Debian Bug report logs - #78951
lock file problem

Package: dialog; Maintainer for dialog is Santiago Vila <sanvila@debian.org>; Source for dialog is src:dialog.

Reported by: Matt Kraai <kraai@debian.org>

Date: Wed, 6 Dec 2000 23:03:20 UTC

Severity: grave

Found in version 0.9a-20000118-3

Fixed in version dialog/0.9a-20001213-1

Done: Santiago Vila <sanvila@debian.org>

Bug is archived. No further changes may be made.

Forwarded to "T.E.Dickey" <dickey@clark.net>


Report forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#78951; Package dialog. Full text and rfc822 format available.

Acknowledgement sent to Matt Kraai <kraai@debian.org>:
New Bug report received and forwarded. Copy sent to Santiago Vila <sanvila@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Matt Kraai <kraai@debian.org>
To: submit@bugs.debian.org
Subject: lock file problem
Date: Wed, 6 Dec 2000 15:43:10 -0700
Package: dialog
Version: 0.9a-20000118-3

The dialog package creates lock files in /tmp.  It is possible for an
attacker to create symbolic links and truncate any file that is writable
by the person running dialog.  Since dialog is run by debconf, which is
run by root, I think bad things could happen.  The appended patch
creates the lock files safely (and also avoids a race condition).

Matt

--- dialog-0.9a-20000118/util.c	Tue Jan 18 18:21:03 2000
+++ dialog/util.c	Wed Dec  6 14:14:07 2000
@@ -662,7 +662,6 @@
 void
 wrefresh_lock_sub(WINDOW *win)
 {
-    while_exist_lock(lock_refresh);
     create_lock(lock_refresh);
     wrefresh(win);
     beeping();
@@ -687,16 +686,11 @@
 }
 
 void
-while_exist_lock(char *filename)
-{
-    while (exist_lock(filename)) ;
-}
-
-void
 create_lock(char *filename)
 {
-    FILE *fil = fopen(filename, "w");
-    fclose(fil);
+    int fd;
+    while ((fd = open(filename, O_WRONLY|O_CREAT|O_EXCL, 0600)) == -1)
+	close(fd);
 }
 
 void
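Review bot: In create_lock(), the added `close(fd);` is the body of the `while` loop instead of a statement after it, so every failed open() ends in close(-1) and the descriptor returned by the successful open() is never closed, leaking one descriptor per lock taken. Terminate the loop with an empty statement and close afterwards: `while ((fd = open(...)) == -1) ;` followed by `close(fd);`.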



Reply sent to Santiago Vila <sanvila@unex.es>:
You have marked Bug as forwarded. Full text and rfc822 format available.

Message #8 received at 78951-forwarded@bugs.debian.org (full text, mbox):

From: Santiago Vila <sanvila@unex.es>
To: "T.E.Dickey" <dickey@clark.net>
Cc: 78951-forwarded@bugs.debian.org, Matt Kraai <kraai@debian.org>
Subject: Bug#78951: lock file problem (fwd)
Date: Thu, 7 Dec 2000 13:40:25 +0100 (CET)

Hello.

I received this report from the Debian bug system. It is possible that
this is already fixed in the latest version, but I have not checked it yet.

---------- Forwarded message ----------
Date: Wed, 6 Dec 2000 15:43:10 -0700
From: Matt Kraai <kraai@debian.org>
To: submit@bugs.debian.org
Subject: #78951: lock file problem

Package: dialog
Version: 0.9a-20000118-3

The dialog package creates lock files in /tmp.  It is possible for an
attacker to create symbolic links and truncate any file that is writable
by the person running dialog.  Since dialog is run by debconf, which is
run by root, I think bad things could happen.  The appended patch
creates the lock files safely (and also avoids a race condition).

Matt

--- dialog-0.9a-20000118/util.c	Tue Jan 18 18:21:03 2000
+++ dialog/util.c	Wed Dec  6 14:14:07 2000
@@ -662,7 +662,6 @@
 void
 wrefresh_lock_sub(WINDOW *win)
 {
-    while_exist_lock(lock_refresh);
     create_lock(lock_refresh);
     wrefresh(win);
     beeping();
@@ -687,16 +686,11 @@
 }
 
 void
-while_exist_lock(char *filename)
-{
-    while (exist_lock(filename)) ;
-}
-
-void
 create_lock(char *filename)
 {
-    FILE *fil = fopen(filename, "w");
-    fclose(fil);
+    int fd;
+    while ((fd = open(filename, O_WRONLY|O_CREAT|O_EXCL, 0600)) == -1)
+	close(fd);
 }
 
 void
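Review bot: The `while` condition on the added open() line retries on every failure, not only when the lock file already exists, so an error that will never clear (a missing directory, no write permission) makes create_lock() loop forever. Check errno after a failed open(), retry only on EEXIST, and hand any other error back to the caller.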




Severity set to `grave'. Request was from Joey Hess <joeyh@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#78951; Package dialog. Full text and rfc822 format available.

Acknowledgement sent to Matt Kraai <kraai@alumni.carnegiemellon.edu>:
Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@debian.org>. Full text and rfc822 format available.

Message #15 received at 78951@bugs.debian.org (full text, mbox):

From: Matt Kraai <kraai@alumni.carnegiemellon.edu>
To: 78951@bugs.debian.org
Subject: improved patch
Date: Tue, 12 Dec 2000 22:13:12 -0800
[Message part 1 (text/plain, inline)]
Howdy,

I just realized that the patch I submitted for this bug is broken.  Here
is a new and improved version.

Matt

--- dialog-0.9a-20001027/util.c	Fri Oct 27 18:09:49 2000
+++ dialog/util.c	Tue Dec 12 22:11:05 2000
@@ -681,7 +681,6 @@
 wrefresh_lock_sub(WINDOW *win)
 {
     if (lock_refresh) {
-	while_exist_lock(lock_refresh);
 	create_lock(lock_refresh);
     }
     (void) wrefresh(win);
@@ -707,16 +706,13 @@
 }
 
 void
-while_exist_lock(char *filename)
-{
-    while (exist_lock(filename)) ;
-}
-
-void
 create_lock(char *filename)
 {
-    FILE *fil = fopen(filename, "w");
-    (void) fclose(fil);
+    int fd;
+
+    while ((fd = open(filename, O_WRONLY|O_CREAT|O_EXCL, 0600)) == -1)
+	/* do nothing */;
+    close(fd);
 }
 
 void
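Review bot: The empty loop body under the added open() call polls with no pause and no limit, so a waiting process keeps a CPU busy for as long as the lock file exists, and a lock file left behind by a process that died is never given up on. Sleep between attempts and stop after a bounded number of tries.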
[Message part 2 (application/pgp-signature, inline)]

Message #16 received at 78951-forwarded@bugs.debian.org (full text, mbox):

From: Santiago Vila <sanvila@unex.es>
To: Thomas Dickey <dickey@herndon4.his.com>
Cc: <78951-forwarded@bugs.debian.org>
Subject: Bug#78951: improved patch (fwd)
Date: Wed, 13 Dec 2000 17:23:14 +0100 (CET)

Hello Thomas.

I received this yesterday. Unfortunately, version 20001212 seems
to contain the wrong patch.

---------- Forwarded message ----------
Date: Tue, 12 Dec 2000 22:13:12 -0800
From: Matt Kraai <kraai@alumni.carnegiemellon.edu>
To: 78951@bugs.debian.org
Subject: Bug#78951: improved patch
Resent-Date: Wed, 13 Dec 2000 07:03:09 GMT
Resent-From: Matt Kraai <kraai@alumni.carnegiemellon.edu>
Resent-To: debian-bugs-dist@lists.debian.org
Resent-cc: Santiago Vila <sanvila@debian.org>

Howdy,

I just realized that the patch I submitted for this bug is broken.  Here
is a new and improved version.

Matt

--- dialog-0.9a-20001027/util.c	Fri Oct 27 18:09:49 2000
+++ dialog/util.c	Tue Dec 12 22:11:05 2000
@@ -681,7 +681,6 @@
 wrefresh_lock_sub(WINDOW *win)
 {
     if (lock_refresh) {
-	while_exist_lock(lock_refresh);
 	create_lock(lock_refresh);
     }
     (void) wrefresh(win);
@@ -707,16 +706,13 @@
 }

 void
-while_exist_lock(char *filename)
-{
-    while (exist_lock(filename)) ;
-}
-
-void
 create_lock(char *filename)
 {
-    FILE *fil = fopen(filename, "w");
-    (void) fclose(fil);
+    int fd;
+
+    while ((fd = open(filename, O_WRONLY|O_CREAT|O_EXCL, 0600)) == -1)
+	/* do nothing */;
+    close(fd);
 }

 void
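Review bot: create_lock() now does the waiting that the removed while_exist_lock() used to do, but nothing in the added lines says so; add a comment above the loop stating that the function blocks until it has created the file. Returning a status instead of void would also let wrefresh_lock_sub() in the first hunk react once the wait is bounded, since it currently goes on to wrefresh() unconditionally.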




Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#78951; Package dialog. Full text and rfc822 format available.

Acknowledgement sent to Santiago Vila <sanvila@unex.es>:
Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@debian.org>. Full text and rfc822 format available.

Message #21 received at 78951@bugs.debian.org (full text, mbox):

From: Santiago Vila <sanvila@unex.es>
To: Matt Kraai <kraai@alumni.carnegiemellon.edu>, <78951@bugs.debian.org>
Subject: Re: Bug#78951: improved patch
Date: Wed, 13 Dec 2000 17:38:34 +0100 (CET)

On Tue, 12 Dec 2000, Matt Kraai wrote:

> Howdy,
>
> I just realized that the patch I submitted for this bug is broken.  Here
> is a new and improved version.
> [...]

Please note that your second patch does not apply cleanly to the
version in potato.




Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#78951; Package dialog. Full text and rfc822 format available.

Acknowledgement sent to Chris Butler <chrisb@debian.org>:
Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@debian.org>. Full text and rfc822 format available.

Message #26 received at 78951@bugs.debian.org (full text, mbox):

From: Chris Butler <chrisb@debian.org>
To: security@debian.org
Cc: 78951@bugs.debian.org
Subject: Re: FWD: Bug#78951: lock file problem
Date: Wed, 13 Dec 2000 18:23:54 +0000
[Message part 1 (text/plain, inline)]
On Wed, Dec 13, 2000 at 06:32:55PM +0100, Wichert Akkerman wrote:
> The fix creates a busy-loop which will load the system. I would
> really like to see a different fix implemented.

Attached patch has a 1 second delay between attempts, and times out
after 10 attempts.

-- 
Chris
[dialog.patch (text/plain, attachment)]
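
The removed `fopen(filename, "w")` path next to a bounded `O_EXCL` retry of the kind Chris Butler describes (his attachment is not shown on this page), as an added example that is not code from this thread or from dialog. The names `create_lock_bounded` and `victim_size_after`, the return codes and the temporary paths are assumptions made for the illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 0 = lock created, 1 = still held after all attempts, -1 = other error. */
static int create_lock_bounded(const char *filename, int attempts, unsigned delay)
{
    for (int i = 0; i < attempts; i++) {
        int fd = open(filename, O_WRONLY | O_CREAT | O_EXCL, 0600);
        if (fd != -1)
            return close(fd);     /* name did not exist; we created it */
        if (errno != EEXIST)
            return -1;            /* e.g. EACCES: retrying cannot help */
        if (i + 1 < attempts)
            sleep(delay);         /* EEXIST (file or symlink): wait, don't spin */
    }
    return 1;
}

/* Constructed test: make "lock" a symlink to a 5-byte file, return its size after. */
static long victim_size_after(int hardened, int *rc)
{
    char dir[] = "/tmp/lockdemoXXXXXX", victim[64], lock[64];
    struct stat st;
    FILE *f;
    if (mkdtemp(dir) == NULL)     /* private directory, removed again below */
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lock, sizeof lock, "%s/lock", dir);
    if ((f = fopen(victim, "w")) == NULL || fputs("data\n", f) < 0 ||
        fclose(f) != 0 || symlink(victim, lock) != 0)
        return -1;
    if (hardened)
        *rc = create_lock_bounded(lock, 2, 0);
    else                          /* pre-patch path: fopen("w") follows the link */
        *rc = (f = fopen(lock, "w")) ? fclose(f) : -1;
    long size = stat(victim, &st) == 0 ? (long)st.st_size : -1;
    unlink(lock); unlink(victim); rmdir(dir);
    return size;
}

int main(void)
{
    int rc = -1;
    long old = victim_size_after(0, &rc), fixed = victim_size_after(1, &rc);
    return printf("fopen: %ld bytes left; O_EXCL: %ld bytes left (rc=%d)\n", old, fixed, rc) < 0;
}
```

A caller matching the description in the message above would use `create_lock_bounded(lock_refresh, 10, 1)`.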

Message #27 received at 78951-forwarded@bugs.debian.org (full text, mbox):

From: "Thomas E. Dickey" <dickey@herndon4.his.com>
To: Santiago Vila <sanvila@unex.es>
Cc: 78951-forwarded@bugs.debian.org
Subject: Re: Bug#78951: improved patch (fwd)
Date: Wed, 13 Dec 2000 13:06:17 -0500 (EST)

On Wed, 13 Dec 2000, Santiago Vila wrote:

> Hello Thomas.
> 
> I received this yesterday. Unfortunately, version 20001212 seems
> to contain the wrong patch.

thanks (I didn't spot the missing ';', though there was iirc another
problem with the original patch which I did fix).  I'll put a new
copy up tonight.
 
> +    while ((fd = open(filename, O_WRONLY|O_CREAT|O_EXCL, 0600)) == -1)
> +	/* do nothing */;
        oops...
> +    close(fd);
>  }

-- 
T.E.Dickey <dickey@herndon4.his.com>
http://dickey.his.com
ftp://dickey.his.com




Reply sent to Santiago Vila <sanvila@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Matt Kraai <kraai@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #32 received at 78951-close@bugs.debian.org (full text, mbox):

From: Santiago Vila <sanvila@debian.org>
To: 78951-close@bugs.debian.org
Subject: Bug#78951: fixed in dialog 0.9a-20001213-1
Date: Thu, 14 Dec 2000 16:13:45 -0500

We believe that the bug you reported is fixed in the latest version of
dialog, which has been installed in the Debian FTP archive:

dialog_0.9a-20001213-1.diff.gz
  to pool/main/d/dialog/dialog_0.9a-20001213-1.diff.gz
dialog_0.9a-20001213-1.dsc
  to pool/main/d/dialog/dialog_0.9a-20001213-1.dsc
dialog_0.9a-20001213-1_i386.deb
  to pool/main/d/dialog/dialog_0.9a-20001213-1_i386.deb
dialog_0.9a-20001213.orig.tar.gz
  to pool/main/d/dialog/dialog_0.9a-20001213.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 78951@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Santiago Vila <sanvila@debian.org> (supplier of updated dialog package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.6
Date: Thu, 14 Dec 2000 19:47:36 +0100
Source: dialog
Binary: dialog
Architecture: source i386
Version: 0.9a-20001213-1
Distribution: unstable
Urgency: high
Maintainer: Santiago Vila <sanvila@debian.org>
Description: 
 dialog     - Displays user-friendly dialog boxes from shell scripts
Closes: 77199 77200 78951
Changes: 
 dialog (0.9a-20001213-1) unstable; urgency=high
 .
   * New upstream release, featuring:
   - justify_text() now does text flow even when the string contains
     newlines (Closes: #77199).
   - Fixed manpage regarding --fselect (Closes: #77200).
   - Lock files in /tmp are now created securely (Closes: #78951).
     (Thanks to Matt Kraai, Chris Butler and Wichert Akkerman).
Files: 
 6bbeb690ac7333a30bb64b04ef8f2b75 628 misc optional dialog_0.9a-20001213-1.dsc
 61cf8bff9476a3902144cf2c616439f6 172198 misc optional dialog_0.9a-20001213.orig.tar.gz
 e47c31370ea8a9ce99365f28abef295a 4589 misc optional dialog_0.9a-20001213-1.diff.gz
 bfbfc3cd3aee27a73f6a13d6a8e990d2 80664 misc optional dialog_0.9a-20001213-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE6ORf4d9Uuvj7yPNYRAq0eAKCrjzdnrZI/Tu2ynfxs9ygKwk+WUQCZAVti
wdQ7BmElFuelma4JUGpk1Sc=
=ljF5
-----END PGP SIGNATURE-----



Message #33 received at 78951-done@bugs.debian.org (full text, mbox):

From: dpk@egr.msu.edu
To: 78951-done@bugs.debian.org
Subject: dhcpcd to be removed from woody
Date: Mon, 15 Jan 2001 10:31:41 -0500 (EST)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 15:56:25 2014; Machine Name: buxtehude.debian.org
