Debian Bug report logs - #361370
fbgs: uses insecure tempfiles
Reported by: Jan Braun <janbraun@gmx.net>
Date: Sat, 8 Apr 2006 10:03:07 UTC
Severity: important
Tags: patch, security
Found in version fbi/2.01-1.4
Fixed in version fbi/2.05-1
Done: Moritz Muehlenhoff <jmm@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Gerd Knorr <kraxel@debian.org>: Bug#361370; Package fbi.
Acknowledgement sent to Jan Braun <janbraun@gmx.net>: New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Gerd Knorr <kraxel@debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: fbi
Version: 2.01-1.4
Severity: important
Tags: security patch
Hi,
the fbgs script uses an unsafe way to create its tempdir:
mkdir -p /var/tmp/fbps-$$
and proceeds to write to fixed filenames in this folder.
This can be raced to overwrite arbitrary files of the user running fbgs.
A patch is attached.
regards,
Jan
-- System Information:
Debian Release: testing/unstable
APT prefers testing
APT policy: (990, 'testing')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/dash
Kernel: Linux 2.6.15-1-k7
Locale: LANG=C, LC_CTYPE=de_DE (charmap=ISO-8859-1)
Versions of packages fbi depends on:
ii libc6 2.3.6-3 GNU C Library: Shared libraries an
ii libcurl3 7.15.3-1 Multi-protocol file transfer libra
ii libexif12 0.6.13-4 library to parse EXIF files
ii libfontconfig1 2.3.2-1.1 generic font configuration library
ii libfreetype6 2.1.10-1 FreeType 2 font engine, shared lib
ii libjpeg62 6b-12 The Independent JPEG Group's JPEG
ii libpcd2 1.0.1 A library for reading PhotoCD imag
ii libpng12-0 1.2.8rel-5 PNG library - runtime
ii libtiff4 3.8.0-3 Tag Image File Format (TIFF) libra
ii libungif4g 4.1.4-2 shared library for GIF images (run
ii zlib1g 1:1.2.3-11 compression library - runtime
fbi recommends no packages.
-- no debconf information
[fbgs.mktemp.patch (text/plain, attachment)]
Information forwarded to debian-bugs-dist@lists.debian.org, Gerd Knorr <kraxel@debian.org>: Bug#361370; Package fbi.
Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>: Extra info received and forwarded to list. Copy sent to Gerd Knorr <kraxel@debian.org>.
Message #10 received at 361370@bugs.debian.org:
* Jan Braun:
> # tmp dir
> -DIR="${TMPDIR-/var/tmp}/fbps-$$"
> -mkdir -p $DIR || exit 1
> +DIR=`mktemp -dtp /var/tmp fbgs-XXXXXX`
> +[ -d $DIR ] || exit 1
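Review bot: the replacement check on the last line of this hunk does not catch mktemp failing. If `mktemp -dtp /var/tmp fbgs-XXXXXX` exits non-zero (for example because /var/tmp is not writable), the command substitution yields an empty DIR, and the unquoted `[ -d $DIR ]` expands to `[ -d ]`, a one-argument test that is true simply because the string "-d" is non-empty; the script then carries on with DIR empty. Test mktemp's exit status directly and quote the variable, e.g. `DIR=\`mktemp -dtp /var/tmp fbgs-XXXXXX\` || exit 1` followed by `[ -d "$DIR" ] || exit 1`, so that a failed or partially successful creation aborts before anything is written.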
I think you should use /tmp. /var/tmp is not cleared on reboot.
Information forwarded to debian-bugs-dist@lists.debian.org, Gerd Knorr <kraxel@debian.org>: Bug#361370; Package fbi.
Acknowledgement sent to Jan Braun <janbraun@gmx.de>: Extra info received and forwarded to list. Copy sent to Gerd Knorr <kraxel@debian.org>.
Message #15 received at 361370@bugs.debian.org:
Florian Weimer wrote:
> * Jan Braun:
>
> > # tmp dir
> > -DIR="${TMPDIR-/var/tmp}/fbps-$$"
> > -mkdir -p $DIR || exit 1
> > +DIR=`mktemp -dtp /var/tmp fbgs-XXXXXX`
> > +[ -d $DIR ] || exit 1
>
> I think you should use /tmp. /var/tmp is not cleared on reboot.
You are right. I just kept the original location without thinking about
it.
Jan
Information forwarded to debian-bugs-dist@lists.debian.org, Gerd Knorr <kraxel@debian.org>: Bug#361370; Package fbi.
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Gerd Knorr <kraxel@debian.org>.
Message #20 received at 361370@bugs.debian.org:
Jan Braun wrote:
> Package: fbi
> Version: 2.01-1.4
> Severity: important
> Tags: security patch
Sorry for the late reply, an update is in preparation.
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org, Gerd Knorr <kraxel@debian.org>: Bug#361370; Package fbi.
Acknowledgement sent to Jan Braun <janbraun@gmx.net>: Extra info received and forwarded to list. Copy sent to Gerd Knorr <kraxel@debian.org>.
Message #25 received at 361370@bugs.debian.org:
Hi again,
I'm sorry, my previous patch didn't check mktemp's return value, and if
mktemp fails, DIR is empty and [ -d $DIR ] succeeds (for whatever
reason). So this is still exploitable if fbgs is executed in a dir the
attacker has write access to.
Attached a new version which might be correct. :/
Jan
[fbgs.mktemp.patch (text/plain, attachment)]
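The two problems raised in this report, the predictable `mkdir -p /var/tmp/fbps-$$` directory in the original fbgs and the unquoted `[ -d $DIR ]` check in the first patch that passes when mktemp fails, can both be reproduced in a few lines of POSIX shell. The following is an added example written for this page; it is not code from fbi or fbgs and not the attached patch. Only the `fbps-` and `fbgs-` name prefixes follow the report; the function names, the base directory argument and the sample PID are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the fbi package or its patches.

# Original pattern: a directory name derived from the PID, created with -p.
# "mkdir -p" exits 0 when the path already exists, so a directory that an
# attacker pre-created under the guessed name (populated with symlinks at the
# fixed filenames the script later writes) is silently accepted.
# Returns mkdir's exit status.
predictable_workdir() {
    base=$1
    pid=$2
    mkdir -p "$base/fbps-$pid"
}

# First patch's check, with DIR unquoted. When mktemp fails the substitution
# yields an empty string, "[ -d $DIR ]" expands to "[ -d ]", and a one-argument
# test is true whenever that argument is a non-empty string ("-d" is).
# Returns 0 when the check (wrongly) passes.
unquoted_dir_check() {
    DIR=$1
    [ -d $DIR ]
}

# Same check with the variable quoted: "[ -d "" ]" is a real directory test
# and fails on the empty name.
quoted_dir_check() {
    DIR=$1
    [ -d "$DIR" ]
}

# Safer creation: let mktemp choose an unpredictable name and create the
# directory itself (mode 0700), and abort on mktemp's own exit status instead
# of a later test that can be fooled. The base defaults to $TMPDIR or /tmp,
# as Florian suggested, rather than /var/tmp.
# Prints the directory on success; prints nothing and returns 1 on failure.
make_workdir() {
    base=${1:-${TMPDIR:-/tmp}}
    dir=$(mktemp -d "$base/fbgs-XXXXXX") || return 1
    [ -d "$dir" ] || return 1
    printf '%s\n' "$dir"
}
```

`predictable_workdir` returns success even after the name has been pre-created by someone else, which is the race the report describes; `unquoted_dir_check ""` returns success although no directory exists, which is the second flaw; `make_workdir` fails cleanly when the base directory is missing or unwritable because the `||` is attached to the mktemp substitution itself.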
Reply sent to Moritz Muehlenhoff <jmm@debian.org>: You have taken responsibility.
Notification sent to Jan Braun <janbraun@gmx.net>: Bug acknowledged by developer.
Message #30 received at 361370-close@bugs.debian.org:
Source: fbi
Source-Version: 2.05-1
We believe that the bug you reported is fixed in the latest version of
fbi, which is due to be installed in the Debian FTP archive:
exiftran_2.05-1_i386.deb
to pool/main/f/fbi/exiftran_2.05-1_i386.deb
fbi_2.05-1.dsc
to pool/main/f/fbi/fbi_2.05-1.dsc
fbi_2.05-1.tar.gz
to pool/main/f/fbi/fbi_2.05-1.tar.gz
fbi_2.05-1_i386.deb
to pool/main/f/fbi/fbi_2.05-1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 361370@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Moritz Muehlenhoff <jmm@debian.org> (supplier of updated fbi package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sun, 23 Jul 2006 14:31:21 +0200
Source: fbi
Binary: fbi exiftran
Architecture: source i386
Version: 2.05-1
Distribution: unstable
Urgency: low
Maintainer: Moritz Muehlenhoff <jmm@debian.org>
Changed-By: Moritz Muehlenhoff <jmm@debian.org>
Description:
exiftran - transform digital camera jpeg images
fbi - Linux frame buffer image viewer
Closes: 262805 266811 279566 282890 311226 320057 320058 322236 346726 356897 361370 361383 361388 367344 369049 379047 379250
Changes:
fbi (2.05-1) unstable; urgency=low
.
* New maintainer, thanks Gerd. (Closes: #379250)
* New upstream release 2.05. (Closes: #367344)
- Includes fix for insecure temp file usage in fbgs
[CVE-2006-1695, DSA-1068] (Closes: #361370)
- Includes fix for correct Postscript sanitising
[CVE-2006-3119, DSA-1124]
- Includes spelling fixes by A. Costa (Closes: #311226)
- Includes support for color display in fbgs with the new
-c option, based on patch by Jan Braun (Closes: #279566)
- Fix pointer arithmetic (Closes: #369049)
- Document zooming with "s" and fix rounding of zoom factor,
patch by Jan Braun (Closes: #361383)
- fbi now maintains zoom levels between multiple images
(Closes: #361388)
* Acknowledge NMUs. (Closes: #262805, #282890, #346726, #322236)
* Add dependency on gs-gpl for fbgs. (Closes: #356897)
* Correct build dependency on libcurl. (Closes: #320057, #320058)
* Gerd has changed his name with his marriage, update copyright
file.
* Update upstream download location (Closes: #379047)
* Bump debhelper level to 5
* Mention fbgs in package description (Closes: #266811)
Files:
9bdc4883a5bb765972bbb0b171bb01cb 723 graphics optional fbi_2.05-1.dsc
30b44920c314d3498b20199fbe057bac 212377 graphics optional fbi_2.05-1.tar.gz
d0eda4b22ab8b5b71e50184a9e238566 54106 graphics optional fbi_2.05-1_i386.deb
f68e65aad16d5b3323cf0da984e4be75 24414 graphics optional exiftran_2.05-1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iD8DBQFE1hzmXm3vHE4uyloRAssMAKCfDPlUatUWk2e+UZmjxmureUrEdACg6uqG
vQwYOtZwPNj6u6BCWEDfe8M=
=doZO
-----END PGP SIGNATURE-----
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 10:24:26 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:22:12 2019.