Report forwarded to debian-bugs-dist@lists.debian.org, Kevin Coyner <kcoyner@debian.org>: Bug#466382; Package wyrd.
Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to Kevin Coyner <kcoyner@debian.org>.
Package: wyrd
Version: 1.4.3b-3
Severity: grave
Tags: security
Hi,
while searching for a cool calendar software I tried out
wyrd and noticed a wyrd file in /tmp that didn't look very
random. Looking at the source code it turns out that wyrd
dumps its configuration if you press ? (help) in the ui.
It then stores a file named wyrd-tmp.<userid> in /tmp.
rcfile.ml:
    let tmpfile = "/tmp/wyrd-tmp." ^ (string_of_int (Unix.getuid ()))
An attacker only needs to look up the userid in /etc/passwd
and create a symlink from /home/victim/someimportantfile to /tmp/wyrd-tmp.uid
and this will overwrite the content with the wyrd
configuration.
Unfortunately I have no idea about ML programming so I don't
have a solution for this.
A CVE id for this is pending.
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Changed Bug title to `wyrd: CVE-2008-0806 insecure tempfile creation allows symlink attack' from `wyrd: insecure tmpfile creation'.
Request was from Nico Golde <nion@debian.org>
to control@bugs.debian.org.
(Tue, 19 Feb 2008 11:06:03 GMT)
tags 466382 + patch
thanks
Hi,
after Julien Cristau told me there is an open_temp_file
function in OCaml and a bit of reading of the OCaml documentation I
can come up with a patch.
It will also be archived on:
http://people.debian.org/~nion/nmu-diff/wyrd-1.4.3b-3_1.4.3b-3.1.patch
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Hi,
attached is an updated patch.
It's as well archived on:
http://people.debian.org/~nion/nmu-diff/wyrd-1.4.3b-3_1.4.3b-3.1.patch
The problem with the first patch was that if you press help
the second time you get Sys_error("Bad file descriptor").
The reason is that the original code only operates on the
filename, opens it, and thus always assigns a new file
descriptor, which gets closed afterwards. So after changing
this to the global file descriptor to make sure that the
file doesn't change in the meantime (race) the file
descriptor was closed after calling help the first time.
Fixed this by moving the close part to the file removal on
Quit and flushing the output after writing the content.
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
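
The predictable path from the original report and the descriptor lifetime described in the message above, as an added OCaml example; it is not wyrd's code or the patch attached to this bug. The names help_tmp, get_tmp, dump_help and cleanup are hypothetical, and rewinding and truncating before each dump is an assumption about the wanted behaviour.

```ocaml
(* Added example: not code from wyrd and not the patch from this bug.
   Build: ocamlfind ocamlopt -package unix -linkpkg tmp_demo.ml *)

(* Vulnerable form from the report: a fixed, guessable path that is later
   opened by name, so a symlink planted there is followed:
     let tmpfile = "/tmp/wyrd-tmp." ^ (string_of_int (Unix.getuid ()))  *)

(* Hardened form: the file and its channel live for the whole session. *)
let help_tmp : (string * out_channel) option ref = ref None

(* Create on first use. Filename.open_temp_file generates a fresh name and
   opens it with O_CREAT|O_EXCL, mode 0o600; an existing file or symlink
   at that name makes the open fail and another name is tried. *)
let get_tmp () =
  match !help_tmp with
  | Some t -> t
  | None ->
      let t = Filename.open_temp_file "wyrd-tmp." ".txt" in
      help_tmp := Some t;
      t

(* Write through the channel already held; the path is never reopened. *)
let dump_help text =
  let (path, oc) = get_tmp () in
  seek_out oc 0;                                   (* rewind *)
  Unix.ftruncate (Unix.descr_of_out_channel oc) 0; (* drop the old dump *)
  output_string oc text;
  flush oc;  (* flush, not close: closing here breaks the next call *)
  path

(* Close and remove once, at quit. *)
let cleanup () =
  match !help_tmp with
  | None -> ()
  | Some (path, oc) ->
      close_out_noerr oc;
      (try Sys.remove path with Sys_error _ -> ());
      help_tmp := None

let () =
  at_exit cleanup;
  let p1 = dump_help "first help dump\n" in
  let p2 = dump_help "second help dump\n" in (* second press of help *)
  assert (p1 = p2);
  let ic = open_in p2 in
  let line = input_line ic in
  close_in ic;
  assert (line = "second help dump");
  print_endline ("help text written to " ^ p1)
```
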
On Wed, Feb 20, 2008 at 08:04:44PM +0100, Nico Golde wrote:
> Hi,
> attached is an updated patch.
> It's as well archived on:
> http://people.debian.org/~nion/nmu-diff/wyrd-1.4.3b-3_1.4.3b-3.1.patch
{snip}
Thanks much for the patch. I've incorporated it into an updated
version and have uploaded and am closing this bug.
I'll also forward the patch on to upstream.
Thanks again,
Kevin
--
Kevin Coyner GnuPG key: 1024D/8CE11941
Source: wyrd
Source-Version: 1.4.3b-4
We believe that the bug you reported is fixed in the latest version of
wyrd, which is due to be installed in the Debian FTP archive:
wyrd_1.4.3b-4.diff.gz
to pool/main/w/wyrd/wyrd_1.4.3b-4.diff.gz
wyrd_1.4.3b-4.dsc
to pool/main/w/wyrd/wyrd_1.4.3b-4.dsc
wyrd_1.4.3b-4_i386.deb
to pool/main/w/wyrd/wyrd_1.4.3b-4_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 466382@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Kevin Coyner <kcoyner@debian.org> (supplier of updated wyrd package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Thu, 21 Feb 2008 17:57:30 -0500
Source: wyrd
Binary: wyrd
Architecture: source i386
Version: 1.4.3b-4
Distribution: unstable
Urgency: low
Maintainer: Kevin Coyner <kcoyner@debian.org>
Changed-By: Kevin Coyner <kcoyner@debian.org>
Description:
wyrd - text-based calendar application
Closes: 466382
Changes:
wyrd (1.4.3b-4) unstable; urgency=low
.
* Patch from Nico Golde and the security team.
This patch addresses the following issue:
CVE-2008-0806: insecure temporary file creation that
could lead to symlink attacks and thus data loss. Closes: #466382.
* Bumped Standards-Version to 3.7.3. No changes.
* Moved Homepage header out of extended description.
* Removed unnecessary whitespace in doc-base file.
Files:
5eb1242697558f8fe3d6e5fb0a5cf497 672 utils optional wyrd_1.4.3b-4.dsc
56dd09014d7f0ced22ae56f192ac9030 4919 utils optional wyrd_1.4.3b-4.diff.gz
f2d375818b5efed296bcdadfa6505d8c 304746 utils optional wyrd_1.4.3b-4_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFHvi23qPceVIzhGUERAtTVAJ0WBg/659p7NjKerl/mixeOMULjIACeOo3p
qgzFLUMYq1fKEsN58qAXCIw=
=Fzq8
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sat, 22 Mar 2008 07:36:01 GMT)