Acknowledgement sent
to Kees Cook <kees@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>.
(Sat, 05 Feb 2011 00:57:14 GMT) (full text, mbox, link).
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: vulnerability: rewrite arbitrary user file
Date: Fri, 04 Feb 2011 16:54:14 -0800
Package: feh
Version: 1.10-1
Severity: grave
Tags: security
Justification: user security hole
User: ubuntu-devel@lists.ubuntu.com
Usertags: origin-ubuntu natty
This bug report was also filed in Ubuntu and can be found at
http://launchpad.net/bugs/607328
The description, from segooon, follows:
Binary package hint: feh
Hi, I've just discovered that feh is vulnerable to rewriting any user file:
    tmpname_timestamper =
        estrjoin("", "/tmp/feh_", cppid, "_", basename, NULL);
    ....
    execlp("wget", "wget", "-N", "-O", tmpname_timestamper, newurl,
           quiet, (char*) NULL);
If an attacker knows the PID of feh and knows the URL, they can create a link to any user file. wget would overwrite it.
Thanks.
-- System Information:
Debian Release: squeeze/sid
APT prefers natty
APT policy: (500, 'natty')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.37-12-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Bug Marked as found in versions feh/1.3.4.dfsg.1-1.
Request was from Jonathan Wiltshire <jmw@debian.org>
to control@bugs.debian.org.
(Wed, 09 Feb 2011 23:09:08 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>: Bug#612035; Package feh.
(Sun, 13 Mar 2011 06:03:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Daniel Friesel <derf@finalrewind.org>:
Extra info received and forwarded to list. Copy sent to Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>.
(Sun, 13 Mar 2011 06:03:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Francesco Poli <invernomuto@paranoici.org>:
Extra info received and forwarded to list. Copy sent to Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>.
(Fri, 15 Apr 2011 20:21:07 GMT) (full text, mbox, link).
On Sun, 13 Mar 2011 06:52:24 +0100 Daniel Friesel wrote:
> Hi,
>
> feh 1.12 has just been released, which fixes this bug by switching from wget
> to mkstemp + libcurl.
>
> <http://feh.finalrewind.org/changelog>
> <http://feh.finalrewind.org/feh-1.12.tar.bz2>
Hi, if the security team confirms that the vulnerability is really
fixed in feh version 1.12, I think that this bug report should be
closed as fixed in feh/1.12-1 ...
Or am I wrong?
--
http://www.inventati.org/frx/frx-gpg-key-transition-2010.txt
New GnuPG key, see the transition document!
..................................................... Francesco Poli .
GnuPG key fpr == CA01 1147 9CD2 EFDF FB82 3925 3E1C 27E1 1F69 BFFE
Hi,
as Francesco correctly pointed out this bug should be closed (just
forgot to mention it in the changelog). Thanks for the hint
Andreas.
--
http://fam-tille.de
Acknowledgement sent
to Francesco Poli <invernomuto@paranoici.org>:
Extra info received and forwarded to list. Copy sent to Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>.
(Mon, 18 Apr 2011 16:42:06 GMT) (full text, mbox, link).
fixed 612035 feh/1.12-1
thanks
On Mon, 18 Apr 2011 08:35:55 +0200 Andreas Tille wrote:
> Hi,
>
> as Francesco correctly pointed out this bug should be closed (just
> forgot to mention it in the changelog).
OK, I am therefore marking version 1.12-1 as fixed.
> Thanks for the hint
You are welcome!
Bye.
--
http://www.inventati.org/frx/frx-gpg-key-transition-2010.txt
New GnuPG key, see the transition document!
..................................................... Francesco Poli .
GnuPG key fpr == CA01 1147 9CD2 EFDF FB82 3925 3E1C 27E1 1F69 BFFE
Bug Marked as fixed in versions feh/1.12-1.
Request was from Francesco Poli <invernomuto@paranoici.org>
to control@bugs.debian.org.
(Mon, 18 Apr 2011 16:42:47 GMT) (full text, mbox, link).
Acknowledgement sent
to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>.
(Wed, 06 Jul 2011 19:24:06 GMT) (full text, mbox, link).
Dear maintainer,
Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:
lenny (5.0.9)
squeeze (6.0.2)
Please prepare a minimal-changes upload targeting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.
I will happily assist you at any stage if the patch is straightforward and
you need help or lack time. Please keep me in CC at all times so I can
track the progress of this request.
For details of this process and the rationale, please see the original
announcement [1] and my blog post [2].
0: debian-release@lists.debian.org
1: <201101232332.11736.thijs@debian.org>
2: http://deb.li/prsc
Thanks,
with his security hat on:
--
Jonathan Wiltshire jmw@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
Acknowledgement sent
to Andreas Tille <tille@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>.
(Fri, 08 Jul 2011 14:12:03 GMT) (full text, mbox, link).
Hi,
I attached two debdiff files which should fulfill the requirement of a
"smallest possible patch". Here I'm quoting the upstream author for a
description of the patch (which is included in the quilt based packaging
of 1.8 in the patch description as well):
<snip>
The original fix for this was switching from wget to libcurl, which (I
presume) is not possible in this case. Because of that, I changed feh to
create a temporary directory inside /tmp for its files.
mkdir itself will fail if the directory already exists (or is a
symlink). Thanks to the mode of 0700, if mkdir succeeds, we can be
certain that the directory is empty and completely under our control.
wget, when called by feh, will save its files inside that directory, so
there should be no way for an attacker to make wget save to symlinks.
There are no Backwards Compatibility problems: While I did change the
location of the temporary files, these are removed once feh exits
anyways.
If the user tells feh to keep its temporary files, they are saved in the
current working directory by default; that behaviour is not affected by
this patch.
</snip>
Feel free to upload this directly wherever it belongs to because I
will not be able to do this over the weekend. Moreover I do not have
according Lenny / Squeeze chroots to build the packages in and thus
I'd prefer if somebody else could do the upload.
Kind regards
Andreas.
--
http://fam-tille.de
Acknowledgement sent
to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>.
(Fri, 08 Jul 2011 18:09:03 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>: Bug#612035; Package feh.
(Thu, 19 Jan 2012 12:54:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>.
(Thu, 19 Jan 2012 12:54:06 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>: Bug#612035; Package feh.
(Fri, 03 Feb 2012 14:36:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Daniel Friesel <derf@finalrewind.org>:
Extra info received and forwarded to list. Copy sent to Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>.
(Fri, 03 Feb 2012 14:36:07 GMT) (full text, mbox, link).
Hi,
On Thu, Jan 19, 2012 at 12:47:06PM +0000, Jonathan Wiltshire wrote:
> On Fri, Jul 08, 2011 at 08:06:17PM +0200, Julien Cristau wrote:
> > [...]
> > ick. mkdtemp(3), please.
> Any news on this?
the attached patches (created against the unpatched 1.3.4.dfsg.1-1 / 1.8-1
packages) use mkdtemp for the fix.
I removed the --cache 0 wget argument because my system's wget does not support
it anymore; if the wget in oldstable still has it, it's safe to put that back in.
--Daniel
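The two fixes discussed in this thread (a private directory under /tmp, then mkdtemp(3)) come down to the pattern below. This is an added C example, not code from feh or from the attached patches; the feh_XXXXXX template, the function names and the file names used in self_check are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* mkdtemp() creates a mode-0700 directory under an unpredictable name and
 * fails rather than reuse one. The feh_XXXXXX template is an assumption. */
int make_private_dir(char *out, size_t len)
{
    if (snprintf(out, len, "/tmp/feh_XXXXXX") >= (int)len) return -1;
    return mkdtemp(out) ? 0 : -1;
}

/* O_EXCL makes open() fail (EEXIST) if the name already exists, symlinks
 * included; O_NOFOLLOW is a second guard on the final path component. */
int open_download_file(const char *dir, const char *name)
{
    char path[4096];
    if (strchr(name, '/')) return -1;            /* plain file names only */
    if (snprintf(path, sizeof path, "%s/%s", dir, name) >= (int)sizeof path)
        return -1;
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario: a symlink already occupies the download name.
 * Returns 0 if it is refused and the file it points at keeps its 7 bytes. */
int self_check(void)
{
    char dir[64], victim[96], planted[96], fresh[96];
    struct stat st; int fd, rc = 0;
    if (make_private_dir(dir, sizeof dir) != 0) return 1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(planted, sizeof planted, "%s/img", dir);
    snprintf(fresh, sizeof fresh, "%s/fresh", dir);
    FILE *f = fopen(victim, "w");
    if (!f || fputs("keep me", f) < 0 || fclose(f) != 0) rc = 2;
    else if (stat(dir, &st) != 0 || (st.st_mode & 0777) != 0700) rc = 3;
    else if (symlink(victim, planted) != 0) rc = 4;
    else if (open_download_file(dir, "img") != -1) rc = 5;
    else if (stat(victim, &st) != 0 || st.st_size != 7) rc = 6;
    else if ((fd = open_download_file(dir, "fresh")) < 0) rc = 7;
    else close(fd);
    unlink(planted); unlink(victim); unlink(fresh); rmdir(dir);
    return rc;
}

int main(void) { return self_check(); }
```

The exclusive open matters even inside the private directory: it turns any unexpected pre-existing name into an error instead of a write through it.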
Acknowledgement sent
to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>.
(Sun, 08 Jul 2012 22:15:07 GMT) (full text, mbox, link).
Subject: Re: vulnerability: rewrite arbitrary user file
Date: Sun, 08 Jul 2012 15:24:49 -0000
Dear maintainer,
Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:
squeeze (6.0.6) - use target "stable"
Please prepare a minimal-changes upload targeting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.
I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track [1] the progress of this request.
For details of this process and the rationale, please see the original
announcement [2] and my blog post [3].
0: debian-release@lists.debian.org
1: http://prsc.debian.net/tracker/612035/
2: <201101232332.11736.thijs@debian.org>
3: http://deb.li/prsc
Thanks,
with his security hat on:
--
Jonathan Wiltshire jmw@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
Acknowledgement sent
to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>.
(Mon, 09 Jul 2012 00:12:04 GMT) (full text, mbox, link).
Subject: Re: vulnerability: rewrite arbitrary user file
Date: Sun, 08 Jul 2012 17:38:31 -0000
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 05 May 2013 07:40:13 GMT) (full text, mbox, link).