fbgs: uses insecure tempfiles

Debian Bug report logs - #361370
fbgs: uses insecure tempfiles

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Jan Braun <janbraun@gmx.net>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: fbgs: uses insecure tempfiles

Date: Sat, 08 Apr 2006 11:58:05 +0200

[Message part 1 (text/plain, inline)]

Package: fbi
Version: 2.01-1.4
Severity: important
Tags: security patch

Hi,
the fbgs script uses an unsafe way to create its tempdir:
mkdir -p /var/tmp/fbps-$$
and proceeds to write to fixed filenames in this folder.
This can be raced to overwrite arbitrary files of the user running fbgs.
A patch is attached.
regards,
    Jan

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (990, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/dash
Kernel: Linux 2.6.15-1-k7
Locale: LANG=C, LC_CTYPE=de_DE (charmap=ISO-8859-1)

Versions of packages fbi depends on:
ii  libc6                         2.3.6-3    GNU C Library: Shared libraries an
ii  libcurl3                      7.15.3-1   Multi-protocol file transfer libra
ii  libexif12                     0.6.13-4   library to parse EXIF files
ii  libfontconfig1                2.3.2-1.1  generic font configuration library
ii  libfreetype6                  2.1.10-1   FreeType 2 font engine, shared lib
ii  libjpeg62                     6b-12      The Independent JPEG Group's JPEG 
ii  libpcd2                       1.0.1      A library for reading PhotoCD imag
ii  libpng12-0                    1.2.8rel-5 PNG library - runtime
ii  libtiff4                      3.8.0-3    Tag Image File Format (TIFF) libra
ii  libungif4g                    4.1.4-2    shared library for GIF images (run
ii  zlib1g                        1:1.2.3-11 compression library - runtime

fbi recommends no packages.

-- no debconf information

[fbgs.mktemp.patch (text/plain, attachment)]

Message #10 received at 361370@bugs.debian.org (full text, mbox, reply):

From: Florian Weimer <fw@deneb.enyo.de>

To: Jan Braun <janbraun@gmx.net>

Cc: 361370@bugs.debian.org

Subject: Re: Bug#361370: fbgs: uses insecure tempfiles

Date: Sun, 09 Apr 2006 10:07:29 +0200

* Jan Braun:

>  # tmp dir
> -DIR="${TMPDIR-/var/tmp}/fbps-$$"
> -mkdir -p $DIR	|| exit 1
> +DIR=`mktemp -dtp /var/tmp fbgs-XXXXXX`
> +[ -d $DIR ]  || exit 1

I think you should use /tmp.  /var/tmp is not cleared on reboot.

Message #15 received at 361370@bugs.debian.org (full text, mbox, reply):

From: Jan Braun <janbraun@gmx.de>

To: Florian Weimer <fw@deneb.enyo.de>

Cc: 361370@bugs.debian.org

Subject: Re: Bug#361370: fbgs: uses insecure tempfiles

Date: Sun, 09 Apr 2006 21:28:11 +0200

Florian Weimer schrob:
> * Jan Braun:
> 
> >  # tmp dir
> > -DIR="${TMPDIR-/var/tmp}/fbps-$$"
> > -mkdir -p $DIR	|| exit 1
> > +DIR=`mktemp -dtp /var/tmp fbgs-XXXXXX`
> > +[ -d $DIR ]  || exit 1
> 
> I think you should use /tmp.  /var/tmp is not cleared on reboot.

You are right. I just kept the original location without thinking about
it.

    Jan

Message #20 received at 361370@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>

To: Jan Braun <janbraun@gmx.net>, 361370@bugs.debian.org

Subject: Re: Bug#361370: fbgs: uses insecure tempfiles

Date: Mon, 15 May 2006 04:42:04 +0200

Jan Braun wrote:
> Package: fbi
> Version: 2.01-1.4
> Severity: important
> Tags: security patch

Sorry for the late reply, an update is in preparation.

Cheers,
        Moritz

Message #25 received at 361370@bugs.debian.org (full text, mbox, reply):

From: Jan Braun <janbraun@gmx.net>

To: 361370@bugs.debian.org

Subject: Re: Bug#361370: fbgs: uses insecure tempfiles

Date: Mon, 19 Jun 2006 01:46:56 +0200

[Message part 1 (text/plain, inline)]

Hi again,
I'm sorry, my previous patch didn't check mktemp's return value, and if
mktemp fails, DIR is empty and [ -d $DIR ] succeeds (for whatever
reason). So this is still exploitable if fbgs is executed in a dir the
attacker has write access to.

Attached a new version which might be correct. :/

    Jan

[fbgs.mktemp.patch (text/plain, attachment)]

Message #30 received at 361370-close@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@debian.org>

To: 361370-close@bugs.debian.org

Subject: Bug#361370: fixed in fbi 2.05-1

Date: Sun, 06 Aug 2006 10:02:11 -0700

Source: fbi
Source-Version: 2.05-1

We believe that the bug you reported is fixed in the latest version of
fbi, which is due to be installed in the Debian FTP archive:

exiftran_2.05-1_i386.deb
  to pool/main/f/fbi/exiftran_2.05-1_i386.deb
fbi_2.05-1.dsc
  to pool/main/f/fbi/fbi_2.05-1.dsc
fbi_2.05-1.tar.gz
  to pool/main/f/fbi/fbi_2.05-1.tar.gz
fbi_2.05-1_i386.deb
  to pool/main/f/fbi/fbi_2.05-1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 361370@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Moritz Muehlenhoff <jmm@debian.org> (supplier of updated fbi package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 23 Jul 2006 14:31:21 +0200
Source: fbi
Binary: fbi exiftran
Architecture: source i386
Version: 2.05-1
Distribution: unstable
Urgency: low
Maintainer: Moritz Muehlenhoff <jmm@debian.org>
Changed-By: Moritz Muehlenhoff <jmm@debian.org>
Description: 
 exiftran   - transform digital camera jpeg images
 fbi        - Linux frame buffer image viewer
Closes: 262805 266811 279566 282890 311226 320057 320058 322236 346726 356897 361370 361383 361388 367344 369049 379047 379250
Changes: 
 fbi (2.05-1) unstable; urgency=low
 .
   * New maintainer, thanks Gerd. (Closes: #379250)
   * New upstream release 2.05. (Closes: #367344)
     - Includes fix for insecure temp file usage in fbgs
       [CVE-2006-1695, DSA-1068] (Closes: #361370)
     - Includes fix for correct Postscript sanitising
       [CVE-2006-3119, DSA-1124]
     - Includes spelling fixes by A. Costa (Closes: #311226)
     - Includes support for color display in fbgs with the new
       -c option, based on patch by Jan Braun (Closes: #279566)
     - Fix pointer arithmetic (Closes: #369049)
     - Document zooming with "s" and fix rounding of zoom factor,
       patch by Jan Braun (Closes: #361383)
     - fbi now maintains zoom levels between multiple images
       (Closes: #361388)
   * Acknowledge NMUs. (Closes: #262805, #282890, #346726, #322236)
   * Add dependency on gs-gpl for fbgs. (Closes: #356897)
   * Correct build dependency on libcurl. (Closes: #320057, #320058)
   * Gerd has changed his name with his marriage, update copyright
     file.
   * Update upstream download location (Closes: #379047)
   * Bump debhelper level to 5
   * Mention fbgs in package description (Closes: #266811)
Files: 
 9bdc4883a5bb765972bbb0b171bb01cb 723 graphics optional fbi_2.05-1.dsc
 30b44920c314d3498b20199fbe057bac 212377 graphics optional fbi_2.05-1.tar.gz
 d0eda4b22ab8b5b71e50184a9e238566 54106 graphics optional fbi_2.05-1_i386.deb
 f68e65aad16d5b3323cf0da984e4be75 24414 graphics optional exiftran_2.05-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFE1hzmXm3vHE4uyloRAssMAKCfDPlUatUWk2e+UZmjxmureUrEdACg6uqG
vQwYOtZwPNj6u6BCWEDfe8M=
=doZO
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.