Debian Bug report logs - #60852
glimpse: full of temp races

Package: glimpse; Maintainer for glimpse is (unknown);

Reported by: Joey Hess <joey@kitenet.net>

Date: Tue, 21 Mar 2000 07:03:08 UTC

Severity: grave

Tags: security

Found in version 4.1-2

Done: Jose Carlos Garcia Sogo <jsogo@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Marco Budde <Budde@tu-harburg.de>:
Bug#60852; Package glimpse. Full text and rfc822 format available.

Acknowledgement sent to Joey Hess <joey@kitenet.net>:
New Bug report received and forwarded. Copy sent to Marco Budde <Budde@tu-harburg.de>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Joey Hess <joey@kitenet.net>
To: submit@bugs.debian.org
Subject: glimpse: full of temp races
Date: 21 Mar 2000 07:00:53 -0000
Package: glimpse
Version: 4.1-2
Severity: grave

A brief look at glimpse's source finds numerous /tmp races that can be used
to delete files belonging to users of glimpse via the standard symlink
attack.

In index/glimpse.c:

        sprintf(S, "exec whereis sync > /tmp/zz.%d", getpid());
        system(S);
...
        sprintf(s, "exec %s -l .glimpse_* > /tmp/%d\n", SYSTEM_LS, pid);
        system(s);

There are others in compress/tbuild.c.

main.c builds up a tempfile name:

        sprintf(tempfile, "%s/.glimpse_tmp.%d", TEMP_DIR, getpid());
	
TEMP_DIR defaults to /tmp, which is insecure. 

        if ((tmpfp = fopen(tempfile, "w")) == NULL) {

I've verified that this leads to /tmp/.glimpse_tmp.<pid> files under normal
use of glimpse without -T.

-- System Information
Debian Release: 2.2
Kernel Version: Linux kite 2.2.14 #1 Mon Jan 10 21:43:42 PST 2000 i686 unknown

Versions of the packages glimpse depends on:
ii  libc6          2.1.3-7        GNU C Library: Shared libraries and Timezone


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#60852; Package glimpse. Full text and rfc822 format available.

Acknowledgement sent to Marco Budde <Budde@tu-harburg.de>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #10 received at 60852@bugs.debian.org (full text, mbox):

From: Marco Budde <Budde@tu-harburg.de>
To: Joey Hess <joey@kitenet.net>, 60852@bugs.debian.org
Subject: Re: Bug#60852: glimpse: full of temp races
Date: Tue, 21 Mar 2000 09:25:41 +0000
Joey Hess wrote:

> A brief look at glimpse's source finds numerous /tmp races that can be used
> to delete files belonging to users of glimpse via the standard symlink
> attack.

What fix would you suggest? How can I create a file in /tmp without
a security problem in a C program? Is ANSI C's tmpname() safe?

cu, Marco

-- 
   -- Linux HOWTOs: Die besten Lösungen der Linuxgemeinde --
                      ISBN 3-8266-0498-9

Uni: Budde@tu-harburg.de           Fido: 2:240/6298.5
Mailbox: mbudde@sms.antar.com      http://www.tu-harburg.de/~semb2204/


Information forwarded to debian-bugs-dist@lists.debian.org, Marco Budde <Budde@tu-harburg.de>:
Bug#60852; Package glimpse. Full text and rfc822 format available.

Acknowledgement sent to Joey Hess <joeyh@debian.org>:
Extra info received and forwarded to list. Copy sent to Marco Budde <Budde@tu-harburg.de>. Full text and rfc822 format available.

Message #15 received at 60852@bugs.debian.org (full text, mbox):

From: Joey Hess <joeyh@debian.org>
To: Marco Budde <Budde@tu-harburg.de>
Cc: 60852@bugs.debian.org
Subject: Re: Bug#60852: glimpse: full of temp races
Date: Tue, 21 Mar 2000 16:19:08 -0800
Marco Budde wrote:
> Joey Hess wrote:
> 
> > A brief look at glimpse's source finds numerous /tmp races that can be used
> > to delete files belonging to users of glimpse via the standard symlink
> > attack.
> 
> What fix would you suggest? How can I create a file in /tmp without
> a security problem in a C program? Is ANSI C's tmpname() safe?

Good lord no. Use tmpfile() or something.

-- 
see shy jo
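
Added example, not part of the thread or of glimpse's source: a hardened counterpart to the `fopen(tempfile, "w")` on a pid-based name quoted in the report, for the case where a named file is needed (the `tmpfile()` suggested above returns a stream with no name). The function names `create_excl`, `create_temp` and `demo` and the scratch directory are assumptions made for this illustration; only the `.glimpse_tmp.` prefix comes from the report.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hardened stand-in for fopen(name, "w") on a caller-chosen name: O_EXCL makes
 * creation fail with EEXIST if anything, even a symlink, already sits there. */
int create_excl(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Preferred: mkstemp() picks an unpredictable name and creates it atomically,
 * mode 0600. Returns the fd and leaves the chosen path in `out`. */
int create_temp(const char *dir, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s/.glimpse_tmp.XXXXXX", dir);
    if (n < 0 || (size_t)n >= outlen) { errno = ENAMETOOLONG; return -1; }
    return mkstemp(out);
}

/* Constructed scenario in a private scratch directory: a symlink to another
 * file already occupies the pid-based name. Returns 0 if both calls are safe. */
int demo(void)
{
    char dir[] = "/tmp/tmprace-demo.XXXXXX", victim[128], fixed[128], tmp[128];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(fixed, sizeof fixed, "%s/.glimpse_tmp.%d", dir, (int)getpid());
    FILE *v = fopen(victim, "w");
    if (!v) return -1;
    fputs("important\n", v);                 /* 10 bytes that must survive */
    fclose(v);
    if (symlink(victim, fixed) != 0) return -1;

    int refused = create_excl(fixed) == -1 && errno == EEXIST;
    int intact = stat(victim, &st) == 0 && st.st_size == 10;
    int fd = create_temp(dir, tmp, sizeof tmp);
    int priv = fd >= 0 && fstat(fd, &st) == 0 && (st.st_mode & 0777) == 0600;
    if (fd >= 0) { close(fd); unlink(tmp); }
    unlink(fixed); unlink(victim); rmdir(dir);
    return (refused && intact && priv) ? 0 : 1;
}

int main(void) { return demo(); }
```

The same reasoning covers the `system("... > /tmp/zz.%d")` lines in the report: the shell's `>` redirection opens the predictable path without `O_EXCL`, so reading the command's output through a pipe avoids the temporary file altogether.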


Tags added: security Request was from Tommi Virtanen <tv-nospam-5f1a41@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Marco Budde <Budde@tu-harburg.de>:
Bug#60852; Package glimpse. Full text and rfc822 format available.

Acknowledgement sent to Colin Watson <cjwatson@debian.org>:
Extra info received and forwarded to list. Copy sent to Marco Budde <Budde@tu-harburg.de>. Full text and rfc822 format available.

Message #22 received at 60852@bugs.debian.org (full text, mbox):

From: Colin Watson <cjwatson@debian.org>
To: debian-qa@lists.debian.org
Cc: 60852@bugs.debian.org
Subject: Re: fhs transition update
Date: Wed, 15 Aug 2001 05:18:57 -0500
On Thu, Aug 09, 2001 at 11:20:25AM +0100, Colin Watson wrote:
> On Thu, Aug 09, 2001 at 12:12:18PM +0200, Josip Rodin wrote:
> > On Wed, Aug 08, 2001 at 12:48:31PM -0500, Colin Watson wrote:
> > > >  7. glimpse
> > > >     Marco Budde <Budde@tu-harburg.de>
> > > > 
> > > > Has a grave security bug filed now for almost 1.5 years (/tmp races).
> > > > Probably won't make it into woody anyway. Is the maintainer MIA?
> > > 
> > > We currently need it for the lists archives, as far as I can remember.
> > 
> > Yes, but if glimpse can't be fixed, it doesn't matter. lists-archives'
> > dependency on it doesn't have to be Depends:.
> 
> Oh, OK. Having looked at it last night, it's probably fixable, but since
> some of the problems are practically design flaws it's quite a big job
> for a non-free package.

(Cc'd to the maintainer)

So, can we remove glimpse? There hasn't been an upload for almost three
years, and not having it doesn't seem to have particularly damaged the
last stable release.

-- 
Colin Watson                                  [cjwatson@flatline.org.uk]



Bug closed, send any further explanations to Joey Hess <joey@kitenet.net> Request was from Jose Carlos Garcia Sogo <jsogo@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 00:51:07 2014; Machine Name: beach.debian.org
