[CVE-2012-6076] inkscape reads .eps files from /tmp instead of the current directory

Debian Bug report logs - #654341
[CVE-2012-6076] inkscape reads .eps files from /tmp instead of the current directory

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Vincent Lefevre <vincent@vinc17.net>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: inkscape reads .eps files from /tmp instead of the current directory

Date: Tue, 3 Jan 2012 04:01:12 +0100

Package: inkscape
Version: 0.48.1-2.1+b1
Severity: grave
Tags: security
Justification: user security hole

When I want to open a .eps file with something like

  inkscape file.eps

inkscape tries to open the file from /tmp instead of the current
directory (if the file doesn't exist, I get a ghostscript error from
ps2pdf, which is the same error as when ps2pdf is run manually).

According to strace, inkscape does a chdir to /tmp before running
ps2pdf on the argument, hence the problem.

The security problem is that the user A may open a file belonging
to some user B from /tmp, which can contain incorrect data, an
offensive image and so on. It can also be a symbolic link to some
protected file of user A (which may inadvertently diffused to other
users) or to some other special file that shouldn't be read, such as
/proc/<pid>/fd/0, which can make program <pid> behave incorrectly.

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.1.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages inkscape depends on:
ii  libaspell15         0.60.7~20110707-1
ii  libatk1.0-0         2.2.0-2
ii  libatkmm-1.6-1      2.22.6-1
ii  libc6               2.13-24
ii  libcairo2           1.10.2-6.2
ii  libcairomm-1.0-1    1.10.0-1
ii  libfontconfig1      2.8.0-3
ii  libfreetype6        2.4.8-1
ii  libgc1c2            1:7.1-8
ii  libgcc1             1:4.6.2-9
ii  libgconf2-4         3.2.3-1
ii  libgdk-pixbuf2.0-0  2.24.0-2
ii  libglib2.0-0        2.30.2-4
ii  libglibmm-2.4-1c2a  2.30.0-2
ii  libgnomevfs2-0      1:2.24.4-1
ii  libgomp1            4.6.2-9
ii  libgsl0ldbl         1.15+dfsg-1
ii  libgtk2.0-0         2.24.8-2
ii  libgtkmm-2.4-1c2a   1:2.24.2-1
ii  libgtkspell0        2.0.16-1
ii  liblcms1            1.19.dfsg-1+b1
ii  libmagick++4        8:6.6.9.7-5+b2
ii  libmagickcore4      8:6.6.9.7-5+b2
ii  libpango1.0-0       1.29.4-2
ii  libpangomm-1.4-1    2.28.4-1
ii  libpng12-0          1.2.46-3
ii  libpoppler-glib6    0.16.7-2+b1
ii  libpoppler13        0.16.7-2+b1
ii  libpopt0            1.16-3
ii  libsigc++-2.0-0c2a  2.2.9-1.1
ii  libstdc++6          4.6.2-9
ii  libwpd-0.9-9        0.9.4-1
ii  libwpg-0.2-2        0.2.1-1
ii  libx11-6            2:1.4.4-4
ii  libxml2             2.7.8.dfsg-5.1
ii  libxslt1.1          1.1.26-8
ii  zlib1g              1:1.2.3.4.dfsg-3

Versions of packages inkscape recommends:
ii  aspell       0.60.7~20110707-1
ii  imagemagick  8:6.6.9.7-5+b2
ii  libwmf-bin   <none>
ii  perlmagick   <none>
ii  pstoedit     3.60-1

Versions of packages inkscape suggests:
pn  dia | dia-gnome      <none>
pn  libgnomevfs2-extra   1:2.24.4-1
pn  libsvg-perl          <none>
pn  libxml-xql-perl      <none>
pn  python               2.7.2-9
pn  python-lxml          <none>
pn  python-numpy         1:1.5.1-3
pn  python-uniconvertor  <none>
pn  ruby                 4.8
pn  ruby1.8 [ruby]       1.8.7.352-2
pn  skencil              <none>

-- no debconf information

Message #12 received at 654341@bugs.debian.org (full text, mbox, reply):

From: Marcos Marado <mindboosternoori@gmail.com>

To: 654341@bugs.debian.org

Subject: Re: inkscape reads .eps files from /tmp instead of the current directory

Date: Thu, 12 Jan 2012 19:15:25 +0000

Hi there,

FYI, the link for the upstream bug is broken. I tried to find out the
correct bug report upstream, but I couldn't find it.

Best regards,
-- 
Marcos Marado

Message #17 received at 654341@bugs.debian.org (full text, mbox, reply):

From: Alex Valavanis <valavanisalex@gmail.com>

To: Marcos Marado <mindboosternoori@gmail.com>, 654341@bugs.debian.org

Subject: Re: Bug#654341: inkscape reads .eps files from /tmp instead of the current directory

Date: Thu, 12 Jan 2012 19:22:11 +0000

Hi Marcos,

Actually, the link is OK, but the upstream report is set as private
because this is a security issue.  If you or anyone else would like to
have access to the report, please let me know your launchpad user ID
and I will subscribe you.

Thanks,


Alex

On 12 January 2012 19:15, Marcos Marado <mindboosternoori@gmail.com> wrote:
> Hi there,
>
> FYI, the link for the upstream bug is broken. I tried to find out the
> correct bug report upstream, but I couldn't find it.
>
> Best regards,
> --
> Marcos Marado
>
>
>

Message #22 received at 654341@bugs.debian.org (full text, mbox, reply):

From: Marcos Marado <mindboosternoori@gmail.com>

To: Alex Valavanis <valavanisalex@gmail.com>

Cc: 654341@bugs.debian.org

Subject: Re: Bug#654341: inkscape reads .eps files from /tmp instead of the current directory

Date: Thu, 12 Jan 2012 19:27:21 +0000

On Thursday 12 January 2012 19:22:11 Alex Valavanis wrote:
> Hi Marcos,
> 
> Actually, the link is OK, but the upstream report is set as private
> because this is a security issue.

Oh, OK, thanks for the reply.

> If you or anyone else would like to
> have access to the report, please let me know your launchpad user ID
> and I will subscribe you.

That won't be necessary, thank you.

Be well,
-- 
Marcos Marado

Message #27 received at 654341@bugs.debian.org (full text, mbox, reply):

From: Simon McVittie <smcv@debian.org>

To: Alex Valavanis <valavanisalex@gmail.com>, 654341@bugs.debian.org

Subject: Re: Bug#654341: inkscape reads .eps files from /tmp instead of the current directory

Date: Sun, 4 Mar 2012 14:55:55 +0000

On Thu, 12 Jan 2012 at 19:22:11 +0000, Alex Valavanis wrote:
> Actually, the link is OK, but the upstream report is set as private
> because this is a security issue.

Given that it's public in the Debian BTS, there's little point in having
the Launchpad bug private (unless the Launchpad bug reveals further security
issues or whatever), it just impedes fixing it.

Regards,
    smcv
    at the Cambridge BSP

Message #32 received at 654341@bugs.debian.org (full text, mbox, reply):

From: Alex Valavanis <valavanisalex@gmail.com>

To: Simon McVittie <smcv@debian.org>

Cc: 654341@bugs.debian.org

Subject: Re: Bug#654341: inkscape reads .eps files from /tmp instead of the current directory

Date: Sun, 4 Mar 2012 16:10:34 +0000

Hi,

Yes - I actually made it public a while ago, following the same rationale.

Cheers,


AV

On 4 March 2012 14:55, Simon McVittie <smcv@debian.org> wrote:
> On Thu, 12 Jan 2012 at 19:22:11 +0000, Alex Valavanis wrote:
>> Actually, the link is OK, but the upstream report is set as private
>> because this is a security issue.
>
> Given that it's public in the Debian BTS, there's little point in having
> the Launchpad bug private (unless the Launchpad bug reveals further security
> issues or whatever), it just impedes fixing it.
>
> Regards,
>    smcv
>    at the Cambridge BSP

Message #37 received at 654341@bugs.debian.org (full text, mbox, reply):

From: Alex Valavanis <valavanisalex@gmail.com>

To: Simon McVittie <smcv@debian.org>

Cc: 654341@bugs.debian.org

Subject: Re: Bug#654341: inkscape reads .eps files from /tmp instead of the current directory

Date: Sun, 4 Mar 2012 16:12:15 +0000

Oops... at least I thought I had!

I've changed it now.

Cheers,


AV

On 4 March 2012 16:10, Alex Valavanis <valavanisalex@gmail.com> wrote:
> Hi,
>
> Yes - I actually made it public a while ago, following the same rationale.
>
> Cheers,
>
>
> AV
>
> On 4 March 2012 14:55, Simon McVittie <smcv@debian.org> wrote:
>> On Thu, 12 Jan 2012 at 19:22:11 +0000, Alex Valavanis wrote:
>>> Actually, the link is OK, but the upstream report is set as private
>>> because this is a security issue.
>>
>> Given that it's public in the Debian BTS, there's little point in having
>> the Launchpad bug private (unless the Launchpad bug reveals further security
>> issues or whatever), it just impedes fixing it.
>>
>> Regards,
>>    smcv
>>    at the Cambridge BSP

Message #42 received at 654341@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Vincent Lefevre <vincent@vinc17.net>, 654341@bugs.debian.org

Subject: Re: Bug#654341: inkscape reads .eps files from /tmp instead of the current directory

Date: Sat, 29 Dec 2012 13:14:30 +0100

[Message part 1 (text/plain, inline)]

Hi

I have asked if this warrants a CVE and if one can be assigned. If so
I will then update it here. Here is the temporary entry in the
security-tracker:

 https://security-tracker.debian.org/tracker/TEMP-0654341-9198B9

p.s.: A user might be tricked also to save the open file and loose data,
      by overwriting the file in current directory by the content found
      in the /tmp file.

Regards,
Salvatore

[signature.asc (application/pgp-signature, inline)]

Message #47 received at 654341@bugs.debian.org (full text, mbox, reply):

From: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>

To: 654341@bugs.debian.org

Cc: Vincent Lefevre <vincent@vinc17.net>, Marcos Marado <mindboosternoori@gmail.com>, Alex Valavanis <valavanisalex@gmail.com>, Simon McVittie <smcv@debian.org>, Salvatore Bonaccorso <carnil@debian.org>

Subject: Re: Bug#654341: inkscape reads .eps files from /tmp instead of the

Date: Sat, 29 Dec 2012 21:48:42 +0100

[Message part 1 (text/plain, inline)]

Hi,

I have just uploaded inkscape 0.48.3.1-1.3 which includes a patch by
Michael Karcher to address this issue.

We have thoroughly tested the patch and the bug is now
fixed. Further checks show that the patch doesn't have any negative
impact on other areas of the script engine.

The patch makes sure that the relative file names are expanded before
they are passed to external scripts. EPS files are imported by
inkscape by means of an external Python script. The bug is caused by
the script engine assuming the filename passed is absolute and then it
changes the current working directory to the script directory first,
then into /tmp to make sure it is possible to write to disk.

I am attaching a series of patches against the git repository for the
Debian packaging [1]. The packaging repository is currently at version
0.48.3.1-1, the following three NMUs are therefore not in the
repository and I am attaching all patches necessary to update the
repository to version 0.48.3.1-1.3.

I will file an unblock request to the release team for version
0.48.3.1-1.3. The bug should be closed by my upload anytime soon.

Cheers,

Adrian

> [1] git://git.debian.org/git/collab-maint/inkscape.git

-- 
 .''`.  John Paul Adrian Glaubitz
: :' :  Debian Developer - glaubitz@debian.org
`. `'   Freie Universitaet Berlin - glaubitz@physik.fu-berlin.de
  `-    GPG: 62FF 8A75 84E0 2956 9546  0006 7426 3B37 F5B5 F913

[0001-switch-the-libpng12-dev-build-dependency-to-libpng-d.patch (text/x-diff, attachment)]

[0002-Update-Debian-changelog-for-0.48.3.1-1.1.patch (text/x-diff, attachment)]

[0003-Add-Debian-patch-to-fix-vulnerability-CVE-2012-5656.patch (text/x-diff, attachment)]

[0004-Update-Debian-changelog-for-0.48.3.1-1.2.patch (text/x-diff, attachment)]

[0005-Add-patch-to-fix-upstream-vulnerability-LP-911146.patch (text/x-diff, attachment)]

[0006-Update-Debian-changelog-for-0.48.3.1-1.3.patch (text/x-diff, attachment)]

Message #52 received at 654341-close@bugs.debian.org (full text, mbox, reply):

From: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>

To: 654341-close@bugs.debian.org

Subject: Bug#654341: fixed in inkscape 0.48.3.1-1.3

Date: Sat, 29 Dec 2012 22:17:43 +0000

Source: inkscape
Source-Version: 0.48.3.1-1.3

We believe that the bug you reported is fixed in the latest version of
inkscape, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 654341@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de> (supplier of updated inkscape package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 29 Dec 2012 19:15:46 +0100
Source: inkscape
Binary: inkscape
Architecture: source amd64
Version: 0.48.3.1-1.3
Distribution: unstable
Urgency: low
Maintainer: Wolfram Quester <wolfi@sigxcpu.org>
Changed-By: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
Description: 
 inkscape   - vector-based drawing program
Closes: 654341
Changes: 
 inkscape (0.48.3.1-1.3) unstable; urgency=low
 .
   * Non-maintainer upload.
   * Add Debian patch to fix relative filename vulnerability (Closes: #654341).
Checksums-Sha1: 
 48ef367fdd2ccae756b24d3df2d83af6f73ddebd 2372 inkscape_0.48.3.1-1.3.dsc
 04c039fdc609c7a0d358c6a743b6efe761a3f85c 20557 inkscape_0.48.3.1-1.3.diff.gz
 d6463eae71391db323bdb48846ce9c975f52fb72 24775326 inkscape_0.48.3.1-1.3_amd64.deb
Checksums-Sha256: 
 71b0c065c92e1d497d288373084b4c7fdce3bff836761d13310f84d9113843eb 2372 inkscape_0.48.3.1-1.3.dsc
 703ce11f605597b8e0f9b14837319339fcddc36b10a87826b90f8d7848cec35f 20557 inkscape_0.48.3.1-1.3.diff.gz
 3b1d8fed6d8ed62d6368ae560537d8232ffba71efd5dff05f4120bdc1a9dda72 24775326 inkscape_0.48.3.1-1.3_amd64.deb
Files: 
 9f00972c8c3194f788d6c2712012f723 2372 graphics optional inkscape_0.48.3.1-1.3.dsc
 6f74f17bd59354fb535655415a8d3005 20557 graphics optional inkscape_0.48.3.1-1.3.diff.gz
 0e0aad6b26a0ef21bd35b71423d2bb4c 24775326 graphics optional inkscape_0.48.3.1-1.3_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCAAGBQJQ32l5AAoJEHQmOzf1tfkTMN0P/j555yZ5M09EL9O6CY/e0YAh
BdcqKFomFxS+eD2y6YxOSI3ZlmlusOGkNAvAd0dwumDyk+nBnBz2QfWxPN8IiLfS
5Jn1pqNhdr2tKmCloZyEhuKe6BPaBsY7JwR6mgaCjsotLUZDHyIg06YhOZPylVyG
K2QeeXqMXe99H8Xy9JvJ9xq/xMfhkpEsYMpJuCLuF6S2sp4XwwWHuzJAPaN5W8Ky
OJbLofZxcGM6fjySOfiHg1rrm+az8YSzY/T9mZ33CDFyp/AX1Drq9ZVKHx+q05oS
q00Yv6rfQCaopvhU/Y7sPep0k4CN8Bnc4Gp6ax23cEtITdTSU1Doafe+8xlESQpR
/N/WieJOkB8s8v3M3ZCj2Q6LyDma/XMv5rKRQx+ZQuzyopWq75JXXt3Vqss1NSZw
CkGRdC8c0ePqKHrLhpV9xbySBiwdBkIrBV946WaSpnOF1OYz+VBIMCXf8r8ISEug
hbYpIb2FbmH4FnR1riASd3OJPKHztfM18ye34uXNoblXvzxm8/MvwVRY++ffljen
e/PnjYg/Dht21unQAZh+uFFobev2AQRCfY++O0ia8XrkVsaD/aUAGfndt9jKTeHT
e5zNUnaRuIRgs6ZevAn6297+GNl/u9vswh9xJsxl8Bsy6wn+CK5XQl9TEV++VP0e
cfbkGv5r4v8e4GfWaLl6
=DzUz
-----END PGP SIGNATURE-----

Message #57 received at 654341@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>, 654341@bugs.debian.org

Cc: Vincent Lefevre <vincent@vinc17.net>, Marcos Marado <mindboosternoori@gmail.com>, Alex Valavanis <valavanisalex@gmail.com>, Simon McVittie <smcv@debian.org>

Subject: Re: Bug#654341: inkscape reads .eps files from /tmp instead of the

Date: Sun, 30 Dec 2012 07:03:27 +0100

[Message part 1 (text/plain, inline)]

Control: retitle -1 [CVE-2012-6076] inkscape reads .eps files from /tmp instead of the current directory
Control: retitle 696915 unblock: inkscape/0.48.3.1-1.3

Hi

On Sat, Dec 29, 2012 at 09:48:42PM +0100, John Paul Adrian Glaubitz wrote:
> Hi,
> 
> I have just uploaded inkscape 0.48.3.1-1.3 which includes a patch by
> Michael Karcher to address this issue.
> 
> We have thoroughly tested the patch and the bug is now
> fixed. Further checks show that the patch doesn't have any negative
> impact on other areas of the script engine.
> 
> The patch makes sure that the relative file names are expanded before
> they are passed to external scripts. EPS files are imported by
> inkscape by means of an external Python script. The bug is caused by
> the script engine assuming the filename passed is absolute and then it
> changes the current working directory to the script directory first,
> then into /tmp to make sure it is possible to write to disk.
> 
> I am attaching a series of patches against the git repository for the
> Debian packaging [1]. The packaging repository is currently at version
> 0.48.3.1-1, the following three NMUs are therefore not in the
> repository and I am attaching all patches necessary to update the
> repository to version 0.48.3.1-1.3.

Thanks for your update. It was assigned now a CVE for this issue:
CVE-2012-6076.

Regards,
Salvatore

[signature.asc (application/pgp-signature, inline)]

Message #66 received at 654341@bugs.debian.org (full text, mbox, reply):

From: Jonathan Wiltshire <jmw@debian.org>

To: 654341@bugs.debian.org

Subject: Re: [CVE-2012-6076] inkscape reads .eps files from /tmp instead of the current directory

Date: Thu, 17 Jan 2013 11:42:00 -0000

Package: inkscape

Dear maintainer,

Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:

squeeze (6.0.7) - use target "stable"

Please prepare a minimal-changes upload targetting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track [1] the progress of this request.

For details of this process and the rationale, please see the original
announcement [2] and my blog post [3].

0: debian-release@lists.debian.org
1: http://prsc.debian.net/tracker/654341/
2: <201101232332.11736.thijs@debian.org>
3: http://deb.li/prsc

Thanks,

with his security hat on:
--
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

Send a report that this bug log contains spam.