Report forwarded
to debian-bugs-dist@lists.debian.org, Steve Stalcup <vorian@ubuntu.com>: Bug#501959; Package chm2pdf.
(Sat, 11 Oct 2008 23:48:03 GMT)
Acknowledgement sent
to Karol Lewandowski <lmctlx@gmail.com>:
New Bug report received and forwarded. Copy sent to Steve Stalcup <vorian@ubuntu.com>.
(Sat, 11 Oct 2008 23:48:03 GMT)
Subject: chm2pdf: Major security (temporary dirs) problems
Date: Sun, 12 Oct 2008 01:43:00 +0200
Package: chm2pdf
Version: 0.9-2
Severity: grave
Justification: causes non-serious data loss
There are several problems with this package:
1. chm2pdf creates /tmp/chm2pdf/{orig,work}/X directories.
(Where X is file basename, foo for foo.chm).
This makes the script unusable for other users, i.e. userA runs chm2pdf,
which creates /tmp/chm2pdf owned by userA, and userB has no chance to
create files there.
2. A malicious user could prepare a directory structure which, upon chm2pdf
execution, could cause serious data loss.
from /usr/bin/chm2pdf:
CHM2PDF_TEMP_WORK_DIR='/tmp/chm2pdf/work'
CHM2PDF_TEMP_ORIG_DIR='/tmp/chm2pdf/orig'
...
CHM2PDF_WORK_DIR = CHM2PDF_TEMP_WORK_DIR + os.sep + basename
CHM2PDF_ORIG_DIR = CHM2PDF_TEMP_ORIG_DIR + os.sep + basename
...
os.system('rm -r '+CHM2PDF_ORIG_DIR+'/*')
os.system('rm -r '+CHM2PDF_WORK_DIR+'/*')
.
Malicious user could do e.g.
malicious$ mkdir /tmp/chm2pdf/{orig,work}
malicious$ cd /tmp/chm2pdf/orig
malicious$ for f in `find /home/victim/ -iname \*.chm -print`; do
> ln -s /home/victim/ `basename ${f%%.chm}`
> done
And ask user victim to convert any of his own .chm files.
Thanks.
-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.27-rc7
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Versions of packages chm2pdf depends on:
ii htmldoc 1.8.27-3 HTML processor that generates inde
ii libchm-bin 2:0.39-9 library for dealing with Microsoft
ii python 2.5.2-2 An interactive high-level object-o
ii python-chm 0.8.4-0.1+b1 Python binding for CHMLIB
ii python-support 0.8.4 automated rebuilding support for P
chm2pdf recommends no packages.
chm2pdf suggests no packages.
-- no debconf information
Information forwarded
to debian-bugs-dist@lists.debian.org, Steve Stalcup <vorian@ubuntu.com>: Bug#501959; Package chm2pdf.
(Sun, 12 Oct 2008 00:03:03 GMT)
Acknowledgement sent
to Steve Stalcup <stalcups@gmail.com>:
Extra info received and forwarded to list. Copy sent to Steve Stalcup <vorian@ubuntu.com>.
(Sun, 12 Oct 2008 00:03:03 GMT)
Subject: Re: Bug#501959: chm2pdf: Major security (temporary dirs) problems
Date: Sat, 11 Oct 2008 20:01:40 -0400
Thanks for the report
-Steve
On Oct 11, 2008, at 7:43 PM, Karol Lewandowski <lmctlx@gmail.com> wrote:
> Package: chm2pdf
> Version: 0.9-2
> Severity: grave
> Justification: causes non-serious data loss
>
> There are several problems with this package:
>
> 1. chm2pdf creates /tmp/chm2pdf/{orig,work}/X directories.
> (Where X is file basename, foo for foo.chm).
>
> This makes the script unusable for other users, i.e. userA runs chm2pdf,
> which creates /tmp/chm2pdf owned by userA, and userB has no chance to
> create files there.
>
>
> 2. A malicious user could prepare a directory structure which, upon chm2pdf
> execution, could cause serious data loss.
>
> from /usr/bin/chm2pdf:
>
> CHM2PDF_TEMP_WORK_DIR='/tmp/chm2pdf/work'
> CHM2PDF_TEMP_ORIG_DIR='/tmp/chm2pdf/orig'
> ...
> CHM2PDF_WORK_DIR = CHM2PDF_TEMP_WORK_DIR + os.sep + basename
> CHM2PDF_ORIG_DIR = CHM2PDF_TEMP_ORIG_DIR + os.sep + basename
> ...
> os.system('rm -r '+CHM2PDF_ORIG_DIR+'/*')
> os.system('rm -r '+CHM2PDF_WORK_DIR+'/*')
> .
>
> Malicious user could do e.g.
>
> malicious$ mkdir /tmp/chm2pdf/{orig,work}
> malicious$ cd /tmp/chm2pdf/orig
> malicious$ for f in `find /home/victim/ -iname \*.chm -print`; do
> > ln -s /home/victim/ `basename ${f%%.chm}`
> > done
>
> And ask user victim to convert any of his own .chm files.
>
>
> Thanks.
>
> -- System Information:
> Debian Release: lenny/sid
> APT prefers testing
> APT policy: (500, 'testing')
> Architecture: i386 (i686)
>
> Kernel: Linux 2.6.27-rc7
> Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
> Shell: /bin/sh linked to /bin/dash
>
> Versions of packages chm2pdf depends on:
> ii htmldoc 1.8.27-3 HTML processor that
> generates inde
> ii libchm-bin 2:0.39-9 library for dealing
> with Microsoft
> ii python 2.5.2-2 An interactive high-
> level object-o
> ii python-chm 0.8.4-0.1+b1 Python binding for CHMLIB
> ii python-support 0.8.4 automated rebuilding
> support for P
>
> chm2pdf recommends no packages.
>
> chm2pdf suggests no packages.
>
> -- no debconf information
>
>
Information forwarded
to debian-bugs-dist@lists.debian.org, Steve Stalcup <vorian@ubuntu.com>: Bug#501959; Package chm2pdf.
(Sun, 12 Oct 2008 00:03:04 GMT)
Acknowledgement sent
to Steve Stalcup <stalcups@gmail.com>:
Extra info received and forwarded to list. Copy sent to Steve Stalcup <vorian@ubuntu.com>.
(Sun, 12 Oct 2008 00:03:04 GMT)
Tags added: security
Request was from Tobias Klauser <tklauser@distanz.ch>
to control@bugs.debian.org.
(Sun, 12 Oct 2008 09:27:03 GMT)
Information forwarded
to debian-bugs-dist@lists.debian.org, Steve Stalcup <vorian@ubuntu.com>: Bug#501959; Package chm2pdf.
(Mon, 13 Oct 2008 00:33:02 GMT)
tag 502044 patch
tag 501959 patch
thanks
Hi,
Attached is the diff for my proposed NMU. The new package version has NOT been
uploaded to give you the opportunity to make a better upload to address those
issues.
Note that a separate upload is required for lenny.
Kind regards,
--
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net
diff -u chm2pdf-0.9.1/debian/rules chm2pdf-0.9.1/debian/rules
--- chm2pdf-0.9.1/debian/rules
+++ chm2pdf-0.9.1/debian/rules
@@ -3,6 +3,7 @@
DEB_PYTHON_SYSTEM=pysupport
include /usr/share/cdbs/1/rules/debhelper.mk
+include /usr/share/cdbs/1/rules/patchsys-quilt.mk
# include /usr/share/cdbs/1/rules/simple-patchsys.mk
include /usr/share/cdbs/1/class/python-distutils.mk
diff -u chm2pdf-0.9.1/debian/changelog chm2pdf-0.9.1/debian/changelog
--- chm2pdf-0.9.1/debian/changelog
+++ chm2pdf-0.9.1/debian/changelog
@@ -1,3 +1,14 @@
+chm2pdf (0.9.1-1.1) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * debian/control, debian/rules: use quilt to manage patches
+ * insecure_temp_dirs.diff (Closes: #501959):
+ - Don't use static names to create temp dirs.
+ - Commented out --dontextract from usage info, as it is not very useful now
+ * bashisms.diff: fix bashism in chm2pdf (Closes: #502044).
+
+ -- Raphael Geissert <atomo64@gmail.com> Sun, 12 Oct 2008 17:54:24 -0500
+
chm2pdf (0.9.1-1) unstable; urgency=low
* New upstream release
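Review bot: the insecure_temp_dirs.diff bullet in this changelog entry names no CVE identifiers; as noted later in this bug, CVE-2008-5298 (static /tmp/chm2pdf paths usable by only one user) and CVE-2008-5299 (symlink-following "rm -r" data loss) were assigned to the two issues and should be referenced in the entry for the version that fixes them, e.g. "* insecure_temp_dirs.diff (CVE-2008-5298, CVE-2008-5299) (Closes: #501959):", so the fix is traceable from the changelog alone.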
diff -u chm2pdf-0.9.1/debian/control chm2pdf-0.9.1/debian/control
--- chm2pdf-0.9.1/debian/control
+++ chm2pdf-0.9.1/debian/control
@@ -5,7 +5,8 @@
Build-Depends: cdbs (>= 0.4.49),
debhelper (>= 5),
python,
- python-support (>= 0.6.4)
+ python-support (>= 0.6.4),
+ quilt
Standards-Version: 3.8.0
Package: chm2pdf
only in patch2:
unchanged:
--- chm2pdf-0.9.1.orig/debian/patches/bashisms.diff
+++ chm2pdf-0.9.1/debian/patches/bashisms.diff
@@ -0,0 +1,13 @@
+Index: chm2pdf-0.9.1/chm2pdf
+===================================================================
+--- chm2pdf-0.9.1.orig/chm2pdf
++++ chm2pdf-0.9.1/chm2pdf
+@@ -1087,7 +1087,7 @@ def main(argv):
+ if options['verbose'] == '--verbose' and options['verbositylevel'] == 'high':
+ os.system('extract_chmLib ' + filename + ' ' + CHM2PDF_ORIG_DIR)
+ else:
+- os.system('extract_chmLib ' + filename + ' ' + CHM2PDF_ORIG_DIR + '&> /dev/null')
++ os.system('extract_chmLib ' + filename + ' ' + CHM2PDF_ORIG_DIR + '> /dev/null 2>&1')
+
+ convert_to_pdf(cfile, filename, outputfilename, options)
+ shutil.rmtree(CHM2PDF_TEMP_WORK_DIR)
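Review bot: replacing "&> /dev/null" with "> /dev/null 2>&1" fixes the dash-incompatible redirection, but on both branches of this hunk filename and CHM2PDF_ORIG_DIR are still concatenated unquoted into a string handed to os.system, so a CHM file name containing spaces or shell metacharacters is split or interpreted by /bin/sh; the redirection becomes unnecessary altogether with an argument list, e.g. "subprocess.call(['extract_chmLib', filename, CHM2PDF_ORIG_DIR], stdout=devnull, stderr=subprocess.STDOUT)" with "devnull = open(os.devnull, 'w')" (subprocess is available in the Python 2.5 this package depends on). The trailing context line "shutil.rmtree(CHM2PDF_TEMP_WORK_DIR)" also shows this patch only applies after insecure_temp_dirs.diff, which the series file orders correctly; worth a comment in the patch header.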
only in patch2:
unchanged:
--- chm2pdf-0.9.1.orig/debian/patches/insecure_temp_dirs.diff
+++ chm2pdf-0.9.1/debian/patches/insecure_temp_dirs.diff
@@ -0,0 +1,73 @@
+Index: chm2pdf-0.9.1/chm2pdf
+===================================================================
+--- chm2pdf-0.9.1.orig/chm2pdf
++++ chm2pdf-0.9.1/chm2pdf
+@@ -27,6 +27,8 @@ import sgmllib
+ import os, os.path
+ import re, glob
+ import getopt
++import tempfile
++import shutil
+ # from BeautifulSoup import BeautifulSoup
+
+ global version
+@@ -39,8 +41,8 @@ global CHM2PDF_ORIG_DIR
+ global filename #the input filename
+
+ version = '0.9.1'
+-CHM2PDF_TEMP_WORK_DIR='/tmp/chm2pdf/work'
+-CHM2PDF_TEMP_ORIG_DIR='/tmp/chm2pdf/orig'
++CHM2PDF_TEMP_WORK_DIR=tempfile.mkdtemp()
++CHM2PDF_TEMP_ORIG_DIR=tempfile.mkdtemp()
+
+
+
+@@ -299,16 +301,6 @@ def convert_to_pdf(cfile, filename, outp
+ # ########################### File extraction and correction: START ############################
+ #
+ if options['dontextract'] == '':
+-
+- try:
+- os.mkdir(CHM2PDF_TEMP_WORK_DIR)
+- except OSError: # The directory already exists.
+- pass
+-
+- try:
+- os.mkdir(CHM2PDF_TEMP_ORIG_DIR)
+- except OSError: # The directory already exists.
+- pass
+
+ try:
+ os.mkdir(CHM2PDF_ORIG_DIR)
+@@ -620,7 +612,7 @@ def usage (name):
+ print '\t--continuous\n\t\tSpecifies that the HTML sources are unstructured (plain web pages).\n\t\tNo page breaks are inserted between each file or URL in the output.'
+ print '\t--cookies \'name="value with space"; name=value\'\n\t\t'
+ print '\t--datadir directory\n\t\tSpecifies the location of the HTMLDOC data files, usually /usr/share/htmldoc or C:\Program Files\HTMLDOC '
+- print "\t--dontextract \n\t\tIf given, %s will not extract the HTML files from the given CHM file, but will use previously extracted copies from the temporary directory " %name + '(i.e. ' + CHM2PDF_TEMP_ORIG_DIR + ' and ' + CHM2PDF_TEMP_WORK_DIR + '). Usually you will use this option after you have used the \'--extract-only\' option to extract the files in order to correct them manually (in ' + CHM2PDF_TEMP_WORK_DIR + '). After the correction, a call with \'--dontextract\' will not overwrite your changes, but will use the corrected files instead.'
++# print "\t--dontextract \n\t\tIf given, %s will not extract the HTML files from the given CHM file, but will use previously extracted copies from the temporary directory " %name + '(i.e. ' + CHM2PDF_TEMP_ORIG_DIR + ' and ' + CHM2PDF_TEMP_WORK_DIR + '). Usually you will use this option after you have used the \'--extract-only\' option to extract the files in order to correct them manually (in ' + CHM2PDF_TEMP_WORK_DIR + '). After the correction, a call with \'--dontextract\' will not overwrite your changes, but will use the corrected files instead.'
+ print '\t--duplex\n\t\tSpecifies that the output should be formatted for double-sided printing.'
+ print '\t--effectduration {0.1..10.0}\n\t\tSpecifies the duration in seconds of PDF page transition effects.'
+ print '\t--embedfonts\n\t\tSpecifies that fonts should be embedded in PDF output.'
+@@ -1084,13 +1076,6 @@ def main(argv):
+ print 'CHM file "' + filename + '" not found!'
+ return
+
+- #remove temporary files
+- if options['dontextract'] == '':
+- if options['verbose']=='--verbose' and options['verbositylevel']=='high':
+- print 'Removing any previous temporary files...'
+- os.system('rm -r '+CHM2PDF_ORIG_DIR+'/*')
+- os.system('rm -r '+CHM2PDF_WORK_DIR+'/*')
+-
+ cfile = chm.CHMFile()
+ cfile.LoadCHM(filename)
+
+@@ -1105,6 +1090,8 @@ def main(argv):
+ os.system('extract_chmLib ' + filename + ' ' + CHM2PDF_ORIG_DIR + '&> /dev/null')
+
+ convert_to_pdf(cfile, filename, outputfilename, options)
++ shutil.rmtree(CHM2PDF_TEMP_WORK_DIR)
++ shutil.rmtree(CHM2PDF_TEMP_ORIG_DIR)
+
+
+ if __name__ == '__main__':
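Review bot: the two tempfile.mkdtemp() calls now run at import time, but the matching shutil.rmtree calls are only reached on the success path after convert_to_pdf; the 'CHM file "..." not found!' return a few lines above them, any exception raised inside convert_to_pdf, and a plain usage() call all leave two empty mode-0700 directories behind in /tmp on every such run. Creating the directories in main() once the input file has been validated and removing them in a try/finally closes that leak. Separately, with unpredictable per-run directories that are deleted at exit, the "if options['dontextract'] == ''" check kept in convert_to_pdf still honours an option whose previously extracted files can no longer exist; since the usage text for it is commented out rather than the option removed, either drop the option from the parser as well or give it an explicit directory argument.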
only in patch2:
unchanged:
--- chm2pdf-0.9.1.orig/debian/patches/series
+++ chm2pdf-0.9.1/debian/patches/series
@@ -0,0 +1,2 @@
+insecure_temp_dirs.diff
+bashisms.diff
Tags added: patch
Request was from Raphael Geissert <atomo64@gmail.com>
to control@bugs.debian.org.
(Mon, 13 Oct 2008 00:33:05 GMT)
Information forwarded
to debian-bugs-dist@lists.debian.org, Steve Stalcup <vorian@ubuntu.com>: Bug#501959; Package chm2pdf.
(Mon, 13 Oct 2008 00:48:07 GMT)
Acknowledgement sent
to "Steve Stalcup" <vorian@ubuntu.com>:
Extra info received and forwarded to list. Copy sent to Steve Stalcup <vorian@ubuntu.com>.
(Mon, 13 Oct 2008 00:48:07 GMT)
To: "Raphael Geissert" <atomo64@gmail.com>, 501959@bugs.debian.org
Subject: Re: Bug#501959: chm2pdf: proposed NMU
Date: Sun, 12 Oct 2008 20:40:19 -0400
Thanks very much for the quick work on this patch.
-Steve
On Sun, Oct 12, 2008 at 8:25 PM, Raphael Geissert <atomo64@gmail.com> wrote:
> tag 502044 patch
> tag 501959 patch
> thanks
>
> Hi,
>
> Attached is the diff for my proposed NMU. The new package version has NOT been
> uploaded to give you the opportunity to make a better upload to address those
> issues.
>
> Note that a separate upload is required for lenny.
>
> Kind regards,
Information forwarded
to debian-bugs-dist@lists.debian.org, Steve Stalcup <vorian@ubuntu.com>: Bug#501959; Package chm2pdf.
(Sat, 01 Nov 2008 13:33:02 GMT)
Acknowledgement sent
to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Steve Stalcup <vorian@ubuntu.com>.
(Sat, 01 Nov 2008 13:33:03 GMT)
Hi Steve,
any reason this hasn't yet been uploaded?
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Information forwarded
to debian-bugs-dist@lists.debian.org, Steve Stalcup <vorian@ubuntu.com>: Bug#501959; Package chm2pdf.
(Sat, 01 Nov 2008 13:51:06 GMT)
Acknowledgement sent
to Steve Stalcup <stalcups@gmail.com>:
Extra info received and forwarded to list. Copy sent to Steve Stalcup <vorian@ubuntu.com>.
(Sat, 01 Nov 2008 13:51:06 GMT)
Subject: Re: Bug#501959: chm2pdf: Major security (temporary dirs) problems
Date: Sat, 1 Nov 2008 09:50:25 -0400
Hi Nico,
I'm just waiting for a sponsor upload. I have uploaded the fix into
Ubuntu 8.10.
Steve
Information forwarded
to debian-bugs-dist@lists.debian.org, Steve Stalcup <vorian@ubuntu.com>: Bug#501959; Package chm2pdf.
(Sat, 01 Nov 2008 14:00:04 GMT)
Acknowledgement sent
to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Steve Stalcup <vorian@ubuntu.com>.
(Sat, 01 Nov 2008 14:00:04 GMT)
Hi Steve,
* Steve Stalcup <stalcups@gmail.com> [2008-11-01 14:55]:
> I'm just waiting for a sponsor upload. I have uploaded the fix into ubuntu
> 8.10
I can sponsor the upload if you want.
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Source: chm2pdf
Source-Version: 0.9.1-1.1
We believe that the bug you reported is fixed in the latest version of
chm2pdf, which is due to be installed in the Debian FTP archive:
chm2pdf_0.9.1-1.1.diff.gz
to pool/main/c/chm2pdf/chm2pdf_0.9.1-1.1.diff.gz
chm2pdf_0.9.1-1.1.dsc
to pool/main/c/chm2pdf/chm2pdf_0.9.1-1.1.dsc
chm2pdf_0.9.1-1.1_all.deb
to pool/main/c/chm2pdf/chm2pdf_0.9.1-1.1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 501959@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Raphael Geissert <atomo64@gmail.com> (supplier of updated chm2pdf package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Sun, 12 Oct 2008 17:54:24 -0500
Source: chm2pdf
Binary: chm2pdf
Architecture: source all
Version: 0.9.1-1.1
Distribution: unstable
Urgency: low
Maintainer: Steve Stalcup <vorian@ubuntu.com>
Changed-By: Raphael Geissert <atomo64@gmail.com>
Description:
chm2pdf - A Python script that converts CHM files into PDF files
Closes: 501959 502044
Changes:
chm2pdf (0.9.1-1.1) unstable; urgency=low
.
* Non-maintainer upload.
* debian/control, debian/rules: use quilt to manage patches
* insecure_temp_dirs.diff (Closes: #501959):
- Don't use static names to create temp dirs.
- Commented out --dontextract from usage info, as it is not very useful now
* bashisms.diff: fix bashism in chm2pdf (Closes: #502044).
Information forwarded
to debian-bugs-dist@lists.debian.org, Steve Stalcup <vorian@ubuntu.com>: Bug#501959; Package chm2pdf.
(Tue, 25 Nov 2008 09:42:07 GMT)
Acknowledgement sent
to Chris Karakas <chris@karakas-online.de>:
Extra info received and forwarded to list. Copy sent to Steve Stalcup <vorian@ubuntu.com>.
(Tue, 25 Nov 2008 09:42:08 GMT)
Subject: Re: chm2pdf: Major security (temporary dirs) problems
Date: Tue, 25 Nov 2008 10:39:23 +0100
Hello all,
I definitely oppose the proposed patch and will NOT accept it in chm2pdf (I am one of the two authors)!
Reasons:
1) There are easier ways to avoid the security risks.
2) It destroys the "--dontextract" option which is a *very* useful one!
Let me propose an alternative:
It all has to do with using "tmp" in these 2 lines, right?
CHM2PDF_TEMP_WORK_DIR='/tmp/chm2pdf/work'
CHM2PDF_TEMP_ORIG_DIR='/tmp/chm2pdf/orig'
So, what would you say if I changed "tmp" to $HOME in the above two lines? Any security concerns here? This way, we keep sane names for the directories, we don't touch tmp, the user and only the user has full control of the directories created - and we can keep the --dontextract option!
Any objections - or suggestions :-) - before I start coding?
PS.: Before you kill me about the use of tmp, bear in mind that this tool was created with the "normal user" in mind (me! :-)))), i.e. for a system where 99% of the time only one user is using it. That user was assumed to (be able to) change the value of the CHM2PDF_TEMP_* variables to whatever fits him - that's why the variables were actually created. Now people start complaining about "malicious users". Oh well...you are all so right - but notice what: we have already stopped talking about how to make the program do its actual job better - we are talking about "cross-cutting concerns"! That is, we now concentrate our energy *not* on the problem we originally had to solve (CHM to PDF conversion), but on things like "where to put the working dir, in /tmp, in $HOME or elsewhere...". :roll:
--
Regards
Chris Karakas
http://www.karakas-online.de
Information forwarded
to debian-bugs-dist@lists.debian.org, Steve Stalcup <vorian@ubuntu.com>: Bug#501959; Package chm2pdf.
(Thu, 27 Nov 2008 14:12:15 GMT)
Acknowledgement sent
to Gunnar Wolf <gwolf@gwolf.org>:
Extra info received and forwarded to list. Copy sent to Steve Stalcup <vorian@ubuntu.com>.
(Thu, 27 Nov 2008 14:12:15 GMT)
To: Chris Karakas <chris@karakas-online.de>, 501959@bugs.debian.org
Subject: Re: Bug#501959: chm2pdf: Major security (temporary dirs) problems
Date: Thu, 27 Nov 2008 08:10:03 -0600
Chris Karakas said [Tue, Nov 25, 2008 at 10:39:23AM +0100]:
> Hello all,
>
> I definitely oppose the proposed patch and will NOT accept it in chm2pdf (I am one of the two authors)!
>
> Reasons:
>
> 1) There are easier ways to avoid the security risks.
> 2) It destroys the "--dontextract" option which is a *very* useful one!
>
> Let me propose an alternative:
>
> It all has to do with using "tmp" in these 2 lines, right?
>
> CHM2PDF_TEMP_WORK_DIR='/tmp/chm2pdf/work'
> CHM2PDF_TEMP_ORIG_DIR='/tmp/chm2pdf/orig'
>
> So, what would you say if I changed "tmp" to $HOME in the above two
> lines? Any security concerns here? This way, we keep sane names for
> the directories, we don't touch tmp, the user and only the user has
> full control of the directories created - and we can keep the
> --dontextract option!
>
> Any objections - or suggestions :-) - before I start coding?
Umh... I don't think that will do in many scenarios. I am not familiar
with your code (I only stumbled upon this bug report), but please keep
in mind that programs such as this one might often be called by a user
with no writable home directory - Say, web-based processes.
Most authors agree to use secure, unpredictable tempdir functions,
available basically on every language, such as the one suggested by
Raphael. I would recommend you to:
- Default to Raphael's suggestion
- Include a command line switch, so that the user can specify the
tempdir (or PDF build dir, or whatever nomenclature you find
suitable).
> PS.: Before you kill me about the use of tmp, bear in mind that this
> tool was created with the "normal user" in mind (me! :-)))),
> i.e. for a system where 99% of the time only one user is using
> it. That user was assumed to (be able to) change the value of the
> CHM2PDF_TEMP_* variables to whatever fits him - that's why the
> variables were actually created. Now people start complaining about
> "malicious users". Oh well...you are all so right - but notice what:
> we have already stopped talking about how to make the program do its
> actual job better - we are talking about "cross-cutting concerns"!
> That is, we now concentrate our energy *not* on the problem we
> originally had to solve (CHM to PDF conversion), but on things like
> "where to put the working dir, in /tmp, in $HOME or
> elsewhere...". :roll:
Well... That's the role of a distribution's QA, isn't it? ;-) We trust
you to be the best person to implement the hard logic and little
details behind it all, but please trust us when advising on how most
users install their software, at least in Debian settings.
Why so much insistence? First, because if the software is shipped as
part of Debian, a user cannot modify the variables (i.e. the program
will be installed in /usr/bin, owned by root, and not writable by any
system user). Second, most users (and the proportion is growing!) are
not proficient in Python, nor interested in learning how to program,
and, even if I don't like the idea, will just be scared at the idea of
opening a program source in a text editor.
Yes, I know many of those users will have a single-user system. But
still, Linux distributions _still_ have (and will continue to) large
numbers of multi-user settings (i.e. school/university labs, or
company-wide managed terminals, and a very large etcetera - Even a
household with several different users!)
As a distribution, it is our task to ensure all the user cases are
satisfiable the best way possible... even if that's not what you
originally intended. Of course, you are free not to incorporate a
patch in your sources - but that will only mean we will keep it as a
patch (and behaviour difference) in our packaging.
--
Gunnar Wolf - gwolf@gwolf.org - (+52-55)5623-0154 / 1451-2244
PGP key 1024D/8BB527AF 2001-10-23
Fingerprint: 0C79 D2D1 2C4E 9CE4 5973 F800 D80E F35A 8BB5 27AF
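An added Python 3 example of the pattern recommended above (a per-run unpredictable root from tempfile.mkdtemp, an optional caller-supplied base directory that is checked before use, and cleanup that refuses to follow symlinks and runs on failure too); this is not chm2pdf's own code nor Raphael's patch, and the function names and the --tempdir switch it models are hypothetical. It assumes a POSIX system (os.getuid, os.lstat ownership checks).

```python
import os
import shutil
import stat
import tempfile


def dir_is_private(path):
    """True only if path is a real directory (not a symlink) owned by the
    calling user and not writable by group or others.  os.lstat is used on
    purpose: a symlink planted by another user is rejected, not followed."""
    try:
        st = os.lstat(path)
    except OSError:
        return False
    if not stat.S_ISDIR(st.st_mode):
        return False
    if st.st_uid != os.getuid():
        return False
    return not bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def make_run_dirs(base=None):
    """Create an unpredictable per-run root plus the 'orig' and 'work'
    subdirectories chm2pdf uses.  base=None means the system temp dir;
    tempfile.mkdtemp creates the root with mode 0700.  A caller-supplied base
    (what a --tempdir switch would pass; hypothetical) must itself pass
    dir_is_private before anything is created inside it."""
    if base is not None and not dir_is_private(base):
        raise RuntimeError("refusing to use %r as temp base" % base)
    root = tempfile.mkdtemp(prefix="chm2pdf-", dir=base)
    orig = os.path.join(root, "orig")
    work = os.path.join(root, "work")
    os.mkdir(orig, 0o700)
    os.mkdir(work, 0o700)
    return root, orig, work


def remove_run_dirs(root):
    """Delete the run root, but only if it is still the private directory we
    created.  This replaces the original "rm -r DIR/*" shell call, which
    followed whatever symlink someone else had placed under /tmp/chm2pdf."""
    if not dir_is_private(root):
        raise RuntimeError("not removing %r: not our private directory" % root)
    shutil.rmtree(root)


def run_conversion(chm_path, convert_fn, base=None):
    """Run one conversion as convert_fn(chm_path, orig, work).  Cleanup sits
    in a finally block so the directories also disappear when conversion
    fails, which an rmtree placed only after a successful run would miss."""
    root, orig, work = make_run_dirs(base)
    try:
        return convert_fn(chm_path, orig, work)
    finally:
        remove_run_dirs(root)
```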
Information forwarded
to debian-bugs-dist@lists.debian.org, Steve Stalcup <vorian@ubuntu.com>: Bug#501959; Package chm2pdf.
(Mon, 01 Dec 2008 15:18:06 GMT)
Acknowledgement sent
to "Thijs Kinkhorst" <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Steve Stalcup <vorian@ubuntu.com>.
(Mon, 01 Dec 2008 15:18:07 GMT)
Hi,
This is CVE-2008-5298 (issue 1) and CVE-2008-5299 (issue 2). Please
mention them retroactively in the changelog for the version that fixed it.
cheers,
Thijs
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Tue, 30 Dec 2008 07:29:24 GMT)