Debian Bug report logs - #659379
uzbl: world-readable (and writable!) cookie jar

Package: uzbl; Maintainer for uzbl is Luca Bruno <lucab@debian.org>; Source for uzbl is src:uzbl.

Reported by: Jakub Wilk <jwilk@debian.org>

Date: Fri, 10 Feb 2012 16:12:01 UTC

Severity: grave

Tags: security

Found in versions uzbl/0.0.0~git.20111128-1, uzbl/0.0.0~git.20100403-3

Fixed in version uzbl/0.0.0~git.20111128-2

Done: Luca Bruno <lucab@debian.org>

Bug is archived. No further changes may be made.

Forwarded to http://www.uzbl.org/bugs/index.php?do=details&task_id=291&project=1


Report forwarded to debian-bugs-dist@lists.debian.org, jwilk@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Luca Bruno <lucab@debian.org>:
Bug#659379; Package uzbl. (Fri, 10 Feb 2012 16:12:04 GMT) Full text and rfc822 format available.

Message #3 received at submit@bugs.debian.org (full text, mbox):

From: Jakub Wilk <jwilk@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: uzbl: world-readable (and writable!) cookie jar
Date: Fri, 10 Feb 2012 17:09:13 +0100
Package: uzbl
Version: 0.0.0~git.20100403-3
Severity: grave
Tags: security
Justification: user security hole

$ ls -ld ~/.local/{,share/{,uzbl/{,cookies.txt}}}
drwxr-xr-x 3 user users 4096 Feb  9 23:29 /home/user/.local/
drwxr-xr-x 4 user users 4096 Feb  9 23:29 /home/user/.local/share/
drwxr-xr-x 2 user users 4096 Feb  9 23:29 /home/user/.local/share/uzbl/
-rw-rw-rw- 1 user users  732 Feb  9 23:29 /home/user/.local/share/uzbl/cookies.txt

This allows local users to steal cookies (and tamper with them).

-- 
Jakub Wilk




Bug Marked as found in versions uzbl/0.0.0~git.20111128-1. Request was from Jakub Wilk <jwilk@debian.org> to control@bugs.debian.org. (Fri, 10 Feb 2012 16:33:08 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Luca Bruno <lucab@debian.org>:
Bug#659379; Package uzbl. (Sat, 11 Feb 2012 12:27:55 GMT) Full text and rfc822 format available.

Message #8 received at 659379@bugs.debian.org (full text, mbox):

From: Jakub Wilk <jwilk@debian.org>
To: 659379@bugs.debian.org, Henri Salo <henri@nerv.fi>
Subject: Re: Bug#659379: uzbl: world-readable (and writable!) cookie jar
Date: Sat, 11 Feb 2012 13:25:18 +0100
* Henri Salo <henri@nerv.fi>, 2012-02-11, 14:11:
>>$ ls -ld ~/.local/{,share/{,uzbl/{,cookies.txt}}}
>>drwxr-xr-x 3 user users 4096 Feb  9 23:29 /home/user/.local/
>>drwxr-xr-x 4 user users 4096 Feb  9 23:29 /home/user/.local/share/
>>drwxr-xr-x 2 user users 4096 Feb  9 23:29 /home/user/.local/share/uzbl/
>>-rw-rw-rw- 1 user users  732 Feb  9 23:29 /home/user/.local/share/uzbl/cookies.txt
>>
>>This allows local users to steal cookies (and tamper with them).
>
>Does this security-issue have CVE-identifier? I can request one from 
>oss-security mailing list if ID hasn't been assigned.

It's been already requested, but not assigned yet AFAICS:
http://seclists.org/oss-sec/2012/q1/406

-- 
Jakub Wilk




Information forwarded to debian-bugs-dist@lists.debian.org, Luca Bruno <lucab@debian.org>:
Bug#659379; Package uzbl. (Sat, 11 Feb 2012 12:36:14 GMT) Full text and rfc822 format available.

Acknowledgement sent to Henri Salo <henri@nerv.fi>:
Extra info received and forwarded to list. Copy sent to Luca Bruno <lucab@debian.org>. (Sat, 11 Feb 2012 12:36:14 GMT) Full text and rfc822 format available.

Message #13 received at 659379@bugs.debian.org (full text, mbox):

From: Henri Salo <henri@nerv.fi>
To: Jakub Wilk <jwilk@debian.org>
Cc: 659379@bugs.debian.org
Subject: Re: Bug#659379: uzbl: world-readable (and writable!) cookie jar
Date: Sat, 11 Feb 2012 14:28:19 +0200
On Sat, Feb 11, 2012 at 01:25:18PM +0100, Jakub Wilk wrote:
> * Henri Salo <henri@nerv.fi>, 2012-02-11, 14:11:
> >>$ ls -ld ~/.local/{,share/{,uzbl/{,cookies.txt}}}
> >>drwxr-xr-x 3 user users 4096 Feb  9 23:29 /home/user/.local/
> >>drwxr-xr-x 4 user users 4096 Feb  9 23:29 /home/user/.local/share/
> >>drwxr-xr-x 2 user users 4096 Feb  9 23:29 /home/user/.local/share/uzbl/
> >>-rw-rw-rw- 1 user users  732 Feb  9 23:29 /home/user/.local/share/uzbl/cookies.txt
> >>
> >>This allows local users to steal cookies (and tamper with them).
> >
> >Does this security-issue have CVE-identifier? I can request one
> >from oss-security mailing list if ID hasn't been assigned.
> 
> It's been already requested, but not assigned yet AFAICS:
> http://seclists.org/oss-sec/2012/q1/406
> 
> -- 
> Jakub Wilk

Ok. Thank you for fast reply. Please contact me if you need testing or other help.

- Henri Salo




Information forwarded to debian-bugs-dist@lists.debian.org, Luca Bruno <lucab@debian.org>:
Bug#659379; Package uzbl. (Sat, 11 Feb 2012 12:51:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Henri Salo <henri@nerv.fi>:
Extra info received and forwarded to list. Copy sent to Luca Bruno <lucab@debian.org>. (Sat, 11 Feb 2012 12:51:04 GMT) Full text and rfc822 format available.

Message #18 received at 659379@bugs.debian.org (full text, mbox):

From: Henri Salo <henri@nerv.fi>
To: Jakub Wilk <jwilk@debian.org>, 659379@bugs.debian.org
Subject: Re: [Secure-testing-team] Bug#659379: uzbl: world-readable (and writable!) cookie jar
Date: Sat, 11 Feb 2012 14:11:22 +0200
On Fri, Feb 10, 2012 at 05:09:13PM +0100, Jakub Wilk wrote:
> Package: uzbl
> Version: 0.0.0~git.20100403-3
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> $ ls -ld ~/.local/{,share/{,uzbl/{,cookies.txt}}}
> drwxr-xr-x 3 user users 4096 Feb  9 23:29 /home/user/.local/
> drwxr-xr-x 4 user users 4096 Feb  9 23:29 /home/user/.local/share/
> drwxr-xr-x 2 user users 4096 Feb  9 23:29 /home/user/.local/share/uzbl/
> -rw-rw-rw- 1 user users  732 Feb  9 23:29 /home/user/.local/share/uzbl/cookies.txt
> 
> This allows local users to steal cookies (and tamper with them).
> 
> -- 
> Jakub Wilk

Does this security-issue have CVE-identifier? I can request one from oss-security mailing list if ID hasn't been assigned.

- Henri Salo




Information forwarded to debian-bugs-dist@lists.debian.org, Luca Bruno <lucab@debian.org>:
Bug#659379; Package uzbl. (Sat, 11 Feb 2012 14:45:38 GMT) Full text and rfc822 format available.

Acknowledgement sent to Luca BRUNO <lucab@debian.org>:
Extra info received and forwarded to list. Copy sent to Luca Bruno <lucab@debian.org>. (Sat, 11 Feb 2012 14:45:38 GMT) Full text and rfc822 format available.

Message #23 received at 659379@bugs.debian.org (full text, mbox):

From: Luca BRUNO <lucab@debian.org>
To: Henri Salo <henri@nerv.fi>, 659379@bugs.debian.org
Cc: Jakub Wilk <jwilk@debian.org>
Subject: Re: Bug#659379: uzbl: world-readable (and writable!) cookie jar
Date: Sat, 11 Feb 2012 15:33:40 +0100
forwarded 659379 http://www.uzbl.org/bugs/index.php?do=details&task_id=291&project=1
thanks

Henri Salo wrote:

> > >>This allows local users to steal cookies (and tamper with them).
> > >
> > >Does this security-issue have CVE-identifier? I can request one
> > >from oss-security mailing list if ID hasn't been assigned.
> > 
> > It's been already requested, but not assigned yet AFAICS:
> > http://seclists.org/oss-sec/2012/q1/406
> 
> Ok. Thank you for fast reply. Please contact me if you need testing
> or other help.

Forwarded to upstream bugtracker and noticed on IRC, I'm waiting for
comments on that side. Here's the report:
http://www.uzbl.org/bugs/index.php?do=details&task_id=291&project=1

While waiting for the proper CVE-id, attached here is a tentative patch
for the cookie plugin. Just umask setting and chmod on existing jar if any.
Reviews appreciated as I'm not a great pythonista...

Cheers, Luca

-- 
 .''`.  ** Debian GNU/Linux **  | Luca Bruno (kaeso)
: :'  :   The Universal O.S.    | lucab (AT) debian.org
`. `'`  			| GPG Key ID: 3BFB9FB3
  `-     http://www.debian.org 	| Debian GNU/Linux Developer
[uzbl-cookie-umask.patch (text/x-patch, attachment)]
[signature.asc (application/pgp-signature, attachment)]

Set Bug forwarded-to-address to 'http://www.uzbl.org/bugs/index.php?do=details&task_id=291&project=1'. Request was from Luca BRUNO <lucab@debian.org> to control@bugs.debian.org. (Sat, 11 Feb 2012 14:45:49 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Luca Bruno <lucab@debian.org>:
Bug#659379; Package uzbl. (Sat, 11 Feb 2012 15:21:07 GMT) Full text and rfc822 format available.

Message #28 received at 659379@bugs.debian.org (full text, mbox):

From: Jakub Wilk <jwilk@debian.org>
To: 659379@bugs.debian.org
Cc: Henri Salo <henri@nerv.fi>
Subject: Re: Bug#659379: uzbl: world-readable (and writable!) cookie jar
Date: Sat, 11 Feb 2012 16:16:23 +0100
* Luca BRUNO <lucab@debian.org>, 2012-02-11, 15:33:
>+        try:
>+          # make sure the cookie jar is not world-open
>+          perm_mode = os.stat(self.filename).st_mode
>+          if (perm_mode & (stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH)) > 0:
>+              os.chmod(self.filename, (stat.S_IMODE(perm_mode) >> 3) << 3)
>+        except OSError:
>+            pass
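
Review bot: The test on perm_mode and the mask passed to os.chmod() both cover only the "other" bits (S_IROTH | S_IWOTH | S_IXOTH in the if, the ">> 3) << 3" shift pair in the chmod), so a jar that is group-readable or group-writable is left as it is. Test against stat.S_IRWXG | stat.S_IRWXO and set stat.S_IMODE(perm_mode) & ~(stat.S_IRWXG | stat.S_IRWXO), which is also easier to read than the shifts. The "except OSError: pass" hides a failed chmod, so the jar can stay world-open with no warning; report the failure at least. The try body is indented by two spaces while the if and except bodies use four.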

I'm not sure it's appropriate to change permissions of existing files. I 
certainly don't like when software does that. (On the other hand, it's not 
much different than removing a file and then recreating it.)

What I did for another browser with similar vulnerability, was to leave 
permissions of existing files, and to ask (in NEWS.Debian) sysadmin to 
fix them manually. YMMV.

I find "((... >> 3) << 3" expression difficult to understand. I'm sure 
it could be expressed in terms of S_* constants in a more readable way.

>+        # restrict umask before creating the cookie jar
>+        curmask=os.umask(0)
>+        print (curmask|(stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH))
>+        os.umask(curmask|(stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH))
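
Review bot: The print (...) line is leftover debug output and should be dropped before this is applied. os.umask(0) on the first line leaves the process with an empty umask until the second os.umask() call runs; because os.umask() returns the previous mask, call it once with the restrictive value and adjust from that, so nothing can be created under an empty umask in between. The saved curmask is never used to put the umask back after the jar has been opened, and the bits added here cover only "other", not group.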

"stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH" could be written as 
"stat.S_IRWXO".

You revoke only read permissions for other, but having your cookie jar 
readable by group might be as bad.

It's probably a good idea to restore umask to the original value once 
the private files have been opened.

(The above remarks apply to other hunks as well.)

-- 
Jakub Wilk
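
The approach discussed in this review (S_IRWX* constants instead of shifts, group bits included, umask restored afterwards, existing files left alone and only reported), as an added example that is not part of the original message or of the uzbl patch. The names private_umask, open_jar and demo and the scratch file names are assumptions made for illustration:

```python
import os
import stat
import tempfile
from contextlib import contextmanager

PRIVATE_MASK = stat.S_IRWXG | stat.S_IRWXO  # all group and other bits (0o077)


@contextmanager
def private_umask():
    """Mask group/other bits for files created inside the block, then restore."""
    old = os.umask(PRIVATE_MASK)          # never passes through umask 0
    try:
        os.umask(old | PRIVATE_MASK)      # keep bits the user already masked
        yield
    finally:
        os.umask(old)                     # later files get the user's umask again


def open_jar(path):
    """Open a cookie jar for appending; a new file is created owner-only.

    An existing file keeps its mode. The group/other bits found on it are
    returned so the caller can warn instead of silently changing them.
    """
    with private_umask():
        jar = open(path, "a")
    extra = stat.S_IMODE(os.fstat(jar.fileno()).st_mode) & PRIVATE_MASK
    return jar, extra


def demo():
    """Run both cases in a scratch directory (constructed paths)."""
    before = os.umask(0o022)              # pin a typical umask for the demo
    try:
        with tempfile.TemporaryDirectory() as d:
            new = os.path.join(d, "cookies.txt")
            jar, new_extra = open_jar(new)
            jar.close()
            new_mode = stat.S_IMODE(os.stat(new).st_mode)

            legacy = os.path.join(d, "old-cookies.txt")
            open(legacy, "w").close()
            os.chmod(legacy, 0o666)       # the mode shown in the bug report
            jar, old_extra = open_jar(legacy)
            jar.close()
            old_mode = stat.S_IMODE(os.stat(legacy).st_mode)

            restored = os.umask(0o022)    # read back the current umask
        return new_mode, new_extra, old_mode, old_extra, restored
    finally:
        os.umask(before)
```

A non-zero second value from open_jar means the jar already existed with group or other access and needs the owner's attention.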




Information forwarded to debian-bugs-dist@lists.debian.org, Luca Bruno <lucab@debian.org>:
Bug#659379; Package uzbl. (Sat, 11 Feb 2012 23:12:21 GMT) Full text and rfc822 format available.

Acknowledgement sent to Kurt Seifried <kseifried@redhat.com>:
Extra info received and forwarded to list. Copy sent to Luca Bruno <lucab@debian.org>. (Sat, 11 Feb 2012 23:12:21 GMT) Full text and rfc822 format available.

Message #33 received at 659379@bugs.debian.org (full text, mbox):

From: Kurt Seifried <kseifried@redhat.com>
To: 659379@bugs.debian.org
Subject: Please use CVE-2012-0843 for this issue.
Date: Sat, 11 Feb 2012 16:11:23 -0700
Please use CVE-2012-0843 for this issue.

www.openwall.com/lists/oss-security/2012/02/11/3


-- 
Kurt Seifried Red Hat Security Response Team (SRT)




Reply sent to Luca Bruno <lucab@debian.org>:
You have taken responsibility. (Tue, 14 Feb 2012 18:03:09 GMT) Full text and rfc822 format available.

Notification sent to Jakub Wilk <jwilk@debian.org>:
Bug acknowledged by developer. (Tue, 14 Feb 2012 18:03:09 GMT) Full text and rfc822 format available.

Message #38 received at 659379-close@bugs.debian.org (full text, mbox):

From: Luca Bruno <lucab@debian.org>
To: 659379-close@bugs.debian.org
Subject: Bug#659379: fixed in uzbl 0.0.0~git.20111128-2
Date: Tue, 14 Feb 2012 18:02:34 +0000
Source: uzbl
Source-Version: 0.0.0~git.20111128-2

We believe that the bug you reported is fixed in the latest version of
uzbl, which is due to be installed in the Debian FTP archive:

uzbl_0.0.0~git.20111128-2.diff.gz
  to main/u/uzbl/uzbl_0.0.0~git.20111128-2.diff.gz
uzbl_0.0.0~git.20111128-2.dsc
  to main/u/uzbl/uzbl_0.0.0~git.20111128-2.dsc
uzbl_0.0.0~git.20111128-2_amd64.deb
  to main/u/uzbl/uzbl_0.0.0~git.20111128-2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 659379@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luca Bruno <lucab@debian.org> (supplier of updated uzbl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Tue, 14 Feb 2012 18:14:55 +0100
Source: uzbl
Binary: uzbl
Architecture: source amd64
Version: 0.0.0~git.20111128-2
Distribution: unstable
Urgency: high
Maintainer: Luca Bruno <lucab@debian.org>
Changed-By: Luca Bruno <lucab@debian.org>
Description: 
 uzbl       - Lightweight Webkit browser following the UNIX philosophy
Closes: 659379
Changes: 
 uzbl (0.0.0~git.20111128-2) unstable; urgency=high
 .
   * Security fix for CVE-2012-0843
     + Restrict third-party access to cookie jar (Closes: #659379)





Information forwarded to debian-bugs-dist@lists.debian.org, Luca Bruno <lucab@debian.org>:
Bug#659379; Package uzbl. (Sun, 08 Jul 2012 22:24:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Luca Bruno <lucab@debian.org>. (Sun, 08 Jul 2012 22:24:07 GMT) Full text and rfc822 format available.

Message #43 received at 659379@bugs.debian.org (full text, mbox):

From: Jonathan Wiltshire <jmw@debian.org>
To: 659379@bugs.debian.org
Subject: Re: uzbl: world-readable (and writable!) cookie jar
Date: Sun, 08 Jul 2012 15:24:45 -0000
Dear maintainer,

Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:

squeeze (6.0.6) - use target "stable"

Please prepare a minimal-changes upload targeting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track [1] the progress of this request.

For details of this process and the rationale, please see the original
announcement [2] and my blog post [3].

0: debian-release@lists.debian.org
1: http://prsc.debian.net/tracker/659379/
2: <201101232332.11736.thijs@debian.org>
3: http://deb.li/prsc

Thanks,

with his security hat on:
--
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51





Information forwarded to debian-bugs-dist@lists.debian.org, Luca Bruno <lucab@debian.org>:
Bug#659379; Package uzbl. (Sun, 08 Jul 2012 22:42:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Luca Bruno <lucab@debian.org>. (Sun, 08 Jul 2012 22:42:04 GMT) Full text and rfc822 format available.

Message #48 received at 659379@bugs.debian.org (full text, mbox):

From: Jonathan Wiltshire <jmw@debian.org>
To: 659379@bugs.debian.org
Subject: Re: uzbl: world-readable (and writable!) cookie jar
Date: Sun, 08 Jul 2012 17:38:28 -0000
Dear maintainer,

Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:

squeeze (6.0.6) - use target "stable"

Please prepare a minimal-changes upload targeting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track [1] the progress of this request.

For details of this process and the rationale, please see the original
announcement [2] and my blog post [3].

0: debian-release@lists.debian.org
1: http://prsc.debian.net/tracker/659379/
2: <201101232332.11736.thijs@debian.org>
3: http://deb.li/prsc

Thanks,

with his security hat on:
--
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 02 Jun 2013 08:19:37 GMT) Full text and rfc822 format available.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 04:38:17 2014; Machine Name: beach.debian.org
