Debian Bug report logs -
#320541
unsafe temp file creation (CAN-2004-2265)
Reported by: Joey Hess <joeyh@debian.org>
Date: Sat, 30 Jul 2005 05:03:01 UTC
Severity: serious
Tags: security
Found in version uudeview/0.5.20-2
Fixed in version uudeview/0.5.20-2.1
Done: "Steinar H. Gunderson" <sesse@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Chris Hanson <cph@debian.org>: Bug#320541; Package uudeview.
Acknowledgement sent to Joey Hess <joeyh@debian.org>: New Bug report received and forwarded. Copy sent to Chris Hanson <cph@debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: uudeview
Version: 0.5.20-2
Severity: serious
Tags: security
CAN-2004-2265 is a security hole in uudeview, although you won't find
much useful info in the advisories associated with that CAN.
After downloading OpenPKG's fix from
ftp://ftp.openpkg.org/release/2.0/UPD/uudeview-0.5.19-2.0.1.src.rpm,
I was able to verify the problem:
    if ((stdfile = tempnam (NULL, "uu")) == NULL) {
      fprintf (stderr, "proc_stdin: cannot get temporary file\n");
      return 0;
    }
    /* race window: nothing exists at stdfile yet, and the fopen() below
       follows whatever another user places at that name in the meantime */
    if ((target = fopen (stdfile, "wb")) == NULL) {
      fprintf (stderr, "proc_stdin: cannot open temp file %s for writing: %s\n",
               stdfile, strerror (errno));
      _FP_free (stdfile);
      return 0;
    }
This is a race, exploitable when uudeview is run on standard input.
I'm attaching OpenPKG's entire patch for uudeview 0.5.19, since you might
find unrelated changes also of interest. The relevant fixes for this hole
are the changes involving tempnam and _FP_tempnam.
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.4.27
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Versions of packages uudeview depends on:
ii libc6 2.3.2.ds1-22 GNU C Library: Shared libraries an
uudeview recommends no packages.
-- no debconf information
--
see shy jo
[uudeview.patch (text/plain, attachment)]
Information forwarded to debian-bugs-dist@lists.debian.org, Chris Hanson <cph@debian.org>: Bug#320541; Package uudeview.
Acknowledgement sent to Frank Lichtenheld <djpig@debian.org>: Extra info received and forwarded to list. Copy sent to Chris Hanson <cph@debian.org>.
Message #10 received at 320541@bugs.debian.org:
On Sat, Jul 30, 2005 at 12:54:10AM -0400, Joey Hess wrote:
> CAN-2004-2265 is a security hole in uudeview, although you won't find
> much useful info in the advisories associated with that CAN.
[...]
> This is a race, exploitable when uudeview is run on standard input.
> I'm attaching OpenPKG's entire patch for uudeview 0.5.19, since you might
> find unrelated changes also of interest. The relevant fixes for this hole
> are the changes involving tempnam and _FP_tempnam.
While I see the race I fail to see how the patch fixes that.
> mkstemp security enhancement. Similar to
> FreeBSD http://www.freebsd.org/cgi/query-pr.cgi?pr=41508
> SuSE uudeview-0.5.18-244.src.rpm
[...]
> --- uulib/fptools.c
> +++ uulib/fptools.c
> @@ -507,5 +507,15 @@
> char * TOOLEXPORT
> _FP_tempnam (char *dir, char *pfx)
> {
> - return _FP_strdup (tmpnam (NULL));
> + int fd;
> + char fileName[100];
> +
> + strncpy(fileName, pfx, 90);
> + strcat(fileName, "XXXXXX");
> + fd = mkstemp(fileName);
> + if (fd == -1)
> + return NULL;
> + close(fd);
> + unlink(fileName);
> + return _FP_strdup (fileName);
> }
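Review bot: close(fd) followed by unlink(fileName) throws away what mkstemp() bought: the function hands back only a name with no file behind it, so the caller's subsequent open by that name is once again a name-based open that any local user can race by planting a symlink there first. Either keep the file (drop the unlink) so the later open lands on an inode this process created, or change _FP_tempnam to return the descriptor and have callers fdopen() it. Two smaller problems in the same hunk: strncpy(fileName, pfx, 90) does not NUL-terminate when pfx is 90 bytes or longer, so the strcat that follows appends after uninitialized stack bytes; snprintf(fileName, sizeof fileName, "%sXXXXXX", pfx) with a check for truncation avoids both issues. And the dir parameter is still ignored, so mkstemp() creates the file relative to pfx, which for a bare prefix means the current working directory rather than the temporary directory the old tmpnam(NULL) used.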
I mean, after closing fd _and_ unlinking the temporary file it is
completely gone and the race is open again, isn't it? Wouldn't the
right fix be to return the fd from the function and not bother
about the filename at all?
Gruesse,
--
Frank Lichtenheld <djpig@debian.org>
www: http://www.djpig.de/
Information forwarded to debian-bugs-dist@lists.debian.org, Chris Hanson <cph@debian.org>: Bug#320541; Package uudeview.
Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>: Extra info received and forwarded to list. Copy sent to Chris Hanson <cph@debian.org>.
Message #15 received at 320541@bugs.debian.org:
* Frank Lichtenheld:
> I mean, after closing fd _and_ unlinking the temporary file it is
> completely gone and the race is open again, isn't it? Wouldn't the
> right fix be to return the fd from the function and not bother
> about the filename at all?
In the interest of a minimal change, it might make more sense to
simply leave the file around, so that it is subsequently opened again?
Passing around a descriptor seems to require quite a few changes,
more than just the immediate caller.
Information forwarded to debian-bugs-dist@lists.debian.org, Chris Hanson <cph@debian.org>: Bug#320541; Package uudeview.
Acknowledgement sent to Frank Lichtenheld <djpig@debian.org>: Extra info received and forwarded to list. Copy sent to Chris Hanson <cph@debian.org>.
Message #20 received at 320541@bugs.debian.org:
On Sat, Sep 03, 2005 at 11:53:52PM +0200, Florian Weimer wrote:
> * Frank Lichtenheld:
>
> > I mean, after closing fd _and_ unlinking the temporary file it is
> > completely gone and the race is open again, isn't it? Wouldn't the
> > right fix be to return the fd from the function and not bother
> > about the filename at all?
>
> In the interest of a minimal change, it might make more sense to
> simply leave the file around, so that it is subsequently opened again?
True, but that would mean not to unlink it, wouldn't it?
> Passing around a descriptor seems to require quite a few changes,
> more than just the immediate caller.
Gruesse,
--
Frank Lichtenheld <djpig@debian.org>
www: http://www.djpig.de/
Information forwarded to debian-bugs-dist@lists.debian.org, Chris Hanson <cph@debian.org>: Bug#320541; Package uudeview.
Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>: Extra info received and forwarded to list. Copy sent to Chris Hanson <cph@debian.org>.
Message #25 received at 320541@bugs.debian.org:
* Frank Lichtenheld:
> On Sat, Sep 03, 2005 at 11:53:52PM +0200, Florian Weimer wrote:
>> * Frank Lichtenheld:
>>
>> > I mean, after closing fd _and_ unlinking the temporary file it is
>> > completely gone and the race is open again, isn't it? Wouldn't the
>> > right fix be to return the fd from the function and not bother
>> > about the filename at all?
>>
>> In the interest of a minimal change, it might make more sense to
>> simply leave the file around, so that it is subsequently opened again?
>
> True, but that would mean not to unlink it, wouldn't it?
Yes, this is exactly what I mean.
By the way, libconvert-uulib-perl contains a copy of the code. I'll
check if it is affected, too.
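The race Joey reports in proc_stdin() and the two fixes debated in the messages above (return the descriptor from _FP_tempnam, or keep the mkstemp()-created file around instead of unlinking it), as an added example that is not part of this bug log, of the OpenPKG patch, or of uudeview's code. It splits the tempnam()/fopen() pattern at its race window, plays the race against a constructed victim file, then shows both fixes next to an fstat() sanity check. The function names, the "uu" prefix, the TMPDIR-or-/tmp choice and the check itself are this example's assumptions, not uudeview's API.

```c
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* "<tmpdir>/uuXXXXXX" for mkstemp(); TMPDIR-or-/tmp is this example's choice. */
static char *make_template(void) {
    const char *d = getenv("TMPDIR");
    if (!d || !*d) d = "/tmp";
    size_t n = strlen(d) + sizeof "/uuXXXXXX";
    char *t = malloc(n);
    if (t) snprintf(t, n, "%s/uuXXXXXX", d);
    return t;
}

/* Step 1 of the vulnerable pattern: pick a name. Nothing is created; this is
 * only a guess that no such file exists yet, and another local user can guess it too. */
char *racy_pick_name(void) { return tempnam(NULL, "uu"); }

/* Step 2: fopen(..., "wb") follows symlinks and truncates, so a link planted
 * at the name between step 1 and step 2 gets its target destroyed. */
FILE *racy_open(const char *name) { return fopen(name, "wb"); }

/* Play the race against ourselves: a constructed victim file is wiped because
 * the "attacker" step runs inside the window. Returns 1 if it was wiped. */
int demo_race_clobbers_victim(void) {
    char *victim = make_template();          /* constructed victim, created safely */
    int vfd = victim ? mkstemp(victim) : -1;
    if (vfd == -1) { free(victim); return 0; }
    dprintf(vfd, "important data\n");
    close(vfd);

    char *name = racy_pick_name();
    if (!name || symlink(victim, name) != 0) { free(name); unlink(victim); free(victim); return 0; }
    FILE *t = racy_open(name);               /* truncates victim through the link */
    if (t) fclose(t);

    struct stat st;
    int wiped = stat(victim, &st) == 0 && st.st_size == 0;
    unlink(name); unlink(victim); free(name); free(victim);
    return wiped;
}

/* Fix A (Frank's suggestion): mkstemp() opens with O_CREAT|O_EXCL and mode 0600,
 * so nobody else can supply the inode; fdopen() turns that same descriptor into
 * the FILE* the caller needs. The name is returned only so it can be unlinked. */
FILE *safe_open_temp(char **name_out) {
    char *tmpl = make_template();
    int fd = tmpl ? mkstemp(tmpl) : -1;
    if (fd == -1) { free(tmpl); return NULL; }
    FILE *f = fdopen(fd, "w+b");
    if (!f) { close(fd); unlink(tmpl); free(tmpl); return NULL; }
    *name_out = tmpl;
    return f;
}

/* Check the open descriptor, not the name: regular file, one link, owned by us,
 * no group/other bits. fstat() on the fd cannot be fooled by a later rename. */
int temp_fd_is_private(int fd) {
    struct stat st;
    if (fstat(fd, &st) != 0) return 0;
    return S_ISREG(st.st_mode) && st.st_nlink == 1
        && st.st_uid == geteuid() && (st.st_mode & 077) == 0;
}

int demo_safe_temp(void) {
    char *name;
    FILE *f = safe_open_temp(&name);
    if (!f) return 0;
    int ok = temp_fd_is_private(fileno(f)) && fputs("decoded payload\n", f) >= 0;
    fclose(f); unlink(name); free(name);
    return ok;
}

/* Fix B (Florian's minimal change): reserve the name by creating the file and do
 * NOT unlink it, so the caller's later fopen(name, "wb") reopens an inode we made.
 * This still relies on a sticky temp directory so others cannot rename it away. */
char *reserve_temp_name(void) {
    char *tmpl = make_template();
    int fd = tmpl ? mkstemp(tmpl) : -1;
    if (fd == -1) { free(tmpl); return NULL; }
    close(fd);                               /* file stays on disk on purpose */
    return tmpl;
}

/* Planting a symlink at a reserved name now fails with EEXIST, and the reopen
 * lands on our own private file. Returns 1 if both hold. */
int demo_reserved_name(void) {
    char *name = reserve_temp_name();
    if (!name) return 0;
    int blocked = symlink("/nonexistent/attacker-target", name) != 0 && errno == EEXIST;
    FILE *f = fopen(name, "wb");
    int ok = blocked && f != NULL && temp_fd_is_private(fileno(f));
    if (f) fclose(f);
    unlink(name); free(name);
    return ok;
}
```

demo_race_clobbers_victim() succeeds on an ordinary Linux /tmp because the symlink is planted and followed by the same user; the fs.protected_symlinks sysctl only refuses to follow links in sticky world-writable directories when the link belongs to someone else, which is what stops the cross-user version of this attack on current kernels. Fix B closes the window shown in the OpenPKG hunk but still depends on the directory's sticky bit, which is why returning the descriptor (Fix A) is the stronger change.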
Information forwarded to debian-bugs-dist@lists.debian.org, Chris Hanson <cph@debian.org>: Bug#320541; Package uudeview.
Acknowledgement sent to Matej Vela <vela@debian.org>: Extra info received and forwarded to list. Copy sent to Chris Hanson <cph@debian.org>.
Message #30 received at 320541@bugs.debian.org:
Hi,
Note that the following packages contain copies of uudeview:
dnprogs: mail/uulib/uulib.c (0.5.13)
goldedplus: build/goldlib/uulib/uulib.c (0.5.15)
libconvert-uulib-perl: uulib/uulib.c (0.5.20)
Fortunately, the version in libconvert-uulib-perl has been patched to
use mkstemp(3) and is not vulnerable as far as I can tell.
Thanks,
Matej
Information forwarded to debian-bugs-dist@lists.debian.org, Chris Hanson <cph@debian.org>: Bug#320541; Package uudeview.
Acknowledgement sent to Justin Pryzby <justinpryzby@users.sourceforge.net>: Extra info received and forwarded to list. Copy sent to Chris Hanson <cph@debian.org>.
Message #35 received at 320541@bugs.debian.org:
Matej Vela, Sat, 18 Feb 2006 10:00:13 +0100:
>Note that the following packages contain copies of uudeview:
>
> dnprogs: mail/uulib/uulib.c (0.5.13)
> goldedplus: build/goldlib/uulib/uulib.c (0.5.15)
> libconvert-uulib-perl: uulib/uulib.c (0.5.20)
Should this bug be cloned against the first two packages? BTW, how
did you determine that uudeview was included in them? I have filed
#344980 which I would use if it were available ..
Justin
Information forwarded to debian-bugs-dist@lists.debian.org, Chris Hanson <cph@debian.org>: Bug#320541; Package uudeview.
Acknowledgement sent to Matej Vela <vela@debian.org>: Extra info received and forwarded to list. Copy sent to Chris Hanson <cph@debian.org>.
Message #40 received at 320541@bugs.debian.org:
Justin Pryzby <justinpryzby@users.sourceforge.net> writes:
> Matej Vela, Sat, 18 Feb 2006 10:00:13 +0100:
>>Note that the following packages contain copies of uudeview:
>>
>> dnprogs: mail/uulib/uulib.c (0.5.13)
>> goldedplus: build/goldlib/uulib/uulib.c (0.5.15)
>> libconvert-uulib-perl: uulib/uulib.c (0.5.20)
>
> Should this bug be cloned against the first two packages?
Feel free to do so -- hopefully it will cause some activity. Someone
should also check whether they're affected by earlier vulnerabilities
[1].
> BTW, how did you determine that uudeview was included in them? I have
> filed #344980 which I would use if it were available ..
I searched the archive with a home-brewed script [2] (a local mirror
helps :-). IIRC the security team has something similar. Note that
solving #344980 won't help with dbs-style embedded tarballs, e.g. it
wouldn't have caught goldedplus.
[1] <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0333>
[2] <http://people.debian.org/~vela/grep-sources>
Thanks,
Matej
Information forwarded to debian-bugs-dist@lists.debian.org, Chris Hanson <cph@debian.org>: Bug#320541; Package uudeview.
Acknowledgement sent to Justin Pryzby <justinpryzby@users.sourceforge.net>: Extra info received and forwarded to list. Copy sent to Chris Hanson <cph@debian.org>.
Message #45 received at 320541@bugs.debian.org:
clone 320541 -1 -2
reassign -1 dnprogs
reassign -2 goldedplus
thanks
On Wed, Mar 22, 2006 at 11:20:50PM +0100, Matej Vela wrote:
> Justin Pryzby <justinpryzby@users.sourceforge.net> writes:
> > Matej Vela, Sat, 18 Feb 2006 10:00:13 +0100:
> >>Note that the following packages contain copies of uudeview:
> >>
> >> dnprogs: mail/uulib/uulib.c (0.5.13)
> >> goldedplus: build/goldlib/uulib/uulib.c (0.5.15)
> >> libconvert-uulib-perl: uulib/uulib.c (0.5.20)
> >
> > Should this bug be cloned against the first two packages?
>
> Feel free to do so -- hopefully it will cause some activity. Someone
> should also check whether they're affected by earlier vulnerabilities:
> <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0333>
Tags added: fixed. Request was from sesse@debian.org (Steinar H. Gunderson) to control@bugs.debian.org.
Tags removed: fixed. Request was from "Steinar H. Gunderson" <sesse@debian.org> to control@bugs.debian.org.
Bug marked as fixed in version 0.5.20-2.1, send any further explanations to Joey Hess <joeyh@debian.org>. Request was from "Steinar H. Gunderson" <sesse@debian.org> to control@bugs.debian.org.
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Jun 2007 08:27:20 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Wed Jun 19 18:57:20 2019