Debian Bug report logs - #476321
cecilia: CVE-2008-1832 insecure tmp file usage

version graph

Package: cecilia; Maintainer for cecilia is Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>; Source for cecilia is src:cecilia (PTS, buildd, popcon).

Reported by: Felipe Sateler <fsateler@gmail.com>

Date: Tue, 15 Apr 2008 20:57:02 UTC

Severity: grave

Tags: patch, security

Found in version cecilia/2.0.5-2

Fixed in version cecilia/2.0.5-2.1

Done: Steffen Joeris <white@debian.org>

Bug is archived. No further changes may be made.

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Free Ekanayaka <free@agnula.org>:
Bug#476321; Package cecilia. (full text, mbox, link).


Acknowledgement sent to Felipe Sateler <fsateler@gmail.com>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Free Ekanayaka <free@agnula.org>. (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Felipe Sateler <fsateler@gmail.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: cecilia: Unsafe temp file
Date: Tue, 15 Apr 2008 16:53:44 -0400
Package: cecilia
Version: 2.0.5-2
Severity: grave
Tags: security
Justification: user security hole

lib/prefs.tcl does, at line 185:
	catch {exec $csound >& /tmp/csvers}
	set f [open /tmp/csvers r]

A malicious user could create /tmp/csvers as a symlink to another file,
and when cecilia is started, that data would get destroyed.

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.24-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages cecilia depends on:
ii  csound                  1:5.08.0.dfsg2-1 powerful and versatile sound synth
ii  tk8.4                   8.4.18-1         Tk toolkit for Tcl and X11, v8.4 -

cecilia recommends no packages.

-- no debconf information




Information forwarded to debian-bugs-dist@lists.debian.org, Free Ekanayaka <free@agnula.org>:
Bug#476321; Package cecilia. (full text, mbox, link).


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Free Ekanayaka <free@agnula.org>. (full text, mbox, link).


Message #10 received at 476321@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>
To: Felipe Sateler <fsateler@gmail.com>, 476321@bugs.debian.org
Subject: Re: [Secure-testing-team] Bug#476321: cecilia: Unsafe temp file
Date: Wed, 16 Apr 2008 00:20:38 +0200
[Message part 1 (text/plain, inline)]
Hi Felipe,
* Felipe Sateler <fsateler@gmail.com> [2008-04-15 23:01]:
[...] 
> lib/prefs.tcl does, at line 185:
> 	catch {exec $csound >& /tmp/csvers}
> 	set f [open /tmp/csvers r]

Confirmed, requested CVE id.
Thanks!
Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Free Ekanayaka <free@agnula.org>:
Bug#476321; Package cecilia. (full text, mbox, link).


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Free Ekanayaka <free@agnula.org>. (full text, mbox, link).


Message #15 received at 476321@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>
To: 476321@bugs.debian.org
Cc: control@bugs.debian.org
Subject: CVE id assigned
Date: Wed, 16 Apr 2008 17:28:05 +0200
[Message part 1 (text/plain, inline)]
retitle 476321 cecilia: CVE-2008-1832 insecure tmp file usage
thanks

Hi,
use CVE-2008-1832:
======================================================
Name: CVE-2008-1832
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1832
Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=476321

lib/prefs.tcl in Cecilia  2.0.5 allows local users to overwrite
arbitrary files via a symlink attack on the csvers temporary file.


Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Changed Bug title to `cecilia: CVE-2008-1832 insecure tmp file usage' from `cecilia: Unsafe temp file'. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Wed, 16 Apr 2008 15:30:05 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Free Ekanayaka <free@agnula.org>:
Bug#476321; Package cecilia. (full text, mbox, link).


Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Extra info received and forwarded to list. Copy sent to Free Ekanayaka <free@agnula.org>. (full text, mbox, link).


Message #22 received at 476321@bugs.debian.org (full text, mbox, reply):

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: 476321@bugs.debian.org
Cc: control@bugs.debian.org
Subject: add patch
Date: Tue, 6 May 2008 21:49:51 +1000
[Message part 1 (text/plain, inline)]
tags 476321 patch
thanks

Hi

I guess the attached patch should address the insecure tmp file. However, I 
seem to be unable to startup the application. The only thing that happens is 
that the window pops up and says "loading code: helpers.tcl".
Anyone able to use this application?

Cheers
Steffen
[CVE-2008-1832.patch (text/x-diff, attachment)]
[signature.asc (application/pgp-signature, inline)]

Tags added: patch Request was from Steffen Joeris <steffen.joeris@skolelinux.de> to control@bugs.debian.org. (Tue, 06 May 2008 11:54:03 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Free Ekanayaka <free@agnula.org>:
Bug#476321; Package cecilia. (full text, mbox, link).


Acknowledgement sent to Marcos Marado <marado@isp.novis.pt>:
Extra info received and forwarded to list. Copy sent to Free Ekanayaka <free@agnula.org>. (full text, mbox, link).


Message #29 received at 476321@bugs.debian.org (full text, mbox, reply):

From: Marcos Marado <marado@isp.novis.pt>
To: 476321@bugs.debian.org
Subject: testing patch
Date: Wed, 7 May 2008 19:16:22 +0100
Hi there,

The problem of you being "unable to startup the application", is, I guess, bug
#479995 and not related to this one. 

Regarding to this problem, I tried it and it doesn't cause any problem to the 
package, while fixing the security issue. As far as I see, the patch is ready 
to be included.

Best regards,
-- 
Marcos Marado




Reply sent to Steffen Joeris <white@debian.org>:
You have taken responsibility. (full text, mbox, link).


Notification sent to Felipe Sateler <fsateler@gmail.com>:
Bug acknowledged by developer. (full text, mbox, link).


Message #34 received at 476321-close@bugs.debian.org (full text, mbox, reply):

From: Steffen Joeris <white@debian.org>
To: 476321-close@bugs.debian.org
Subject: Bug#476321: fixed in cecilia 2.0.5-2.1
Date: Fri, 09 May 2008 12:02:02 +0000
Source: cecilia
Source-Version: 2.0.5-2.1

We believe that the bug you reported is fixed in the latest version of
cecilia, which is due to be installed in the Debian FTP archive:

cecilia_2.0.5-2.1.diff.gz
  to pool/main/c/cecilia/cecilia_2.0.5-2.1.diff.gz
cecilia_2.0.5-2.1.dsc
  to pool/main/c/cecilia/cecilia_2.0.5-2.1.dsc
cecilia_2.0.5-2.1_all.deb
  to pool/main/c/cecilia/cecilia_2.0.5-2.1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 476321@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steffen Joeris <white@debian.org> (supplier of updated cecilia package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 09 May 2008 11:47:07 +0000
Source: cecilia
Binary: cecilia
Architecture: source all
Version: 2.0.5-2.1
Distribution: unstable
Urgency: high
Maintainer: Free Ekanayaka <free@agnula.org>
Changed-By: Steffen Joeris <white@debian.org>
Description: 
 cecilia    - graphic user interface for CSound
Closes: 476321
Changes: 
 cecilia (2.0.5-2.1) unstable; urgency=high
 .
   * Non-maintainer upload by the security team
   * Include 13CVE-2008-1832.dpatch to fix insecure tmp file handling,
     which allows a symlink attack (Closes: #476321)
     Fixes: CVE-2008-1832
Checksums-Sha1: 
 40ee3ffde9ed450ed198041b854d4692971894bf 1023 cecilia_2.0.5-2.1.dsc
 4054cf14f8dd530825958ed993fa938a63c8ffa8 13397 cecilia_2.0.5-2.1.diff.gz
 f9518a463de806a428f6563fb64835db7e220534 1654124 cecilia_2.0.5-2.1_all.deb
Checksums-Sha256: 
 21b43c87f7f855fc454251677b130df9800e52b2e3bfc2c3e50ebce0027b2729 1023 cecilia_2.0.5-2.1.dsc
 67af098abfe27b2d0a04b9f8531e1656c07642943fef89240c3cddd9da0ad0a1 13397 cecilia_2.0.5-2.1.diff.gz
 c7240af8be18ca79621bcfb560a5dd2f46bd107084a0fca57455a7bd14f4d708 1654124 cecilia_2.0.5-2.1_all.deb
Files: 
 7adbf654c3055a6d0ca42739c4ca6679 1023 sound optional cecilia_2.0.5-2.1.dsc
 cb3a02fc51b07fb218b18405466657bd 13397 sound optional cecilia_2.0.5-2.1.diff.gz
 b6d6b071b6708f22cb218c42ecedaef3 1654124 sound optional cecilia_2.0.5-2.1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIJDvU62zWxYk/rQcRAoSkAKC2ebqLKOt2rldCWTfcfWjpHGnQIACeKCgE
tiwhodasJnEi6GLSyu/nUaQ=
=BeHD
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 16 Mar 2009 08:08:28 GMT) (full text, mbox, link).


Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 07:50:27 2025; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU General Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.