Debian Bug report logs - #466382
wyrd: CVE-2008-0806 insecure tempfile creation allows symlink attack

Package: wyrd; Maintainer for wyrd is Debian OCaml Maintainers <debian-ocaml-maint@lists.debian.org>; Source for wyrd is src:wyrd.

Reported by: Nico Golde <nion@debian.org>

Date: Mon, 18 Feb 2008 12:51:01 UTC

Severity: grave

Tags: security

Found in version wyrd/1.4.3b-3

Fixed in version wyrd/1.4.3b-4

Done: Kevin Coyner <kcoyner@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Kevin Coyner <kcoyner@debian.org>:
Bug#466382; Package wyrd.


Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to Kevin Coyner <kcoyner@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: wyrd: insecure tmpfile creation
Date: Mon, 18 Feb 2008 13:49:57 +0100
[Message part 1 (text/plain, inline)]
Package: wyrd
Version: 1.4.3b-3
Severity: grave
Tags: security

Hi,
while searching for a cool calendar software I tried out 
wyrd and noticed a wyrd file in /tmp that didn't look very 
random. Looking at the source code it turns out that wyrd 
dumps its configuration if you press ? (help) in the ui.
It then stores a file named wyrd-tmp.<userid> in /tmp.

rcfile.ml:
139 let tmpfile = "/tmp/wyrd-tmp." ^ (string_of_int (Unix.getuid ()))

An attacker only needs to look up the userid in /etc/passwd 
and create a symlink from /home/victim/someimportantfile /tmp/wyrd-tmp.uid
and this will overwrite the content with the wyrd 
configuration.

Unfortunately I have no idea about ML programming so I don't 
have a solution for this.

A CVE id for this is pending.
Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Kevin Coyner <kcoyner@debian.org>:
Bug#466382; Package wyrd.


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Kevin Coyner <kcoyner@debian.org>.


Message #10 received at 466382@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 466382@bugs.debian.org
Cc: control@bugs.debian.org
Subject: wyrd CVE id
Date: Tue, 19 Feb 2008 12:04:57 +0100
[Message part 1 (text/plain, inline)]
retitle 466382 wyrd: CVE-2008-0806 insecure tempfile creation allows symlink attack
thanks

Hi,
CVE-2008-0806 was assigned to this.
======================================================
Name: CVE-2008-0806
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0806
Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=466382
Reference: BID:27848
Reference: URL:http://www.securityfocus.com/bid/27848
Reference: SECUNIA:29009
Reference: URL:http://secunia.com/advisories/29009

wyrd 1.4.3b allows local users to overwrite arbitrary files via a
symlink attack on the wyrd-tmp.[USERID] temporary file.


Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Changed Bug title to `wyrd: CVE-2008-0806 insecure tempfile creation allows symlink attack' from `wyrd: insecure tmpfile creation'. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Tue, 19 Feb 2008 11:06:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Kevin Coyner <kcoyner@debian.org>:
Bug#466382; Package wyrd.


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Kevin Coyner <kcoyner@debian.org>.


Message #17 received at 466382@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 466382@bugs.debian.org
Subject: intent to NMU
Date: Tue, 19 Feb 2008 22:39:09 +0100
[Message part 1 (text/plain, inline)]
tags 466382 + patch
thanks

Hi,
after Julien Cristau told me there is an open_temp_file 
function in OCaml and a bit of reading of the OCaml documentation I 
can come up with a patch.

It will also be archived on:
http://people.debian.org/~nion/nmu-diff/wyrd-1.4.3b-3_1.4.3b-3.1.patch

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[wyrd-1.4.3b-3_1.4.3b-3.1.patch (text/x-diff, attachment)]
[Message part 3 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Kevin Coyner <kcoyner@debian.org>:
Bug#466382; Package wyrd.


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Kevin Coyner <kcoyner@debian.org>.


Message #22 received at 466382@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 466382@bugs.debian.org
Subject: updated patch for CVE-2008-0806
Date: Wed, 20 Feb 2008 20:04:44 +0100
[Message part 1 (text/plain, inline)]
Hi,
attached is an updated patch.
It's as well archived on:
http://people.debian.org/~nion/nmu-diff/wyrd-1.4.3b-3_1.4.3b-3.1.patch

The problem with the first patch was that if you press help 
the second time you get Sys_error("Bad file descriptor").

The reason is that the original code only operates on the 
filename, opens it and thus always assigns a new file 
descriptor, which gets closed afterwards. So after changing 
this to the global file descriptor to make sure that the 
file doesn't change in the meantime (race), the file 
descriptor was closed after calling help the first time.

Fixed this by moving the close part to the file removal on 
Quit and flushing the output after writing the content.

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[wyrd-1.4.3b-3_1.4.3b-3.1.patch (text/x-diff, attachment)]
[Message part 3 (application/pgp-signature, inline)]
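
The approach described in message #22 (create the file with OCaml's open_temp_file, keep one channel open, flush after each write, close and remove on quit), as an added example; it is not wyrd's source and not the attached patch. The function names, the ".txt" suffix and the truncate-before-rewrite step are assumptions made for this sketch.

```ocaml
(* Added example; needs the unix library (e.g. ocamlfind ocamlopt -package unix -linkpkg). *)

(* Before: the name is derived from the uid, so any local user can predict it.
   open_out follows a symlink planted at that path and truncates its target.
   Kept for comparison only; it is never called below. *)
let dump_help_unsafe text =
  let path = "/tmp/wyrd-tmp." ^ string_of_int (Unix.getuid ()) in
  let oc = open_out path in
  output_string oc text;
  close_out oc;
  path

(* After: Filename.open_temp_file picks an unpredictable name and opens it
   with Open_excl and mode 0o600, so an existing file or symlink at the chosen
   path makes the open fail instead of being followed. Created once at startup. *)
let tmp_path, tmp_chan = Filename.open_temp_file "wyrd-tmp." ".txt"

(* Every help request writes through the channel opened above and never
   reopens the file by name, so the path cannot be swapped between uses. *)
let dump_help text =
  flush tmp_chan;
  seek_out tmp_chan 0;
  Unix.ftruncate (Unix.descr_of_out_channel tmp_chan) 0;  (* drop the old dump *)
  output_string tmp_chan text;
  flush tmp_chan;  (* a reader of tmp_path must see the complete text *)
  tmp_path

(* Closing belongs here, not in dump_help: closing after the first dump is
   what produces Sys_error "Bad file descriptor" on the second help request. *)
let quit () =
  close_out tmp_chan;
  Sys.remove tmp_path

let () =
  let first = dump_help "first help dump\n" in
  let second = dump_help "second help dump\n" in  (* second press still works *)
  assert (first = second);
  let ic = open_in second in
  let line = input_line ic in
  close_in ic;
  assert (line = "second help dump");
  quit ();
  assert (not (Sys.file_exists tmp_path))
```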

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#466382; Package wyrd.


Acknowledgement sent to Kevin Coyner <kcoyner@debian.org>:
Extra info received and forwarded to list.


Message #27 received at 466382@bugs.debian.org:

From: Kevin Coyner <kcoyner@debian.org>
To: Nico Golde <nion@debian.org>
Cc: 466382@bugs.debian.org
Subject: Re: Bug#466382: updated patch for CVE-2008-0806
Date: Thu, 21 Feb 2008 21:11:26 -0500
[Message part 1 (text/plain, inline)]

On Wed, Feb 20, 2008 at 08:04:44PM +0100, Nico Golde wrote:

> Hi,
> attached is an updated patch.
> It's as well archived on:
> http://people.debian.org/~nion/nmu-diff/wyrd-1.4.3b-3_1.4.3b-3.1.patch
{snip}

Thanks much for the patch. I've incorporated it into an updated
version and have uploaded and am closing this bug.

I'll also forward the patch on to upstream.

Thanks again,
Kevin


-- 
Kevin Coyner  GnuPG key: 1024D/8CE11941
[signature.asc (application/pgp-signature, inline)]

Reply sent to Kevin Coyner <kcoyner@debian.org>:
You have taken responsibility.


Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer.


Message #32 received at 466382-close@bugs.debian.org:

From: Kevin Coyner <kcoyner@debian.org>
To: 466382-close@bugs.debian.org
Subject: Bug#466382: fixed in wyrd 1.4.3b-4
Date: Fri, 22 Feb 2008 02:17:06 +0000
Source: wyrd
Source-Version: 1.4.3b-4

We believe that the bug you reported is fixed in the latest version of
wyrd, which is due to be installed in the Debian FTP archive:

wyrd_1.4.3b-4.diff.gz
  to pool/main/w/wyrd/wyrd_1.4.3b-4.diff.gz
wyrd_1.4.3b-4.dsc
  to pool/main/w/wyrd/wyrd_1.4.3b-4.dsc
wyrd_1.4.3b-4_i386.deb
  to pool/main/w/wyrd/wyrd_1.4.3b-4_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 466382@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Kevin Coyner <kcoyner@debian.org> (supplier of updated wyrd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 21 Feb 2008 17:57:30 -0500
Source: wyrd
Binary: wyrd
Architecture: source i386
Version: 1.4.3b-4
Distribution: unstable
Urgency: low
Maintainer: Kevin Coyner <kcoyner@debian.org>
Changed-By: Kevin Coyner <kcoyner@debian.org>
Description: 
 wyrd       - text-based calendar application
Closes: 466382
Changes: 
 wyrd (1.4.3b-4) unstable; urgency=low
 .
   * Patch from Nico Golde and the security team.
     This patch addresses the following issue:
     CVE-2008-0806: insecure temporary file creation that
     could lead to symlink attacks and thus data loss. Closes: #466382.
   * Bumped Standards-Version to 3.7.3. No changes.
   * Moved Homepage header out of extended description.
   * Removed unnecessary whitespace in doc-base file.
Files: 
 5eb1242697558f8fe3d6e5fb0a5cf497 672 utils optional wyrd_1.4.3b-4.dsc
 56dd09014d7f0ced22ae56f192ac9030 4919 utils optional wyrd_1.4.3b-4.diff.gz
 f2d375818b5efed296bcdadfa6505d8c 304746 utils optional wyrd_1.4.3b-4_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHvi23qPceVIzhGUERAtTVAJ0WBg/659p7NjKerl/mixeOMULjIACeOo3p
qgzFLUMYq1fKEsN58qAXCIw=
=Fzq8
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 22 Mar 2008 07:36:01 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 13:04:32 2025; Machine Name: buxtehude
