Acknowledgement sent
to "brian m. carlson" <sandals@crustytoothpaste.ath.cx>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Colin Watson <cjwatson@debian.org>.
(Fri, 24 Jul 2009 21:21:05 GMT)
Package: groff
Version: 1.20.1-4
Severity: grave
File: /usr/bin/pdfroff
Tags: security
According to pdfroff(1) (and my inspection of the source code), pdfroff
uses $$ (the current pid) to create temporary files. This is extremely
easy to predict, and thus, insecure.
Please fix both the code and the documentation so that they securely
generate (or reference) temporary files.
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.30-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/zsh4
Versions of packages groff depends on:
ii groff-base 1.20.1-4 GNU troff text-formatting system (
ii libc6 2.9-21 GNU C Library: Shared libraries
ii libgcc1 1:4.4.1-1 GCC support library
ii libice6 2:1.0.5-1 X11 Inter-Client Exchange library
ii libsm6 2:1.1.0-2 X11 Session Management library
ii libstdc++6 4.4.1-1 The GNU Standard C++ Library v3
ii libx11-6 2:1.2.2-1 X11 client-side library
ii libxaw7 2:1.0.5-2 X11 Athena Widget library
ii libxmu6 2:1.0.4-1 X11 miscellaneous utility library
ii libxt6 1:1.0.5-3 X11 toolkit intrinsics library
Versions of packages groff recommends:
ii ghostscript 8.64~dfsg-13 The GPL Ghostscript PostScript/PDF
ii imagemagick 7:6.5.1.0-1.1 image manipulation programs
ii libpaper1 1.1.23+nmu1 library for handling paper charact
ii netpbm 2:10.0-12 Graphics conversion tools
ii psutils 1.17-26 A collection of PostScript documen
groff suggests no packages.
-- no debconf information
--
brian m. carlson / brian with sandals: Houston, Texas, US
+1 713 440 7475 | http://crustytoothpaste.ath.cx/~bmc | My opinion only
OpenPGP: RSA v4 4096b 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
See attached report; this is indeed a standard anti-pattern resulting in
security vulnerabilities. In Debian I'd be rather tempted to use 'mktemp
-d' to fix this. What do you think?
--
Colin Watson [cjwatson@debian.org]
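The following shell script is an added example, not code from groff, pdfroff or this bug report. It contrasts the predictable `$$`-based temporary name the report describes with the `mktemp -d` approach Colin suggests, and adds a check a packager can use to confirm the resulting directory is private. The `pdfroff-` prefix, the function names and the `SCRATCH` variable are the example's own choices and are not pdfroff's real code or interface.

```shell
#!/bin/sh
# Added example (not groff's code): predictable vs. unpredictable temp names.

# Vulnerable pattern from the report: the name is derived from the PID only.
# PIDs are small, sequential numbers, so a local user can pre-create the path
# (or a symlink at it) before the script touches it.
insecure_tmpname() {
    printf '%s/pdfroff-%s\n' "${TMPDIR:-/tmp}" "$$"
}

# Hardened pattern: mktemp -d creates a fresh directory atomically, with an
# unpredictable name and mode 0700, and fails instead of reusing an existing
# path, so a pre-planted file or symlink cannot be picked up.
secure_tmpdir() {
    mktemp -d "${TMPDIR:-/tmp}/pdfroff-XXXXXX"
}

# Returns 0 only if the path is a real directory (not a symlink) with mode 0700.
# Useful as a sanity check in a package's test suite or a wrapper script.
check_private_dir() {
    d=$1
    [ -d "$d" ] && [ ! -L "$d" ] || return 1
    mode=$(stat -c '%a' "$d" 2>/dev/null || stat -f '%Lp' "$d")
    [ "$mode" = "700" ]
}

# Runs a command with a private scratch directory exported as SCRATCH and
# removes the directory afterwards, even if the command fails. The subshell
# keeps the EXIT trap local to this call.
with_scratch_dir() {
    (
        SCRATCH=$(secure_tmpdir) || exit 1
        trap 'rm -rf "$SCRATCH"' EXIT
        export SCRATCH
        "$@"
    )
}

# Usage (example run): with_scratch_dir sh -c 'echo "working in $SCRATCH"'
```

Note that `insecure_tmpname` yields the same path every time it is called from one process, which is exactly what makes it guessable; `secure_tmpdir` yields a different, already-created directory on each call. The `XXXXXX` suffix is required by `mktemp`, and on GNU `mktemp` the directory is created with mode 0700 regardless of the caller's umask.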
Information forwarded
to debian-bugs-dist@lists.debian.org, Colin Watson <cjwatson@debian.org>: Bug#538330; Package groff.
(Sun, 09 Aug 2009 14:18:02 GMT)
Acknowledgement sent
to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Colin Watson <cjwatson@debian.org>.
(Sun, 09 Aug 2009 14:18:02 GMT)
Hi,
patch attached.
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
Added tag(s) patch.
Request was from Nico Golde <nion@debian.org>
to control@bugs.debian.org.
(Sun, 09 Aug 2009 14:18:08 GMT)
Information forwarded
to debian-bugs-dist@lists.debian.org, Colin Watson <cjwatson@debian.org>: Bug#538330; Package groff.
(Fri, 14 Aug 2009 18:12:03 GMT)
Acknowledgement sent
to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Colin Watson <cjwatson@debian.org>.
(Fri, 14 Aug 2009 18:12:03 GMT)
Added tag(s) pending.
Request was from Colin Watson <cjwatson@debian.org>
to control@bugs.debian.org.
(Sat, 15 Aug 2009 08:00:17 GMT)
On Sat, Jul 25, 2009 at 09:30:18AM +0100, Colin Watson wrote:
> See attached report; this is indeed a standard anti-pattern resulting in
> security vulnerabilities. In Debian I'd be rather tempted to use 'mktemp
> -d' to fix this. What do you think?
Nico Golde points out that Openwall have a patch for this. I'm applying
this to the Debian package:
curl -s 'http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/groff/groff-1.20.1-owl-tmp.diff' | filterdiff -i '*pdfroff*'
Thanks,
--
Colin Watson [cjwatson@debian.org]
Reply sent
to Colin Watson <cjwatson@debian.org>:
You have taken responsibility.
(Sat, 15 Aug 2009 10:30:07 GMT)
Notification sent
to "brian m. carlson" <sandals@crustytoothpaste.ath.cx>:
Bug acknowledged by developer.
(Sat, 15 Aug 2009 10:30:07 GMT)
Source: groff
Source-Version: 1.20.1-5
We believe that the bug you reported is fixed in the latest version of
groff, which is due to be installed in the Debian FTP archive:
groff-base_1.20.1-5_i386.deb
to pool/main/g/groff/groff-base_1.20.1-5_i386.deb
groff_1.20.1-5.diff.gz
to pool/main/g/groff/groff_1.20.1-5.diff.gz
groff_1.20.1-5.dsc
to pool/main/g/groff/groff_1.20.1-5.dsc
groff_1.20.1-5_i386.deb
to pool/main/g/groff/groff_1.20.1-5_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 538330@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated groff package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sat, 15 Aug 2009 09:01:47 +0100
Source: groff
Binary: groff-base groff
Architecture: source i386
Version: 1.20.1-5
Distribution: unstable
Urgency: low
Maintainer: Colin Watson <cjwatson@debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description:
groff - GNU troff text-formatting system
groff-base - GNU troff text-formatting system (base system components)
Closes: 538330 538338 541019 541621
Changes:
groff (1.20.1-5) unstable; urgency=low
.
* Upgrade to debhelper v7. (There's still lots of complexity here, so no
dh(1).)
* Remove Fumitoshi UKAI from Uploaders, with thanks for his previous work.
Just shout if you want to be added back (closes: #541019).
* Unset IFS at nroff startup (closes: #541621).
* Patch from Openwall to fix temporary file handling vulnerabilities in
pdfroff (closes: #538330).
* Use -dSAFER when calling gs from pdfroff (thanks, brian m. carlson;
closes: #538338).
Checksums-Sha1:
07d34cdf3f9a41ac8f80e7b38861afd2a4332bc1 1258 groff_1.20.1-5.dsc
afc572adbb7f9c762c50048ad3eec5cd1952f3ef 41184 groff_1.20.1-5.diff.gz
89ee0590a202dca5c08415edafad39d7224a4375 1103698 groff-base_1.20.1-5_i386.deb
d0a0c97b9156d9be0ae0d19af004ecf08cd95601 3512134 groff_1.20.1-5_i386.deb
Checksums-Sha256:
6d7fe33055e63798e631cbb0208f57be1affd53616cd525644263c7bd0270a9d 1258 groff_1.20.1-5.dsc
ab37002d146cb29d907ad8097c2620e1e63c699aaed1f394bd032b7ab8625fa6 41184 groff_1.20.1-5.diff.gz
01003d22439094286fdcf1c5ef036ba2a825215ef816e9939a2f944aa9301c6e 1103698 groff-base_1.20.1-5_i386.deb
0b0b8fec29f42590ef2bb1f90e36fe1db18974152abe1f68824ac40ea5c254db 3512134 groff_1.20.1-5_i386.deb
Files:
db341bf62664c0afefd71016c9cc3888 1258 text important groff_1.20.1-5.dsc
3bfaace1000bf8687ec8d6c02c84b1e6 41184 text important groff_1.20.1-5.diff.gz
a93b5459d35d5bb1c522642a18bca234 1103698 text important groff-base_1.20.1-5_i386.deb
e4558537f026c6d0db872a5c8efa6a95 3512134 text optional groff_1.20.1-5_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Colin Watson <cjwatson@debian.org> -- Debian developer
iD8DBQFKhm6T9t0zAhD6TNERAmwQAJ4uNNVsSBiTzKXdhJ5OPU/LXbqSWwCbBbJn
XTXdB9uhIGw+9ivXuNSpnIA=
=fTmN
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Wed, 16 Sep 2009 07:32:57 GMT)