gpicview: CVE-2008-3791 insecure temporary file usage

Debian Bug report logs - #495968
gpicview: CVE-2008-3791 insecure temporary file usage

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Wen-Yen Chuang <caleb@calno.com>

To: submit@bugs.debian.org

Subject: [gpicview] security RC bugs

Date: Fri, 22 Aug 2008 01:31:35 +0800

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Package: gpicview
Version: 0.1.9-1
Severity: serious

There are three security bugs listed on sourceforge:
[1] [ 2019481 ] gpicview unsafe /tmp usage
[2] [ 2019485 ] gpicview ask_before_save is ignored with LIBJPEG
[3] [ 2019492 ] gpicview ask_before_save is ignored if auto_save_rotated

Thanks to Jeremy C. Reed for reporting these bugs and mailing me.
He also mailed to maintainers of other GNU/Linux and BSD distributions.

Kind regards
 Wen-Yen Chuang (caleb)

Reference:
[1]
http://sourceforge.net/tracker/index.php?func=detail&aid=2019481&group_id=180858&atid=894869
[2]
http://sourceforge.net/tracker/index.php?func=detail&aid=2019485&group_id=180858&atid=894869
[3]
http://sourceforge.net/tracker/index.php?func=detail&aid=2019492&group_id=180858&atid=894869
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkitpnYACgkQdEpXpumNYVkzRQCfQHVlrWhzMNy0tw/ACvrQnrPr
JoMAn0N9Aa27wMv9IN1+0urrSfIsmaVQ
=xzDV
-----END PGP SIGNATURE-----

Message #16 received at 495968@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>

To: 495968@bugs.debian.org

Subject: Re: [gpicview] security RC bugs

Date: Wed, 27 Aug 2008 16:47:42 +0200

[Message part 1 (text/plain, inline)]

Hi,
[2] [ 2019485 ] gpicview ask_before_save is ignored with LIBJPEG
[3] [ 2019492 ] gpicview ask_before_save is ignored if auto_save_rotated

those are no security bugs, there is no way for another user 
to exploit this. Those are just normal application bugs.

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

[Message part 2 (application/pgp-signature, inline)]

Message #21 received at 495968@bugs.debian.org (full text, mbox, reply):

From: Wen-Yen Chuang <caleb@calno.com>

To: 495968@bugs.debian.org, control@bugs.debian.org

Subject: Re: gpicview unsafe /tmp usage

Date: Fri, 29 Aug 2008 14:52:21 +0800

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

retitle 495968 gpicview unsafe /tmp usage
thanks

Thanks to Nico.
I have splitted those two bugs to #497005 and #497006.

Once upstream's #2019481 [1] is fixed, this bug can be closed.

I plan to orphan gpicview after release of Lenny,
no matter gpicview is in Lenny or not.

I am still happy to maintain gpicview *BEFORE* release of Lenny,
but I will not spend time to read its source code and trying to fix it
by myself.

If there are patches to fix upstream's #2019481, I will test it and
contact security and release team, trying to push gpicview to Lenny.

If anyone want to adopt gpicview, feel free to upload it as "New
maintainer" (even before release of Lenny).

I will mail to WNPP and orphan gpicview *AFTER* release of Lenny.
(If nobody adopt it before release of Lenny, of course.)

Kind regards
 Wen-Yen Chuang (caleb)

Reference:
[1] [ 2019481 ] gpicview unsafe /tmp usage
http://sourceforge.net/tracker/index.php?func=detail&aid=2019481&group_id=180858&atid=894869
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAki3nKUACgkQdEpXpumNYVnGCgCfU1QrPK5eQk9OHyEx7ahsSiWN
9w8An0qz2PFSEoayHciGF9IoZlb1GtBl
=kdY7
-----END PGP SIGNATURE-----

Message #28 received at 495968@bugs.debian.org (full text, mbox, reply):

From: Thomas Viehmann <tv@beamnet.de>

To: 495968@bugs.debian.org

Cc: debian-release@lists.debian.org

Subject: remove gpicview from lenny?

Date: Sun, 31 Aug 2008 00:11:04 +0200

Hi,

based on the maintainer's comments in the bug log, it seems dubious
whether the bug #495968 (insecure /tmp file vulnerability) is fixed in
time for lenny. Given that it has never been released with Debian
before, it would be better to remove gpicview from lenny for now than to
risk releasing the vulnerable package.

Kind regards

T.
-- 
Thomas Viehmann, http://thomas.viehmann.net/

Message #33 received at 495968@bugs.debian.org (full text, mbox, reply):

From: Florian Maier <droneauth@gmail.com>

To: 495968@bugs.debian.org

Subject: (no subject)

Date: Sun, 31 Aug 2008 13:23:57 +0200

I had a look into the code and the fix for the /tmp file issue would be
a simple mkstemp call. But i'd also suggest to remove gpicview from the 
release, as the quaility of the code is simply not good enough to be
released anytime soon.

There some possible buffer overflows, multiple hacks, TODO comments and
the coding style overall is bad.

Florian

-- 
Florian Maier
  gpg fingerprint: 18D6 0A4D 5719 12E6 88DA  6DCC E624 7AF6 8E27 8B26
  http://www.marsmenschen.com/   -  -   http://www.planetlimux.org/

Message #38 received at 495968@bugs.debian.org (full text, mbox, reply):

From: Neil McGovern <maulkin@halon.org.uk>

To: Thomas Viehmann <tv@beamnet.de>

Cc: 495968@bugs.debian.org, debian-release@lists.debian.org

Subject: Re: remove gpicview from lenny?

Date: Sun, 31 Aug 2008 14:56:17 +0100

On Sun, Aug 31, 2008 at 12:11:04AM +0200, Thomas Viehmann wrote:
> based on the maintainer's comments in the bug log, it seems dubious
> whether the bug #495968 (insecure /tmp file vulnerability) is fixed in
> time for lenny. Given that it has never been released with Debian
> before, it would be better to remove gpicview from lenny for now than to
> risk releasing the vulnerable package.
> 

Removal hint added.

Neil
-- 
A. Because it breaks the logical sequence of discussion
Q. Why is top posting bad?
gpg key - http://www.halon.org.uk/pubkey.txt ; the.earth.li B345BDD3

Message #43 received at 495968@bugs.debian.org (full text, mbox, reply):

From: "Ying-Chun Liu (PaulLiu)" <grandpaul@gmail.com>

To: 495968@bugs.debian.org

Subject: Re: gpicview:gpicview unsafe /tmp usage

Date: Tue, 02 Sep 2008 18:30:07 +0800

[Message part 1 (text/plain, inline)]

Dear all,

I made a patch to fix this bug.

Regards,
 Paul

-- 
                                                PaulLiu(劉穎駿)
E-mail address: grandpaul@gmail.com

[gpicview_mkstemp_0.1.9.patch (text/x-patch, inline)]

--- main-win.c.orig	2008-02-21 02:29:29.000000000 +0800
+++ main-win.c	2008-09-02 18:23:58.185143816 +0800
@@ -675,6 +675,11 @@
 
 #ifdef HAVE_LIBJPEG
 int rotate_and_save_jpeg_lossless(char *  filename,int angle){
+    char tmpfilename[] = {"/tmp/rot.jpg.XXXXXX"};
+    int tmpfilefd;
+    FILE *cp_in;
+    FILE *cp_out;
+    char cp_buf[512];
     JXFORM_CODE code = JXFORM_NONE;
 
     angle = angle % 360;
@@ -686,17 +691,34 @@
     else if(angle == 270)
         code = JXFORM_ROT_270;
 
+    /* create tmp file */
+    tmpfilefd = mkstemp(tmpfilename);
+    if (tmpfilefd == -1) {
+      return -1;
+    }
+    close(tmpfilefd);
+
     //rotate the image and save it to /tmp/rot.jpg
-    int error = jpegtran (filename, "/tmp/rot.jpg" , code);
+    int error = jpegtran (filename, tmpfilename , code);
     if(error)
         return error;
 
     //now copy /tmp/rot.jpg back to the original file
-    char command[strlen(filename)+50]; //this should not generate buffer owerflow
-    // MS: didn't know, how to make it better, maybe an own copy routine
-    sprintf(command,"cp /tmp/rot.jpg \"%s\"",filename);
-    system(command);
+    cp_in = fopen(tmpfilename,"rb");
+    cp_out = fopen(filename,"wb");
+    while (!feof(cp_in)) {
+      int n;
+      n = fread(cp_buf,1,sizeof(cp_buf),cp_in);
+      if (n<=0) {
+        break;
+      }
+      fwrite (cp_buf,1,n,cp_out);
+    }
+    fclose(cp_in);
+    fclose(cp_out);
 
+    /* remove tmp file */
+    unlink(tmpfilename);
     return 0;
 }
 #endif

[signature.asc (application/pgp-signature, attachment)]

Message #48 received at 495968@bugs.debian.org (full text, mbox, reply):

From: Wen-Yen Chuang <caleb@calno.com>

To: 495968@bugs.debian.org

Subject: Re: gpicview unsafe /tmp usage

Date: Wed, 03 Sep 2008 20:00:33 +0800

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thanks to Paul.

Andrew Lee has promised that he will adopt gpicview. [1]
He is the current collaborate maintainer of gpicview,
and is one of the Project Admins of gpicview.

gpicview still has other RC bugs, so I will not handle the patch
currently.

Kind regards
 Wen-Yen Chuang (caleb)

[1] http://bugs.debian.org/497006#22
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAki+fGEACgkQdEpXpumNYVnkxgCfVDG73eZj3mdsbNptyORse+CK
6pwAn3bZ3kSPU1FWa1bLonbJhaLU1H2x
=Vpx0
-----END PGP SIGNATURE-----

Message #53 received at 495968@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>

To: 495968@bugs.debian.org

Subject: CVE id

Date: Thu, 4 Sep 2008 00:29:25 +0200

[Message part 1 (text/plain, inline)]

retitle 495968 gpicview: CVE-2008-3791 insecure temporary file creation
thanks

Hi,

CVE-2008-3791 has been assigned to this issue.
Please reference this CVE id in the changelog if you fix the 
bug.

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

[Message part 2 (application/pgp-signature, inline)]

Message #60 received at 495968@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>

To: 495968@bugs.debian.org

Subject: code execution possible as well

Date: Thu, 4 Sep 2008 18:15:18 +0200

[Message part 1 (text/plain, inline)]

retitle 495968 gpicview: CVE-2008-3791, CVE-2008-3904 insecure tempfile usage and code execution
thanks

Hi,
I discovered that this piece of code also allows code 
execution via crafted file names, have a look at:
http://marc.info/?l=oss-security&m=122014008313454&w=4
and
http://marc.info/?l=oss-security&m=122040004828615&w=4

this is CVE-2008-3904.

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

[Message part 2 (application/pgp-signature, inline)]

Message #67 received at 495968-close@bugs.debian.org (full text, mbox, reply):

From: Andrew Lee <andrew@linux.org.tw>

To: 495968-close@bugs.debian.org

Subject: Bug#495968: fixed in gpicview 0.1.9-2

Date: Sat, 06 Sep 2008 09:17:25 +0000

Source: gpicview
Source-Version: 0.1.9-2

We believe that the bug you reported is fixed in the latest version of
gpicview, which is due to be installed in the Debian FTP archive:

gpicview_0.1.9-2.diff.gz
  to pool/main/g/gpicview/gpicview_0.1.9-2.diff.gz
gpicview_0.1.9-2.dsc
  to pool/main/g/gpicview/gpicview_0.1.9-2.dsc
gpicview_0.1.9-2_amd64.deb
  to pool/main/g/gpicview/gpicview_0.1.9-2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 495968@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andrew Lee <andrew@linux.org.tw> (supplier of updated gpicview package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 02 Sep 2008 21:49:47 +0800
Source: gpicview
Binary: gpicview
Architecture: source amd64
Version: 0.1.9-2
Distribution: unstable
Urgency: high
Maintainer: Andrew Lee <andrew@linux.org.tw>
Changed-By: Andrew Lee <andrew@linux.org.tw>
Description: 
 gpicview   - lightweight image viewer
Closes: 495968 497408
Changes: 
 gpicview (0.1.9-2) unstable; urgency=high
 .
   * Applied gpicview_mkstemp_0.1.9.dpatch for two RC bug fix,
     set urgency=high. (Closes: #495968, #497408)
     Thanks PaulLiu(劉穎駿) <grandpaul@gmail.com> for the patch.
   * New Maintainer Upload. Thanks Wen-Yen Chuang's contribution in the
     past year. I adopt this package become official maintainer now.
Checksums-Sha1: 
 e76ed76f5e561a928b039748f166893b0c61ba08 1029 gpicview_0.1.9-2.dsc
 4226090919ccf853e0db79b9216c28aea07b72c8 4050 gpicview_0.1.9-2.diff.gz
 2e7ef5f8310eda3278bcc7bc7e076bf52831a7de 48312 gpicview_0.1.9-2_amd64.deb
Checksums-Sha256: 
 534e92ed09e9352b70d3391f63ebebf67ef2cd129f5631004c113dd575102371 1029 gpicview_0.1.9-2.dsc
 c45a7539d4d4181e8ee6ac16ca8c43dbd59ed904cb303e0a2c76de8f7f971292 4050 gpicview_0.1.9-2.diff.gz
 7dc466122ccc82ab0e26c41962955e2288be1e8716273609165d4bbebb0adcfc 48312 gpicview_0.1.9-2_amd64.deb
Files: 
 2607c325fac79364303084e8dac2baf2 1029 graphics optional gpicview_0.1.9-2.dsc
 e86ad102968166ae258b994045da17f1 4050 graphics optional gpicview_0.1.9-2.diff.gz
 b0c46bf2111bffd7fc548eb283f67190 48312 graphics optional gpicview_0.1.9-2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFIwjzV9LSwzHl+v6sRAkKtAJ4/ZqvL6qCYtT11aNUlZc4K+r+ZZgCdEq6z
j0cplFJLf69Lcr4Xt1kQdKk=
=7hMf
-----END PGP SIGNATURE-----

Message #72 received at 495968@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>

To: control@bugs.debian.org

Cc: 495968@bugs.debian.org, andrew@linux.org.tw

Subject: cloning and reopening

Date: Sat, 6 Sep 2008 12:54:24 +0200

[Message part 1 (text/plain, inline)]

reopen 495968
retitle 495968 gpicview: CVE-2008-3791 insecure temporary file usage
clone 495968 -1
reopen -1
found -1 0.1.9-2
retitle -1 gpicview: CVE-2008-3904 arbitrary code execution via crafted file name
close 495968 0.1.9-2
reopen 497408
# don't close bugs that don't belong to your package.

Hi Andrew,
this bug closing was really not appropriate. Why do you 
close bugs via the changelog that don't belong to your 
package? Why do you just close a bug report that contains 
multiple bugs but you just fix one?

Please don't do that.
Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

[Message part 2 (application/pgp-signature, inline)]

Send a report that this bug log contains spam.