libid3-3.8.3c2a: creates insecure temporary files

Debian Bug report logs - #438540
libid3-3.8.3c2a: creates insecure temporary files

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Nikolaus Schulz <microschulz@web.de>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: libid3-3.8.3c2a: creates insecure temporary files

Date: Fri, 17 Aug 2007 18:51:24 +0200

Package: libid3-3.8.3c2a
Version: 3.8.3-6
Severity: grave
Tags: security
Justification: user security hole

Hi, 

when tagging file $foo, a temporary copy of the file is created, and for some
reason, libid3 doesn't use mkstemp but just creates $foo.XXXXXX literally,
without any checking.  
This would silently truncate and overwrite an existing $foo.XXXXXX. 

,----[ src/tag_file.cpp ]
| 233     String filename = tag.GetFileName();
| 234     String sTmpSuffix = ".XXXXXX";
| 235     if (filename.size() + sTmpSuffix.size() > ID3_PATH_LENGTH)
| 236     {
| 237       // log this
| 238       return 0;
| 239       //ID3_THROW_DESC(ID3E_NoFile, "filename too long");
| 240     }
| 241     char sTempFile[ID3_PATH_LENGTH];
| 242     strcpy(sTempFile, filename.c_str());
| 243     strcat(sTempFile, sTmpSuffix.c_str());
| 244 
| 245 #if ((defined(__GNUC__) && __GNUC__ >= 3  ) || !defined(HAVE_MKSTEMP))
| 246     // This section is for Windows folk && gcc 3.x folk
| 247     fstream tmpOut;
| 248     createFile(sTempFile, tmpOut);
`----

HAND, 
Nikolaus

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-5-k7
Locale: LANG=de_DE@euro, LC_CTYPE=de_DE@euro (charmap=ISO-8859-15)

Versions of packages libid3-3.8.3c2a depends on:
ii  libc6                  2.3.6.ds1-13etch4 GNU C Library: Shared libraries
ii  libgcc1                1:4.1.1-21        GCC support library
ii  libstdc++6             4.1.1-21          The GNU Standard C++ Library v3
ii  zlib1g                 1:1.2.3-13        compression library - runtime

libid3-3.8.3c2a recommends no packages.

-- no debconf information

Message #10 received at 438540-close@bugs.debian.org (full text, mbox, reply):

From: Robert Woodcock <rcw@debian.org>

To: 438540-close@bugs.debian.org

Subject: Bug#438540: fixed in id3lib3.8.3 3.8.3-7

Date: Sat, 18 Aug 2007 23:17:03 +0000

Source: id3lib3.8.3
Source-Version: 3.8.3-7

We believe that the bug you reported is fixed in the latest version of
id3lib3.8.3, which is due to be installed in the Debian FTP archive:

id3lib3.8.3_3.8.3-7.diff.gz
  to pool/main/i/id3lib3.8.3/id3lib3.8.3_3.8.3-7.diff.gz
id3lib3.8.3_3.8.3-7.dsc
  to pool/main/i/id3lib3.8.3/id3lib3.8.3_3.8.3-7.dsc
libid3-3.8.3-dev_3.8.3-7_i386.deb
  to pool/main/i/id3lib3.8.3/libid3-3.8.3-dev_3.8.3-7_i386.deb
libid3-3.8.3c2a_3.8.3-7_i386.deb
  to pool/main/i/id3lib3.8.3/libid3-3.8.3c2a_3.8.3-7_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 438540@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Robert Woodcock <rcw@debian.org> (supplier of updated id3lib3.8.3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 18 Aug 2007 15:52:52 -0700
Source: id3lib3.8.3
Binary: libid3-3.8.3-dev libid3-3.8.3c2a
Architecture: source i386
Version: 3.8.3-7
Distribution: unstable
Urgency: high
Maintainer: Robert Woodcock <rcw@debian.org>
Changed-By: Robert Woodcock <rcw@debian.org>
Description: 
 libid3-3.8.3-dev - ID3 Tag Library: Development Libraries and Header Files.
 libid3-3.8.3c2a - Library for manipulating ID3v1 and ID3v2 tags.
Closes: 438540
Changes: 
 id3lib3.8.3 (3.8.3-7) unstable; urgency=high
 .
   * SECURITY: Change #ifdef logic to select mkstemp() code instead of
     insecure tempfile creation code, and fix mkstemp() code to work with g++
     3.x, closes: #438540
Files: 
 84eebc97a2d04bc41e1320bcae11c86a 642 libs optional id3lib3.8.3_3.8.3-7.dsc
 c13c3a9a179a5c6548475a3f5f748a9a 135421 libs optional id3lib3.8.3_3.8.3-7.diff.gz
 5cf02d4ecd80a3f4414857b4cd1b0e0f 263108 libdevel optional libid3-3.8.3-dev_3.8.3-7_i386.deb
 598bc63b80a935e7f1c94a5cb40a0e32 176814 libs optional libid3-3.8.3c2a_3.8.3-7_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGx3vc9c5o62/wq/IRAusYAKCN2ScPsZNhhntc5RLVAJ1UnqfE0gCeIlhq
SoFByPRyB3Oh/YMgkpZQC1I=
=lQ9K
-----END PGP SIGNATURE-----

Message #15 received at 438540@bugs.debian.org (full text, mbox, reply):

From: Martin Schulze <joey@infodrom.org>

To: Nikolaus Schulz <microschulz@web.de>

Cc: Debian Bug Tracking System <438540@bugs.debian.org>

Subject: Re: libid3-3.8.3c2a: creates insecure temporary files

Date: Wed, 22 Aug 2007 22:11:47 +0200

Nikolaus Schulz wrote:
> Package: libid3-3.8.3c2a
> Version: 3.8.3-6
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> Hi, 
> 
> when tagging file $foo, a temporary copy of the file is created, and for some
> reason, libid3 doesn't use mkstemp but just creates $foo.XXXXXX literally,
> without any checking.  
> This would silently truncate and overwrite an existing $foo.XXXXXX. 

Please use CVE-2007-3912 for this.

Robert, please mention this id in the changelog when you upload a
new package (i.e. edit the current changelog entry when you're doing
another upload anyway).

Regards,

	Joey

-- 
Those who don't understand Unix are condemned to reinvent it, poorly.

Please always Cc to me when replying to me on the lists.

Send a report that this bug log contains spam.