Debian Bug report logs - #659296
surf: world-readable cookie jar

Package: surf; Maintainer for surf is Vasudev Kamath <kamathvasudev@gmail.com>; Source for surf is src:surf.

Reported by: Jakub Wilk <jwilk@debian.org>

Date: Thu, 9 Feb 2012 23:09:02 UTC

Severity: grave

Tags: security

Found in version surf/0.4.1-4.1

Fixed in version surf/0.4.1-6

Done: Vasudev Kamath <kamathvasudev@gmail.com>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, jwilk@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#659296; Package surf. (Thu, 09 Feb 2012 23:09:05 GMT)

Message #3 received at submit@bugs.debian.org:

From: Jakub Wilk <jwilk@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: surf: world-readable cookie jar
Date: Fri, 10 Feb 2012 00:05:41 +0100

Package: surf
Version: 0.4.1-4.1
Severity: grave
Tags: security
Justification: user security hole

$ ls -ld ~/.surf/{,cookies.txt}
drwxr-xr-x 2 user users 4096 Feb  9 22:59 /home/user/.surf/
-rw-r--r-- 1 user users  406 Feb  9 22:59 /home/user/.surf/cookies.txt

This allows local users to steal cookies.


-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash

Versions of packages surf depends on:
ii  libatk1.0-0         2.2.0-2
ii  libc6               2.13-26
ii  libcairo2           1.10.2-6.2
ii  libfontconfig1      2.8.0-3.1
ii  libfreetype6        2.4.8-1
ii  libgdk-pixbuf2.0-0  2.24.0-2
ii  libglib2.0-0        2.30.2-6
ii  libgtk2.0-0         2.24.8-3
ii  libpango1.0-0       1.29.4-2
ii  libsoup2.4-1        2.34.3-1
ii  libwebkitgtk-1.0-0  1.6.1-5+b1
ii  libx11-6            2:1.4.4-4
ii  suckless-tools      38-1
ii  wget                1.13.4-2
ii  x11-utils           7.6+4
ii  xterm               276-2

-- 
Jakub Wilk




Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#659296; Package surf. (Fri, 10 Feb 2012 15:51:03 GMT)

Message #6 received at 659296@bugs.debian.org:

From: Jakub Wilk <jwilk@debian.org>
To: 659296@bugs.debian.org
Subject: Re: Bug#659296: surf: world-readable cookie jar
Date: Fri, 10 Feb 2012 16:46:03 +0100

* Jakub Wilk <jwilk@debian.org>, 2012-02-10, 00:05:
>$ ls -ld ~/.surf/{,cookies.txt}
>drwxr-xr-x 2 user users 4096 Feb  9 22:59 /home/user/.surf/
>-rw-r--r-- 1 user users  406 Feb  9 22:59 /home/user/.surf/cookies.txt

CVE-2012-0842 was assigned to this bug.

-- 
Jakub Wilk




Added tag(s) pending. Request was from Jakub Wilk <jwilk@debian.org> to control@bugs.debian.org. (Fri, 10 Feb 2012 17:57:05 GMT)

Reply sent to Vasudev Kamath <kamathvasudev@gmail.com>:
You have taken responsibility. (Fri, 10 Feb 2012 19:57:03 GMT)

Notification sent to Jakub Wilk <jwilk@debian.org>:
Bug acknowledged by developer. (Fri, 10 Feb 2012 19:57:03 GMT)

Message #13 received at 659296-close@bugs.debian.org:

From: Vasudev Kamath <kamathvasudev@gmail.com>
To: 659296-close@bugs.debian.org
Subject: Bug#659296: fixed in surf 0.4.1-6
Date: Fri, 10 Feb 2012 19:54:36 +0000

Source: surf
Source-Version: 0.4.1-6

We believe that the bug you reported is fixed in the latest version of
surf, which is due to be installed in the Debian FTP archive:

surf_0.4.1-6.debian.tar.gz
  to main/s/surf/surf_0.4.1-6.debian.tar.gz
surf_0.4.1-6.dsc
  to main/s/surf/surf_0.4.1-6.dsc
surf_0.4.1-6_i386.deb
  to main/s/surf/surf_0.4.1-6_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 659296@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Vasudev Kamath <kamathvasudev@gmail.com> (supplier of updated surf package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Sat, 11 Feb 2012 00:01:08 +0530
Source: surf
Binary: surf
Architecture: source i386
Version: 0.4.1-6
Distribution: unstable
Urgency: high
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Vasudev Kamath <kamathvasudev@gmail.com>
Description: 
 surf       - simple web browser
Closes: 659296
Changes: 
 surf (0.4.1-6) unstable; urgency=high
 .
   * QA upload.
   * debian/patches:
     + Added fix-insecure-permissions.patch to fix world readable cookie jar
       vulnerability CVE-2012-0842. (Closes: #659296)





Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#659296; Package surf. (Mon, 13 Feb 2012 15:36:07 GMT)

Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>. (Mon, 13 Feb 2012 15:36:08 GMT)

Message #18 received at 659296@bugs.debian.org:

From: Florian Weimer <fw@deneb.enyo.de>
To: 659296@bugs.debian.org
Subject: Comments on the 0.4.1-6 upload
Date: Mon, 13 Feb 2012 16:32:26 +0100

Vasudev Kamath asked me to include this information in the bug report.

From: Florian Weimer <fw@deneb.enyo.de>
Subject: Re: Accepted surf 0.4.1-6 (source i386)
To: Vasudev Kamath <kamathvasudev@gmail.com>
Date: Fri, 10 Feb 2012 23:18:36 +0100
Message-ID: <87vcnemiwz.fsf@mid.deneb.enyo.de>

* Vasudev Kamath:

>  surf (0.4.1-6) unstable; urgency=high
>  .
>    * QA upload.
>    * debian/patches:
>      + Added fix-insecure-permissions.patch to fix world readable cookie jar
>        vulnerability CVE-2012-0842. (Closes: #659296)

-               g_mkdir_with_parents(apath, 0755);
+               g_mkdir_with_parents(apath, 0700);
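
Review bot: The 0700 mode on the g_mkdir_with_parents(apath, 0700) line only takes effect for directories this call creates; a directory that already exists from an earlier run keeps its 0755 bits, so users who upgrade stay exposed. Consider following the call with an explicit chmod of the directory to 0700, or at least a warning when group or other bits are set, and add a short comment saying why the mode is restrictive.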

I think you should also downgrade the permissions from 0755 if the
directory exists (in case we want to keep the package alive, which I doubt).

[Addendum: It is sufficient to do this with just one component of the
path.]




Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#659296; Package surf. (Mon, 13 Feb 2012 16:45:07 GMT)

Message #21 received at 659296@bugs.debian.org:

From: Jakub Wilk <jwilk@debian.org>
To: Florian Weimer <fw@deneb.enyo.de>, 659296@bugs.debian.org
Subject: Re: Bug#659296: Comments on the 0.4.1-6 upload
Date: Mon, 13 Feb 2012 17:44:21 +0100

* Florian Weimer <fw@deneb.enyo.de>, 2012-02-13, 16:32:
>>  surf (0.4.1-6) unstable; urgency=high
>>  .
>>    * QA upload.
>>    * debian/patches:
>>      + Added fix-insecure-permissions.patch to fix world readable cookie jar
>>        vulnerability CVE-2012-0842. (Closes: #659296)
>
>-               g_mkdir_with_parents(apath, 0755);
>+               g_mkdir_with_parents(apath, 0700);
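
Review bot: Only the directory mode changes on these two lines, so the files under apath are protected solely by the directory's 0700 bits and keep whatever mode they are created with (cookies.txt was 0644 in the report). Consider also creating those files with 0600, for instance by setting a restrictive umask before they are written, so the data stays private if the directory mode is ever relaxed.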
>
>I think you should also downgrade the permissions from 0755 if the 
>directory exists (in case we want to keep the package alive, which I 
>doubt).

I'm not a fan of software changing permissions of existing files (after 
all it might be the user who decided to make them more liberal than usual). 
As the sponsor of this upload I didn't insist on chmod'ing 
automatically; instead we limited ourselves to adding a NEWS note asking to 
change permissions manually.

That said, following the upstream changes, the next version _will_ 
fix existing permissions.

>[Addendum: It is sufficient to do this with just one component of the 
>path.]

If we decided to revoke existing permissions, then we should not confine 
ourselves to the directory, but also chmod the files. This is because an 
attacker could have made hardlinks to the files when they were still 
accessible.

However, even chmod'ing files won't help if the attacker is keeping (one 
of) them open. You'd have to truncate the files and unlink them. 
Implementing this would probably be overkill, though.

-- 
Jakub Wilk
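
The tightening discussed in this thread (fix the mode of an already existing directory and of the files in it, since hard links made while the files were readable bypass the directory), as an added C example that is not surf's code or the Debian patch. `tighten_profile` is a hypothetical name, and the example uses plain POSIX calls rather than GLib.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* openat, fdopendir, O_NOFOLLOW */
#endif
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example, not surf's code. Make `path` 0700 and strip group/other bits
 * from the regular files directly inside it. Returns how many of those files
 * have extra hard links (names that may sit outside the directory), or -1. */
int tighten_profile(const char *path)
{
    struct stat st;
    struct dirent *e;
    int linked = 0;

    mkdir(path, 0700);  /* mode only applies if created; existing dir fixed below */
    int dfd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    /* Work on descriptors so a swapped path or symlink cannot redirect us. */
    if (dfd < 0 || fstat(dfd, &st) < 0 || st.st_uid != geteuid() ||
        fchmod(dfd, 0700) < 0) {
        if (dfd >= 0) close(dfd);
        return -1;
    }
    DIR *d = fdopendir(dfd);                /* d now owns dfd */
    if (d == NULL) { close(dfd); return -1; }
    while ((e = readdir(d)) != NULL) {
        int fd = openat(dfd, e->d_name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
        if (fd < 0)
            continue;                       /* symlink or unreadable entry */
        if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && st.st_uid == geteuid()) {
            fchmod(fd, st.st_mode & 0700);  /* e.g. 0644 -> 0600 */
            if (st.st_nlink > 1)
                linked++;   /* reachable by another name: dir mode alone won't hide it */
        }
        close(fd);
    }
    closedir(d);
    return linked;
}

int main(int argc, char **argv)
{
    int n = argc > 1 ? tighten_profile(argv[1]) : -1;
    printf("files with extra hard links: %d\n", n);
    return n < 0;
}
```

A non-zero result means a file had another name while it was still readable, so its contents should be treated as disclosed. Descriptors that were already open stay readable after the chmod, which is the truncate-and-unlink case mentioned in the message above.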




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 13 Mar 2012 07:36:36 GMT)

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 19:24:14 2014; Machine Name: beach.debian.org