unsafe temp file creation (CAN-2004-2265)

Related Vulnerabilities: CVE-2004-0333  

Debian Bug report logs - #320541
unsafe temp file creation (CAN-2004-2265)


Reported by: Joey Hess <joeyh@debian.org>

Date: Sat, 30 Jul 2005 05:03:01 UTC

Severity: serious

Tags: security

Found in version uudeview/0.5.20-2

Fixed in version uudeview/0.5.20-2.1

Done: "Steinar H. Gunderson" <sesse@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Chris Hanson <cph@debian.org>:
Bug#320541; Package uudeview. (full text, mbox, link).


Acknowledgement sent to Joey Hess <joeyh@debian.org>:
New Bug report received and forwarded. Copy sent to Chris Hanson <cph@debian.org>. (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Joey Hess <joeyh@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: unsafe temp file creation (CAN-2004-2265)
Date: Sat, 30 Jul 2005 00:54:10 -0400
[Message part 1 (text/plain, inline)]
Package: uudeview
Version: 0.5.20-2
Severity: serious
Tags: security

CAN-2004-2265 is a security hole in uudeview, although you won't find
much useful info in the advisories associated with that CAN.

After downloading OpenPKG's fix from
tp://ftp.openpkg.org/release/2.0/UPD/uudeview-0.5.19-2.0.1.src.rpm ,
I was able to verify the problem:

  if ((stdfile = tempnam (NULL, "uu")) == NULL) {
    fprintf (stderr, "proc_stdin: cannot get temporary file\n");
    return 0;
  }

  if ((target = fopen (stdfile, "wb")) == NULL) {
    fprintf (stderr, "proc_stdin: cannot open temp file %s for writing: %s\n",
             stdfile, strerror (errno));
    _FP_free (stdfile);
    return 0;
  }

This is a race, exploitable when uudeview is run on standard input.
I'm attaching OpenPKG's entire patch for uudeview 0.5.19, since you might
find unrelated changes also of interest. The relevant fixes for this hole
are the changes involving tempnam and _FP_tempnam.

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.4.27
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages uudeview depends on:
ii  libc6                       2.3.2.ds1-22 GNU C Library: Shared libraries an

uudeview recommends no packages.

-- no debconf information

-- 
see shy jo
[uudeview.patch (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Chris Hanson <cph@debian.org>:
Bug#320541; Package uudeview. (full text, mbox, link).


Acknowledgement sent to Frank Lichtenheld <djpig@debian.org>:
Extra info received and forwarded to list. Copy sent to Chris Hanson <cph@debian.org>. (full text, mbox, link).


Message #10 received at 320541@bugs.debian.org (full text, mbox, reply):

From: Frank Lichtenheld <djpig@debian.org>
To: Joey Hess <joeyh@debian.org>, 320541@bugs.debian.org
Subject: Re: Bug#320541: unsafe temp file creation (CAN-2004-2265)
Date: Sat, 3 Sep 2005 17:39:14 +0200
On Sat, Jul 30, 2005 at 12:54:10AM -0400, Joey Hess wrote:
> CAN-2004-2265 is a security hole in uudeview, although you won't find
> much useful info in the advisories associated with that CAN.
[...]
> This is a race, exploitable when uudeview is run on standard input.
> I'm attaching OpenPKG's entire patch for uudeview 0.5.19, since you might
> find unrelated changes also of interest. The relevant fixes for this hole
> are the changes involving tempnam and _FP_tempnam.

While I see the race I fail to see how the patch fixes that.

> mkstemp security enhancement. Similar to
> FreeBSD http://www.freebsd.org/cgi/query-pr.cgi?pr=41508
> SuSE uudeview-0.5.18-244.src.rpm
[...]
> --- uulib/fptools.c
> +++ uulib/fptools.c
> @@ -507,5 +507,15 @@
>  char * TOOLEXPORT
>  _FP_tempnam (char *dir, char *pfx)
>  {
> -  return _FP_strdup (tmpnam (NULL));
> +  int fd;
> +  char fileName[100];
> +
> +  strncpy(fileName, pfx, 90);
> +  strcat(fileName, "XXXXXX");
> +  fd = mkstemp(fileName);
> +  if (fd == -1)
> +	return NULL;
> +  close(fd);
> +  unlink(fileName);
> +  return _FP_strdup (fileName);
>  }
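Review bot: the new _FP_tempnam body closes fd and unlink()s the mkstemp() file before returning its name, which discards the atomic creation: the caller still opens the returned name itself, so between the unlink and that open the path is free for anyone to create, and the race this patch is meant to close is reintroduced. Either return the open descriptor (or a FILE* from fdopen(fd, ...)) and drop the name-based open in the caller, or at least leave the file in place (no unlink) so the subsequent open reaches the file mkstemp() created. Two smaller points in the same hunk: `strncpy(fileName, pfx, 90)` does not NUL-terminate when pfx is 90 bytes or longer, so the following `strcat(fileName, "XXXXXX")` would run past the copied prefix; and the `dir` argument is no longer used, so the template has no directory component and the file lands in the current working directory rather than in a temporary directory.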

I mean, after closing fd _and_ unlinking the temporary file it is
completely gone and the race is open again, isn't it? Wouldn't be
the right fix to return the fd from the function and not bother
about the filename at all?

Gruesse,
-- 
Frank Lichtenheld <djpig@debian.org>
www: http://www.djpig.de/
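The descriptor-returning fix Frank suggests, applied to the tempnam()/fopen() pair from Joey's snippet, as an added example that is neither uudeview's code nor the OpenPKG patch: mkstemp() creates the file atomically with mode 0600, and the stream is built from that same descriptor with fdopen() instead of reopening the name, so no window exists in which the path can be swapped. The names safe_tempfile and tempfile_is_private, and the TMPDIR fallback to /tmp, are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Hypothetical replacement for uudeview's _FP_tempnam()+fopen() pair (an
 * assumption, not the project's API): mkstemp() creates the file with
 * O_CREAT|O_EXCL and mode 0600, and the stream is built from that same
 * descriptor with fdopen(), so the name is never reopened. The caller
 * gets the name only to unlink() it afterwards. */
FILE *safe_tempfile(const char *pfx, char **name_out)
{
    const char *dir = getenv("TMPDIR");
    if (dir == NULL || *dir == '\0')
        dir = "/tmp";
    size_t len = strlen(dir) + 1 + strlen(pfx) + 6 + 1; /* dir/pfxXXXXXX\0 */
    char *tmpl = malloc(len);
    if (tmpl == NULL)
        return NULL;
    snprintf(tmpl, len, "%s/%sXXXXXX", dir, pfx);
    int fd = mkstemp(tmpl);            /* atomic create, fails if name exists */
    if (fd == -1) {
        free(tmpl);
        return NULL;
    }
    FILE *fp = fdopen(fd, "w+b");      /* keep the descriptor we own */
    if (fp == NULL) {
        close(fd);
        unlink(tmpl);
        free(tmpl);
        return NULL;
    }
    *name_out = tmpl;                  /* caller: fclose(), unlink(), free() */
    return fp;
}

/* Post-fix check on the open stream itself (not on the path): a regular file,
 * owned by us, a single link, and no group/other permission bits. Returns 1
 * when every condition holds. */
int tempfile_is_private(FILE *fp)
{
    struct stat st;
    if (fstat(fileno(fp), &st) != 0)
        return 0;
    return S_ISREG(st.st_mode) && st.st_uid == getuid()
        && st.st_nlink == 1 && (st.st_mode & 0077) == 0;
}
```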



Information forwarded to debian-bugs-dist@lists.debian.org, Chris Hanson <cph@debian.org>:
Bug#320541; Package uudeview. (full text, mbox, link).


Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Chris Hanson <cph@debian.org>. (full text, mbox, link).


Message #15 received at 320541@bugs.debian.org (full text, mbox, reply):

From: Florian Weimer <fw@deneb.enyo.de>
To: Frank Lichtenheld <djpig@debian.org>
Cc: 320541@bugs.debian.org, Joey Hess <joeyh@debian.org>
Subject: Re: Bug#320541: unsafe temp file creation (CAN-2004-2265)
Date: Sat, 03 Sep 2005 23:53:52 +0200
* Frank Lichtenheld:

> I mean, after closing fd _and_ unlinking the temporary file it is
> completely gone and the race is open again, isn't it? Wouldn't be
> the right fix to return the fd from the function and not bother
> about the filename at all?

In the interest of a minimal change, it might make more sense to
simply leave the file around, so that it is subsequently opened again?
Passing around a descriptor seems to require quite a few changes,
more than just the immediate caller.



Information forwarded to debian-bugs-dist@lists.debian.org, Chris Hanson <cph@debian.org>:
Bug#320541; Package uudeview. (full text, mbox, link).


Acknowledgement sent to Frank Lichtenheld <djpig@debian.org>:
Extra info received and forwarded to list. Copy sent to Chris Hanson <cph@debian.org>. (full text, mbox, link).


Message #20 received at 320541@bugs.debian.org (full text, mbox, reply):

From: Frank Lichtenheld <djpig@debian.org>
To: Florian Weimer <fw@deneb.enyo.de>, 320541@bugs.debian.org
Cc: Joey Hess <joeyh@debian.org>
Subject: Re: Bug#320541: unsafe temp file creation (CAN-2004-2265)
Date: Sun, 4 Sep 2005 01:49:21 +0200
On Sat, Sep 03, 2005 at 11:53:52PM +0200, Florian Weimer wrote:
> * Frank Lichtenheld:
> 
> > I mean, after closing fd _and_ unlinking the temporary file it is
> > completely gone and the race is open again, isn't it? Wouldn't be
> > the right fix to return the fd from the function and not bother
> > about the filename at all?
> 
> In the interest of a minimal change, it might make more sense to
> simply leave the file around, so that it is subsequently opened again?

True, but that would mean not to unlink it, wouldn't it?

> Passing around a descriptor seems to require quite a few changes,
> more than just the immediate caller.

Gruesse,
-- 
Frank Lichtenheld <djpig@debian.org>
www: http://www.djpig.de/



Information forwarded to debian-bugs-dist@lists.debian.org, Chris Hanson <cph@debian.org>:
Bug#320541; Package uudeview. (full text, mbox, link).


Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Chris Hanson <cph@debian.org>. (full text, mbox, link).


Message #25 received at 320541@bugs.debian.org (full text, mbox, reply):

From: Florian Weimer <fw@deneb.enyo.de>
To: Frank Lichtenheld <djpig@debian.org>
Cc: 320541@bugs.debian.org, Joey Hess <joeyh@debian.org>
Subject: Re: Bug#320541: unsafe temp file creation (CAN-2004-2265)
Date: Sun, 04 Sep 2005 08:31:58 +0200
* Frank Lichtenheld:

> On Sat, Sep 03, 2005 at 11:53:52PM +0200, Florian Weimer wrote:
>> * Frank Lichtenheld:
>> 
>> > I mean, after closing fd _and_ unlinking the temporary file it is
>> > completely gone and the race is open again, isn't it? Wouldn't be
>> > the right fix to return the fd from the function and not bother
>> > about the filename at all?
>> 
>> In the interest of a minimal change, it might make more sense to
>> simply leave the file around, so that it is subsequently opened again?
>
> True, but that would mean not to unlink it, wouldn't it?

Yes, this is exactly what I mean.

By the way, libconvert-uulib-perl contains a copy of the code.  I'll
check if it is affected, too.



Information forwarded to debian-bugs-dist@lists.debian.org, Chris Hanson <cph@debian.org>:
Bug#320541; Package uudeview. (full text, mbox, link).


Acknowledgement sent to Matej Vela <vela@debian.org>:
Extra info received and forwarded to list. Copy sent to Chris Hanson <cph@debian.org>. (full text, mbox, link).


Message #30 received at 320541@bugs.debian.org (full text, mbox, reply):

From: Matej Vela <vela@debian.org>
To: 320541@bugs.debian.org
Subject: Bug#320541: unsafe temp file creation (CAN-2004-2265)
Date: Sat, 18 Feb 2006 10:00:13 +0100
Hi,

Note that the following packages contain copies of uudeview:

  dnprogs: mail/uulib/uulib.c (0.5.13)
  goldedplus: build/goldlib/uulib/uulib.c (0.5.15)
  libconvert-uulib-perl: uulib/uulib.c (0.5.20)

Fortunately, the version in libconvert-uulib-perl has been patched to
use mkstemp(3) and is not vulnerable as far as I can tell.

Thanks,

Matej



Information forwarded to debian-bugs-dist@lists.debian.org, Chris Hanson <cph@debian.org>:
Bug#320541; Package uudeview. (full text, mbox, link).


Acknowledgement sent to Justin Pryzby <justinpryzby@users.sourceforge.net>:
Extra info received and forwarded to list. Copy sent to Chris Hanson <cph@debian.org>. (full text, mbox, link).


Message #35 received at 320541@bugs.debian.org (full text, mbox, reply):

From: Justin Pryzby <justinpryzby@users.sourceforge.net>
To: Matej Vela <vela@debian.org>, 320541@bugs.debian.org
Subject: uudeview and CAN-2004-2265
Date: Sat, 18 Mar 2006 16:15:27 -0500
Matej Vela, Sat, 18 Feb 2006 10:00:13 +0100:
>Note that the following packages contain copies of uudeview:
>
>  dnprogs: mail/uulib/uulib.c (0.5.13)
>  goldedplus: build/goldlib/uulib/uulib.c (0.5.15)
>  libconvert-uulib-perl: uulib/uulib.c (0.5.20)

Should this bug be cloned against the first two packages?  BTW, how
did you determine that uudeview was included in them?  I have filed
#344980 which I would use if it were available ..

Justin



Information forwarded to debian-bugs-dist@lists.debian.org, Chris Hanson <cph@debian.org>:
Bug#320541; Package uudeview. (full text, mbox, link).


Acknowledgement sent to Matej Vela <vela@debian.org>:
Extra info received and forwarded to list. Copy sent to Chris Hanson <cph@debian.org>. (full text, mbox, link).


Message #40 received at 320541@bugs.debian.org (full text, mbox, reply):

From: Matej Vela <vela@debian.org>
To: Justin Pryzby <justinpryzby@users.sourceforge.net>
Cc: 320541@bugs.debian.org
Subject: Re: uudeview and CAN-2004-2265
Date: Wed, 22 Mar 2006 23:20:50 +0100
Justin Pryzby <justinpryzby@users.sourceforge.net> writes:

> Matej Vela, Sat, 18 Feb 2006 10:00:13 +0100:
>>Note that the following packages contain copies of uudeview:
>>
>>  dnprogs: mail/uulib/uulib.c (0.5.13)
>>  goldedplus: build/goldlib/uulib/uulib.c (0.5.15)
>>  libconvert-uulib-perl: uulib/uulib.c (0.5.20)
>
> Should this bug be cloned against the first two packages?

Feel free to do so -- hopefully it will cause some activity.  Someone
should also check whether they're affected by earlier vulnerabilities
[1].

> BTW, how did you determine that uudeview was included in them?  I have
> filed #344980 which I would use if it were available ..

I searched the archive with a home-brewed script [2] (a local mirror
helps :-).  IIRC the security team has something similar.  Note that
solving #344980 won't help with dbs-style embedded tarballs, e.g. it
wouldn't have caught goldedplus.

[1] <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0333>
[2] <http://people.debian.org/~vela/grep-sources>

Thanks,

Matej



Information forwarded to debian-bugs-dist@lists.debian.org, Chris Hanson <cph@debian.org>:
Bug#320541; Package uudeview. (full text, mbox, link).


Acknowledgement sent to Justin Pryzby <justinpryzby@users.sourceforge.net>:
Extra info received and forwarded to list. Copy sent to Chris Hanson <cph@debian.org>. (full text, mbox, link).


Message #45 received at 320541@bugs.debian.org (full text, mbox, reply):

From: Justin Pryzby <justinpryzby@users.sourceforge.net>
To: 320541@bugs.debian.org
Cc: Matej Vela <vela@debian.org>, control@bugs.debian.org
Subject: Re: uudeview and CAN-2004-2265
Date: Wed, 22 Mar 2006 17:29:02 -0500
clone 320541 -1 -2
reassign -1 dnprogs
reassign -2 goldedplus
thanks

On Wed, Mar 22, 2006 at 11:20:50PM +0100, Matej Vela wrote:
> Justin Pryzby <justinpryzby@users.sourceforge.net> writes:
> > Matej Vela, Sat, 18 Feb 2006 10:00:13 +0100:
> >>Note that the following packages contain copies of uudeview:
> >>
> >>  dnprogs: mail/uulib/uulib.c (0.5.13)
> >>  goldedplus: build/goldlib/uulib/uulib.c (0.5.15)
> >>  libconvert-uulib-perl: uulib/uulib.c (0.5.20)
> >
> > Should this bug be cloned against the first two packages?
> 
> Feel free to do so -- hopefully it will cause some activity.  Someone
> should also check whether they're affected by earlier vulnerabilities:

> <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0333>



Bug 320541 cloned as bugs 358500, 358501. Request was from Justin Pryzby <justinpryzby@users.sourceforge.net> to control@bugs.debian.org. (full text, mbox, link).


Tags added: fixed Request was from sesse@debian.org (Steinar H. Gunderson) to control@bugs.debian.org. (full text, mbox, link).


Tags removed: fixed Request was from "Steinar H. Gunderson" <sesse@debian.org> to control@bugs.debian.org. (full text, mbox, link).


Bug marked as fixed in version 0.5.20-2.1, send any further explanations to Joey Hess <joeyh@debian.org> Request was from "Steinar H. Gunderson" <sesse@debian.org> to control@bugs.debian.org. (full text, mbox, link).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Jun 2007 08:27:20 GMT) (full text, mbox, link).

