Debian Bug report logs - #438540
libid3-3.8.3c2a: creates insecure temporary files

version graph

Package: libid3-3.8.3c2a; Maintainer for libid3-3.8.3c2a is Stefan Ott <stefan@ott.net>; Source for libid3-3.8.3c2a is src:id3lib3.8.3.

Reported by: Nikolaus Schulz <microschulz@web.de>

Date: Fri, 17 Aug 2007 16:57:01 UTC

Severity: grave

Tags: security

Found in version id3lib3.8.3/3.8.3-6

Fixed in version id3lib3.8.3/3.8.3-7

Done: Robert Woodcock <rcw@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Robert Woodcock <rcw@debian.org>:
Bug#438540; Package libid3-3.8.3c2a. Full text and rfc822 format available.

Acknowledgement sent to Nikolaus Schulz <microschulz@web.de>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Robert Woodcock <rcw@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Nikolaus Schulz <microschulz@web.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libid3-3.8.3c2a: creates insecure temporary files
Date: Fri, 17 Aug 2007 18:51:24 +0200
Package: libid3-3.8.3c2a
Version: 3.8.3-6
Severity: grave
Tags: security
Justification: user security hole

Hi, 

when tagging file $foo, a temporary copy of the file is created, and for some
reason, libid3 doesn't use mkstemp but just creates $foo.XXXXXX literally,
without any checking.  
This would silently truncate and overwrite an existing $foo.XXXXXX. 

,----[ src/tag_file.cpp ]
| 233     String filename = tag.GetFileName();
| 234     String sTmpSuffix = ".XXXXXX";
| 235     if (filename.size() + sTmpSuffix.size() > ID3_PATH_LENGTH)
| 236     {
| 237       // log this
| 238       return 0;
| 239       //ID3_THROW_DESC(ID3E_NoFile, "filename too long");
| 240     }
| 241     char sTempFile[ID3_PATH_LENGTH];
| 242     strcpy(sTempFile, filename.c_str());
| 243     strcat(sTempFile, sTmpSuffix.c_str());
| 244 
| 245 #if ((defined(__GNUC__) && __GNUC__ >= 3  ) || !defined(HAVE_MKSTEMP))
| 246     // This section is for Windows folk && gcc 3.x folk
| 247     fstream tmpOut;
| 248     createFile(sTempFile, tmpOut);
`----

HAND, 
Nikolaus

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-5-k7
Locale: LANG=de_DE@euro, LC_CTYPE=de_DE@euro (charmap=ISO-8859-15)

Versions of packages libid3-3.8.3c2a depends on:
ii  libc6                  2.3.6.ds1-13etch2 GNU C Library: Shared libraries
ii  libgcc1                1:4.1.1-21        GCC support library
ii  libstdc++6             4.1.1-21          The GNU Standard C++ Library v3
ii  zlib1g                 1:1.2.3-13        compression library - runtime

libid3-3.8.3c2a recommends no packages.

-- no debconf information



Reply sent to Robert Woodcock <rcw@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Nikolaus Schulz <microschulz@web.de>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #10 received at 438540-close@bugs.debian.org (full text, mbox):

From: Robert Woodcock <rcw@debian.org>
To: 438540-close@bugs.debian.org
Subject: Bug#438540: fixed in id3lib3.8.3 3.8.3-7
Date: Sat, 18 Aug 2007 23:17:03 +0000
Source: id3lib3.8.3
Source-Version: 3.8.3-7

We believe that the bug you reported is fixed in the latest version of
id3lib3.8.3, which is due to be installed in the Debian FTP archive:

id3lib3.8.3_3.8.3-7.diff.gz
  to pool/main/i/id3lib3.8.3/id3lib3.8.3_3.8.3-7.diff.gz
id3lib3.8.3_3.8.3-7.dsc
  to pool/main/i/id3lib3.8.3/id3lib3.8.3_3.8.3-7.dsc
libid3-3.8.3-dev_3.8.3-7_i386.deb
  to pool/main/i/id3lib3.8.3/libid3-3.8.3-dev_3.8.3-7_i386.deb
libid3-3.8.3c2a_3.8.3-7_i386.deb
  to pool/main/i/id3lib3.8.3/libid3-3.8.3c2a_3.8.3-7_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 438540@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Robert Woodcock <rcw@debian.org> (supplier of updated id3lib3.8.3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 18 Aug 2007 15:52:52 -0700
Source: id3lib3.8.3
Binary: libid3-3.8.3-dev libid3-3.8.3c2a
Architecture: source i386
Version: 3.8.3-7
Distribution: unstable
Urgency: high
Maintainer: Robert Woodcock <rcw@debian.org>
Changed-By: Robert Woodcock <rcw@debian.org>
Description: 
 libid3-3.8.3-dev - ID3 Tag Library: Development Libraries and Header Files.
 libid3-3.8.3c2a - Library for manipulating ID3v1 and ID3v2 tags.
Closes: 438540
Changes: 
 id3lib3.8.3 (3.8.3-7) unstable; urgency=high
 .
   * SECURITY: Change #ifdef logic to select mkstemp() code instead of
     insecure tempfile creation code, and fix mkstemp() code to work with g++
     3.x, closes: #438540
Files: 
 84eebc97a2d04bc41e1320bcae11c86a 642 libs optional id3lib3.8.3_3.8.3-7.dsc
 c13c3a9a179a5c6548475a3f5f748a9a 135421 libs optional id3lib3.8.3_3.8.3-7.diff.gz
 5cf02d4ecd80a3f4414857b4cd1b0e0f 263108 libdevel optional libid3-3.8.3-dev_3.8.3-7_i386.deb
 598bc63b80a935e7f1c94a5cb40a0e32 176814 libs optional libid3-3.8.3c2a_3.8.3-7_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGx3vc9c5o62/wq/IRAusYAKCN2ScPsZNhhntc5RLVAJ1UnqfE0gCeIlhq
SoFByPRyB3Oh/YMgkpZQC1I=
=lQ9K
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Robert Woodcock <rcw@debian.org>:
Bug#438540; Package libid3-3.8.3c2a. Full text and rfc822 format available.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to team@security.debian.org, Robert Woodcock <rcw@debian.org>. Full text and rfc822 format available.

Message #15 received at 438540@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: Nikolaus Schulz <microschulz@web.de>
Cc: Debian Bug Tracking System <438540@bugs.debian.org>
Subject: Re: libid3-3.8.3c2a: creates insecure temporary files
Date: Wed, 22 Aug 2007 22:11:47 +0200
Nikolaus Schulz wrote:
> Package: libid3-3.8.3c2a
> Version: 3.8.3-6
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> Hi, 
> 
> when tagging file $foo, a temporary copy of the file is created, and for some
> reason, libid3 doesn't use mkstemp but just creates $foo.XXXXXX literally,
> without any checking.  
> This would silently truncate and overwrite an existing $foo.XXXXXX. 

Please use CVE-2007-3912 for this.

Robert, please mention this id in the changelog when you upload a
new package (i.e. edit the current changelog entry when you're doing
another upload anyway).

Regards,

	Joey

-- 
Those who don't understand Unix are condemned to reinvent it, poorly.

Please always Cc to me when replying to me on the lists.



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 16 Mar 2009 08:45:07 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 22:18:36 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.