Debian Bug report logs - #501959
chm2pdf: Major security (temporary dirs) problems


Package: chm2pdf; Maintainer for chm2pdf is Steve Stalcup <vorian@ubuntu.com>; Source for chm2pdf is src:chm2pdf.

Reported by: Karol Lewandowski <lmctlx@gmail.com>

Date: Sat, 11 Oct 2008 23:48:01 UTC

Severity: grave

Tags: patch, security

Found in version chm2pdf/0.9-2

Fixed in version chm2pdf/0.9.1-1.1

Done: Raphael Geissert <atomo64@gmail.com>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Steve Stalcup <vorian@ubuntu.com>:
Bug#501959; Package chm2pdf. (Sat, 11 Oct 2008 23:48:03 GMT) (full text, mbox, link).


Acknowledgement sent to Karol Lewandowski <lmctlx@gmail.com>:
New Bug report received and forwarded. Copy sent to Steve Stalcup <vorian@ubuntu.com>. (Sat, 11 Oct 2008 23:48:03 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Karol Lewandowski <lmctlx@gmail.com>
To: submit@bugs.debian.org
Subject: chm2pdf: Major security (temporary dirs) problems
Date: Sun, 12 Oct 2008 01:43:00 +0200
Package: chm2pdf
Version: 0.9-2
Severity: grave
Justification: causes non-serious data loss

There are several problems with this package:

1. chm2pdf creates /tmp/chm2pdf/{orig,work}/X directories.  
   (Where X is file basename, foo for foo.chm).

   This makes the script unusable for other users, i.e. userA runs chm2pdf,
   which creates /tmp/chm2pdf with userA as owner; userB has no chance to
   create files there.


2. A malicious user could prepare a directory structure which upon chm2pdf
   execution could cause serious data loss.

From /usr/bin/chm2pdf:

     CHM2PDF_TEMP_WORK_DIR='/tmp/chm2pdf/work' 
     CHM2PDF_TEMP_ORIG_DIR='/tmp/chm2pdf/orig'
...
     CHM2PDF_WORK_DIR = CHM2PDF_TEMP_WORK_DIR + os.sep + basename
     CHM2PDF_ORIG_DIR = CHM2PDF_TEMP_ORIG_DIR + os.sep + basename
...
     os.system('rm -r '+CHM2PDF_ORIG_DIR+'/*')
     os.system('rm -r '+CHM2PDF_WORK_DIR+'/*')
.

A malicious user could do e.g.:

malicious$ mkdir /tmp/chm2pdf/{orig,work}
malicious$ cd /tmp/chm2pdf/orig
malicious$ for f in `find /home/victim/ -iname \*.chm -print`; do
> ln -s /home/victim/ `basename ${f%%.chm}`
> done

And ask user victim to convert any of his own .chm files.


Thanks.

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.27-rc7
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash

Versions of packages chm2pdf depends on:
ii  htmldoc                     1.8.27-3     HTML processor that generates inde
ii  libchm-bin                  2:0.39-9     library for dealing with Microsoft
ii  python                      2.5.2-2      An interactive high-level object-o
ii  python-chm                  0.8.4-0.1+b1 Python binding for CHMLIB
ii  python-support              0.8.4        automated rebuilding support for P

chm2pdf recommends no packages.

chm2pdf suggests no packages.

-- no debconf information




Information forwarded to debian-bugs-dist@lists.debian.org, Steve Stalcup <vorian@ubuntu.com>:
Bug#501959; Package chm2pdf. (Sun, 12 Oct 2008 00:03:03 GMT) (full text, mbox, link).


Acknowledgement sent to Steve Stalcup <stalcups@gmail.com>:
Extra info received and forwarded to list. Copy sent to Steve Stalcup <vorian@ubuntu.com>. (Sun, 12 Oct 2008 00:03:03 GMT) (full text, mbox, link).


Message #10 received at submit@bugs.debian.org (full text, mbox, reply):

From: Steve Stalcup <stalcups@gmail.com>
To: Karol Lewandowski <lmctlx@gmail.com>, "501959@bugs.debian.org" <501959@bugs.debian.org>
Cc: "submit@bugs.debian.org" <submit@bugs.debian.org>
Subject: Re: Bug#501959: chm2pdf: Major security (temporary dirs) problems
Date: Sat, 11 Oct 2008 20:01:40 -0400
Thanks for the report

-Steve

On Oct 11, 2008, at 7:43 PM, Karol Lewandowski <lmctlx@gmail.com> wrote:

> Package: chm2pdf
> Version: 0.9-2
> Severity: grave
> Justification: causes non-serious data loss
>
> There are several problems with this package:
>
> 1. chm2pdf creates /tmp/chm2pdf/{orig,work}/X directories.
>   (Where X is file basename, foo for foo.chm).
>
>   This makes script unusable for other users, i.e. userA runs chm2pdf
>   which creates /tmp/chm2pdf with userA owner, userB has no chance to
>   create files there
>
>
> 2. Malicious user could prepare directory structure which upon chm2pdf
>   execution could cause serious data loss.
>
> from /usr/bin/chm2pdf:
>
>     CHM2PDF_TEMP_WORK_DIR='/tmp/chm2pdf/work'
>     CHM2PDF_TEMP_ORIG_DIR='/tmp/chm2pdf/orig'
> ...
>     CHM2PDF_WORK_DIR = CHM2PDF_TEMP_WORK_DIR + os.sep + basename
>     CHM2PDF_ORIG_DIR = CHM2PDF_TEMP_ORIG_DIR + os.sep + basename
> ...
>     os.system('rm -r '+CHM2PDF_ORIG_DIR+'/*')
>     os.system('rm -r '+CHM2PDF_WORK_DIR+'/*')
> .
>
> Malicious user could do e.g.
>
> malicious$ mkdir /tmp/chm2pdf/{orig,work}
> malicious$ cd /tmp/chm2pdf/orig
> malicious$ for f in `find /home/victim/ -iname \*.chm -print`; do
>> ln -s /home/victim/ `basename ${f%%.chm}`
>> done
>
> And ask user victim to convert any of his own .chm files.
>
>
> Thanks.
>
> -- System Information:
> Debian Release: lenny/sid
>  APT prefers testing
>  APT policy: (500, 'testing')
> Architecture: i386 (i686)
>
> Kernel: Linux 2.6.27-rc7
> Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
> Shell: /bin/sh linked to /bin/dash
>
> Versions of packages chm2pdf depends on:
> ii  htmldoc                     1.8.27-3     HTML processor that  
> generates inde
> ii  libchm-bin                  2:0.39-9     library for dealing  
> with Microsoft
> ii  python                      2.5.2-2      An interactive high- 
> level object-o
> ii  python-chm                  0.8.4-0.1+b1 Python binding for CHMLIB
> ii  python-support              0.8.4        automated rebuilding  
> support for P
>
> chm2pdf recommends no packages.
>
> chm2pdf suggests no packages.
>
> -- no debconf information
>
>




Information forwarded to debian-bugs-dist@lists.debian.org, Steve Stalcup <vorian@ubuntu.com>:
Bug#501959; Package chm2pdf. (Sun, 12 Oct 2008 00:03:04 GMT) (full text, mbox, link).


Acknowledgement sent to Steve Stalcup <stalcups@gmail.com>:
Extra info received and forwarded to list. Copy sent to Steve Stalcup <vorian@ubuntu.com>. (Sun, 12 Oct 2008 00:03:04 GMT) (full text, mbox, link).


Tags added: security Request was from Tobias Klauser <tklauser@distanz.ch> to control@bugs.debian.org. (Sun, 12 Oct 2008 09:27:03 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Steve Stalcup <vorian@ubuntu.com>:
Bug#501959; Package chm2pdf. (Mon, 13 Oct 2008 00:33:02 GMT) (full text, mbox, link).


Message #20 received at 501959@bugs.debian.org (full text, mbox, reply):

From: Raphael Geissert <atomo64@gmail.com>
To: 502044@bugs.debian.org, 501959@bugs.debian.org
Cc: control@bugs.debian.org
Subject: chm2pdf: proposed NMU
Date: Sun, 12 Oct 2008 19:25:12 -0500
[Message part 1 (text/plain, inline)]
tag 502044 patch
tag 501959 patch
thanks

Hi,

Attached is the diff for my proposed NMU. The new package version has NOT been 
uploaded to give you the opportunity to make a better upload to address those 
issues.

Note that a separate upload is required for lenny.

Kind regards,
-- 
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net
[chm2pdf_nmu.diff (text/x-diff, inline)]
diff -u chm2pdf-0.9.1/debian/rules chm2pdf-0.9.1/debian/rules
--- chm2pdf-0.9.1/debian/rules
+++ chm2pdf-0.9.1/debian/rules
@@ -3,6 +3,7 @@
 DEB_PYTHON_SYSTEM=pysupport
 
 include /usr/share/cdbs/1/rules/debhelper.mk
+include /usr/share/cdbs/1/rules/patchsys-quilt.mk
 # include /usr/share/cdbs/1/rules/simple-patchsys.mk
 include /usr/share/cdbs/1/class/python-distutils.mk
 
diff -u chm2pdf-0.9.1/debian/changelog chm2pdf-0.9.1/debian/changelog
--- chm2pdf-0.9.1/debian/changelog
+++ chm2pdf-0.9.1/debian/changelog
@@ -1,3 +1,14 @@
+chm2pdf (0.9.1-1.1) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * debian/control, debian/rules: use quilt to manage patches
+  * insecure_temp_dirs.diff (Closes: #501959):
+    - Don't use static names to create temp dirs.
+    - Commented out --dontextract from usage info, as it is not very useful now
+  * bashisms.diff: fix bashism in chm2pdf (Closes: #502044).
+
+ -- Raphael Geissert <atomo64@gmail.com>  Sun, 12 Oct 2008 17:54:24 -0500
+
 chm2pdf (0.9.1-1) unstable; urgency=low
 
   * New upstream release
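Review bot: The new entry's first line sets urgency=low even though the entry closes #501959, an insecure temporary directory bug that this report carries at severity grave with the security tag. Suggest raising the urgency so the fix is not held back, and naming the replacement (tempfile.mkdtemp) in the "Don't use static names" item so the changelog says what the new behaviour is.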
diff -u chm2pdf-0.9.1/debian/control chm2pdf-0.9.1/debian/control
--- chm2pdf-0.9.1/debian/control
+++ chm2pdf-0.9.1/debian/control
@@ -5,7 +5,8 @@
 Build-Depends: cdbs (>= 0.4.49), 
  debhelper (>= 5), 
  python, 
- python-support (>= 0.6.4)
+ python-support (>= 0.6.4),
+ quilt
 Standards-Version: 3.8.0
 
 Package: chm2pdf
only in patch2:
unchanged:
--- chm2pdf-0.9.1.orig/debian/patches/bashisms.diff
+++ chm2pdf-0.9.1/debian/patches/bashisms.diff
@@ -0,0 +1,13 @@
+Index: chm2pdf-0.9.1/chm2pdf
+===================================================================
+--- chm2pdf-0.9.1.orig/chm2pdf
++++ chm2pdf-0.9.1/chm2pdf
+@@ -1087,7 +1087,7 @@ def main(argv):
+         if options['verbose'] == '--verbose' and options['verbositylevel'] == 'high':
+             os.system('extract_chmLib ' + filename + ' ' + CHM2PDF_ORIG_DIR)
+         else:
+-            os.system('extract_chmLib ' + filename + ' ' + CHM2PDF_ORIG_DIR + '&> /dev/null')
++            os.system('extract_chmLib ' + filename + ' ' + CHM2PDF_ORIG_DIR + '> /dev/null 2>&1')
+     
+     convert_to_pdf(cfile, filename, outputfilename, options)
+     shutil.rmtree(CHM2PDF_TEMP_WORK_DIR)
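Review bot: The rewritten os.system() line still builds the command by concatenating filename and CHM2PDF_ORIG_DIR unquoted, so a CHM path containing spaces or shell metacharacters is parsed by /bin/sh instead of reaching extract_chmLib as one argument; the verbose branch two lines above has the same problem. Since the line is being touched anyway, suggest subprocess.call(['extract_chmLib', filename, CHM2PDF_ORIG_DIR], ...) with stdout and stderr pointed at an opened os.devnull, which also removes the dependency on shell redirection syntax that caused the bashism.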
only in patch2:
unchanged:
--- chm2pdf-0.9.1.orig/debian/patches/insecure_temp_dirs.diff
+++ chm2pdf-0.9.1/debian/patches/insecure_temp_dirs.diff
@@ -0,0 +1,73 @@
+Index: chm2pdf-0.9.1/chm2pdf
+===================================================================
+--- chm2pdf-0.9.1.orig/chm2pdf
++++ chm2pdf-0.9.1/chm2pdf
+@@ -27,6 +27,8 @@ import sgmllib
+ import os, os.path
+ import re, glob
+ import getopt
++import tempfile
++import shutil
+ # from BeautifulSoup import BeautifulSoup
+ 
+ global version
+@@ -39,8 +41,8 @@ global CHM2PDF_ORIG_DIR
+ global filename #the input filename
+ 
+ version = '0.9.1'
+-CHM2PDF_TEMP_WORK_DIR='/tmp/chm2pdf/work' 
+-CHM2PDF_TEMP_ORIG_DIR='/tmp/chm2pdf/orig'
++CHM2PDF_TEMP_WORK_DIR=tempfile.mkdtemp()
++CHM2PDF_TEMP_ORIG_DIR=tempfile.mkdtemp()
+ 
+ 
+ 
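Review bot: Both tempfile.mkdtemp() calls sit at module level, so two directories are created on every invocation, including runs that only print usage or stop on an argument error, and nothing removes them on those paths. Suggest creating them inside main() after the arguments have been validated, and passing a prefix such as prefix='chm2pdf-' so any leftovers are identifiable.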
+@@ -299,16 +301,6 @@ def convert_to_pdf(cfile, filename, outp
+     # ########################### File extraction and correction: START ############################
+     #
+     if options['dontextract'] == '':
+-    
+-        try:
+-            os.mkdir(CHM2PDF_TEMP_WORK_DIR)
+-        except OSError: # The directory already exists.
+-            pass
+-        
+-        try:
+-            os.mkdir(CHM2PDF_TEMP_ORIG_DIR)
+-        except OSError: # The directory already exists.
+-            pass
+         
+         try:
+             os.mkdir(CHM2PDF_ORIG_DIR)
+@@ -620,7 +612,7 @@ def usage (name):
+     print '\t--continuous\n\t\tSpecifies  that  the  HTML  sources are unstructured (plain web pages).\n\t\tNo page breaks are inserted between each file or URL in the output.'
+     print '\t--cookies \'name="value with space"; name=value\'\n\t\t'
+     print '\t--datadir directory\n\t\tSpecifies the  location  of  the  HTMLDOC  data  files,  usually  /usr/share/htmldoc  or  C:\Program Files\HTMLDOC '
+-    print "\t--dontextract \n\t\tIf given, %s will not extract the HTML files from the given CHM file, but will use previously extracted copies from the temporary directory " %name + '(i.e. ' + CHM2PDF_TEMP_ORIG_DIR + ' and ' + CHM2PDF_TEMP_WORK_DIR + '). Usually you will use this option after you have used the \'--extract-only\' option to extract the files in order to correct them manually (in ' + CHM2PDF_TEMP_WORK_DIR + '). After the correction, a call with \'--dontextract\' will not overwrite your changes, but will use the corrected files instead.'
++#    print "\t--dontextract \n\t\tIf given, %s will not extract the HTML files from the given CHM file, but will use previously extracted copies from the temporary directory " %name + '(i.e. ' + CHM2PDF_TEMP_ORIG_DIR + ' and ' + CHM2PDF_TEMP_WORK_DIR + '). Usually you will use this option after you have used the \'--extract-only\' option to extract the files in order to correct them manually (in ' + CHM2PDF_TEMP_WORK_DIR + '). After the correction, a call with \'--dontextract\' will not overwrite your changes, but will use the corrected files instead.'
+     print '\t--duplex\n\t\tSpecifies that the output should be formatted for double-sided printing.'
+     print '\t--effectduration {0.1..10.0}\n\t\tSpecifies the duration in seconds of PDF page transition effects.'
+     print '\t--embedfonts\n\t\tSpecifies that fonts should be embedded in PDF output.'
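Review bot: Commenting out the --dontextract help text hides the option but does not disable it: the context of the previous hunk still tests options['dontextract'] == '', so a user who passes --dontextract now gets a conversion run against two freshly created, empty directories. Either reject the option with an explicit error, or keep it working by letting the user name the directory that holds the previously extracted files.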
+@@ -1084,13 +1076,6 @@ def main(argv):
+         print 'CHM file "' + filename + '" not found!'
+         return
+     
+-    #remove temporary files
+-    if options['dontextract'] == '':
+-        if options['verbose']=='--verbose' and options['verbositylevel']=='high':
+-            print 'Removing any previous temporary files...'
+-        os.system('rm -r '+CHM2PDF_ORIG_DIR+'/*')
+-        os.system('rm -r '+CHM2PDF_WORK_DIR+'/*')
+-    
+     cfile = chm.CHMFile()
+     cfile.LoadCHM(filename)
+ 
+@@ -1105,6 +1090,8 @@ def main(argv):
+             os.system('extract_chmLib ' + filename + ' ' + CHM2PDF_ORIG_DIR + '&> /dev/null')
+     
+     convert_to_pdf(cfile, filename, outputfilename, options)
++    shutil.rmtree(CHM2PDF_TEMP_WORK_DIR)
++    shutil.rmtree(CHM2PDF_TEMP_ORIG_DIR)
+ 
+ 
+ if __name__ == '__main__':
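Review bot: The two shutil.rmtree() calls are reached only when convert_to_pdf() returns normally; an exception there, or the earlier "not found" return visible in the previous hunk's context, leaves both directories behind. Wrap the work in try/finally so cleanup always runs. The context line above still shows '&> /dev/null', so this patch must stay ahead of bashisms.diff in the series file for both to apply.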
only in patch2:
unchanged:
--- chm2pdf-0.9.1.orig/debian/patches/series
+++ chm2pdf-0.9.1/debian/patches/series
@@ -0,0 +1,2 @@
+insecure_temp_dirs.diff
+bashisms.diff

Tags added: patch Request was from Raphael Geissert <atomo64@gmail.com> to control@bugs.debian.org. (Mon, 13 Oct 2008 00:33:05 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Steve Stalcup <vorian@ubuntu.com>:
Bug#501959; Package chm2pdf. (Mon, 13 Oct 2008 00:48:07 GMT) (full text, mbox, link).


Acknowledgement sent to "Steve Stalcup" <vorian@ubuntu.com>:
Extra info received and forwarded to list. Copy sent to Steve Stalcup <vorian@ubuntu.com>. (Mon, 13 Oct 2008 00:48:07 GMT) (full text, mbox, link).


Message #27 received at 501959@bugs.debian.org (full text, mbox, reply):

From: "Steve Stalcup" <vorian@ubuntu.com>
To: "Raphael Geissert" <atomo64@gmail.com>, 501959@bugs.debian.org
Subject: Re: Bug#501959: chm2pdf: proposed NMU
Date: Sun, 12 Oct 2008 20:40:19 -0400
Thanks very much for the quick work on this patch.

-Steve

On Sun, Oct 12, 2008 at 8:25 PM, Raphael Geissert <atomo64@gmail.com> wrote:
> tag 502044 patch
> tag 501959 patch
> thanks
>
> Hi,
>
> Attached is the diff for my proposed NMU. The new package version has NOT been
> uploaded to give you the opportunity to make a better upload to address those
> issues.
>
> Note that a separate upload is required for lenny.
>
> Kind regards,




Information forwarded to debian-bugs-dist@lists.debian.org, Steve Stalcup <vorian@ubuntu.com>:
Bug#501959; Package chm2pdf. (Sat, 01 Nov 2008 13:33:02 GMT) (full text, mbox, link).


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Steve Stalcup <vorian@ubuntu.com>. (Sat, 01 Nov 2008 13:33:03 GMT) (full text, mbox, link).


Message #32 received at 501959@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>
To: Steve Stalcup <stalcups@gmail.com>, 501959@bugs.debian.org
Subject: Re: Bug#501959: chm2pdf: Major security (temporary dirs) problems
Date: Sat, 1 Nov 2008 14:30:36 +0100
[Message part 1 (text/plain, inline)]
Hi Steve,
any reason this hasn't yet been uploaded?

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Steve Stalcup <vorian@ubuntu.com>:
Bug#501959; Package chm2pdf. (Sat, 01 Nov 2008 13:51:06 GMT) (full text, mbox, link).


Acknowledgement sent to Steve Stalcup <stalcups@gmail.com>:
Extra info received and forwarded to list. Copy sent to Steve Stalcup <vorian@ubuntu.com>. (Sat, 01 Nov 2008 13:51:06 GMT) (full text, mbox, link).


Message #37 received at 501959@bugs.debian.org (full text, mbox, reply):

From: Steve Stalcup <stalcups@gmail.com>
To: Nico Golde <nion@debian.org>
Cc: "501959@bugs.debian.org" <501959@bugs.debian.org>
Subject: Re: Bug#501959: chm2pdf: Major security (temporary dirs) problems
Date: Sat, 1 Nov 2008 09:50:25 -0400
Hi Nico,

I'm just waiting for a sponsor upload. I have uploaded the fix into Ubuntu 8.10.

Steve




Information forwarded to debian-bugs-dist@lists.debian.org, Steve Stalcup <vorian@ubuntu.com>:
Bug#501959; Package chm2pdf. (Sat, 01 Nov 2008 14:00:04 GMT) (full text, mbox, link).


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Steve Stalcup <vorian@ubuntu.com>. (Sat, 01 Nov 2008 14:00:04 GMT) (full text, mbox, link).


Message #42 received at 501959@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>
To: Steve Stalcup <stalcups@gmail.com>
Cc: "501959@bugs.debian.org" <501959@bugs.debian.org>
Subject: Re: Bug#501959: chm2pdf: Major security (temporary dirs) problems
Date: Sat, 1 Nov 2008 14:57:58 +0100
[Message part 1 (text/plain, inline)]
Hi Steve,
* Steve Stalcup <stalcups@gmail.com> [2008-11-01 14:55]:
> I'm just waiting for a sponsor upload.  I have uploaded the fix into ubuntu 
> 8.10

I can sponsor the upload if you want.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Reply sent to Raphael Geissert <atomo64@gmail.com>:
You have taken responsibility. (Mon, 03 Nov 2008 13:54:07 GMT) (full text, mbox, link).


Notification sent to Karol Lewandowski <lmctlx@gmail.com>:
Bug acknowledged by developer. (Mon, 03 Nov 2008 13:54:08 GMT) (full text, mbox, link).


Message #47 received at 501959-close@bugs.debian.org (full text, mbox, reply):

From: Raphael Geissert <atomo64@gmail.com>
To: 501959-close@bugs.debian.org
Subject: Bug#501959: fixed in chm2pdf 0.9.1-1.1
Date: Mon, 03 Nov 2008 13:47:03 +0000
Source: chm2pdf
Source-Version: 0.9.1-1.1

We believe that the bug you reported is fixed in the latest version of
chm2pdf, which is due to be installed in the Debian FTP archive:

chm2pdf_0.9.1-1.1.diff.gz
  to pool/main/c/chm2pdf/chm2pdf_0.9.1-1.1.diff.gz
chm2pdf_0.9.1-1.1.dsc
  to pool/main/c/chm2pdf/chm2pdf_0.9.1-1.1.dsc
chm2pdf_0.9.1-1.1_all.deb
  to pool/main/c/chm2pdf/chm2pdf_0.9.1-1.1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 501959@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Raphael Geissert <atomo64@gmail.com> (supplier of updated chm2pdf package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 12 Oct 2008 17:54:24 -0500
Source: chm2pdf
Binary: chm2pdf
Architecture: source all
Version: 0.9.1-1.1
Distribution: unstable
Urgency: low
Maintainer: Steve Stalcup <vorian@ubuntu.com>
Changed-By: Raphael Geissert <atomo64@gmail.com>
Description: 
 chm2pdf    - A Python script that converts CHM files into PDF files
Closes: 501959 502044
Changes: 
 chm2pdf (0.9.1-1.1) unstable; urgency=low
 .
   * Non-maintainer upload.
   * debian/control, debian/rules: use quilt to manage patches
   * insecure_temp_dirs.diff (Closes: #501959):
     - Don't use static names to create temp dirs.
     - Commented out --dontextract from usage info, as it is not very useful now
   * bashisms.diff: fix bashism in chm2pdf (Closes: #502044).

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkkO/scACgkQHYflSXNkfP/pogCbBRYnC4tD0sHSZf/LdfPiaZYH
PWsAoJlEhkWFXs2zv2SIkA4z3vCXvGiD
=2Yeo
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, Steve Stalcup <vorian@ubuntu.com>:
Bug#501959; Package chm2pdf. (Tue, 25 Nov 2008 09:42:07 GMT) (full text, mbox, link).


Acknowledgement sent to Chris Karakas <chris@karakas-online.de>:
Extra info received and forwarded to list. Copy sent to Steve Stalcup <vorian@ubuntu.com>. (Tue, 25 Nov 2008 09:42:08 GMT) (full text, mbox, link).


Message #52 received at 501959@bugs.debian.org (full text, mbox, reply):

From: Chris Karakas <chris@karakas-online.de>
To: 501959@bugs.debian.org
Subject: Re: chm2pdf: Major security (temporary dirs) problems
Date: Tue, 25 Nov 2008 10:39:23 +0100
Hello all,

I definitely oppose the proposed patch and will NOT accept it in chm2pdf (I am one of the two authors)!

Reasons:

1) There are easier ways to avoid the security risks.
2) It destroys the "--dontextract" option which is a *very* useful one!


Let me propose an alternative:

It all has to do with using "tmp" in these 2 lines, right?

CHM2PDF_TEMP_WORK_DIR='/tmp/chm2pdf/work'
CHM2PDF_TEMP_ORIG_DIR='/tmp/chm2pdf/orig'

So, what would you say if I changed "tmp"  to $HOME in the above two lines? Any security concerns here? This way, we keep sane names for the directories, we don't touch tmp, the user and only the user has full control of the directories created - and we can keep the --dontextract option!

Any objections - or suggestions :-) - before I start coding? 

PS.: Before you kill me about the use of tmp, bear in mind that this tool was created with the "normal user" in mind (me! :-)))), i.e. for a system where 99% of the time only one user is using it. That user was assumed to (be able to) change the value of the CHM2PDF_TEMP_* variables to whatever fits him - that's why the variables were actually created. Now people start complaining about "malicious users". Oh well...you are all so right - but notice what: we have already stopped talking about how to make the program do its actual job better - we are talking about "cross-cutting concerns"! That is, we now concentrate our energy *not* on the problem we originally had to solve (CHM to PDF conversion), but on things like "where to put the working dir, in /tmp, in $HOME or elsewhere...". :roll:

-- 
Regards

Chris Karakas
http://www.karakas-online.de




Information forwarded to debian-bugs-dist@lists.debian.org, Steve Stalcup <vorian@ubuntu.com>:
Bug#501959; Package chm2pdf. (Thu, 27 Nov 2008 14:12:15 GMT) (full text, mbox, link).


Acknowledgement sent to Gunnar Wolf <gwolf@gwolf.org>:
Extra info received and forwarded to list. Copy sent to Steve Stalcup <vorian@ubuntu.com>. (Thu, 27 Nov 2008 14:12:15 GMT) (full text, mbox, link).


Message #57 received at 501959@bugs.debian.org (full text, mbox, reply):

From: Gunnar Wolf <gwolf@gwolf.org>
To: Chris Karakas <chris@karakas-online.de>, 501959@bugs.debian.org
Subject: Re: Bug#501959: chm2pdf: Major security (temporary dirs) problems
Date: Thu, 27 Nov 2008 08:10:03 -0600
Chris Karakas wrote [Tue, Nov 25, 2008 at 10:39:23AM +0100]:
> Hello all,
> 
> I definitely oppose the proposed patch and will NOT accept it in chm2pdf (I am one of the two authors)!
> 
> Reasons:
> 
> 1) There are easier ways to avoid the security risks.
> 2) It destroys the "--dontextract" option which is a *very* useful one!
> 
> Let me propose an alternative:
> 
> It all has to do with using "tmp" in these 2 lines, right?
> 
> CHM2PDF_TEMP_WORK_DIR='/tmp/chm2pdf/work'
> CHM2PDF_TEMP_ORIG_DIR='/tmp/chm2pdf/orig'
> 
> So, what would you say if I changed "tmp" to $HOME in the above two
> lines? Any security concerns here? This way, we keep sane names for
> the directories, we don't touch tmp, the user and only the user has
> full control of the directories created - and we can keep the
> --dontextract option!
> 
> Any objections - or suggestions :-) - before I start coding? 

Umh... I don't think that will do in many scenarios. I am not familiar
with your code (I only stumbled upon this bug report), but please keep
in mind that programs such as this one might often be called by a user
with no writable home directory - Say, web-based processes.

Most authors agree to use secure, unpredictable tempdir functions,
available basically on every language, such as the one suggested by
Raphael. I would recommend you to:

- Default to Raphael's suggestion
- Include a command line switch, so that the user can specify the
  tempdir (or PDF build dir, or whatever nomenclature you find
  suitable). 

> PS.: Before you kill me about the use of tmp, bear in mind that this
> tool was created with the "normal user" in mind (me! :-)))),
> i.e. for a system where 99% of the time only one user is using
> it. That user was assumed to (be able to) change the value of the
> CHM2PDF_TEMP_* variables to whatever fits him - that's why the
> variables were actually created. Now people start complaining about
> "malicious users". Oh well...you are all so right - but notice what:
> we have already stopped talking about how to make the program do its
> actual job better - we are talking about "cross-cutting concerns"!
> That is, we now concentrate our energy *not* on the problem we
> originally had to solve (CHM to PDF conversion), but on things like
> "where to put the working dir, in /tmp, in $HOME or
> elsewhere...". :roll:

Well... That's the role of a distribution's QA, isn't it? ;-) We trust
you to be the best person to implement the hard logic and little
details behind it all, but please trust us when advising on how most
users install their software, at least in Debian settings.

Why so much insistence? First, because if the software is shipped as
part of Debian, a user cannot modify the variables (i.e. the program
will be installed in /usr/bin, owned by root, and not writable by any
system user). Second, most users (and the proportion is growing!) are
not proficient in Python, nor interested in learning how to program,
and, even if I don't like the idea, will just be scared at the idea of
opening a program source in a text editor.

Yes, I know many of those users will have a single-user system. But
still, Linux distributions _still_ have (and will continue to) large
numbers of multi-user settings (i.e. school/university labs, or
company-wide managed terminals, and a very large etcetera - Even a
household with several different users!)

As a distribution, it is our task to ensure all the user cases are
satisfiable the best way possible... even if that's not what you
originally intended. Of course, you are free not to incorporate a
patch in your sources - but that will only mean we will keep it as a
patch (and behaviour difference) in our packaging.

-- 
Gunnar Wolf - gwolf@gwolf.org - (+52-55)5623-0154 / 1451-2244
PGP key 1024D/8BB527AF 2001-10-23
Fingerprint: 0C79 D2D1 2C4E 9CE4 5973  F800 D80E F35A 8BB5 27AF
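
The two recommendations in the message above (default to an unpredictable temporary directory, plus a switch that lets the user name the directory) can be combined as follows. This is an added Python 3 example, not code from chm2pdf or from the NMU; the function names and the idea of a `--workdir` switch feeding `user_dir` are assumptions.

```python
import os
import shutil
import stat
import tempfile


class UnsafeWorkDir(Exception):
    """A caller-supplied work directory that must not be used."""


def check_private_dir(path):
    """Return `path` only if it is a real directory that we own and that
    nobody else can write to."""
    st = os.lstat(path)  # lstat: inspect the entry itself, not a symlink target
    if stat.S_ISLNK(st.st_mode):
        raise UnsafeWorkDir("%s is a symlink" % path)
    if not stat.S_ISDIR(st.st_mode):
        raise UnsafeWorkDir("%s is not a directory" % path)
    if st.st_uid != os.geteuid():
        raise UnsafeWorkDir("%s belongs to uid %d" % (path, st.st_uid))
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise UnsafeWorkDir("%s is writable by group or others" % path)
    return path


def open_work_dir(user_dir=None):
    """Return (path, is_temporary).

    Default: a fresh, unpredictable, mode-0700 directory from mkdtemp().
    With user_dir (hypothetical --workdir switch): create it privately if
    missing, then verify it, so extracted files can be reused between runs.
    """
    if user_dir is None:
        return tempfile.mkdtemp(prefix="chm2pdf-"), True
    try:
        os.mkdir(user_dir, 0o700)
    except FileExistsError:
        pass  # may be ours from an earlier run, or planted; verified below
    return check_private_dir(user_dir), False


def clear_dir(path):
    """Empty a verified directory. A symlinked `path` is refused, and
    symlinks found inside are unlinked, never followed."""
    check_private_dir(path)
    with os.scandir(path) as entries:
        for entry in entries:
            if entry.is_dir(follow_symlinks=False):
                shutil.rmtree(entry.path)
            else:
                os.unlink(entry.path)


def with_work_dir(job, user_dir=None):
    """Run job(path). A temporary directory is removed even if job raises;
    a user-named one is kept for later reuse."""
    path, temporary = open_work_dir(user_dir)
    try:
        return job(path)
    finally:
        if temporary:
            shutil.rmtree(path, ignore_errors=True)


if __name__ == "__main__":
    # Constructed scenario in a scratch area: a pre-planted symlink is refused.
    scratch = tempfile.mkdtemp()
    target = os.path.join(scratch, "someone_elses_data")
    os.mkdir(target)
    planted = os.path.join(scratch, "planted")
    os.symlink(target, planted)
    try:
        open_work_dir(planted)
    except UnsafeWorkDir as exc:
        print("refused:", exc)
    print("default:", with_work_dir(lambda p: oct(os.lstat(p).st_mode & 0o777)))
    shutil.rmtree(scratch)
```

The checks assume the parent of a user-named directory is either private or sticky (as /tmp is), so the verified entry cannot be swapped by another user between the check and its use.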




Information forwarded to debian-bugs-dist@lists.debian.org, Steve Stalcup <vorian@ubuntu.com>:
Bug#501959; Package chm2pdf. (Mon, 01 Dec 2008 15:18:06 GMT) (full text, mbox, link).


Acknowledgement sent to "Thijs Kinkhorst" <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Steve Stalcup <vorian@ubuntu.com>. (Mon, 01 Dec 2008 15:18:07 GMT) (full text, mbox, link).


Message #62 received at 501959@bugs.debian.org (full text, mbox, reply):

From: "Thijs Kinkhorst" <thijs@debian.org>
To: 501959@bugs.debian.org
Subject: this is CVE-2008-529[89]
Date: Mon, 1 Dec 2008 16:13:43 +0100 (CET)
Hi,

This is CVE-2008-5298 (issue 1) and CVE-2008-5299 (issue 2). Please
mention them retroactively in the changelog for the version that fixed it.


cheers,
Thijs





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 30 Dec 2008 07:29:24 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 10:01:11 2025; Machine Name: buxtehude
