Debian Bug report logs - #448319
CVE-2007-5718 insecure temporary file handling


Package: vobcopy; Maintainer for vobcopy is Stephen Birch <sgbirch@imsmail.org>; Source for vobcopy is src:vobcopy.

Reported by: Joey Hess <joeyh@debian.org>

Date: Sun, 28 Oct 2007 02:33:02 UTC

Severity: important

Tags: security

Found in version vobcopy/0.5.14-2

Fixed in version vobcopy/1.0.2-1

Done: Stephen Birch <sgbirch@imsmail.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Stephen Birch <sgbirch@imsmail.org>:
Bug#448319; Package vobcopy. Full text and rfc822 format available.

Acknowledgement sent to Joey Hess <joeyh@debian.org>:
New Bug report received and forwarded. Copy sent to Stephen Birch <sgbirch@imsmail.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Joey Hess <joeyh@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: opens /tmp/vobcopy.bla insecurely, symlink attack
Date: Sat, 27 Oct 2007 22:25:27 -0400
[Message part 1 (text/plain, inline)]
Package: vobcopy
Version: 0.5.14-2
Severity: important
Tags: security

vobcopy -q opens /tmp/vobcopy.bla insecurely:

open("/tmp/vobcopy.bla", O_WRONLY|O_CREAT|O_APPEND|O_LARGEFILE, 0666) = 2

Similarly, vobcopy -v -v opens /tmp/vobcopy_0.5.14.log insecurely:

open("/tmp/vobcopy_0.5.14.log", O_WRONLY|O_CREAT|O_APPEND|O_LARGEFILE, 0666) = 2

Since there's no O_EXCL /tmp/vobcopy.bla can already exist as a symlink
and will be followed, appending to an arbitrary file. Thankfully it is
an append, so there's no direct data loss. The log files also tend to be
empty so the best attack I can think of ATM is that if vobcopy is run as
root, it can be used to create /etc/nologin.

The fix is simply to open the file with O_EXCL, or better, to use
a standard, safe temp file function. (Which would have the benefit of
also making it respect the TMPDIR environment variable.)

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.22-2-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages vobcopy depends on:
ii  libc6                         2.6.1-6    GNU C Library: Shared libraries
ii  libdvdread3                   0.9.7-3    library for reading DVDs

vobcopy recommends no packages.

-- no debconf information

-- 
see shy jo
[signature.asc (application/pgp-signature, inline)]

Changed Bug title to `CVE-2007-5718 insecure temporary file handling' from `opens /tmp/vobcopy.bla insecurely, symlink attack'. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Wed, 31 Oct 2007 17:27:07 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Stephen Birch <sgbirch@imsmail.org>:
Bug#448319; Package vobcopy. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Stephen Birch <sgbirch@imsmail.org>. Full text and rfc822 format available.

Message #12 received at 448319@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 448319@bugs.debian.org
Subject: Re: opens /tmp/vobcopy.bla insecurely, symlink attack
Date: Wed, 31 Oct 2007 18:27:13 +0100
[Message part 1 (text/plain, inline)]
Hi,
CVE-2007-5718 has been assigned to this bug.
Please include the CVE id in your changelog.
Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Stephen Birch <sgbirch@imsmail.org>:
Bug#448319; Package vobcopy. Full text and rfc822 format available.

Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Extra info received and forwarded to list. Copy sent to Stephen Birch <sgbirch@imsmail.org>. Full text and rfc822 format available.

Message #17 received at 448319@bugs.debian.org (full text, mbox):

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: 448319@bugs.debian.org, Joey Hess <joeyh@debian.org>
Subject: vobcopy: CVE-2007-5718 insecure temporary file handling
Date: Fri, 7 Dec 2007 19:15:34 +0100
[Message part 1 (text/plain, inline)]
Hi

Any update on this?

Cheers
Steffen
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Stephen Birch <sgbirch@imsmail.org>:
Bug#448319; Package vobcopy. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <debian-security+ml@ngolde.de>:
Extra info received and forwarded to list. Copy sent to Stephen Birch <sgbirch@imsmail.org>. Full text and rfc822 format available.

Message #22 received at 448319@bugs.debian.org (full text, mbox):

From: Nico Golde <debian-security+ml@ngolde.de>
To: debian-bugs-dist@lists.debian.org
Subject: Re: Bug#448319: vobcopy: CVE-2007-5718 insecure temporary file handling
Date: Fri, 7 Dec 2007 19:35:34 +0100
[Message part 1 (text/plain, inline)]
Hi Steffen,
* Steffen Joeris <steffen.joeris@skolelinux.de> [2007-12-07 19:29]:
> Any update on this?

Nope. I had not yet the time to look into a prospective 
patch. A quick look at the source revealed that the code is 
pretty bad and it would be some work to integrate this in a 
clean way. I contacted the upstream author a while ago and 
it seemed like he fails to see that this is a security bug, 
so I guess we have to really write a patch on our own.
Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Stephen Birch <sgbirch@imsmail.org>:
Bug#448319; Package vobcopy. Full text and rfc822 format available.

Acknowledgement sent to Robos <robos@muon.de>:
Extra info received and forwarded to list. Copy sent to Stephen Birch <sgbirch@imsmail.org>. Full text and rfc822 format available.

Message #27 received at 448319@bugs.debian.org (full text, mbox):

From: Robos <robos@muon.de>
To: Steffen Joeris <steffen.joeris@skolelinux.de>, 448319@bugs.debian.org
Subject: Re: Bug#448319: vobcopy: CVE-2007-5718 insecure temporary file handling
Date: Sat, 8 Dec 2007 23:02:24 +0100
On Fri, 07.12.07, Steffen Joeris <steffen.joeris@skolelinux.de> wrote:
> Hi

Hi

> Any update on this?

I'm working on it. Time is short though so it might take another week.
I think about moving the place of the logfiles to the home of the calling user,
are there any objections against this?
Cheers
Robos

> Cheers
> Steffen



-- 
Robos - 
gpg --recv-keys --keyserver blackhole.pca.dfn.de 6EEADA09





Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#448319; Package vobcopy. Full text and rfc822 format available.

Acknowledgement sent to Stephen Birch <sgbirch@imsmail.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #32 received at 448319@bugs.debian.org (full text, mbox):

From: Stephen Birch <sgbirch@imsmail.org>
To: Robos <robos@muon.de>, 448319@bugs.debian.org
Subject: Re: Bug#448319: vobcopy: CVE-2007-5718 insecure temporary file handling
Date: Sun, 9 Dec 2007 11:40:09 -0800
Robos(robos@muon.de)@2007-12-08 23:02:
> I'm working on it. Time is short though so it might take another week.

Maybe I should upload 1.0.2, at least to get it into the debian system.
I want to get the bugs closed in their system!

> I think about moving the place of the logfiles to the home of the calling user,
> are there any objections against this?

Can't the log files just be placed in the current working directory?
Either way, it sounds good.

Steve





Information forwarded to debian-bugs-dist@lists.debian.org, Stephen Birch <sgbirch@imsmail.org>:
Bug#448319; Package vobcopy. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nico@ngolde.de>:
Extra info received and forwarded to list. Copy sent to Stephen Birch <sgbirch@imsmail.org>. Full text and rfc822 format available.

Message #37 received at 448319@bugs.debian.org (full text, mbox):

From: Nico Golde <nico@ngolde.de>
To: 448319@bugs.debian.org
Subject: Re: Bug#448319: vobcopy: CVE-2007-5718 insecure temporary file handling
Date: Sun, 9 Dec 2007 21:18:49 +0100
[Message part 1 (text/plain, inline)]
Hi Stephen,
* Stephen Birch <sgbirch@imsmail.org> [2007-12-09 21:13]:
> Robos(robos@muon.de)@2007-12-08 23:02:
[...] 
> > I think about moving the place of the logfiles to the home of the calling user,
> > are there any objections against this?
> 
> Can't the log files just be placed in the current working directory?
> Either way, it sounds good.

That would be the same problem if you call vobcopy in a 
world-writable directory. Checking if the file already 
exists and creating a unique name using mkstemp or opening the 
file with O_EXCL should be enough. Of course it's also an 
option to place them in the user's home directory.
Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]
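
The open() flags from Joey Hess's report, next to the two fixes named in that report and in Nico Golde's reply above (O_EXCL and mkstemp), as an added C example; it is not vobcopy's code or the patch that was uploaded. The function names, the scratch directory and the "victim" file are constructed for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Flags from the strace in the report: without O_EXCL an existing symlink
 * at `path` is followed and its target is created or appended to. */
int open_log_unsafe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_APPEND, 0666);
}

/* O_CREAT|O_EXCL fails with EEXIST if anything, even a dangling symlink,
 * already exists at `path`; the link is never followed. */
int open_log_excl(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_APPEND, 0600);
}

/* mkstemp() picks a unique name and creates it exclusively with mode 0600.
 * Building the template from TMPDIR makes the log location configurable. */
int open_log_mkstemp(char *path_out, size_t len) {
    const char *dir = getenv("TMPDIR");
    if (dir == NULL || *dir == '\0') dir = "/tmp";
    int n = snprintf(path_out, len, "%s/vobcopy.XXXXXX", dir);
    if (n < 0 || (size_t)n >= len) { errno = ENAMETOOLONG; return -1; }
    return mkstemp(path_out);
}

enum { UNSAFE_CREATED_TARGET = 1, EXCL_REFUSED = 2, MKSTEMP_PRIVATE = 4 };

/* Constructed scenario inside a private scratch directory: "vobcopy.bla"
 * is a pre-planted symlink to "victim", which does not exist yet. */
int run_demo(void) {
    char dir[] = "/tmp/symlink-demo.XXXXXX";
    char link_path[64], target[64], tmp[64];
    struct stat st;
    int fd, result = 0;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(link_path, sizeof link_path, "%s/vobcopy.bla", dir);
    snprintf(target, sizeof target, "%s/victim", dir);
    if (symlink(target, link_path) != 0) return -1;

    fd = open_log_excl(link_path);           /* hardened open goes first */
    if (fd == -1 && errno == EEXIST && lstat(target, &st) == -1)
        result |= EXCL_REFUSED;              /* refused, target untouched */
    if (fd != -1) close(fd);
    fd = open_log_unsafe(link_path);         /* follows the link */
    if (fd != -1 && stat(target, &st) == 0) result |= UNSAFE_CREATED_TARGET;
    if (fd != -1) close(fd);
    setenv("TMPDIR", dir, 1);
    fd = open_log_mkstemp(tmp, sizeof tmp);
    if (fd != -1 && fstat(fd, &st) == 0 && S_ISREG(st.st_mode) &&
        (st.st_mode & 0777) == 0600) result |= MKSTEMP_PRIVATE;
    if (fd != -1) { close(fd); unlink(tmp); }
    unlink(target); unlink(link_path); rmdir(dir);
    return result;
}

int main(void) { printf("result flags: %d\n", run_demo()); return 0; }
```

With O_EXCL the caller has to handle EEXIST itself (pick another name or abort); mkstemp does the retry internally, which is why it is the simpler fix for a log file whose exact name does not matter.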

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#448319; Package vobcopy. Full text and rfc822 format available.

Acknowledgement sent to Stephen Birch <sgbirch@imsmail.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #42 received at 448319@bugs.debian.org (full text, mbox):

From: Stephen Birch <sgbirch@imsmail.org>
To: Nico Golde <nico@ngolde.de>, 448319@bugs.debian.org, robos@muon.de
Subject: Re: Bug#448319: vobcopy: CVE-2007-5718 insecure temporary file handling
Date: Sun, 9 Dec 2007 12:41:54 -0800
Nico Golde(nico@ngolde.de)@2007-12-09 21:18:
> > Can't the log files just be placed in the current working directory?
> > Either way, it sounds good.
> 
> That would be the same problem if you call vobcopy in a 
> world-writable directory. Checking if the file already 
> exists and creating a unique name using mkstemp or opening the 
> file with O_EXCL should be enough. Of course it's also an 
> option to place them in the user's home directory.
> Kind regards

Point taken.  Let me ask this, is there any real value in either -q or
-v -v opening a log file at all?  Does it serve any useful purpose
since it is so easy to redirect stderr from the command line.

Perhaps the simple solution is just to remove these features from
vobcopy?

Robos ... what do you think?

Steve





Information forwarded to debian-bugs-dist@lists.debian.org, Stephen Birch <sgbirch@imsmail.org>:
Bug#448319; Package vobcopy. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Stephen Birch <sgbirch@imsmail.org>. Full text and rfc822 format available.

Message #47 received at 448319@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: Stephen Birch <sgbirch@imsmail.org>, 448319@bugs.debian.org
Subject: Re: Bug#448319: vobcopy: CVE-2007-5718 insecure temporary file handling
Date: Mon, 10 Dec 2007 00:03:51 +0100
[Message part 1 (text/plain, inline)]
Hi Stephen,
* Stephen Birch <sgbirch@imsmail.org> [2007-12-09 22:09]:
> Nico Golde(nico@ngolde.de)@2007-12-09 21:18:
> > > Can't the log files just be placed in the current working directory?
> > > Either way, it sounds good.
[...] 
> 
> Point taken.  Let me ask this, is there any real value in either -q or
> -v -v opening a log file at all?  Does it serve any useful purpose
> since it is so easy to redirect stderr from the command line.
> 
> Perhaps the simple solution is just to remove these features from
> vobcopy?

This does not seem like an option to me too because vobcopy 
is using stderr and stdout, I doubt the average user can 
redirect those streams in the shell.
Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#448319; Package vobcopy. Full text and rfc822 format available.

Acknowledgement sent to Stephen Birch <sgbirch@imsmail.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #52 received at 448319@bugs.debian.org (full text, mbox):

From: Stephen Birch <sgbirch@imsmail.org>
To: Nico Golde <nion@debian.org>, 448319@bugs.debian.org
Subject: Re: Bug#448319: vobcopy: CVE-2007-5718 insecure temporary file handling
Date: Sun, 9 Dec 2007 15:59:15 -0800
Nico Golde(nion@debian.org)@2007-12-10 00:03:
> This does not seem like an option to me too because vobcopy 
> is using stderr and stdout, I doubt the average user can 
> redirect those streams in the shell.

hmmm .. it's not difficult to redirect (1>filea 2>fileb) or to combine
(2>&1).  But would the *average* user be collecting this information in
the first place?

Another option would be to send error data to stdout instead of stderr.
Does a two output stream (stdout/stderr) have any use with vobcopy?

Warm regards,

Steve





Information forwarded to debian-bugs-dist@lists.debian.org, Stephen Birch <sgbirch@imsmail.org>:
Bug#448319; Package vobcopy. Full text and rfc822 format available.

Acknowledgement sent to Robos <robos@muon.de>:
Extra info received and forwarded to list. Copy sent to Stephen Birch <sgbirch@imsmail.org>. Full text and rfc822 format available.

Message #57 received at 448319@bugs.debian.org (full text, mbox):

From: Robos <robos@muon.de>
To: Stephen Birch <sgbirch@imsmail.org>
Cc: Nico Golde <nico@ngolde.de>, 448319@bugs.debian.org
Subject: Re: Bug#448319: vobcopy: CVE-2007-5718 insecure temporary file handling
Date: Mon, 10 Dec 2007 19:38:54 +0100
On Sun, 09.12.07, Stephen Birch <sgbirch@imsmail.org> wrote:
> Nico Golde(nico@ngolde.de)@2007-12-09 21:18:
> > > Can't the log files just be placed in the current working directory?
> > > Either way, it sounds good.
> > 
> > That would be the same problem if you call vobcopy in a 
> > world-writable directory. Checking if the file already 
> > exists and creating a unique name using mkstemp or opening the 
> > file with O_EXCL should be enough. 

From my short read of the man pages I got the impression that O_EXCL was not
a posix feature. If so, it would limit vobcopy from running on not-posix
conformant platforms (whatever they may be...)

> > Of course it's also an 
> > option to place them in the user's home directory.
> > Kind regards
> 
> Point taken.  Let me ask this, is there any real value in either -q or
> -v -v opening a log file at all?  Does it serve any useful purpose
> since it is so easy to redirect stderr from the command line.
>
> Perhaps the simple solution is just to remove these features from
> vobcopy?

Bad idea, especially with -q. Vobcopy lets you redirect the output to
stdout, in order to pipe it to e.g. mplayer or bbtools. It would be kind of
bad if the progress bar also ended up in mplayer, don't you think :)

And -v -v is there for the convenience of the bug-reporter. I got emails
from people that simply said "your program told me to send you this, here
you go". I doubt that they could have redirected stdout or err...

> Robos ... what do you think?

Losing those options is not possible IMHO.
Cheers
Robos

> Steve
> 
> 

-- 
Robos - 
gpg --recv-keys --keyserver blackhole.pca.dfn.de 6EEADA09





Information forwarded to debian-bugs-dist@lists.debian.org, Stephen Birch <sgbirch@imsmail.org>:
Bug#448319; Package vobcopy. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Stephen Birch <sgbirch@imsmail.org>. Full text and rfc822 format available.

Message #62 received at 448319@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: Robos <robos@muon.de>
Cc: Stephen Birch <sgbirch@imsmail.org>, 448319@bugs.debian.org
Subject: Re: Bug#448319: vobcopy: CVE-2007-5718 insecure temporary file handling
Date: Mon, 10 Dec 2007 19:47:48 +0100
[Message part 1 (text/plain, inline)]
Hi Robos,
* Robos <robos@muon.de> [2007-12-10 19:39]:
> On Sun, 09.12.07, Stephen Birch <sgbirch@imsmail.org> wrote:
> > Nico Golde(nico@ngolde.de)@2007-12-09 21:18:
> > > > Can't the log files just be placed in the current working directory?
> > > > Either way, it sounds good.
> > > 
> > > That would be the same problem if you call vobcopy in a 
> > > world-writable directory. Checking if the file already 
> > > exists and creating a unique name using mkstemp or opening the 
> > > file with O_EXCL should be enough. 
> 
> From my short read of the man pages I got the impression that O_EXCL was not
> a posix feature. If so, it would limit vobcopy from running on not-posix
> conformant platforms (whatever they may be...)
[...] 
Where did you read this cause it is of course valid in 
POSIX. Just have a look at man 3p open.
Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Reply sent to Stephen Birch <sgbirch@imsmail.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Joey Hess <joeyh@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #67 received at 448319-close@bugs.debian.org (full text, mbox):

From: Stephen Birch <sgbirch@imsmail.org>
To: 448319-close@bugs.debian.org
Subject: Bug#448319: fixed in vobcopy 1.0.2-1
Date: Sun, 16 Dec 2007 19:32:05 +0000
Source: vobcopy
Source-Version: 1.0.2-1

We believe that the bug you reported is fixed in the latest version of
vobcopy, which is due to be installed in the Debian FTP archive:

vobcopy_1.0.2-1.diff.gz
  to pool/main/v/vobcopy/vobcopy_1.0.2-1.diff.gz
vobcopy_1.0.2-1.dsc
  to pool/main/v/vobcopy/vobcopy_1.0.2-1.dsc
vobcopy_1.0.2-1_i386.deb
  to pool/main/v/vobcopy/vobcopy_1.0.2-1_i386.deb
vobcopy_1.0.2.orig.tar.gz
  to pool/main/v/vobcopy/vobcopy_1.0.2.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 448319@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stephen Birch <sgbirch@imsmail.org> (supplier of updated vobcopy package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 14 Dec 2007 16:23:25 +0000
Source: vobcopy
Binary: vobcopy
Architecture: source i386
Version: 1.0.2-1
Distribution: unstable
Urgency: low
Maintainer: Stephen Birch <sgbirch@imsmail.org>
Changed-By: Stephen Birch <sgbirch@imsmail.org>
Description: 
 vobcopy    - A tool to copy DVD VOBs to hard disk
Closes: 319721 341734 341735 341742 345324 345326 349682 367142 381553 448319 449534 451144 451145
Changes: 
 vobcopy (1.0.2-1) unstable; urgency=low
 .
   * Fix possible symlink attack caused by insecure temporary file
     handling by using mkstemp (CVE-2007-5718; closes: #448319).
   * Bump standards Version to 3.7.3, no changes needed
   * Build dependency from "libdvdread3-dev | libdvdread2-dev" to libdvdread-dev
   * Fix man page typo s/pipeing/piping/ (closes: #367142)
   * Add upstream TODO file to docs
   * Add upstream Release-Notes to docs
   * Change to debhelper compatibility level 5
   * Tidy up rules file
   * New upstream release (closes: #381553, #449534)
     - wrong device name from /etc/fstab instead of /etc/mtab (closes: #345324)
     - -L option documented in man page (closes: #451144)
     - -F produces files that are too big (closes: #349682)
     - inconsistent regarding default of -n (closes: #341742)
     - checks for free space but it doesn't warn (closes: #341734)
     - vobcopy: German manual page corrections (closes: #345326)
     - -m and -n mutually exclusive (closes: #341735)
     - Off by one error fixed (closes: #451145)
     - Fix error when filenames end with ;? (closes: #319721)
Files: 
 c7c523b1d64cfef08108cde99ec44452 574 utils optional vobcopy_1.0.2-1.dsc
 9fcac3e1f143a236e1e5593e61a37bc8 47504 utils optional vobcopy_1.0.2.orig.tar.gz
 38ef618a13e94e468f0a797006177110 5990 utils optional vobcopy_1.0.2-1.diff.gz
 bdce2123c583a72bd91196b558311203 35720 utils optional vobcopy_1.0.2-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHZXsnHYflSXNkfP8RAu9LAJ99nwVFsk5vil4Kap1qkJSjqM1UAQCgrRP2
Ur9rd4oBsn9SfgD+VVWxdk8=
=R0Vc
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 20 Jan 2008 07:26:23 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 21:58:47 2014; Machine Name: buxtehude.debian.org
