Debian Bug report logs - #321501
inkscape: Unsafe temporary file handling in ps2epsi extension

version graph

Package: inkscape; Maintainer for inkscape is Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>; Source for inkscape is src:inkscape (PTS, buildd, popcon).

Reported by: Javier Fernández-Sanguino Peña <jfs@computer.org>

Date: Fri, 5 Aug 2005 21:48:02 UTC

Severity: normal

Tags: patch, sarge, security

Found in version inkscape/0.41-5

Done: Wolfram Quester <wolfi@mittelerde.physik.uni-konstanz.de>

Bug is archived. No further changes may be made.

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Wolfram Quester <wolfi@mittelerde.physik.uni-konstanz.de>:
Bug#321501; Package inkscape. (full text, mbox, link).


Acknowledgement sent to Javier Fernández-Sanguino Peña <jfs@computer.org>:
New Bug report received and forwarded. Copy sent to Wolfram Quester <wolfi@mittelerde.physik.uni-konstanz.de>. (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Javier Fernández-Sanguino Peña <jfs@computer.org>
To: submit@bugs.debian.org
Subject: inkscape: Unsafe temporary file handling in ps2epsi extension
Date: Fri, 5 Aug 2005 23:38:03 +0200
[Message part 1 (text/plain, inline)]
Package: inkscape
Version: 0.41-5
Priority: normal
Tags: patch security

The inkscape ps2epsi extension shell script uses hardcoded tempfile
definitions making it vulnerable to symlink attacks. The attached
patch fixes this issue. For consistency, I've used the code already
used by the dia2svg.sh extension.

Regards

Javier

PS: I'm not sure if using extensions is common to most users of Inkscape.
If it is, please consider raising the priority of this bug.
[inkscape_ps2epsi.diff (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#321501; Package inkscape. (full text, mbox, link).


Acknowledgement sent to Wolfram Quester <wolfi@mittelerde.physik.uni-konstanz.de>:
Extra info received and forwarded to list. (full text, mbox, link).


Message #10 received at submit@bugs.debian.org (full text, mbox, reply):

From: Wolfram Quester <wolfi@mittelerde.physik.uni-konstanz.de>
To: Javier Fernández-Sanguino Peña <jfs@computer.org>, 321501@bugs.debian.org, control@bugs.debian.org
Cc: submit@bugs.debian.org
Subject: Re: Bug#321501: inkscape: Unsafe temporary file handling in ps2epsi extension
Date: Mon, 15 Aug 2005 12:30:50 +0200
[Message part 1 (text/plain, inline)]
tags 321501 sarge
Thanks

Hi Javier,

On Fri, Aug 05, 2005 at 11:38:03PM +0200, Javier Fernández-Sanguino Peña wrote:
> 
> Package: inkscape
> Version: 0.41-5
> Priority: normal
> Tags: patch security
> 
> The inkscape ps2epsi extension shell script uses hardcoded tempfile
> definitions making it vulnerable to symlink attacks. The attached
> patch fixes this issue. For consistency, I've used the code already
> used by the dia2svg.sh extension.

Thanks for pointing this out. This was fixed upstream a while ago and
version 0.42 of inkscape doesn't have this problem. It still applies to
the versions in sarge and testing, though. I'll contact the security
team to ask how to proceed with sarge.

Thanks,

Wolfi
> 
> Regards
> 
> Javier
> 
> PS: I'm not sure if using extensions is common to most users of Inkscape.
> If it is, please consider raising the priority of this bug.

> --- inkscape-0.41/share/extensions/ps2epsi.sh	2005-08-05 23:32:47.000000000 +0200
> +++ inkscape-0.41/share/extensions/ps2epsi.sh.orig	2005-08-05 23:30:55.000000000 +0200
> @@ -1,7 +1,6 @@
>  #!/bin/sh
>  
> -TMPDIR="${TMPDIR-/tmp}"
> -TEMPFILENAME=`mktemp -t 2>/dev/null || echo "$TMPDIR/tmpdiafile.svg"`
> +TEMPFILENAME=/tmp/tmpepsifile.epsi
>  
>  ps2epsi "$1" "${TEMPFILENAME}" &> /dev/null
>  cat ${TEMPFILENAME}



[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#321501; Package inkscape. (full text, mbox, link).


Acknowledgement sent to Wolfram Quester <wolfi@mittelerde.physik.uni-konstanz.de>:
Extra info received and forwarded to list. (full text, mbox, link).


Tags added: sarge Request was from Wolfram Quester <wolfi@mittelerde.physik.uni-konstanz.de> to control@bugs.debian.org. (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Wolfram Quester <wolfi@mittelerde.physik.uni-konstanz.de>:
Bug#321501; Package inkscape. (full text, mbox, link).


Acknowledgement sent to Geoff Crompton <geoff.crompton@strategicdata.com.au>:
Extra info received and forwarded to list. Copy sent to Wolfram Quester <wolfi@mittelerde.physik.uni-konstanz.de>. (full text, mbox, link).


Message #22 received at 321501@bugs.debian.org (full text, mbox, reply):

From: Geoff Crompton <geoff.crompton@strategicdata.com.au>
To: 321501@bugs.debian.org
Subject: is this bid 14522
Date: Thu, 18 Aug 2005 10:22:26 +1000
Hi,

Can you confirm if this bug is the same as at
http://www.securityfocus.com/bid/14522? 14522 talks about a Insecure
Temporary File Creation Vulnerability that was fixed in version 0.42.
Both 14522 and this debian bug were reported by Javier, so I'm guessing
they are the same thing.

Thanks!

--
Geoff Crompton
Debian System Administrator
Strategic Data
+61 3 9340 9000



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#321501; Package inkscape. (full text, mbox, link).


Acknowledgement sent to Wolfram Quester <wolfi@mittelerde.physik.uni-konstanz.de>:
Extra info received and forwarded to list. (full text, mbox, link).


Message #27 received at 321501@bugs.debian.org (full text, mbox, reply):

From: Wolfram Quester <wolfi@mittelerde.physik.uni-konstanz.de>
To: Geoff Crompton <geoff.crompton@strategicdata.com.au>, 321501@bugs.debian.org
Subject: Re: Bug#321501: is this bid 14522
Date: Thu, 18 Aug 2005 10:59:26 +0200
[Message part 1 (text/plain, inline)]
On Thu, Aug 18, 2005 at 10:22:26AM +1000, Geoff Crompton wrote:
> Hi,
> 
> Can you confirm if this bug is the same as at
> http://www.securityfocus.com/bid/14522? 14522 talks about a Insecure
> Temporary File Creation Vulnerability that was fixed in version 0.42.
> Both 14522 and this debian bug were reported by Javier, so I'm guessing
> they are the same thing.
> 
Yes, I had a quick check that this is the only occurence in 0.41. There
were more tempfile handlings like this, but they were all fixed during
the release cycle for 0.42.

With best regards,

Wolfi

> Thanks!
> 
> --
> Geoff Crompton
> Debian System Administrator
> Strategic Data
> +61 3 9340 9000
[signature.asc (application/pgp-signature, inline)]

Tags added: pending Request was from Wolfram Quester <wolfi@mittelerde.physik.uni-konstanz.de> to control@bugs.debian.org. (full text, mbox, link).


Bug closed, send any further explanations to Javier Fernández-Sanguino Peña <jfs@computer.org> Request was from Wolfram Quester <wolfi@mittelerde.physik.uni-konstanz.de> to control@bugs.debian.org. (full text, mbox, link).


Message sent on to Javier Fernández-Sanguino Peña <jfs@computer.org>:
Bug#321501. (full text, mbox, link).


Message #34 received at 321501-submitter@bugs.debian.org (full text, mbox, reply):

From: Wolfram Quester <wolfi@mittelerde.physik.uni-konstanz.de>
To: 321501-submitter@bugs.debian.org
Subject: Closing 321501
Date: Sat, 7 Jan 2006 16:16:19 +0100
[Message part 1 (text/plain, inline)]
Hi,

I close this bug since it was fixed in the recent update to sarge, so all versions in debian
are clean now.

Happy new year,

Wolfi
[signature.asc (application/pgp-signature, inline)]

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 16 Jun 2007 21:34:56 GMT) (full text, mbox, link).


Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 21:52:06 2025; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU General Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.