Debian Bug report logs - #361370
fbgs: uses insecure tempfiles


Package: fbi; Maintainer for fbi is Moritz Muehlenhoff <jmm@debian.org>; Source for fbi is src:fbi.

Reported by: Jan Braun <janbraun@gmx.net>

Date: Sat, 8 Apr 2006 10:03:07 UTC

Severity: important

Tags: patch, security

Found in version fbi/2.01-1.4

Fixed in version fbi/2.05-1

Done: Moritz Muehlenhoff <jmm@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Gerd Knorr <kraxel@debian.org>:
Bug#361370; Package fbi.

Acknowledgement sent to Jan Braun <janbraun@gmx.net>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Gerd Knorr <kraxel@debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Jan Braun <janbraun@gmx.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: fbgs: uses insecure tempfiles
Date: Sat, 08 Apr 2006 11:58:05 +0200
Package: fbi
Version: 2.01-1.4
Severity: important
Tags: security patch

Hi,
the fbgs script uses an unsafe way to create its tempdir:
mkdir -p /var/tmp/fbps-$$
and proceeds to write to fixed filenames in this folder.
This can be raced to overwrite arbitrary files of the user running fbgs.
A patch is attached.
regards,
    Jan

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (990, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/dash
Kernel: Linux 2.6.15-1-k7
Locale: LANG=C, LC_CTYPE=de_DE (charmap=ISO-8859-1)

Versions of packages fbi depends on:
ii  libc6                         2.3.6-3    GNU C Library: Shared libraries an
ii  libcurl3                      7.15.3-1   Multi-protocol file transfer libra
ii  libexif12                     0.6.13-4   library to parse EXIF files
ii  libfontconfig1                2.3.2-1.1  generic font configuration library
ii  libfreetype6                  2.1.10-1   FreeType 2 font engine, shared lib
ii  libjpeg62                     6b-12      The Independent JPEG Group's JPEG 
ii  libpcd2                       1.0.1      A library for reading PhotoCD imag
ii  libpng12-0                    1.2.8rel-5 PNG library - runtime
ii  libtiff4                      3.8.0-3    Tag Image File Format (TIFF) libra
ii  libungif4g                    4.1.4-2    shared library for GIF images (run
ii  zlib1g                        1:1.2.3-11 compression library - runtime

fbi recommends no packages.

-- no debconf information
[fbgs.mktemp.patch (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Gerd Knorr <kraxel@debian.org>:
Bug#361370; Package fbi.

Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Gerd Knorr <kraxel@debian.org>.

Message #10 received at 361370@bugs.debian.org:

From: Florian Weimer <fw@deneb.enyo.de>
To: Jan Braun <janbraun@gmx.net>
Cc: 361370@bugs.debian.org
Subject: Re: Bug#361370: fbgs: uses insecure tempfiles
Date: Sun, 09 Apr 2006 10:07:29 +0200
* Jan Braun:

>  # tmp dir
> -DIR="${TMPDIR-/var/tmp}/fbps-$$"
> -mkdir -p $DIR	|| exit 1
> +DIR=`mktemp -dtp /var/tmp fbgs-XXXXXX`
> +[ -d $DIR ]  || exit 1
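Review bot: the replacement check `[ -d $DIR ] || exit 1` does not catch a failed mktemp. When mktemp fails it prints nothing, `$DIR` is empty, and the unquoted expansion collapses to `[ -d ]`, a one-argument test that is true for any non-empty string, so the script carries on with DIR empty and writes its fixed filenames into the current working directory (the situation Jan later describes in message #25). Take mktemp's exit status directly and quote the variable, e.g. `DIR=$(mktemp -d -p "${TMPDIR:-/var/tmp}" fbgs-XXXXXX) || exit 1`, and quote `"$DIR"` in the `-d` test and at every later use.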

I think you should use /tmp.  /var/tmp is not cleared on reboot.



Information forwarded to debian-bugs-dist@lists.debian.org, Gerd Knorr <kraxel@debian.org>:
Bug#361370; Package fbi.

Acknowledgement sent to Jan Braun <janbraun@gmx.de>:
Extra info received and forwarded to list. Copy sent to Gerd Knorr <kraxel@debian.org>.

Message #15 received at 361370@bugs.debian.org:

From: Jan Braun <janbraun@gmx.de>
To: Florian Weimer <fw@deneb.enyo.de>
Cc: 361370@bugs.debian.org
Subject: Re: Bug#361370: fbgs: uses insecure tempfiles
Date: Sun, 09 Apr 2006 21:28:11 +0200
Florian Weimer wrote:
> * Jan Braun:
> 
> >  # tmp dir
> > -DIR="${TMPDIR-/var/tmp}/fbps-$$"
> > -mkdir -p $DIR	|| exit 1
> > +DIR=`mktemp -dtp /var/tmp fbgs-XXXXXX`
> > +[ -d $DIR ]  || exit 1
> 
> I think you should use /tmp.  /var/tmp is not cleared on reboot.

You are right. I just kept the original location without thinking about
it.

    Jan





Information forwarded to debian-bugs-dist@lists.debian.org, Gerd Knorr <kraxel@debian.org>:
Bug#361370; Package fbi.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Gerd Knorr <kraxel@debian.org>.

Message #20 received at 361370@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Jan Braun <janbraun@gmx.net>, 361370@bugs.debian.org
Subject: Re: Bug#361370: fbgs: uses insecure tempfiles
Date: Mon, 15 May 2006 04:42:04 +0200
Jan Braun wrote:
> Package: fbi
> Version: 2.01-1.4
> Severity: important
> Tags: security patch

Sorry for the late reply, an update is in preparation.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Gerd Knorr <kraxel@debian.org>:
Bug#361370; Package fbi.

Acknowledgement sent to Jan Braun <janbraun@gmx.net>:
Extra info received and forwarded to list. Copy sent to Gerd Knorr <kraxel@debian.org>.

Message #25 received at 361370@bugs.debian.org:

From: Jan Braun <janbraun@gmx.net>
To: 361370@bugs.debian.org
Subject: Re: Bug#361370: fbgs: uses insecure tempfiles
Date: Mon, 19 Jun 2006 01:46:56 +0200
Hi again,
I'm sorry, my previous patch didn't check mktemp's return value, and if
mktemp fails, DIR is empty and [ -d $DIR ] succeeds (for whatever
reason). So this is still exploitable if fbgs is executed in a dir the
attacker has write access to.

Attached a new version which might be correct. :/

    Jan
[fbgs.mktemp.patch (text/plain, attachment)]
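Both failure modes discussed in this report, the predictable `fbps-$$` directory with fixed filenames from the original script (message #5) and the `[ -d $DIR ]` check that passes when mktemp fails and DIR is empty (message #25), reproduced side by side with a hardened replacement. This is an added shell example, not the fbgs script and not either of Jan Braun's patches or the 2.05 fix. Everything it writes lives under a scratch directory it creates itself; the `vartmp` stand-in for /var/tmp, the `victim.txt` file and the `fbgs.ps` output name are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from fbgs or from the patches in this bug.
# Everything happens under a scratch directory so the real /var/tmp is never
# touched; "vartmp" stands in for /var/tmp and "victim.txt" for a file owned
# by the user who runs the viewer (both constructed for the demo).

SANDBOX=$(mktemp -d "${TMPDIR:-/tmp}/fbgs-demo-XXXXXX") || exit 1
trap 'rm -rf "$SANDBOX"' EXIT

# 1. The original fbgs pattern: a directory named from $$ plus fixed filenames.
#    An attacker who can guess the PID pre-creates the directory and plants a
#    symlink at the fixed name; mkdir -p then succeeds on the already existing
#    directory and the write follows the link. Returns 0 if victim.txt ended
#    up overwritten, 1 if it survived.
vulnerable_pattern() {
    base=$(mktemp -d "$SANDBOX/vartmp-XXXXXX") || return 2
    victim="$base/victim.txt"
    printf 'original contents\n' > "$victim"

    # attacker's move: PIDs are small and sequential, so fbps-$$ is guessable
    mkdir -p "$base/fbps-$$"
    ln -s "$victim" "$base/fbps-$$/fbgs.ps"

    # the viewer's move, as in the report: mkdir -p, then write to a fixed name
    DIR="$base/fbps-$$"
    mkdir -p "$DIR" || return 2
    printf 'PostScript output\n' > "$DIR/fbgs.ps"

    grep -q 'PostScript output' "$victim"
}

# 2. Message #25's pitfall: if mktemp fails it prints nothing, DIR is empty,
#    and the unquoted [ -d $DIR ] becomes [ -d ], a one-argument test that is
#    true for any non-empty string. Returns that test's status, which is 0.
empty_dir_check_passes() {
    DIR=""
    [ -d $DIR ]
}

# 3. Hardened form: let mktemp choose an unpredictable name, take its exit
#    status directly, and quote every expansion. Takes the parent directory
#    as $1 and prints the new directory on success.
safe_tmpdir() {
    dir=$(mktemp -d "$1/fbgs-XXXXXX") || return 1
    [ -d "$dir" ] || return 1
    printf '%s\n' "$dir"
}

if vulnerable_pattern; then
    echo "1. predictable tempdir: victim.txt was overwritten through the symlink"
fi
if empty_dir_check_passes; then
    echo "2. [ -d \$DIR ] with DIR empty: the check passed, so the script would go on"
fi
d=$(safe_tmpdir "$SANDBOX") && echo "3. mktemp -d with a checked exit status: $d"
```

Run it as an ordinary user; nothing is written outside the directory it creates. The first function has attacker and viewer running as the same user only because it simulates the race locally; on a shared /var/tmp the pre-created `fbps-$$` directory would belong to the attacker, which is exactly why `mkdir -p` quietly succeeding on an existing directory is the problem. Note that the kernel's fs.protected_symlinks does not help with this particular shape: the planted link sits inside the attacker's own non-sticky `fbps-$$` directory, not directly in the sticky /var/tmp.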

Reply sent to Moritz Muehlenhoff <jmm@debian.org>:
You have taken responsibility.

Notification sent to Jan Braun <janbraun@gmx.net>:
Bug acknowledged by developer.

Message #30 received at 361370-close@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: 361370-close@bugs.debian.org
Subject: Bug#361370: fixed in fbi 2.05-1
Date: Sun, 06 Aug 2006 10:02:11 -0700
Source: fbi
Source-Version: 2.05-1

We believe that the bug you reported is fixed in the latest version of
fbi, which is due to be installed in the Debian FTP archive:

exiftran_2.05-1_i386.deb
  to pool/main/f/fbi/exiftran_2.05-1_i386.deb
fbi_2.05-1.dsc
  to pool/main/f/fbi/fbi_2.05-1.dsc
fbi_2.05-1.tar.gz
  to pool/main/f/fbi/fbi_2.05-1.tar.gz
fbi_2.05-1_i386.deb
  to pool/main/f/fbi/fbi_2.05-1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 361370@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Moritz Muehlenhoff <jmm@debian.org> (supplier of updated fbi package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 23 Jul 2006 14:31:21 +0200
Source: fbi
Binary: fbi exiftran
Architecture: source i386
Version: 2.05-1
Distribution: unstable
Urgency: low
Maintainer: Moritz Muehlenhoff <jmm@debian.org>
Changed-By: Moritz Muehlenhoff <jmm@debian.org>
Description: 
 exiftran   - transform digital camera jpeg images
 fbi        - Linux frame buffer image viewer
Closes: 262805 266811 279566 282890 311226 320057 320058 322236 346726 356897 361370 361383 361388 367344 369049 379047 379250
Changes: 
 fbi (2.05-1) unstable; urgency=low
 .
   * New maintainer, thanks Gerd. (Closes: #379250)
   * New upstream release 2.05. (Closes: #367344)
     - Includes fix for insecure temp file usage in fbgs
       [CVE-2006-1695, DSA-1068] (Closes: #361370)
     - Includes fix for correct Postscript sanitising
       [CVE-2006-3119, DSA-1124]
     - Includes spelling fixes by A. Costa (Closes: #311226)
     - Includes support for color display in fbgs with the new
       -c option, based on patch by Jan Braun (Closes: #279566)
     - Fix pointer arithmetic (Closes: #369049)
     - Document zooming with "s" and fix rounding of zoom factor,
       patch by Jan Braun (Closes: #361383)
     - fbi now maintains zoom levels between multiple images
       (Closes: #361388)
   * Acknowledge NMUs. (Closes: #262805, #282890, #346726, #322236)
   * Add dependency on gs-gpl for fbgs. (Closes: #356897)
   * Correct build dependency on libcurl. (Closes: #320057, #320058)
   * Gerd has changed his name with his marriage, update copyright
     file.
   * Update upstream download location (Closes: #379047)
   * Bump debhelper level to 5
   * Mention fbgs in package description (Closes: #266811)
Files: 
 9bdc4883a5bb765972bbb0b171bb01cb 723 graphics optional fbi_2.05-1.dsc
 30b44920c314d3498b20199fbe057bac 212377 graphics optional fbi_2.05-1.tar.gz
 d0eda4b22ab8b5b71e50184a9e238566 54106 graphics optional fbi_2.05-1_i386.deb
 f68e65aad16d5b3323cf0da984e4be75 24414 graphics optional exiftran_2.05-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFE1hzmXm3vHE4uyloRAssMAKCfDPlUatUWk2e+UZmjxmureUrEdACg6uqG
vQwYOtZwPNj6u6BCWEDfe8M=
=doZO
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 10:24:26 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 22:24:32 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.