Debian Bug report logs - #480972
CVE-2008-2266 vulnerable to symlink attacks

Package: libuu-dev; Maintainer for libuu-dev is Chris Hanson <cph@debian.org>; Source for libuu-dev is src:uudeview.

Reported by: Marco d'Itri <md@linux.it>

Date: Mon, 12 May 2008 23:24:10 UTC

Severity: critical

Tags: patch, security, upstream

Found in version uudeview/0.5.20-3

Fixed in version uudeview/0.5.20-3.1

Done: Marco d'Itri <md@linux.it>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, md@linux.it, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Chris Hanson <cph@debian.org>:
Bug#480972; Package libuu-dev.

Acknowledgement sent to Marco d'Itri <md@linux.it>:
New Bug report received and forwarded. Copy sent to md@linux.it, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Chris Hanson <cph@debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Marco d'Itri <md@linux.it>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: vulnerable to symlink attacks
Date: Tue, 13 May 2008 01:19:19 +0200
Package: libuu-dev
Version: 0.5.20-3
Severity: critical
Tags: security upstream

Security team: libuu-dev is a static-only library (see #216593).
klibido, nget and slrn build-depend on libuu-dev, while
libconvert-uulib-perl and kde (I don't know exactly which package,
look in the kdesupport directory) contain an embedded copy.

Pan has an embedded copy too, but it's modified and does not contain
this code.

This code in uulib/uunconc.c is vulnerable to symlink attacks.

  /* tempnam() only returns a not-yet-existing name; nothing is created here */
  if ((data->binfile = tempnam (NULL, "uu")) == NULL) {
    UUMessage (uunconc_id, __LINE__, UUMSG_ERROR,
               uustring (S_NO_TEMP_NAME));
    return UURET_NOMEM;
  }

  /* ...so a symlink planted at that name before this fopen() is followed */
  if ((dataout = fopen (data->binfile, mode)) == NULL) {

-- 
ciao,
Marco

Bug 480972 cloned as bug 481048. Request was from Marco d'Itri <md@linux.it> to control@bugs.debian.org. (Tue, 13 May 2008 12:03:05 GMT)

Changed Bug title to `CVE-2008-2266 vulnerable to symlink attacks' from `vulnerable to symlink attacks'. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Sun, 18 May 2008 11:39:05 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Chris Hanson <cph@debian.org>:
Bug#480972; Package libuu-dev.

Acknowledgement sent to md@Linux.IT (Marco d'Itri):
Extra info received and forwarded to list. Copy sent to Chris Hanson <cph@debian.org>.

Message #14 received at 480972@bugs.debian.org:

From: md@Linux.IT (Marco d'Itri)
To: 480972@bugs.debian.org
Subject: Re: Bug#480972: vulnerable to symlink attacks
Date: Sun, 18 May 2008 14:15:26 +0200
Do you have any objections to me making a NMU to fix this bug AND to
make the package generate a proper shared library?

-- 
ciao,
Marco

Information forwarded to debian-bugs-dist@lists.debian.org, Chris Hanson <cph@debian.org>:
Bug#480972; Package libuu-dev.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Chris Hanson <cph@debian.org>.

Message #19 received at 480972@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 480972@bugs.debian.org
Subject: patch for uudeview
Date: Sun, 18 May 2008 14:13:01 +0200
tags 480972 + patch
thanks

Hi,
I wrote a patch to fix this. I have no idea how to test this 
specific functionality so it would be nice if someone could 
do this before uploading it.

Patch attached.

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[uudeview.patch (text/x-diff, attachment)]

Tags added: patch Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Sun, 18 May 2008 12:21:11 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Chris Hanson <cph@debian.org>:
Bug#480972; Package libuu-dev.

Acknowledgement sent to gregor herrmann <gregoa@debian.org>:
Extra info received and forwarded to list. Copy sent to Chris Hanson <cph@debian.org>.

Message #26 received at 480972@bugs.debian.org:

From: gregor herrmann <gregoa@debian.org>
To: Marco d'Itri <md@linux.it>, 480972@bugs.debian.org, Nico Golde <nion@debian.org>
Subject: Re: Bug#480972: vulnerable to symlink attacks
Date: Sun, 18 May 2008 15:36:03 +0200
On Tue, 13 May 2008 01:19:19 +0200, Marco d'Itri wrote:

> Security team: libuu-dev is a static-only library (see #216593).
> klibido, nget and slrn build-depend on libuu-dev, while
> libconvert-uulib-perl and kde (I don't know exactly which package,
> look in the kdesupport directory) contain an embedded copy.
> 
> This code in uulib/uunconc.c is vulnerable to symlink attacks.
> 
>   if ((data->binfile = tempnam (NULL, "uu")) == NULL) {
>     UUMessage (uunconc_id, __LINE__, UUMSG_ERROR,
>                uustring (S_NO_TEMP_NAME));
>     return UURET_NOMEM;
>   } 
>   
>   if ((dataout = fopen (data->binfile, mode)) == NULL) {

I took a look at uulib/uunconc.c in libconvert-uulib-perl and I have
the impression that it's not vulnerable because it uses mkstemp
instead of tempnam if available.

This was also already mentioned in
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=320541#30

Still I'd appreciate if someone who speaks better C than me could
take a look to verify.

Cheers,
gregor 
 
-- 
 .''`.   http://info.comodo.priv.at/ | gpg key ID: 0x00F3CFE4
 : :' :  debian gnu/linux user, admin & developer - http://www.debian.org/
 `. `'   member of https://www.vibe.at/ | how to reply: http://got.to/quote/
   `-    NP: Tom Waits: Make It Rain
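The contrast gregor describes above, as an added C example that is neither uudeview's code nor the patch attached in this thread: the tempnam()+fopen() shape from the report beside a mkstemp()-based replacement, with a post-open fstat() check and the O_EXCL primitive that mkstemp() relies on. Helper names, the TMPDIR handling and the "uu" prefix handling are assumptions made for this example.

```c
/* Added example, not uudeview's code nor this thread's patch: the tempnam()+fopen()
 * shape quoted in the report beside the mkstemp() shape the libconvert-uulib-perl
 * copy uses, plus two defender-side checks.  Helper names are assumptions. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* Vulnerable shape: tempnam() only predicts a name; until fopen() runs, anyone
 * who can write the temp directory may plant a symlink there for fopen() to follow. */
FILE *open_binfile_racy(char **binfile)
{
    if ((*binfile = tempnam(NULL, "uu")) == NULL)
        return NULL;
    return fopen(*binfile, "wb");   /* the race window sits between the two calls */
}

/* Hardened shape: mkstemp() itself creates the file with O_CREAT|O_EXCL and mode
 * 0600, so a planted symlink makes it fail instead of being followed; use the fd. */
FILE *open_binfile_safe(char **binfile)
{
    const char *dir = getenv("TMPDIR");
    size_t len; int fd;
    if (dir == NULL || *dir == '\0') dir = "/tmp";
    len = strlen(dir) + sizeof "/uuXXXXXX";         /* sizeof counts the NUL */
    if ((*binfile = malloc(len)) == NULL)
        return NULL;
    snprintf(*binfile, len, "%s/uuXXXXXX", dir);
    if ((fd = mkstemp(*binfile)) == -1) {
        free(*binfile);
        *binfile = NULL;
        return NULL;
    }
    return fdopen(fd, "wb");           /* caller fclose()s, unlink()s and free()s */
}

/* Post-open check for any stream: a regular, single-link file with no group/other bits. */
int is_private_regular_file(FILE *fp)
{
    struct stat st;
    if (fp == NULL || fstat(fileno(fp), &st) != 0)
        return 0;
    return S_ISREG(st.st_mode) && st.st_nlink == 1
        && (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}

/* The primitive mkstemp() builds on, for a caller-chosen path: O_EXCL refuses
 * any existing entry, a dangling symlink included, and open() fails with EEXIST. */
int create_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}
```

The same fstat() check can be applied to a stream opened the racy way; it catches a redirected open after the fact, while mkstemp() prevents it in the first place.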

Information forwarded to debian-bugs-dist@lists.debian.org, Chris Hanson <cph@debian.org>:
Bug#480972; Package libuu-dev.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Chris Hanson <cph@debian.org>.

Message #31 received at 480972@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: gregor herrmann <gregoa@debian.org>
Cc: Marco d'Itri <md@linux.it>, 480972@bugs.debian.org, 481048-done@bugs.debian.org
Subject: Re: Bug#480972: vulnerable to symlink attacks
Date: Sun, 18 May 2008 16:23:26 +0200
Hi Gregor,
* gregor herrmann <gregoa@debian.org> [2008-05-18 15:40]:
> On Tue, 13 May 2008 01:19:19 +0200, Marco d'Itri wrote:
> > Security team: libuu-dev is a static-only library (see #216593).
> > klibido, nget and slrn build-depend on libuu-dev, while
> > libconvert-uulib-perl and kde (I don't know exactly which package,
> > look in the kdesupport directory) contain an embedded copy.
> > 
> > This code in uulib/uunconc.c is vulnerable to symlink attacks.
> > 
> >   if ((data->binfile = tempnam (NULL, "uu")) == NULL) {
> >     UUMessage (uunconc_id, __LINE__, UUMSG_ERROR,
> >                uustring (S_NO_TEMP_NAME));
> >     return UURET_NOMEM;
> >   } 
> >   
> >   if ((dataout = fopen (data->binfile, mode)) == NULL) {
> 
> I took a look at uulib/uunconc.c in libconvert-uulib-perl and I have
> the impression that it's not vulnerable because it uses mkstemp
> instead of tempnam if available.
> 
> This was also already mentioned in
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=320541#30
> 
> Still I'd appreciate if someone who speaks better C than me could
> take a look to verify.

Confirmed, the version of uunconc.c in libconvert-uulib-perl
is not vulnerable. Added this to the security tracker.
Thanks for checking!

Attached is an updated patch which ports the changes made in
libconvert-uulib-perl to uudeview. Please use this patch
instead of the other one as the first one misses the second
tempnam call.

Kind regards
Nico
P.S. closing 481048

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[uudeview.patch (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Chris Hanson <cph@debian.org>:
Bug#480972; Package libuu-dev.

Acknowledgement sent to Sune Vuorela <Sune@vuorela.dk>:
Extra info received and forwarded to list. Copy sent to Chris Hanson <cph@debian.org>.

Message #36 received at 480972@bugs.debian.org:

From: Sune Vuorela <Sune@vuorela.dk>
To: debian-qt-kde@lists.debian.org, 480972@bugs.debian.org
Cc: "Marco d'Itri" <md@linux.it>
Subject: Re: Bug#480972: vulnerable to symlink attacks
Date: Sun, 18 May 2008 21:06:41 +0200
On Tuesday 13 May 2008, Marco d'Itri wrote:

> Security team: libuu-dev is a static-only library (see #216593).
> klibido, nget and slrn build-depend on libuu-dev, while
> libconvert-uulib-perl and kde (I don't know exactly which package,
> look in the kdesupport directory) contain an embedded copy.

I tried locating it in kde (kdesupport directory). I could find it through google
code search in an ancient (probably kde 1) tarball on some openbsd mirrors.

But I couldn't find it in either kde3 or kde4.

(I looked for the file mentioned ..)

/Sune
-- 
I'm not able to forward from a USB file, how does it work?

You must install the clock for logging on a system to a directory.

Tags added: pending Request was from Marco d'Itri <md@linux.it> to control@bugs.debian.org. (Tue, 20 May 2008 23:51:01 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Chris Hanson <cph@debian.org>:
Bug#480972; Package libuu-dev.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Chris Hanson <cph@debian.org>.

Message #43 received at 480972@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: Sune Vuorela <Sune@vuorela.dk>, 480972@bugs.debian.org
Cc: debian-qt-kde@lists.debian.org, Marco d'Itri <md@linux.it>
Subject: Re: Bug#480972: vulnerable to symlink attacks
Date: Thu, 22 May 2008 00:23:23 +0200
Hi Sune,
* Sune Vuorela <Sune@vuorela.dk> [2008-05-18 21:35]:
> On Tuesday 13 May 2008, Marco d'Itri wrote:
> > Security team: libuu-dev is a static-only library (see #216593).
> > klibido, nget and slrn build-depend on libuu-dev, while
> > libconvert-uulib-perl and kde (I don't know exactly which package,
> > look in the kdesupport directory) contain an embedded copy.
> 
> I tried locating it in kde (kdesupport directory). I could find it through google
> code search in an ancient (probably kde 1) tarball on some openbsd mirrors.
> 
> But I couldn't find it in either kde3 or kde4.
> 
> (I looked for the file mentioned ..)

Yes, same here. Looks like some deprecated package for kde 
libs. I couldn't find that either in current source 
packages. Marco, where did you get this information?

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Information forwarded to debian-bugs-dist@lists.debian.org, Chris Hanson <cph@debian.org>:
Bug#480972; Package libuu-dev.

Acknowledgement sent to Sune Vuorela <Sune@vuorela.dk>:
Extra info received and forwarded to list. Copy sent to Chris Hanson <cph@debian.org>.

Message #48 received at 480972@bugs.debian.org:

From: Sune Vuorela <Sune@vuorela.dk>
To: debian-qt-kde@lists.debian.org
Cc: Nico Golde <nion@debian.org>, 480972@bugs.debian.org, Marco d'Itri <md@linux.it>
Subject: Re: Bug#480972: vulnerable to symlink attacks
Date: Thu, 22 May 2008 00:31:12 +0200
On Thursday 22 May 2008, Nico Golde wrote:

> Yes, same here. Looks like some deprecated package for kde
> libs. I couldn't find that either in current source
> packages. Marco, where did you get this information?

Marco told me he got it from google code search.

/Sune
-- 
Man, do you know how could I open the line to the editor on the head of a 
terminale?

You can never forward to the ethernet microkernel for installing the 3-bit 
mousepad.

Reply sent to Marco d'Itri <md@linux.it>:
You have taken responsibility.

Notification sent to Marco d'Itri <md@linux.it>:
Bug acknowledged by developer.

Message #53 received at 480972-close@bugs.debian.org:

From: Marco d'Itri <md@linux.it>
To: 480972-close@bugs.debian.org
Subject: Bug#480972: fixed in uudeview 0.5.20-3.1
Date: Fri, 23 May 2008 15:44:06 +0000
Source: uudeview
Source-Version: 0.5.20-3.1

We believe that the bug you reported is fixed in the latest version of
uudeview, which is due to be installed in the Debian FTP archive:

libuu-dev_0.5.20-3.1_i386.deb
  to pool/main/u/uudeview/libuu-dev_0.5.20-3.1_i386.deb
libuu0_0.5.20-3.1_i386.deb
  to pool/main/u/uudeview/libuu0_0.5.20-3.1_i386.deb
uudeview_0.5.20-3.1.diff.gz
  to pool/main/u/uudeview/uudeview_0.5.20-3.1.diff.gz
uudeview_0.5.20-3.1.dsc
  to pool/main/u/uudeview/uudeview_0.5.20-3.1.dsc
uudeview_0.5.20-3.1_i386.deb
  to pool/main/u/uudeview/uudeview_0.5.20-3.1_i386.deb
xdeview_0.5.20-3.1_i386.deb
  to pool/main/u/uudeview/xdeview_0.5.20-3.1_i386.deb
A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 480972@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Marco d'Itri <md@linux.it> (supplier of updated uudeview package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Wed, 21 May 2008 01:34:35 +0200
Source: uudeview
Binary: uudeview xdeview libuu0 libuu-dev
Architecture: source i386
Version: 0.5.20-3.1
Distribution: unstable
Urgency: high
Maintainer: Chris Hanson <cph@debian.org>
Changed-By: Marco d'Itri <md@linux.it>
Description: 
 libuu-dev  - Library for decoding/encoding several popular file encodings
 libuu0     - Library for decoding/encoding several popular file encodings
 uudeview   - Smart multi-file multi-part decoder (command line)
 xdeview    - Smart multi-file multi-part decoder (X11 GUI)
Closes: 216593 480972
Changes: 
 uudeview (0.5.20-3.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Fixed a classical tempfile symlink attack vulnerability in libuu.
     Thanks to Nico Golde for the patch. (Closes: #480972)
   * Added a shared library package. (Closes: #216593)
   * Added support for dpkg-buildpackage setting $CFLAGS.
   * Removed no-op maintainer scripts.
   * Replaced the deprecated tetex dependencies with texlive-latex-base.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 16 Mar 2009 09:55:44 GMT)

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 11:06:31 2014; Machine Name: buxtehude.debian.org
