes: 
 groff (1.18.1.1-5) unstable; urgency=high
 .
   * Upstream fix for temporary file handling vulnerability in pic2graph
     (closes: #286371).
   * Upstream fix for temporary file handling vulnerability in eqn2graph
     (closes: #286372).
Files: 
 41ffe57c38bcc172195021b3900a4d38 761 text important groff_1.18.1.1-5.dsc
 60e74aa726e7f84b544bb901ab6985ac 126657 text important groff_1.18.1.1-5.diff.gz
 e19a659582671c3bb1ee22b693231c31 867968 text important groff-base_1.18.1.1-5_powerpc.deb
 67ca52267606bca4d4a31b2ae0796a4c 1885614 text optional groff_1.18.1.1-5_powerpc.deb





Information forwarded to debian-bugs-dist@lists.debian.org, Colin Watson <cjwatson@debian.org>:
Bug#286372; Package groff. Full text and rfc822 format available.

Acknowledgement sent to Javier Fernández-Sanguino Peña <jfs@computer.org>:
Extra info received and forwarded to list. Copy sent to Colin Watson <cjwatson@debian.org>. Full text and rfc822 format available.

Message #22 received at 286372@bugs.debian.org (full text, mbox):

From: Javier Fernández-Sanguino Peña <jfs@computer.org>
To: Colin Watson <cjwatson@debian.org>
Cc: 286371@bugs.debian.org, 286372@bugs.debian.org
Subject: Re: Bug#286371: pic2graph: Vulnerable to symlink attack through temporary file
Date: Mon, 20 Dec 2004 19:48:26 +0100
On Mon, Dec 20, 2004 at 03:20:40PM +0000, Colin Watson wrote:
> > The attached patch fixes this behaviour.
> 
> Thanks. This and #286372 were both fixed upstream a while back in a
> somewhat more elaborate way, so I'm taking their patch.

No problem. I just wanted to get those out of my "PENDING" queue. I believe
I checked the latest sources in Debian, but my system might not have been
fully up to date, sorry.

> > PS: I initially reported this to the security team back in June,
> > but have not found time to follow up on this issue until today.
> > Security team, please check
> > Resent-Message-ID: <20040624124521.GA10101@dat.etsit.upm.es>
> 
> groff in stable didn't have either pic2graph or eqn2graph; they were new
> features in 1.18. The security team (as opposed to the nascent
> secure-testing team) is therefore unlikely to be interested.

Actually, some of the scripts with insecure temporary handling were present
in stable, but the fact is that these vulnerabilities were not deemed
sufficient for a DSA, and the Security Team asked me to follow up on the
BTS since there was no need to coordinate with other security teams or
produce a DSA. I actually haven't made an effort to review whether some
of the bugs I've opened are present in stable. <shrug>

Regards

Javier



Information forwarded to debian-bugs-dist@lists.debian.org, Colin Watson <cjwatson@debian.org>:
Bug#286372; Package groff. Full text and rfc822 format available.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Colin Watson <cjwatson@debian.org>. Full text and rfc822 format available.

Message #27 received at 286372@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: 286371@bugs.debian.org, 286372@bugs.debian.org
Subject: Use CAN-2004-1296
Date: Wed, 22 Dec 2004 12:23:41 +0100
Please use CAN-2004-1296 when you refer to this vulnerability, i.e. in
the changelog of fixed packages.

Regards,

	Joey

-- 
All language designers are arrogant.  Goes with the territory...
	-- Larry Wall

Please always Cc to me when replying to me on the lists.



Bug reopened, originator not changed. Request was from Adrian Bunk <bunk@stusta.de> to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: sarge Request was from Adrian Bunk <bunk@stusta.de> to control@bugs.debian.org. Full text and rfc822 format available.

Tags removed: sarge Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Reply sent to Steve Langasek <vorlon@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Javier Fernández-Sanguino Peña <jfs@computer.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #38 received at 286372-done@bugs.debian.org (full text, mbox):

From: Steve Langasek <vorlon@debian.org>
To: 286371-done@bugs.debian.org, 286372-done@bugs.debian.org
Subject: groff update has reached testing
Date: Mon, 3 Jan 2005 21:36:38 -0800
[Message part 1 (text/plain, inline)]
tags 286371 -sarge
tags 286372 -sarge
thanks

The version of groff that is purported to fix these bugs has reached
testing, therefore I believe they can be closed.

Thanks,
-- 
Steve Langasek
postmodern programmer
[signature.asc (application/pgp-signature, inline)]



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 25 08:08:55 2014; Machine Name: buxtehude.debian.org
