pycode-browser: CVE-2015-0849: predictable temporary file vulnerability

Debian Bug report logs - #790365
pycode-browser: CVE-2015-0849: predictable temporary file vulnerability

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: "brian m. carlson" <sandals@crustytoothpaste.net>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: pycode-browser: predictable temporary file vulnerability

Date: Sun, 28 Jun 2015 14:21:14 +0000

[Message part 1 (text/plain, inline)]

Package: pycode-browser
Version: 20120614+git+b041dd2-8
Severity: normal
Tags: security

pycode-browser has a predictable temporary file vulnerability.

When following the below steps, it uses the predictable
temporary file /tmp/pycode-0007-0007.py and will overwrite its contents.
You can reproduce this with the attached script by running
"./test-pycode-browser pycode-browser" and following the steps.

* Launch pycode-browser (with or without the script).
* Open one of the test programs.
* Modify it in some way.
* Do not save the file.
* Click the Execute button.

The program will write the contents to the temporary file.  Upon
exiting, the script will report that the program is vulnerable.  The
vulnerability is ameliorated by fs.protected_symlinks, but systems
running without that enabled are vulnerable to a symlink attack.

The Debian Security Team has allocated CVE-2015-0849 to this
vulnerability.  I sent an email to upstream but have received no
response, so I'm filing this bug.  No DSA will be issued for this
vulnerability.

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.0.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=es_US.UTF-8, LC_CTYPE=es_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187

[test-pycode-browser (text/plain, attachment)]

[signature.asc (application/pgp-signature, inline)]

Message #18 received at 790365-close@bugs.debian.org (full text, mbox, reply):

From: Georges Khaznadar <georgesk@debian.org>

To: 790365-close@bugs.debian.org

Subject: Bug#790365: fixed in pycode-browser 1:1.0-1

Date: Sun, 28 Jun 2015 19:04:37 +0000

Source: pycode-browser
Source-Version: 1:1.0-1

We believe that the bug you reported is fixed in the latest version of
pycode-browser, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 790365@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Georges Khaznadar <georgesk@debian.org> (supplier of updated pycode-browser package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 28 Jun 2015 19:50:38 +0200
Source: pycode-browser
Binary: pycode-browser
Architecture: source all
Version: 1:1.0-1
Distribution: unstable
Urgency: medium
Maintainer: Georges Khaznadar <georgesk@debian.org>
Changed-By: Georges Khaznadar <georgesk@debian.org>
Description:
 pycode-browser - environment to teach with Python code snippets
Closes: 790189 790365
Changes:
 pycode-browser (1:1.0-1) unstable; urgency=medium
 .
   * created a file d/watch to take git tags in account
   * upgraded to the newest upstream version. Changed dependencies.
     Closes: #790189. Closes: #790365
   * fixed d/copyright for a few lintian warnings
Checksums-Sha1:
 358fdf2c58a2a92d9de2c0fe665c95b0c6d1d731 1890 pycode-browser_1.0-1.dsc
 5ad90869d8a97a1b17dade9b712f90def0d6dc41 3815876 pycode-browser_1.0.orig.tar.xz
 f3acd3b764da2012b09157fd21283313c7d672f0 5872 pycode-browser_1.0-1.debian.tar.xz
 8e18402f881b92178c599573dd41f1e434ee13d9 3874544 pycode-browser_1.0-1_all.deb
Checksums-Sha256:
 0e319f1300eb0fcc890bbf0b4a6b792157abf8e350f37f9a665ec86b5df933e5 1890 pycode-browser_1.0-1.dsc
 8ca89f1544bb7dfee0b82870fcbdd4539b80a1e85fe936a64c017f8fdaeacdee 3815876 pycode-browser_1.0.orig.tar.xz
 be95bcc527af8547158d561676f11cfb64ed4654adaa805966ebff37189367ab 5872 pycode-browser_1.0-1.debian.tar.xz
 f1aeaf20f47c2311b6dfadc623c63b96aff5de71d323d9a70ad7e84a9ec8f738 3874544 pycode-browser_1.0-1_all.deb
Files:
 1cd109f875a4cd761f69c6febc7e22db 1890 education extra pycode-browser_1.0-1.dsc
 f0bd078c3808ca213dbc015e5c42746c 3815876 education extra pycode-browser_1.0.orig.tar.xz
 a8572fb413784ff589eee71868249909 5872 education extra pycode-browser_1.0-1.debian.tar.xz
 de916898bac7004f7241810f53bfb848 3874544 education extra pycode-browser_1.0-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBVZBAxRwoFpBxNq45AQikzxAAl1biCE89fuvyUA5M5CdSmC1eH0kQHa5c
J7JvpVPdfyz+sQ/2gJWFPoyxICrXrYJrH3B2sBI2QLze1XeeUTimHS3qRNUwuVI5
CwldxJpUa/xEemB34RZGbs/h4WTqMOJxNKhN9olmHfpaIWB4T+5e1ONCCeIIjyOf
3FZa86QnMGLALh5/jiMGv/85D82Oil5sW3srLjd5pSnYxvpzwo6KoF8bPJ8nVkKi
vpJ0avsj/VPx989YSCkV3IdlQiyribp0byjxYWdn2wJY163a8nGUOqtPlz3dvX0a
qC2uMyDpOpG79suP/AztslrRg0L+0a5ToxWXA1jqASeAq31Rm4/o01pNPJVlqpvZ
8Ws15TxnWwyn6E9q2mWcjWIb1I6N5enXLQdoEVHVjirxYw5nSgZDnk++bJhksk/d
b3RJecP/4Mx6hpQXTaKZIWUWiA3Q0gUhncsG9BoHrsR/kK7vLD3S7DQuk9WoVO+G
hxl95H3xB374Awqh5mKQoOUQfQSsfCIbZOLeUFuTj7EdkC45GNncgTaVkOKbyl8p
v1uu8+qlqTomOchR+kEPPCenISYHFB7VpeGhENWc3iirg4Rlagb/M4hFZfcAzBx/
2FOYbsPhq5e1bFbPRvy3Hv8umfWPrNzoxLa4H1RBOWiBYSUk68prLS85GYNfDKPT
/emdQxmFO58=
=nbPe
-----END PGP SIGNATURE-----

Message #25 received at 790365-close@bugs.debian.org (full text, mbox, reply):

From: Alessandro Ghedini <ghedo@debian.org>

To: 790365-close@bugs.debian.org

Subject: Bug#790365: fixed in libwmf 0.2.8.4-10.4

Date: Fri, 31 Jul 2015 09:41:13 +0000

Source: libwmf
Source-Version: 0.2.8.4-10.4

We believe that the bug you reported is fixed in the latest version of
libwmf, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 790365@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alessandro Ghedini <ghedo@debian.org> (supplier of updated libwmf package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 30 Jul 2015 17:10:05 +0200
Source: libwmf
Binary: libwmf0.2-7 libwmf-bin libwmf-dev libwmf-doc
Architecture: source amd64 all
Version: 0.2.8.4-10.4
Distribution: unstable
Urgency: high
Maintainer: Loïc Minier <lool@debian.org>
Changed-By: Alessandro Ghedini <ghedo@debian.org>
Description:
 libwmf-bin - Windows metafile conversion tools
 libwmf-dev - Windows metafile conversion development
 libwmf-doc - Windows metafile documentation
 libwmf0.2-7 - Windows metafile conversion library
Closes: 784192 784205 787644 790365
Changes:
 libwmf (0.2.8.4-10.4) unstable; urgency=high
 .
   * NMU from the Security Team
   * Fix multiple vulnerabilities:
     - CVE-2015-0848 (Closes: #790365)
     - CVE-2015-4588 (Closes: #787644)
     - CVE-2015-4695 (Closes: #784205)
     - CVE-2015-4696 (Closes: #784192)
   * Fix lintian override
Checksums-Sha1:
 450540d3d66a311ce99cb082597dadaa0ffb1edc 2066 libwmf_0.2.8.4-10.4.dsc
 47d30a5d40b35d19fe13e95406833218b796f060 10720 libwmf_0.2.8.4-10.4.debian.tar.xz
 c45e10aeae14667fdd9d7300be18cf15eecf33b2 33178 libwmf-bin_0.2.8.4-10.4_amd64.deb
 16fa98ba6d9e767ad19960e864e0ff8e27fc8b89 185254 libwmf-dev_0.2.8.4-10.4_amd64.deb
 97d9d25df72efab358720c44c0c6a084d04fc4c4 230988 libwmf-doc_0.2.8.4-10.4_all.deb
 530330cb97d0807ce41aabaf8110d58e5119866e 162992 libwmf0.2-7_0.2.8.4-10.4_amd64.deb
Checksums-Sha256:
 91f1edacbc33e5414cc703556eb1b84e5903b128dc7e42e6dda612867d62886a 2066 libwmf_0.2.8.4-10.4.dsc
 5fd6bbf1d9f6af8b02b8d8531b331c12dbcec4e0dc11a8b94e30ce45032e0e89 10720 libwmf_0.2.8.4-10.4.debian.tar.xz
 1d5de3e28f9324167c344c6f5b54487f5886bd2a7177ccca50356b5a000a5d42 33178 libwmf-bin_0.2.8.4-10.4_amd64.deb
 e179edacece3530112b93e2b6ad8833346433cc8dd71f13bc71316b4c6b83620 185254 libwmf-dev_0.2.8.4-10.4_amd64.deb
 a3c23122f4fa0aa12981f7492fcec0633eaeb0364991e6d5e2404aeb59593b58 230988 libwmf-doc_0.2.8.4-10.4_all.deb
 cfc43e06dfe1276e38b8c25e37f6a873437368794a4aa4c6c58e9aef16512e8f 162992 libwmf0.2-7_0.2.8.4-10.4_amd64.deb
Files:
 3e42e8e78db503b77c617a1a55a6870b 2066 libs optional libwmf_0.2.8.4-10.4.dsc
 04815b571768138d80b1a41ce4073738 10720 libs optional libwmf_0.2.8.4-10.4.debian.tar.xz
 dd93758e6acec8489d45ced9fa916bbc 33178 graphics optional libwmf-bin_0.2.8.4-10.4_amd64.deb
 47806380e2379a35344122dd31d4195c 185254 libdevel optional libwmf-dev_0.2.8.4-10.4_amd64.deb
 7f8fea554b22dc39a4f7f6fb3a204d8b 230988 doc optional libwmf-doc_0.2.8.4-10.4_all.deb
 3c9b859bf279fcf201cc630da37690c1 162992 libs optional libwmf0.2-7_0.2.8.4-10.4_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJVuysGAAoJEK+lG9bN5XPLqasP/2E0NgkqguzR4wbexpantyXm
Ntgob/yva4MaYyj8FPARns/59UdzLKJ98vM9jzH+HBHbQ5o0nomGFBRLpMSZtloq
qfqbnL8tzvZtrMYTKuD9H55ZpVDIP7tIjEps7onKHPxMR+v0UB+SwD8E5jTZW1SX
hmgo+r1fNfaz3kg/X/eE/gitpyEY+5ca5XRJU5aCuujodi4GGsq14nxtWcycOm4q
xfVV65rD3cil9grZLCz7jK4U3FTibUylTAj9hBahu9w/D8/jCwn9dOL+cyjSYonB
0bzxLTWWSUge6aNw4xy5YEKvvdmEanj2PO3qkz1/1C72Eohgblk8kIHAygXb6TJi
b3vdqdk7jxITApgMK2uDjG69GVuxJQ0Gq6ce95k4x2EFEq1WtVI7x8QIT6DH563/
1Ie1EpRR03FGg6+j9HTRI/fyk4OEV41P3je+tGKHoqMb9HjQtVwvbxc7RVhjo2VS
Xqpl/uXQjicKsKEG7HnTEAr8HNrqW7P+LnDgiJDoKp5aNHO8uO1Q3yoB/It1mFIz
8XDkCRS+D8QZWGAKT8TJsYy3eRHZLZxplO5M9UAOu/IUCEOD/TupMdRpj5m40Oab
LgTWf9PIRQHJyYoLD4LuwQM+V2/3xlJGFNm+FfsDRzngZHwKEFAFc5AGOo6KlM8y
PVkgFYYr9lYxM1TCfElG
=VF5W
-----END PGP SIGNATURE-----

Message #30 received at 790365@bugs.debian.org (full text, mbox, reply):

From: Alessandro Ghedini <ghedo@debian.org>

To: 790365@bugs.debian.org

Cc: "brian m. carlson" <sandals@crustytoothpaste.net>

Subject: Re: Bug#790365 closed by Alessandro Ghedini <ghedo@debian.org> (Bug#790365: fixed in libwmf 0.2.8.4-10.4)

Date: Fri, 31 Jul 2015 12:37:21 +0200

[Message part 1 (text/plain, inline)]

Control: notfixed -1 libwmf/0.2.8.4-10.4

On Fri, Jul 31, 2015 at 09:45:17AM +0000, Debian Bug Tracking System wrote:
> This is an automatic notification regarding your Bug report
> which was filed against the pycode-browser package:
> 
> #790365: pycode-browser: CVE-2015-0849: predictable temporary file vulnerability
> 
> It has been closed by Alessandro Ghedini <ghedo@debian.org>.
> 
> Their explanation is attached below along with your original report.
> If this explanation is unsatisfactory and you have not received a
> better one in a separate message then please contact Alessandro Ghedini <ghedo@debian.org> by
> replying to this email.

Not sure how this happened, but it looks like I closed the wrong bug... Sorry
for the noise.

Cheers

[signature.asc (application/pgp-signature, inline)]

Send a report that this bug log contains spam.