Debian Bug report logs - #736357
syncevolution: CVE-2014-1639: tmp file vulnerability


Package: syncevolution; Maintainer for syncevolution is Tino Mettler <tino+debian@tikei.de>; Source for syncevolution is src:syncevolution.

Reported by: Helmut Grohne <helmut@subdivi.de>

Date: Wed, 22 Jan 2014 18:15:02 UTC

Severity: important

Tags: security

Found in version syncevolution/1.0+ds1~beta2a-2

Fixed in version syncevolution/1.3.99.7-1

Done: Tino Keitel <tino+debian@tikei.de>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Tino Keitel <tino+debian@tikei.de>:
Bug#736357; Package syncevolution. (Wed, 22 Jan 2014 18:15:06 GMT)

Acknowledgement sent to Helmut Grohne <helmut@subdivi.de>:
New Bug report received and forwarded. Copy sent to Tino Keitel <tino+debian@tikei.de>. (Wed, 22 Jan 2014 18:15:06 GMT)

Message #5 received at submit@bugs.debian.org:

From: Helmut Grohne <helmut@subdivi.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: syncevolution: tmp file vulnerability
Date: Wed, 22 Jan 2014 19:09:24 +0100
Package: syncevolution
Version: 1.0+ds1~beta2a-2
Severity: important
Tags: security

Dear Maintainer,

Your package contains a funny tmp file vulnerability.

$ grep 'mktemp`\.' -r .
./src/syncevo/installcheck-local.sh:TMPFILE_CXX=`mktemp`.cxx
./src/syncevo/installcheck-local.sh:TMPFILE_O=`mktemp`.o
$

Both of them are doing it wrong. They create a secure tempfile, but don't
use it and instead generate a (now) predictable(!) name without opening
it in a safe (O_CREAT) way.

Helmut



Information forwarded to debian-bugs-dist@lists.debian.org, Tino Keitel <tino+debian@tikei.de>:
Bug#736357; Package syncevolution. (Wed, 22 Jan 2014 20:00:04 GMT)

Acknowledgement sent to Tino Mettler <tino.mettler@tikei.de>:
Extra info received and forwarded to list. Copy sent to Tino Keitel <tino+debian@tikei.de>. (Wed, 22 Jan 2014 20:00:04 GMT)

Message #10 received at 736357@bugs.debian.org:

From: Tino Mettler <tino.mettler@tikei.de>
To: Helmut Grohne <helmut@subdivi.de>, 736357@bugs.debian.org
Subject: Re: Bug#736357: syncevolution: tmp file vulnerability
Date: Wed, 22 Jan 2014 20:47:22 +0100
On Wed, Jan 22, 2014 at 19:09:24 +0100, Helmut Grohne wrote:
> Package: syncevolution
> Version: 1.0+ds1~beta2a-2
> Severity: important
> Tags: security
> 
> Dear Maintainer,
> 
> Your package contains a funny tmp file vulnerability.
> 
> $ grep 'mktemp`\.' -r .
> ./src/syncevo/installcheck-local.sh:TMPFILE_CXX=`mktemp`.cxx
> ./src/syncevo/installcheck-local.sh:TMPFILE_O=`mktemp`.o
> $
> 
> Both of them are doing it wrong. They create a secure tempfile, but don't
> use it and instead generate a (now) predictable(!) name without opening
> it in a safe (O_CREAT) way.

Hi,

could you point out in more detail what is wrong here, and how it
should be done right?

Regards,
Tino



Information forwarded to debian-bugs-dist@lists.debian.org, Tino Keitel <tino+debian@tikei.de>:
Bug#736357; Package syncevolution. (Wed, 22 Jan 2014 20:39:08 GMT)

Acknowledgement sent to Helmut Grohne <helmut@subdivi.de>:
Extra info received and forwarded to list. Copy sent to Tino Keitel <tino+debian@tikei.de>. (Wed, 22 Jan 2014 20:39:08 GMT)

Message #15 received at 736357@bugs.debian.org:

From: Helmut Grohne <helmut@subdivi.de>
To: Tino Mettler <tino.mettler@tikei.de>
Cc: 736357@bugs.debian.org
Subject: Re: Bug#736357: syncevolution: tmp file vulnerability
Date: Wed, 22 Jan 2014 21:33:58 +0100
On Wed, Jan 22, 2014 at 08:47:22PM +0100, Tino Mettler wrote:
> On Wed, Jan 22, 2014 at 19:09:24 +0100, Helmut Grohne wrote:
> > Package: syncevolution
> > Version: 1.0+ds1~beta2a-2
> > Severity: important
> > Tags: security
> > 
> > Dear Maintainer,
> > 
> > Your package contains a funny tmp file vulnerability.
> > 
> > $ grep 'mktemp`\.' -r .
> > ./src/syncevo/installcheck-local.sh:TMPFILE_CXX=`mktemp`.cxx
> > ./src/syncevo/installcheck-local.sh:TMPFILE_O=`mktemp`.o
> > $
> > 
> > Both of them are doing it wrong. They create a secure tempfile, but don't
> > use it and instead generate a (now) predictable(!) name without opening
> > it in a safe (O_CREAT) way.
> 
> Hi,
> 
> could you point out in more detail what is wrong here, and how it
> should be done right?

Sorry for having assumed this was obvious. So what happens when you create a
temporary file the way it is done in syncevolution

TMPFILE=`mktemp`.suffix

is that a temporary file is securely made, but then you don't use it and
instead base your temporary filename on the secure temporary file. You
later write to it without using O_CREAT thus leading to the issue.

Ideally you don't manipulate the filename after the fact, so you need to
have the desired suffix incorporated into the creation process. Luckily
mktemp provides a mechanism for that: --suffix. So the correct solution
is:

TMPFILE=`mktemp --suffix .suffix`

Now the desired file is created by mktemp and when you write to it using
other tools, it already is known to be owned by the relevant user.

Hope this helps

Helmut
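The following script is an added example illustrating the two messages above; it is not code from the syncevolution tree, from the patch, or from the bug report. It shows the reported pattern (a name derived from a mktemp result) beside the --suffix fix, an audit grep for the pattern extended to the $(...) form, and what the derived name costs: a symlink planted at the predictable path is followed by the script's plain redirection. Everything it touches is a constructed sample or a throwaway temp file, and it assumes GNU coreutils (mktemp --suffix, stat -c) on Linux.

```sh
#!/bin/sh
# Added example (not code from the syncevolution tree or the bug report):
# the mktemp misuse Helmut describes, the --suffix fix, an audit grep for
# the pattern, and a demonstration of what the derived name lets an
# attacker do. Assumes GNU coreutils (mktemp --suffix, stat -c) on Linux.

# The reported pattern: mktemp securely creates one file, but the script
# then uses "$base.cxx", a name derived from it that was never created.
# Anyone who can list the temp directory sees $base and can predict it.
vulnerable_tmp_name() {
    base=$(mktemp)
    echo "$base.cxx"
}

# The fix from the report: let mktemp create the file with the suffix, so
# the name the script writes to already exists, mode 0600, owned by us.
safe_tmp_name() {
    mktemp --suffix=.cxx
}

# Returns the octal mode of a freshly created safe temp file ("600").
safe_tmp_mode() {
    f=$(safe_tmp_name)
    mode=$(stat -c %a "$f")
    rm -f "$f"
    echo "$mode"
}

# What the derived name costs: an attacker who guessed "$base.cxx" plants a
# symlink there first. The script's plain redirection (O_CREAT|O_TRUNC,
# no O_EXCL, symlinks followed) then truncates and overwrites the link's
# target. Both roles are played by this one user purely to show the effect.
demo_symlink_clobber() {
    victim=$(mktemp)
    echo "important data" > "$victim"
    target=$(vulnerable_tmp_name)          # predictable: base name + .cxx
    ln -s "$victim" "$target"              # attacker wins the race
    echo "int main(){}" > "$target"        # script writes its "temp" file
    cat "$victim"                          # victim now holds the script's data
    rm -f "$victim" "$target" "${target%.cxx}"
}

# Audit helper matching the grep from the report, extended to the $(...)
# form: count lines that append a suffix to a mktemp result.
audit_mktemp_suffix() {
    grep -cE '(`mktemp[^`]*`|\$\(mktemp[^)]*\))\.[A-Za-z0-9_]+' "$1" || true
}

# Constructed sample (not the real installcheck-local.sh): two bad lines
# in the reported form and one correct line.
write_sample_script() {
    cat > "$1" <<'EOF'
TMPFILE_CXX=`mktemp`.cxx
TMPFILE_O=`mktemp`.o
TMPFILE_OK=`mktemp --suffix .cxx`
EOF
}

if [ "${1-}" = "demo" ]; then
    sample=$(mktemp)
    write_sample_script "$sample"
    echo "suspicious lines: $(audit_mktemp_suffix "$sample")"
    rm -f "$sample"
    echo "safe temp mode: $(safe_tmp_mode)"
    echo "victim after clobber: $(demo_symlink_clobber)"
fi
```

Run it as `sh mktemp_suffix.sh demo` (the file name is an assumption). Note that --suffix is a GNU mktemp option; where it is unavailable, the portable equivalent is to create a private directory with `mktemp -d` (mode 0700) and place the fixed-name .cxx and .o files inside it, which removes the race for the same reason: every path the script writes to lives under a name the attacker cannot pre-create.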



Information forwarded to debian-bugs-dist@lists.debian.org, Tino Keitel <tino+debian@tikei.de>:
Bug#736357; Package syncevolution. (Wed, 22 Jan 2014 20:45:08 GMT)

Acknowledgement sent to Tino Mettler <tino.mettler@tikei.de>:
Extra info received and forwarded to list. Copy sent to Tino Keitel <tino+debian@tikei.de>. (Wed, 22 Jan 2014 20:45:08 GMT)

Message #20 received at 736357@bugs.debian.org:

From: Tino Mettler <tino.mettler@tikei.de>
To: Helmut Grohne <helmut@subdivi.de>, 736357@bugs.debian.org
Subject: Re: Bug#736357: syncevolution: tmp file vulnerability
Date: Wed, 22 Jan 2014 21:41:41 +0100
On Wed, Jan 22, 2014 at 21:33:58 +0100, Helmut Grohne wrote:

[...]

> Ideally you don't manipulate the filename after the fact, so you need to
> have the desired suffix incorporated into the creation process. Luckily
> mktemp provides a mechanism for that: --suffix. So the correct solution
> is:
> 
> TMPFILE=`mktemp --suffix .suffix`
> 
> Now the desired file is created by mktemp and when you write to it using
> other tools, it already is known to be owned by the relevant user.
> 
> Hope this helps

Hi,

thanks for the clarification. I expected exactly that, I just wanted to
make sure that we are thinking into the right direction.

Btw., don't expect me to fix this for oldstable, which is the version
you use. As far as I can see, the script is only used at build time.

Regards,
Tino



Changed Bug title to 'syncevolution: CVE-2014-1639: tmp file vulnerability' from 'syncevolution: tmp file vulnerability' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 23 Jan 2014 05:36:06 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Tino Keitel <tino+debian@tikei.de>:
Bug#736357; Package syncevolution. (Thu, 23 Jan 2014 06:06:04 GMT)

Acknowledgement sent to Helmut Grohne <helmut@subdivi.de>:
Extra info received and forwarded to list. Copy sent to Tino Keitel <tino+debian@tikei.de>. (Thu, 23 Jan 2014 06:06:04 GMT)

Message #27 received at 736357@bugs.debian.org:

From: Helmut Grohne <helmut@subdivi.de>
To: Tino Mettler <tino.mettler@tikei.de>
Cc: 736357@bugs.debian.org
Subject: Re: Bug#736357: syncevolution: tmp file vulnerability
Date: Thu, 23 Jan 2014 07:02:35 +0100
On Wed, Jan 22, 2014 at 09:41:41PM +0100, Tino Mettler wrote:
> Btw., don't expect me to fix this for oldstable, which is the version
> you use. As far as I can see, the script is only used at build time.

The issue is reported against oldstable, because it is the oldest
relevant version applicable. I agree that fixing a build issue for
stable or oldstable is probably not worth the effort.

CVE-2014-1639 was assigned to this issue. Please mention the identifier
in the changelog when fixing.

Helmut



Information forwarded to debian-bugs-dist@lists.debian.org, Tino Keitel <tino+debian@tikei.de>:
Bug#736357; Package syncevolution. (Thu, 23 Jan 2014 07:09:04 GMT)

Acknowledgement sent to Patrick Ohly <patrick.ohly@intel.com>:
Extra info received and forwarded to list. Copy sent to Tino Keitel <tino+debian@tikei.de>. (Thu, 23 Jan 2014 07:09:04 GMT)

Message #32 received at 736357@bugs.debian.org:

From: Patrick Ohly <patrick.ohly@intel.com>
To: Helmut Grohne <helmut@subdivi.de>, 736357@bugs.debian.org
Cc: Tino Mettler <tino.mettler@tikei.de>
Subject: Re: Bug#736357: syncevolution: tmp file vulnerability
Date: Thu, 23 Jan 2014 08:07:19 +0100
On Thu, 2014-01-23 at 07:02 +0100, Helmut Grohne wrote:
> On Wed, Jan 22, 2014 at 09:41:41PM +0100, Tino Mettler wrote:
> > Btw., don't expect me to fix this for oldstable, which is the version
> > you use. As far as I can see, the script is only used at build time.
> 
> The issue is reported against oldstable, because it is the oldest
> relevant version applicable. I agree that fixing a build issue for
> stable or oldstable is probably not worth the effort.
> 
> CVE-2014-1639 was assigned to this issue. Please mention the identifier
> in the changelog when fixing.

Thanks for reporting this. My first CVE - not sure whether I should be
ashamed or proud ;-} At least I am in good company
(http://seclists.org/oss-sec/2014/q1/138).

Tino, I finally finished packaging 1.3.99.7 yesterday and will announce
it today if final, manual testing goes well. I can put any fix into 1.4.

-- 
Best Regards, Patrick Ohly

The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.





Reply sent to Tino Keitel <tino+debian@tikei.de>:
You have taken responsibility. (Thu, 20 Feb 2014 18:03:29 GMT)

Notification sent to Helmut Grohne <helmut@subdivi.de>:
Bug acknowledged by developer. (Thu, 20 Feb 2014 18:03:30 GMT)

Message #37 received at 736357-close@bugs.debian.org:

From: Tino Keitel <tino+debian@tikei.de>
To: 736357-close@bugs.debian.org
Subject: Bug#736357: fixed in syncevolution 1.3.99.7-1
Date: Thu, 20 Feb 2014 18:00:13 +0000
Source: syncevolution
Source-Version: 1.3.99.7-1

We believe that the bug you reported is fixed in the latest version of
syncevolution, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 736357@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tino Keitel <tino+debian@tikei.de> (supplier of updated syncevolution package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 31 Jan 2014 12:44:35 +0100
Source: syncevolution
Binary: syncevolution sync-ui syncevolution-common syncevolution-libs syncevolution-libs-gnome syncevolution-libs-kde syncevolution-dbus syncevolution-http syncevolution-dbg libsyncevolution0 libsyncevo-dbus0 libgdbussyncevo0
Architecture: source amd64 all
Version: 1.3.99.7-1
Distribution: unstable
Urgency: high
Maintainer: Tino Keitel <tino+debian@tikei.de>
Changed-By: Tino Keitel <tino+debian@tikei.de>
Description: 
 libgdbussyncevo0 - Sync personal information data using SyncML and CalDAV/CardDAV (s
 libsyncevo-dbus0 - Sync personal information data using SyncML and CalDAV/CardDAV (s
 libsyncevolution0 - Sync personal information data using SyncML and CalDAV/CardDAV (s
 sync-ui    - Sync personal information data using SyncML and CalDAV/CardDAV (G
 syncevolution - Sync personal information data using SyncML and CalDAV/CardDAV (C
 syncevolution-common - Sync personal information data using SyncML and CalDAV/CardDAV
 syncevolution-dbg - Sync personal information data using SyncML and CalDAV/CardDAV (d
 syncevolution-dbus - Sync personal information data using SyncML and CalDAV/CardDAV (D
 syncevolution-http - Sync personal information data using SyncML and CalDAV/CardDAV (H
 syncevolution-libs - Sync personal information data using SyncML and CalDAV/CardDAV (l
 syncevolution-libs-gnome - Sync personal information data using SyncML and CalDAV/CardDAV (l
 syncevolution-libs-kde - Sync personal information data using SyncML and CalDAV/CardDAV (l
Closes: 682520 736357
Changes: 
 syncevolution (1.3.99.7-1) unstable; urgency=high
 .
   * New upstream release candidate
   * Add 0001-Fix-incorrect-mktemp-usage-reported-by-Helmut-Grohne.patch,
     which fixes CVE-2014-1639
     (Closes: #736357)
   * Enable Akonadi support, separate Evolution (GNOME) and Akonadi (KDE) support
     (Closes: #682520)
   * Update standards version to 3.9.5, no changes needed
   * Add NEWS item to describe changes regarding KDE and GNOME support
Checksums-Sha1: 
 0f89b241e87f603bd7b22490f9f0a3af4162a2b8 2806 syncevolution_1.3.99.7-1.dsc
 2f4c4f703b43b227ddd865322f973e2189ee4399 1958220 syncevolution_1.3.99.7.orig.tar.gz
 d0d5e39f316afc6354ff84b13b8ac8633771ead4 11916 syncevolution_1.3.99.7-1.debian.tar.xz
 fad077d2a972a8e578c80e803d4a54597490c8e7 211704 syncevolution_1.3.99.7-1_amd64.deb
 d934c7420c5c7a8bd35b3f24f20a9d3d5d59206f 47212 sync-ui_1.3.99.7-1_amd64.deb
 4a623788d0c6758c05ddb7e3ed2d0793e602281b 115894 syncevolution-common_1.3.99.7-1_all.deb
 f1e15d6d9dac9f78693c6b1d1c56a893a71468db 230826 syncevolution-libs_1.3.99.7-1_amd64.deb
 5cc8c085195b3a314016c92c620bef15246ec428 167734 syncevolution-libs-gnome_1.3.99.7-1_amd64.deb
 67870bb107b9aa8452379bf8486e91a0ed3b01d5 88020 syncevolution-libs-kde_1.3.99.7-1_amd64.deb
 5a7d724fec6982ed1e21f0f6fb45c61b53f2de36 443854 syncevolution-dbus_1.3.99.7-1_amd64.deb
 851de5e299c9ebe186e3404b8c16ea3c95a1e5fe 14126 syncevolution-http_1.3.99.7-1_all.deb
 873891bebfef807b3d66d81c7ed752898d9566ac 34665722 syncevolution-dbg_1.3.99.7-1_amd64.deb
 e756920e85a5a7653ddbb3633827204ba0a29e1c 777170 libsyncevolution0_1.3.99.7-1_amd64.deb
 fb72ef81090e9853dd51688e4124585fe4532a92 19110 libsyncevo-dbus0_1.3.99.7-1_amd64.deb
 95f303b9996156dffbd7bcb530a5c746ee8b3c3d 22186 libgdbussyncevo0_1.3.99.7-1_amd64.deb
Checksums-Sha256: 
 a042a43e6447615956aec81414247d670ad115298f61cd0793039a9f6646d634 2806 syncevolution_1.3.99.7-1.dsc
 dcf9472e005653ffbe0138007950dc93201cf3ffce626924bc7e217885228cdd 1958220 syncevolution_1.3.99.7.orig.tar.gz
 988da1b571a1fed3ba969e8c03019b030b7dcb05c547f9eb25c3f8b6f2e91ff7 11916 syncevolution_1.3.99.7-1.debian.tar.xz
 c2a105bc38927d8b0de13130fa4fb029a7e011659e85bbbffd626357a3ba0d9f 211704 syncevolution_1.3.99.7-1_amd64.deb
 bef199d136c2604e964b1319348af61fecc8770bca5b3a7e5f94454d1b436790 47212 sync-ui_1.3.99.7-1_amd64.deb
 e2989dc61be68a5f6cb0075ba3502defc9b00851131ec4a79dbe95a4450c3e55 115894 syncevolution-common_1.3.99.7-1_all.deb
 a52c924f0c89575d276c274c970e7a7b66ae22d67ff16754d897003dd2ae929e 230826 syncevolution-libs_1.3.99.7-1_amd64.deb
 0bccc36d1df4eb8d88dd4b8f036199a9cf49136caa7359ecd6dc3da56bb88f95 167734 syncevolution-libs-gnome_1.3.99.7-1_amd64.deb
 d7c730e757e3d5713709ed5bb16f959307a51582a505fbaab870e23e0cb36b8f 88020 syncevolution-libs-kde_1.3.99.7-1_amd64.deb
 398a2250e253c98b89ab6289dfc54f5a07b2cb7411be9c2152e4d4751a8921ad 443854 syncevolution-dbus_1.3.99.7-1_amd64.deb
 55d6cca5343f9a3bf308e1a1bdcd6762b4aff98f1d664d9361fd6de09e373beb 14126 syncevolution-http_1.3.99.7-1_all.deb
 5e1ade0a7287299797236aeb6691a5af54904515e47497fb46e2918111c88bfb 34665722 syncevolution-dbg_1.3.99.7-1_amd64.deb
 4abbb239ebf9ebd53b9ec472eb0f6d8cda7cd5a382ea70cb40ed76ab6cfb0983 777170 libsyncevolution0_1.3.99.7-1_amd64.deb
 3e227e73693d73f914edddd1f8318dc5a4c1afac8f48231c2afea515f0a0bb84 19110 libsyncevo-dbus0_1.3.99.7-1_amd64.deb
 9f02569fbf0dba70c08547aa3fc2cce23d8d0496f5315aac34e531b53f0ff1b7 22186 libgdbussyncevo0_1.3.99.7-1_amd64.deb
Files: 
 51eadbcb3f686766aeac35f745538330 2806 utils optional syncevolution_1.3.99.7-1.dsc
 605bca9b237ec5c03d861bbfd5cc2ba7 1958220 utils optional syncevolution_1.3.99.7.orig.tar.gz
 d7fb6c88a4b025a64011364e77b2acc9 11916 utils optional syncevolution_1.3.99.7-1.debian.tar.xz
 07f6031090f07ff62c4c596be356d775 211704 utils optional syncevolution_1.3.99.7-1_amd64.deb
 abd10de4fc29d9049c5128723c53429a 47212 utils optional sync-ui_1.3.99.7-1_amd64.deb
 fd5e58df33c3adb775f9c71bd8caf3b3 115894 utils optional syncevolution-common_1.3.99.7-1_all.deb
 b0c82ea3a60b0f381a0de67bdd362e80 230826 utils optional syncevolution-libs_1.3.99.7-1_amd64.deb
 28933888e2aea4b22f19f10aad540e5d 167734 utils optional syncevolution-libs-gnome_1.3.99.7-1_amd64.deb
 e5c83e3c5c50629bfeb468cee93baf9b 88020 utils optional syncevolution-libs-kde_1.3.99.7-1_amd64.deb
 acd97c1e350db9b9aba7d84acacdb480 443854 utils optional syncevolution-dbus_1.3.99.7-1_amd64.deb
 25e053560dc6b3dbb2e355d890fb2bf2 14126 utils optional syncevolution-http_1.3.99.7-1_all.deb
 8eb7230db69f87106c311917ed71ddc6 34665722 debug extra syncevolution-dbg_1.3.99.7-1_amd64.deb
 390d6a23eef6460477b264cb2377a627 777170 utils optional libsyncevolution0_1.3.99.7-1_amd64.deb
 3fabc2665a51246a6efe6a65073a642d 19110 utils optional libsyncevo-dbus0_1.3.99.7-1_amd64.deb
 6cdf393d69fc343e3f4fbacaa3681397 22186 utils optional libgdbussyncevo0_1.3.99.7-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 21 Mar 2014 07:29:41 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 17:02:49 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.