Acknowledgement sent to Javier Fernández-Sanguino Peña <jfs@computer.org>:
New Bug report received and forwarded. Copy sent to Wolfram Quester <wolfi@mittelerde.physik.uni-konstanz.de>.
(full text, mbox, link).
Package: inkscape
Version: 0.41-5
Priority: normal
Tags: patch security
The inkscape ps2epsi extension shell script uses hardcoded tempfile
definitions making it vulnerable to symlink attacks. The attached
patch fixes this issue. For consistency, I've used the code already
used by the dia2svg.sh extension.
Regards
Javier
PS: I'm not sure if using extensions is common to most users of Inkscape.
If it is, please consider raising the priority of this bug.
tags 321501 sarge
Thanks
Hi Javier,
On Fri, Aug 05, 2005 at 11:38:03PM +0200, Javier Fernández-Sanguino Peña wrote:
>
> Package: inkscape
> Version: 0.41-5
> Priority: normal
> Tags: patch security
>
> The inkscape ps2epsi extension shell script uses hardcoded tempfile
> definitions making it vulnerable to symlink attacks. The attached
> patch fixes this issue. For consistency, I've used the code already
> used by the dia2svg.sh extension.
Thanks for pointing this out. This was fixed upstream a while ago and
version 0.42 of inkscape doesn't have this problem. It still applies to
the versions in sarge and testing, though. I'll contact the security
team to ask how to proceed with sarge.
Thanks,
Wolfi
>
> Regards
>
> Javier
>
> PS: I'm not sure if using extensions is common to most users of Inkscape.
> If it is, please consider raising the priority of this bug.
> --- inkscape-0.41/share/extensions/ps2epsi.sh 2005-08-05 23:32:47.000000000 +0200
> +++ inkscape-0.41/share/extensions/ps2epsi.sh.orig 2005-08-05 23:30:55.000000000 +0200
> @@ -1,7 +1,6 @@
> #!/bin/sh
>
> -TMPDIR="${TMPDIR-/tmp}"
> -TEMPFILENAME=`mktemp -t 2>/dev/null || echo "$TMPDIR/tmpdiafile.svg"`
> +TEMPFILENAME=/tmp/tmpepsifile.epsi
>
> ps2epsi "$1" "${TEMPFILENAME}" &> /dev/null
> cat ${TEMPFILENAME}
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#321501; Package inkscape.
(full text, mbox, link).
Acknowledgement sent to Wolfram Quester <wolfi@mittelerde.physik.uni-konstanz.de>:
Extra info received and forwarded to list.
(full text, mbox, link).
Tags added: sarge
Request was from Wolfram Quester <wolfi@mittelerde.physik.uni-konstanz.de>
to control@bugs.debian.org.
(full text, mbox, link).
Information forwarded to debian-bugs-dist@lists.debian.org, Wolfram Quester <wolfi@mittelerde.physik.uni-konstanz.de>: Bug#321501; Package inkscape.
(full text, mbox, link).
Acknowledgement sent to Geoff Crompton <geoff.crompton@strategicdata.com.au>:
Extra info received and forwarded to list. Copy sent to Wolfram Quester <wolfi@mittelerde.physik.uni-konstanz.de>.
(full text, mbox, link).
Hi,
Can you confirm if this bug is the same as at
http://www.securityfocus.com/bid/14522? 14522 talks about a Insecure
Temporary File Creation Vulnerability that was fixed in version 0.42.
Both 14522 and this debian bug were reported by Javier, so I'm guessing
they are the same thing.
Thanks!
--
Geoff Crompton
Debian System Administrator
Strategic Data
+61 3 9340 9000
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#321501; Package inkscape.
(full text, mbox, link).
Acknowledgement sent to Wolfram Quester <wolfi@mittelerde.physik.uni-konstanz.de>:
Extra info received and forwarded to list.
(full text, mbox, link).
On Thu, Aug 18, 2005 at 10:22:26AM +1000, Geoff Crompton wrote:
> Hi,
>
> Can you confirm if this bug is the same as at
> http://www.securityfocus.com/bid/14522? 14522 talks about a Insecure
> Temporary File Creation Vulnerability that was fixed in version 0.42.
> Both 14522 and this debian bug were reported by Javier, so I'm guessing
> they are the same thing.
>
Yes, I had a quick check that this is the only occurence in 0.41. There
were more tempfile handlings like this, but they were all fixed during
the release cycle for 0.42.
With best regards,
Wolfi
> Thanks!
>
> --
> Geoff Crompton
> Debian System Administrator
> Strategic Data
> +61 3 9340 9000
Tags added: pending
Request was from Wolfram Quester <wolfi@mittelerde.physik.uni-konstanz.de>
to control@bugs.debian.org.
(full text, mbox, link).
Bug closed, send any further explanations to Javier Fernández-Sanguino Peña <jfs@computer.org>
Request was from Wolfram Quester <wolfi@mittelerde.physik.uni-konstanz.de>
to control@bugs.debian.org.
(full text, mbox, link).
Message sent on to Javier Fernández-Sanguino Peña <jfs@computer.org>:
Bug#321501.
(full text, mbox, link).
Debbugs is free software and licensed under the terms of the GNU General
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.