Debian Bug report logs - #289560
vim: Race conditions and symlink attacks in vim (tcltags and vimspell)


Package: vim; Maintainer for vim is Debian Vim Maintainers <pkg-vim-maintainers@lists.alioth.debian.org>; Source for vim is src:vim.

Reported by: Javier Fernández-Sanguino Peña <jfs@computer.org>

Date: Sun, 9 Jan 2005 20:18:03 UTC

Severity: minor

Tags: patch, security, woody

Merged with 291125

Found in versions 1:6.3-046+1, 1:6.3-054+1

Fixed in versions vim/1:6.3-058+1, vim/6.1.018-1woody1

Done: Norbert Tretkowski <nobse@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Norbert Tretkowski <nobse@debian.org>:
Bug#289560; Package vim. Full text and rfc822 format available.

Acknowledgement sent to Javier Fernández-Sanguino Peña <jfs@computer.org>:
New Bug report received and forwarded. Copy sent to Norbert Tretkowski <nobse@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Javier Fernández-Sanguino Peña <jfs@computer.org>
To: submit@bugs.debian.org
Cc: Bram Moolenaar <Bram@vim.org>
Subject: vim: Race conditions and symlink attacks in vim (tcltags and vimspell)
Date: Sun, 9 Jan 2005 21:05:26 +0100
[Message part 1 (text/plain, inline)]
Package: vim
Version: 1:6.3-046+1
Severity: minor
Tags: patch security sid woody sarge

Hi there,

Reviewing vim as part of the security audit the Audit team [1] is 
conducting I've found what I believe are some race conditions and symlink 
attacks through temporary files in vim. They appear in two scripts which 
are not installed in Debian in binary locations (they are installed under
/usr/share/doc/vim/tools/) but are provided with execute permissions.

That's mainly why I'm opening this bug up in Debian's BTS and not 
contacting the security team directly although the code is present in all 
vim releases in Debian.

These appear in:

1.- the tcltags script (runtime/tools/tcltags):
    (...)
    tmp_tagfile=/tmp/${program_name}.$$
    (...)
        sed -e "/^!_TAG_FILE_SORTED/s/  [01]    /       $sorted /" \
            -e "/^!_TAG_FILE_FORMAT/s/  1       /       $format /" \
            $tagfile > $tmp_tagfile


2.- the vimspell script (runtime/tools/vimspell.sh)

     OUTFILE=/tmp/vimspell.$$
     # if you have "tempfile", use the following line
     #OUTFILE=`tempfile`
(...)
     spell $SPELL_ARGS $INFILE | sort -u |
     awk '
           {
             printf "syntax match SpellErrors \"\\<%s\\>\"\n", $0 ;
           }

     END   {
             printf "highlight link SpellErrors ErrorMsg\n\n" ;
           }
     ' > $OUTFILE
     echo "!rm $OUTFILE" >> $OUTFILE
     echo $OUTFILE

Since these are tools that are run from vim, an attacker can get a 
good-enough approximation of the PIDs that will be used in these temporary 
files and can conduct a symlink attack if these tools are used.

The attached patch should fix both of these issues. I've taken the 
approach implemented in vimtutor, but modified it slightly for vimspell as 
the temporary file cannot be removed by the script (vim removes it). When 
mktemp and tempfile are not available, there will still be a race condition 
in the script. Since most GNU/Linux and UNIX operating systems seem to 
have either one I don't think it's a big issue, however.

Best regards

Javier
[vim-6.3.diff (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]
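The following is an added example, not code from vim, from the report, or from any of the patches discussed in this bug: a hardened version of the tcltags temp-file handling the report describes, written as a POSIX sh script. The function names, the ctags-style sample tag file, the sed expressions and the error codes are all constructed here. It shows the three properties the thread argues for: an unpredictable name created atomically by mktemp, a single cleanup path (an EXIT trap, with no trailing rm), and failing closed with a clear message when mktemp is not available instead of falling back to /tmp/name.$$.

```shell
#!/bin/sh
# Added example: hardened temp-file handling in the style of tcltags.
# Not code from vim or from this bug's patches; names and sample data are
# constructed for the demonstration.

# The pattern the report objects to (kept in a comment, never executed):
#   tmp_tagfile=/tmp/${program_name}.$$
#   sed -e ... "$tagfile" > "$tmp_tagfile"
# The name depends only on the PID, and the shell's ">" redirection follows
# an existing symlink at that name, so the write lands wherever the link
# points, limited only by the permissions of the user running the script.

# Create an unpredictable temp file atomically (mktemp uses O_EXCL and mode
# 0600) and fail closed when that is not possible: no fallback to a
# /tmp/name.$$ path. Prints the path; returns 0 (ok), 2 (no mktemp) or
# 1 (mktemp itself failed).
make_secure_tmp() {
    prefix=${1:-vimtmp}
    if ! command -v mktemp >/dev/null 2>&1; then
        echo "${0##*/}: mktemp not found, cannot create a temporary file safely" >&2
        return 2
    fi
    # mktemp prints its own diagnostic when it fails, e.g. unwritable TMPDIR.
    mktemp -t "${prefix}.XXXXXXXX" || return 1
}

# Rewrite the !_TAG_FILE_SORTED and !_TAG_FILE_FORMAT header flags of a
# ctags-style tag file, the way tcltags does, via a secure scratch file.
# Usage: rewrite_tagfile TAGFILE SORTED_FLAG FORMAT_NUMBER
rewrite_tagfile() {
    tagfile=$1; sorted=$2; format=$3
    tmp_tagfile=$(make_secure_tmp tcltags) || return $?
    # Exactly one cleanup path: the EXIT trap removes the scratch file however
    # the script ends, so no trailing "rm $tmp_tagfile" is needed (keeping one,
    # as the thread notes of the Ubuntu patch, removes the file twice).
    trap 'rm -f "$tmp_tagfile"' EXIT
    trap 'exit 1' HUP INT TERM
    sed -e "s/^\(!_TAG_FILE_SORTED[[:space:]][[:space:]]*\)[01]/\1$sorted/" \
        -e "s/^\(!_TAG_FILE_FORMAT[[:space:]][[:space:]]*\)[0-9]/\1$format/" \
        "$tagfile" > "$tmp_tagfile" && cat "$tmp_tagfile" > "$tagfile"
}

# Constructed sample tag file (unsorted, format 1) for trying the rewrite.
make_sample_tagfile() {
    printf '!_TAG_FILE_FORMAT\t1\t/extended format/\n' > "$1"
    printf '!_TAG_FILE_SORTED\t0\t/0=unsorted, 1=sorted/\n' >> "$1"
    printf 'main\tmain.tcl\t/^proc main {} {$/;"\tp\n' >> "$1"
    printf 'helper\tlib.tcl\t/^proc helper {} {$/;"\tp\n' >> "$1"
}

# Demo: build the sample, mark it sorted and format 2, print the result.
demo() {
    dir=$(mktemp -d) || exit 1
    make_sample_tagfile "$dir/tags"
    rewrite_tagfile "$dir/tags" 1 2
    cat "$dir/tags"
    rm -rf "$dir"
}
```

Source the file and call `demo` to see the rewritten header. The design choice worth noting is that the fallback branch the original patch discussion spent most of its lines on (try a private directory, then a PID-based name) is simply absent: when mktemp is missing the function returns 2 with a message, which is the "abort with a clear error" option raised later in the thread.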

Information forwarded to debian-bugs-dist@lists.debian.org, Norbert Tretkowski <nobse@debian.org>:
Bug#289560; Package vim. Full text and rfc822 format available.

Acknowledgement sent to Javier Fernández-Sanguino Peña <jfs@computer.org>:
Extra info received and forwarded to list. Copy sent to Norbert Tretkowski <nobse@debian.org>. Full text and rfc822 format available.

Message #10 received at 289560@bugs.debian.org (full text, mbox):

From: Javier Fernández-Sanguino Peña <jfs@computer.org>
To: Bram Moolenaar <Bram@moolenaar.net>
Cc: 289560@bugs.debian.org
Subject: Re: vim: Race conditions and symlink attacks in vim (tcltags and vimspell)
Date: Sun, 9 Jan 2005 22:24:11 +0100
[Message part 1 (text/plain, inline)]
On Sun, Jan 09, 2005 at 10:02:35PM +0100, Bram Moolenaar wrote:
> 
> Javier -
> 
> > Reviewing vim as part of the security audit the Audit team [1] is 
> > conducting I've found what I believe are some race conditions and symlink 
> > attacks through temporary files in vim. They appear in two scripts which 
> > are not installed in Debian in binary locations (they are installed under
> > /usr/share/doc/vim/tools/) but are provided with execute permissions.
> 
> Thanks for looking into this and providing patches.
> 
> Did you contact the original authors, Darren Hiebert and Neil
> Schemenauer?

No, I didn't. I was not sure if they were still active. Do you want me to 
forward this?

> I wonder if there isn't a shorter method.  The handling of the temp file
> becomes more than half the script this way.

Actually, there is, you could remove the lines that try to use a temporary
file in a temporary directory (below the comments) and just abort with a 
"Cannot create temporary file" message if tmp_tagfile (or OUTFILE) are 
'none'.

Regards

Javier
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Norbert Tretkowski <nobse@debian.org>:
Bug#289560; Package vim. Full text and rfc822 format available.

Acknowledgement sent to Bram Moolenaar <Bram@moolenaar.net>:
Extra info received and forwarded to list. Copy sent to Norbert Tretkowski <nobse@debian.org>. Full text and rfc822 format available.

Message #15 received at 289560@bugs.debian.org (full text, mbox):

From: Bram Moolenaar <Bram@moolenaar.net>
To: Javier Fernández-Sanguino Peña <jfs@computer.org>
Cc: 289560@bugs.debian.org
Subject: Re: vim: Race conditions and symlink attacks in vim (tcltags and vimspell)
Date: Mon, 10 Jan 2005 10:33:00 +0100
Javier -

> > Did you contact the original authors, Darren Hiebert and Neil
> > Schemenauer?
> 
> No, I didn't. I was not sure if they were still active. Do you want me to 
> forward this?

Yes.  They are the authors, thus I hesitate to change their work without
at least trying to contact them.

> > I wonder if there isn't a shorter method.  The handling of the temp file
> > becomes more than half the script this way.
> 
> Actually, there is, you could remove the lines that try to use a temporary
> file in a temporary directory (below the comments) and just abort with a 
> "Cannot create temporary file" message if tmp_tagfile (or OUTFILE) are 
> 'none'.

So there would be a few (old?) systems where the script won't work?

-- 
GALAHAD: No. Look, I can tackle this lot single-handed!
GIRLS:   Yes, yes, let him Tackle us single-handed!
                 "Monty Python and the Holy Grail" PYTHON (MONTY) PICTURES LTD

 /// Bram Moolenaar -- Bram@Moolenaar.net -- http://www.Moolenaar.net   \\\
///        Sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\              Project leader for A-A-P -- http://www.A-A-P.org        ///
 \\\     Buy LOTR 3 and help AIDS victims -- http://ICCF.nl/lotr.html   ///



Information forwarded to debian-bugs-dist@lists.debian.org, Norbert Tretkowski <nobse@debian.org>:
Bug#289560; Package vim. Full text and rfc822 format available.

Acknowledgement sent to Javier Fernández-Sanguino Peña <jfs@computer.org>:
Extra info received and forwarded to list. Copy sent to Norbert Tretkowski <nobse@debian.org>. Full text and rfc822 format available.

Message #20 received at 289560@bugs.debian.org (full text, mbox):

From: Javier Fernández-Sanguino Peña <jfs@computer.org>
To: Bram Moolenaar <Bram@moolenaar.net>
Cc: 289560@bugs.debian.org
Subject: Re: vim: Race conditions and symlink attacks in vim (tcltags and vimspell)
Date: Mon, 10 Jan 2005 10:56:21 +0100
[Message part 1 (text/plain, inline)]
On Mon, Jan 10, 2005 at 10:33:00AM +0100, Bram Moolenaar wrote:
> > > Did you contact the original authors, Darren Hiebert and Neil
> > > Schemenauer?
> > 
> > No, I didn't. I was not sure if they were still active. Do you want me to 
> > forward this?
> 
> Yes.  They are the authors, thus I hesitate to change their work without
> at least trying to contact them.

Ok. Will do.

> 
> > > I wonder if there isn't a shorter method.  The handling of the temp file
> > > becomes more than half the script this way.
> > 
> > Actually, there is, you could remove the lines that try to use a temporary
> > file in a temporary directory (below the comments) and just abort with a 
> > "Cannot create temporary file" message if tmp_tagfile (or OUTFILE) are 
> > 'none'.
> 
> So there would be a few (old?) systems where the script won't work?

Correct. Those that don't have mktemp or tempfile. These should be 
available in most Linux distributions but I'm not sure about their 
availability in other UNIX systems (I believe mktemp is available in 
Solaris, in HP-UX and in Tru64 but not in AIX, for example)

Regards

Javier


[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Norbert Tretkowski <nobse@debian.org>:
Bug#289560; Package vim. Full text and rfc822 format available.

Acknowledgement sent to Javier Fernández-Sanguino Peña <jfs@computer.org>:
Extra info received and forwarded to list. Copy sent to Norbert Tretkowski <nobse@debian.org>. Full text and rfc822 format available.

Message #25 received at 289560@bugs.debian.org (full text, mbox):

From: Javier Fernández-Sanguino Peña <jfs@computer.org>
To: Bram Moolenaar <Bram@moolenaar.net>
Cc: 289560@bugs.debian.org
Subject: Re: vim: Race conditions and symlink attacks in vim (tcltags and vimspell)
Date: Mon, 10 Jan 2005 11:01:57 +0100
[Message part 1 (text/plain, inline)]
On Mon, Jan 10, 2005 at 10:33:00AM +0100, Bram Moolenaar wrote:
> 
> Javier -
> 
> > > Did you contact the original authors, Darren Hiebert and Neil
> > > Schemenauer?
> > 
> > No, I didn't. I was not sure if they were still active. Do you want me to 
> > forward this?
> 
> Yes.  They are the authors, thus I hesitate to change their work without
> at least trying to contact them.

At least one of the mail addresses (darren@hiebert.com) bounces.

Regards

Javier
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Norbert Tretkowski <nobse@debian.org>:
Bug#289560; Package vim. Full text and rfc822 format available.

Acknowledgement sent to Javier Fernández-Sanguino Peña <jfs@computer.org>:
Extra info received and forwarded to list. Copy sent to Norbert Tretkowski <nobse@debian.org>. Full text and rfc822 format available.

Message #30 received at 289560@bugs.debian.org (full text, mbox):

From: Javier Fernández-Sanguino Peña <jfs@computer.org>
To: Bram Moolenaar <Bram@moolenaar.net>
Cc: 289560@bugs.debian.org
Subject: Re: vim: Race conditions and symlink attacks in vim (tcltags and vimspell)
Date: Mon, 10 Jan 2005 11:43:10 +0100
[Message part 1 (text/plain, inline)]
On Mon, Jan 10, 2005 at 11:01:57AM +0100, Javier Fernández-Sanguino Peña wrote:
> At least one of the mail addresses (darren@hiebert.com) bounces.

The other author address (nascheme@ucalgary.ca) bounces too.

Regards

Javier
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Norbert Tretkowski <nobse@debian.org>:
Bug#289560; Package vim. Full text and rfc822 format available.

Acknowledgement sent to Mark J Cox <mjc@redhat.com>:
Extra info received and forwarded to list. Copy sent to Norbert Tretkowski <nobse@debian.org>. Full text and rfc822 format available.

Message #35 received at 289560@bugs.debian.org (full text, mbox):

From: Mark J Cox <mjc@redhat.com>
To: 289560@bugs.debian.org
Subject: [coley@mitre.org: Re: CVE request] (fwd)
Date: Fri, 14 Jan 2005 12:30:15 +0000 (GMT)
This is CAN-2005-0069.



Information forwarded to debian-bugs-dist@lists.debian.org, Norbert Tretkowski <nobse@debian.org>:
Bug#289560; Package vim. Full text and rfc822 format available.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Norbert Tretkowski <nobse@debian.org>. Full text and rfc822 format available.

Message #40 received at 289560@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: 289560@bugs.debian.org
Subject: cve id
Date: Fri, 14 Jan 2005 14:16:06 +0100
Please use CAN-2005-0069.

Regards,

	Joey

-- 
The MS-DOS filesystem is nice for removable media.  -- H. Peter Anvin

Please always Cc to me when replying to me on the lists.



Tags added: pending Request was from Norbert Tretkowski <nobse@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Severity set to `grave'. Request was from Norbert Tretkowski <nobse@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Merged 289560 291125. Request was from Norbert Tretkowski <nobse@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Reply sent to Norbert Tretkowski <nobse@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Javier Fernández-Sanguino Peña <jfs@computer.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #51 received at 289560-close@bugs.debian.org (full text, mbox):

From: Norbert Tretkowski <nobse@debian.org>
To: 289560-close@bugs.debian.org
Subject: Bug#289560: fixed in vim 1:6.3-058+1
Date: Wed, 19 Jan 2005 02:17:20 -0500
Source: vim
Source-Version: 1:6.3-058+1

We believe that the bug you reported is fixed in the latest version of
vim, which is due to be installed in the Debian FTP archive:

kvim-perl_6.3-058+1_alpha.deb
  to pool/main/v/vim/kvim-perl_6.3-058+1_alpha.deb
kvim-python_6.3-058+1_alpha.deb
  to pool/main/v/vim/kvim-python_6.3-058+1_alpha.deb
kvim-ruby_6.3-058+1_alpha.deb
  to pool/main/v/vim/kvim-ruby_6.3-058+1_alpha.deb
kvim-tcl_6.3-058+1_alpha.deb
  to pool/main/v/vim/kvim-tcl_6.3-058+1_alpha.deb
kvim_6.3-058+1_alpha.deb
  to pool/main/v/vim/kvim_6.3-058+1_alpha.deb
vim-common_6.3-058+1_all.deb
  to pool/main/v/vim/vim-common_6.3-058+1_all.deb
vim-doc_6.3-058+1_all.deb
  to pool/main/v/vim/vim-doc_6.3-058+1_all.deb
vim-gnome_6.3-058+1_alpha.deb
  to pool/main/v/vim/vim-gnome_6.3-058+1_alpha.deb
vim-gtk_6.3-058+1_alpha.deb
  to pool/main/v/vim/vim-gtk_6.3-058+1_alpha.deb
vim-lesstif_6.3-058+1_alpha.deb
  to pool/main/v/vim/vim-lesstif_6.3-058+1_alpha.deb
vim-perl_6.3-058+1_alpha.deb
  to pool/main/v/vim/vim-perl_6.3-058+1_alpha.deb
vim-python_6.3-058+1_alpha.deb
  to pool/main/v/vim/vim-python_6.3-058+1_alpha.deb
vim-ruby_6.3-058+1_alpha.deb
  to pool/main/v/vim/vim-ruby_6.3-058+1_alpha.deb
vim-tcl_6.3-058+1_alpha.deb
  to pool/main/v/vim/vim-tcl_6.3-058+1_alpha.deb
vim_6.3-058+1.diff.gz
  to pool/main/v/vim/vim_6.3-058+1.diff.gz
vim_6.3-058+1.dsc
  to pool/main/v/vim/vim_6.3-058+1.dsc
vim_6.3-058+1_alpha.deb
  to pool/main/v/vim/vim_6.3-058+1_alpha.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 289560@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Norbert Tretkowski <nobse@debian.org> (supplier of updated vim package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 18 Jan 2005 20:12:25 +0100
Source: vim
Binary: vim-lesstif vim-common vim-doc vim-gnome kvim-ruby vim vim-gtk kvim-perl vim-perl kvim-tcl vim-tiny vim-ruby vim-python vim-tcl kvim-python kvim
Architecture: source alpha all
Version: 1:6.3-058+1
Distribution: unstable
Urgency: high
Maintainer: Norbert Tretkowski <nobse@debian.org>
Changed-By: Norbert Tretkowski <nobse@debian.org>
Description: 
 kvim       - Vi IMproved - KDE 3.x version
 kvim-perl  - Vi IMproved - KDE 3.x version with Perl scripting support
 kvim-python - Vi IMproved - KDE 3.x version with Python scripting support
 kvim-ruby  - Vi IMproved - KDE 3.x version with Ruby scripting support
 kvim-tcl   - Vi IMproved - KDE 3.x version with TCL scripting support
 vim        - Vi IMproved - enhanced vi editor
 vim-common - Vi IMproved - Common files
 vim-doc    - Vi IMproved - Documentation files
 vim-gnome  - Vi IMproved - GNOME2 Version
 vim-gtk    - Vi IMproved - GTK2 Version
 vim-lesstif - Vi IMproved - LessTif Version
 vim-perl   - Vi IMproved, with perl scripting support
 vim-python - Vi IMproved, with python scripting support
 vim-ruby   - Vi IMproved, with ruby scripting support
 vim-tcl    - Vi IMproved, with tcl scripting support
Closes: 289560
Changes: 
 vim (1:6.3-058+1) unstable; urgency=high
 .
   * new upstream patches (055 to 058), see README.gz for details
   * added a new patch (stolen from Ubuntu) which modifies vimspell.sh and
     tcltags.sh so they use mktemp instead of insecure $$ construction to
     create temporary files (CAN-2005-0069) (closes: #289560)
Files: 
 40905ece508f1000b53e1cb0b1a0b679 1114 editors optional vim_6.3-058+1.dsc
 2a764ada0d4dd2892216d998ee424257 459960 editors optional vim_6.3-058+1.diff.gz
 3be4f39ae87c85af51774b43842f852a 1599902 editors optional vim-doc_6.3-058+1_all.deb
 aa8f4256bcea255a870d42f41095f54f 3422002 editors extra vim-common_6.3-058+1_all.deb
 f98fcfb0ac9f26668d2b9c50c8b8b431 899984 editors optional vim_6.3-058+1_alpha.deb
 57c868841b4003df54d6f987c4bbdac4 1071112 editors extra kvim-perl_6.3-058+1_alpha.deb
 05337f051d46820de859772559c78139 958048 editors extra vim-perl_6.3-058+1_alpha.deb
 de1bd16ca6ec536da4957e12101a2970 1065922 editors extra kvim-python_6.3-058+1_alpha.deb
 104772252250acd9e35eb16e1b46e395 952474 editors extra vim-python_6.3-058+1_alpha.deb
 f035d0ca05939a17677acfa333e48fb4 1059382 editors extra kvim-ruby_6.3-058+1_alpha.deb
 f4d69d869fda4e6fd655b9d4229fd792 947204 editors extra vim-ruby_6.3-058+1_alpha.deb
 7ab3e529cbd43991d48c8dda291116a8 1023598 editors extra kvim-tcl_6.3-058+1_alpha.deb
 5dc0fafa0034556186a396c14a99274a 952276 editors extra vim-tcl_6.3-058+1_alpha.deb
 bc9d36d4e37c120fa30b37ef5f6a66ba 941254 editors extra vim-gtk_6.3-058+1_alpha.deb
 f32726f0b47e5c361b2aa21f16f2e118 881260 editors extra vim-lesstif_6.3-058+1_alpha.deb
 d0c6f0b0576fc1861f5f8cc92e63bd19 944624 editors extra vim-gnome_6.3-058+1_alpha.deb
 c6c1d71c24df7a1aeea026905a3e09d5 1013734 editors extra kvim_6.3-058+1_alpha.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFB7gZvr/RnCw96jQERAhWYAJ9UkUmPjUQDlvNVCfJSKDP03U7JxQCgoqhG
mJk6cJVq2LlVKW2RgSZ/NrM=
=djsk
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Norbert Tretkowski <nobse@debian.org>:
Bug#289560; Package vim. Full text and rfc822 format available.

Acknowledgement sent to Javier Fernández-Sanguino Peña <jfs@computer.org>:
Extra info received and forwarded to list. Copy sent to Norbert Tretkowski <nobse@debian.org>. Full text and rfc822 format available.

Message #56 received at 289560@bugs.debian.org (full text, mbox):

From: Javier Fernández-Sanguino Peña <jfs@computer.org>
To: 289560@bugs.debian.org
Cc: Javier Fernández-Sanguino Peña <jfs@computer.org>
Subject: Re: Bug#289560 acknowledged by developer (Bug#289560: fixed in vim 1:6.3-058+1)
Date: Wed, 19 Jan 2005 09:08:38 +0100
[Message part 1 (text/plain, inline)]
>    * added a new patch (stolen from Ubuntu) which modifies vimspell.sh and
>      tcltags.sh so they use mktemp instead of insecure $$ construction to
>      create temporary files (CAN-2005-0069) (closes: #289560)

A few comments and questions regarding this entry:

- the scripts seem to be ancient and no longer supported by either their 
authors or the vim maintainer, and have been removed upstream.

- I understand that Ubuntu's patch might be simpler, but I actually wrote 
the patch based on what's done in vim's tcltutor script. There were some 
reasons I wrote it which have been disregarded (mostly compatibility 
reasons for things that don't have mktemp/tempfile)
(I can't find it in Ubuntu's bugzilla 5633 but found it in our BTS #291125)

- no credit is given to me, which I would have appreciated

- Ubuntu's patch for tcltags will remove the temporary file *twice* (once
on exit, once after the trap is called) as the last line of the script has
not been removed (rm $tmp_tagfile) as I did in my patch.

Regards


Javier
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Norbert Tretkowski <nobse@debian.org>:
Bug#289560; Package vim. Full text and rfc822 format available.

Acknowledgement sent to Martin Pitt <mpitt@debian.org>:
Extra info received and forwarded to list. Copy sent to Norbert Tretkowski <nobse@debian.org>. Full text and rfc822 format available.

Message #61 received at 289560@bugs.debian.org (full text, mbox):

From: Martin Pitt <mpitt@debian.org>
To: Javier Fernández-Sanguino Peña <jfs@computer.org>, 289560@bugs.debian.org
Subject: Re: Bug#289560: acknowledged by developer (Bug#289560: fixed in vim 1:6.3-058+1)
Date: Wed, 19 Jan 2005 10:24:20 +0100
[Message part 1 (text/plain, inline)]
Hi Javier!

Javier Fernández-Sanguino Peña [2005-01-19  9:08 +0100]:
> >    * added a new patch (stolen from Ubuntu) which modifies vimspell.sh and
> >      tcltags.sh so they use mktemp instead of insecure $$ construction to
> >      create temporary files (CAN-2005-0069) (closes: #289560)
> 
> A few comments and questions regarding this entry:
> 
> - the scripts seem to be ancient and no longer supported by either their 
> authors nor vim maintainer and have been removed upstream.

Maybe, but still we ship them in our stable release, so we must fix
it.

> - I understand that Ubuntu's patch might be simpler, but I actually wrote 
> the patch based on what's done in vim's tcltutor script. There were some 
> reasons I wrote it which have been disregarded (mostly compatibility 
> reasons for things that don't have mktemp/tempfile)
> (I can't find it in Ubuntu's bugzilla 5633 but found it in our BTS #291125)

I read your patch, but I deliberately wrote my own very simple
version, because:

- I wanted to avoid the tempfile race in any case, so if mktemp is not
  available, the script should rather fail than be vulnerable. mktemp
  is shipped in a required package, so we can assume it is there.

- A security update must be as simple and unintrusive as possible. I
  do not care about the widest possible upstream portability in
  security updates, the solution only needs to work on the platforms
  we support.

> - no credit is given to me, which I would have appreciated

I credited you in the announcement [1] since you found the bug.
However, since I did not take your patch, but wrote my own, I did not
credit you for the patch (so if it's broken, it is seen as my fault
and not yours :-) ).

[1] http://www.ubuntulinux.org/support/documentation/usn/usn-61-1

> - Ubuntu's patch for tcltags will remove the temporary file *twice* (once
> on exit, once after the trap is called) as the last line of the script has
> not been removed (rm $tmp_tagfile) as I did in my patch.

Right, thanks for that hint. It would be nice to fix that in Sid and
our development release.

Have a nice day!

Martin

-- 
Martin Pitt                       http://www.piware.de
Ubuntu Developer            http://www.ubuntulinux.org
Debian GNU/Linux Developer       http://www.debian.org
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Norbert Tretkowski <nobse@debian.org>:
Bug#289560; Package vim. Full text and rfc822 format available.

Acknowledgement sent to Javier Fernández-Sanguino Peña <jfs@computer.org>:
Extra info received and forwarded to list. Copy sent to Norbert Tretkowski <nobse@debian.org>. Full text and rfc822 format available.

Message #66 received at 289560@bugs.debian.org (full text, mbox):

From: Javier Fernández-Sanguino Peña <jfs@computer.org>
To: Martin Pitt <mpitt@debian.org>
Cc: 289560@bugs.debian.org
Subject: Re: Bug#289560: acknowledged by developer (Bug#289560: fixed in vim 1:6.3-058+1)
Date: Wed, 19 Jan 2005 11:40:47 +0100
[Message part 1 (text/plain, inline)]
On Wed, Jan 19, 2005 at 10:24:20AM +0100, Martin Pitt wrote:
> I read your patch, but I deliberately wrote my own very simple
> version, because:

Martin, just to get things straight, my comments are not directed 
towards you, but towards the vim maintainer.

> 
> - I wanted to avoid the tempfile race in any case, so if mktemp is not
>   available, the script should rather fail than be vulnerable. mktemp
>   is shipped in a required package, so we can assume it is there.

It would be best if instead of 

tmp_tagfile=`mktemp -t tcltagXXXXXX` || exit 1 

you had used

tmp_tagfile=`mktemp -t tcltagXXXXXX` || { echo "$0: error creating the 
temporary file" >&2; exit 1 ;}

IMHO

> - A security update must be as simple and unintrusive as possible. I
>   do not care about the widest possible upstream portability in
>   security updates, the solution only needs to work on the platforms
>   we support.

Well, in the Debian case (not Ubuntu's) the patch was not intended to be
used as a DSA (since even if the code is in stable, it's in
/usr/share/doc).  I wasn't complaining about the Ubuntu update, but about
the use of Ubuntu's patch in Debian when mine could be used instead for the
sid upload (and would've been more consistent with upstream source)

> > - no credit is given to me, which I would have appreciated
> 
> I credited you in the announcement [1] since you found the bug.

I was mentioning Debian's changelog, not Ubuntu's advisory.
Actually, all my statements are with how this bug has been handled by the 
Debian maintainer, which takes no action until an Ubuntu advisory is 
released.

In any case, there's no use in arguing this when there are so many things to 
work on (and so many similar security bugs to report).

Regards

Javier
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Norbert Tretkowski <nobse@debian.org>:
Bug#289560; Package vim. Full text and rfc822 format available.

Acknowledgement sent to Martin Pitt <mpitt@debian.org>:
Extra info received and forwarded to list. Copy sent to Norbert Tretkowski <nobse@debian.org>. Full text and rfc822 format available.

Message #71 received at 289560@bugs.debian.org (full text, mbox):

From: Martin Pitt <mpitt@debian.org>
To: Javier Fernández-Sanguino Peña <jfs@computer.org>
Cc: 289560@bugs.debian.org
Subject: Re: Bug#289560: acknowledged by developer (Bug#289560: fixed in vim 1:6.3-058+1)
Date: Wed, 19 Jan 2005 12:04:06 +0100
[Message part 1 (text/plain, inline)]
Hi Javier!

Javier Fernández-Sanguino Peña [2005-01-19 11:40 +0100]:
> It would be best if instead of 
> 
> tmp_tagfile=`mktemp -t tcltagXXXXXX` || exit 1 
> 
> you had used
> 
> tmp_tagfile=`mktemp -t tcltagXXXXXX` || { echo "$0: error creating the 
> temporary file" >&2; exit 1 ;}
> 
> IMHO

There is no need for this. mktemp generates an error message on its
own, so this would only write two messages.

> In any case, no use in arguing this when there is so many things to work on 
> (and so many similar security bugs to report)

Right, I just wanted to point out above mktemp behavior, since this
seems to be a common misconception.

Thanks for your great work and have a nice day!

Martin
-- 
Martin Pitt                       http://www.piware.de
Ubuntu Developer            http://www.ubuntulinux.org
Debian GNU/Linux Developer       http://www.debian.org
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Norbert Tretkowski <nobse@debian.org>:
Bug#289560; Package vim. Full text and rfc822 format available.

Acknowledgement sent to Javier Fernández-Sanguino Peña <jfs@computer.org>:
Extra info received and forwarded to list. Copy sent to Norbert Tretkowski <nobse@debian.org>. Full text and rfc822 format available.

Message #76 received at 289560@bugs.debian.org (full text, mbox):

From: Javier Fernández-Sanguino Peña <jfs@computer.org>
To: Martin Pitt <mpitt@debian.org>
Cc: 289560@bugs.debian.org
Subject: Re: Bug#289560: acknowledged by developer (Bug#289560: fixed in vim 1:6.3-058+1)
Date: Wed, 19 Jan 2005 13:20:29 +0100
[Message part 1 (text/plain, inline)]
On Wed, Jan 19, 2005 at 12:04:06PM +0100, Martin Pitt wrote:
> > IMHO
> 
> There is no need for this. mktemp generates an error message on its
> own, so this would only write two messages.

Mktemp might not be available. The || test would actually check whether 
mktemp fails (not common) and whether it's available. My message is 
associated with the latter.

> 
> > In any case, no use in arguing this when there is so many things to work on 
> > (and so many similar security bugs to report)
> 
> Right, I just wanted to point out above mktemp behavior, since this
> seems to be a common misconception.

Understood, but you don't cover the event of mktemp not being available. 
The bash would output a message but an unknowledgeable user wouldn't know 
what's amiss.

> 
> Thanks for your great work and have a nice day!

Thank you for your work.

Regards

Javier
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#289560; Package vim. Full text and rfc822 format available.

Acknowledgement sent to Norbert Tretkowski <nobse@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #81 received at 289560@bugs.debian.org (full text, mbox):

From: Norbert Tretkowski <nobse@debian.org>
To: Javier Fernández-Sanguino Peña <jfs@computer.org>, 289560@bugs.debian.org
Subject: Re: Bug#289560: acknowledged by developer (Bug#289560: fixed in vim 1:6.3-058+1)
Date: Wed, 19 Jan 2005 21:23:26 +0100
Oh well... looks like I did everything wrong that can be done wrong with
this bug report... 

* Javier Fernández-Sanguino Peña wrote:
> >    * added a new patch (stolen from Ubuntu) which modifies vimspell.sh and
> >      tcltags.sh so they use mktemp instead of insecure $$ construction to
> >      create temporary files (CAN-2005-0069) (closes: #289560)
> 
> A few comments and questions regarding this entry:
> 
> - the scripts seem to be ancient and no longer supported by either their 
> authors nor vim maintainer and have been removed upstream.

You're right, it's better to remove those scripts.

> - no credit is given to me, which I would have appreciated

You're right again, sorry that I forgot that.

So, my plans for the next upload...

- remove vimspell.sh and tcltags.sh
- remove the Ubuntu patch
- notice in the changelog that you discovered these problems

I hope I'll find time next weekend for a new upload.

Regards, Norbert



Information forwarded to debian-bugs-dist@lists.debian.org, Norbert Tretkowski <nobse@debian.org>:
Bug#289560; Package vim. Full text and rfc822 format available.

Acknowledgement sent to Javier Fernández-Sanguino Peña <jfs@computer.org>:
Extra info received and forwarded to list. Copy sent to Norbert Tretkowski <nobse@debian.org>. Full text and rfc822 format available.

Message #86 received at 289560@bugs.debian.org (full text, mbox):

From: Javier Fernández-Sanguino Peña <jfs@computer.org>
To: Norbert Tretkowski <nobse@debian.org>
Cc: 289560@bugs.debian.org
Subject: Re: Bug#289560: acknowledged by developer (Bug#289560: fixed in vim 1:6.3-058+1)
Date: Thu, 20 Jan 2005 01:20:07 +0100
> I hope I'll find time next weekend for a new upload.

There's no hurry, take your time, these scripts have been in Debian for 
ages. You can even wait until the next upstream version is released, no 
sense in making two uploads to fix these.

Regards

Javier



Information forwarded to debian-bugs-dist@lists.debian.org, Norbert Tretkowski <nobse@debian.org>:
Bug#289560; Package vim. Full text and rfc822 format available.

Acknowledgement sent to Helge Kreutzmann <kreutzm@itp.uni-hannover.de>:
Extra info received and forwarded to list. Copy sent to Norbert Tretkowski <nobse@debian.org>. Full text and rfc822 format available.

Message #91 received at 289560@bugs.debian.org (full text, mbox):

From: Helge Kreutzmann <kreutzm@itp.uni-hannover.de>
To: 289560@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Woody still vulnerable (or at least no entry in non-vulns-list)
Date: Thu, 20 Jan 2005 10:24:34 +0100
reopen 289560
thanks

At least woody is not fixed. I just checked, there is also no entry in
http://www.debian.org/security/nonvulns-woody
for this issue. Either one (the first preferably) needs to be handled.

Greetings

          Helge
-- 
Helge Kreutzmann, Dipl.-Phys.               Helge.Kreutzmann@itp.uni-hannover.de
                       gpg signed mail preferred 
    64bit GNU powered                  http://www.itp.uni-hannover.de/~kreutzm
       Help keep free software "libre": http://www.freepatents.org/



Bug reopened, originator not changed. Request was from Helge Kreutzmann <kreutzm@itp.uni-hannover.de> to control@bugs.debian.org. Full text and rfc822 format available.

Tags removed: sid Request was from Frank Lichtenheld <djpig@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Tags removed: sarge Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Norbert Tretkowski <nobse@debian.org>:
Bug#289560; Package vim. Full text and rfc822 format available.

Acknowledgement sent to Norbert Tretkowski <tretkowski@inittab.de>:
Extra info received and forwarded to list. Copy sent to Norbert Tretkowski <nobse@debian.org>. Full text and rfc822 format available.

Message #102 received at 289560@bugs.debian.org (full text, mbox):

From: Norbert Tretkowski <tretkowski@inittab.de>
To: Helge Kreutzmann <kreutzm@itp.uni-hannover.de>, 289560@bugs.debian.org, 291125@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#289560: Woody still vulnerable (or at least no entry in non-vulns-list)
Date: Sun, 20 Feb 2005 18:07:23 +0100
severity 289560 minor
severity 291125 minor
thanks

* Helge Kreutzmann wrote:
> At least woody is not fixed. I just checked, there is also no entry in
> http://www.debian.org/security/nonvulns-woody
> for this issue. Either one (the first preferably) needs to be handled.

No DSA, statement from security team was: "problem is not in active
code".

I'll try to prepare an update and upload it to woody-proposed-updates
so it gets into 3.0r5.

Norbert



Severity set to `minor'. Request was from Norbert Tretkowski <tretkowski@inittab.de> to control@bugs.debian.org. Full text and rfc822 format available.

Severity set to `minor'. Request was from Norbert Tretkowski <tretkowski@inittab.de> to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: woody Request was from "Pierre Habouzit <Debian VIM Maintainers" <pkg-vim-maintainers@lists.alioth.debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Reply sent to Norbert Tretkowski <nobse@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Javier Fernández-Sanguino Peña <jfs@computer.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #113 received at 289560-close@bugs.debian.org (full text, mbox):

From: Norbert Tretkowski <nobse@debian.org>
To: 289560-close@bugs.debian.org
Subject: Bug#289560: fixed in vim 6.1.018-1woody1
Date: Sun, 03 Apr 2005 08:32:09 -0400
Source: vim
Source-Version: 6.1.018-1woody1

We believe that the bug you reported is fixed in the latest version of
vim, which is due to be installed in the Debian FTP archive:

vim-gtk_6.1.018-1woody1_i386.deb
  to pool/main/v/vim/vim-gtk_6.1.018-1woody1_i386.deb
vim-perl_6.1.018-1woody1_i386.deb
  to pool/main/v/vim/vim-perl_6.1.018-1woody1_i386.deb
vim-python_6.1.018-1woody1_i386.deb
  to pool/main/v/vim/vim-python_6.1.018-1woody1_i386.deb
vim-ruby_6.1.018-1woody1_i386.deb
  to pool/main/v/vim/vim-ruby_6.1.018-1woody1_i386.deb
vim-tcl_6.1.018-1woody1_i386.deb
  to pool/main/v/vim/vim-tcl_6.1.018-1woody1_i386.deb
vim_6.1.018-1woody1.diff.gz
  to pool/main/v/vim/vim_6.1.018-1woody1.diff.gz
vim_6.1.018-1woody1.dsc
  to pool/main/v/vim/vim_6.1.018-1woody1.dsc
vim_6.1.018-1woody1_i386.deb
  to pool/main/v/vim/vim_6.1.018-1woody1_i386.deb
vim_6.1.018.orig.tar.gz
  to pool/main/v/vim/vim_6.1.018.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 289560@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Norbert Tretkowski <nobse@debian.org> (supplier of updated vim package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun,  3 Apr 2005 12:35:25 +0200
Source: vim
Binary: vim-python vim-gtk vim-ruby vim vim-tcl vim-perl
Architecture: source i386
Version: 6.1.018-1woody1
Distribution: stable
Urgency: medium
Maintainer: Debian VIM Maintainers <pkg-vim-maintainers@lists.alioth.debian.org>
Changed-By: Norbert Tretkowski <nobse@debian.org>
Description: 
 vim        - Vi IMproved - enhanced vi editor
 vim-gtk    - Vi IMproved - GTK version
 vim-perl   - Vi IMproved, with perl scripting support
 vim-python - Vi IMproved, with python scripting support
 vim-ruby   - Vi IMproved, with ruby scripting support
 vim-tcl    - Vi IMproved, with tcl scripting support
Closes: 286223 289560 291125
Changes: 
 vim (6.1.018-1woody1) stable; urgency=medium
 .
   * CAN-2004-1138: Backported and applied patch 6.3.045 which fixes several
     vulnerabilities related to the use of options in modelines.
     (closes: #286223)
   * CAN-2005-0069: Use mktemp instead of insecure $$ construction to create
     temporary files in vimspell.sh and tcltags. (closes: #289560, #291125)
   * Set maintainer address to project mailinglist on alioth and added myself to
     uploaders.
Files: 
 1cfdd09715be69c8df993ad9e662b92f 804 editors optional vim_6.1.018-1woody1.dsc
 a72ece837a192262ef9daf29566fd6c1 4430373 editors optional vim_6.1.018.orig.tar.gz
 776f9a74f34ba52f9d4040323657d7df 30282 editors optional vim_6.1.018-1woody1.diff.gz
 e7e1230281e4d71f7e6c51011ea6a426 3751082 editors optional vim_6.1.018-1woody1_i386.deb
 fb8c979819a1699b50b12840d2ddb243 552054 editors optional vim-gtk_6.1.018-1woody1_i386.deb
 992e0ee6c3ad8156a35a8767b9fb354e 562010 editors optional vim-perl_6.1.018-1woody1_i386.deb
 f58e67bf101ae8aa3139f30c7948ff56 559472 editors optional vim-python_6.1.018-1woody1_i386.deb
 b45ce4151f0877ad52c7f65dd38d622a 556476 editors optional vim-ruby_6.1.018-1woody1_i386.deb
 5692dbb7cdf79c4e9f346c72d605c76d 559632 editors optional vim-tcl_6.1.018-1woody1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCT99Cr/RnCw96jQERArr/AJ0WFx40y2sGLzF6eSat3Ta/PS5adgCgik7T
MjjF6BRIAGXVK1fxNnCqtPg=
=ZUIQ
-----END PGP SIGNATURE-----
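The changelog entry above contrasts mktemp with the "$$" construction. As an added example (not code from the vim package or the Ubuntu patch), here is the weak pattern beside the hardened one, plus a small grep-based helper that flags script text still building /tmp names from the PID; the sample script text is constructed and only mimics the reported pattern.

```shell
#!/bin/sh
# Added example, not code from the vim package: the two temp-file patterns
# the changelog entry contrasts, plus a small audit helper for the weak one.

# Weak form, as in the old vimspell.sh/tcltags.sh: the name depends only on
# the PID, so it is guessable, and a plain redirect to it follows whatever
# already sits at that path (for instance a symlink left by another user).
weak_tmpfile() {
    printf '%s\n' "/tmp/vimspell.$$"
}

# Hardened form: mktemp(1) picks an unpredictable suffix and creates the file
# itself with O_EXCL and mode 0600, so a pre-existing path cannot be reused.
safe_tmpfile() {
    mktemp "${TMPDIR:-/tmp}/vimspell.XXXXXX"
}

# Audit helper: count lines in a script's text that build a tmp/ path from
# "$$"; a non-zero result flags the script for review. Prints the count.
count_pid_tmpfiles() {
    # grep -c exits 1 on zero matches; still print the "0" in that case
    printf '%s\n' "$1" | grep -Ec 'tmp/[^[:space:]]*\$\$' || true
}

# Constructed sample mimicking the reported pattern (not the real tcltags.sh).
SAMPLE_SCRIPT='#!/bin/sh
tmp=/tmp/tcltags.$$
ctags -f $tmp "$@"
mv $tmp tags'

# Demonstration when run directly.
f=$(safe_tmpfile) && printf 'created %s\n' "$f" && rm -f "$f"
printf 'pid-based temp files in sample: %s\n' "$(count_pid_tmpfiles "$SAMPLE_SCRIPT")"
```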






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 16:20:10 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.