gummi: Uses predictable filenames in /tmp based on basename (CVE-2015-7758)

Related Vulnerabilities: CVE-2015-7758  

Debian Bug report logs - #756432

Reported by: Julian Andres Klode <jak@debian.org>

Date: Tue, 29 Jul 2014 19:45:07 UTC

Severity: normal

Tags: confirmed, security, upstream

Fixed in version gummi/0.6.5-6

Done: Daniel Stender <debian@danielstender.com>

Bug is archived. No further changes may be made.

Forwarded to http://dev.midnightcoding.org/issues/510


Report forwarded to debian-bugs-dist@lists.debian.org, jak@debian.org, Daniel Stender <debian@danielstender.com>:
Bug#756432; Package gummi. (Tue, 29 Jul 2014 19:45:11 GMT) (full text, mbox, link).


Acknowledgement sent to Julian Andres Klode <jak@debian.org>:
New Bug report received and forwarded. Copy sent to jak@debian.org, Daniel Stender <debian@danielstender.com>. (Tue, 29 Jul 2014 19:45:11 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Julian Andres Klode <jak@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: gummi: Uses predictable filenames in /tmp based on basename
Date: Tue, 29 Jul 2014 21:42:58 +0200
Package: gummi
Version: 0.6.5-3
Severity: normal

I opened a file called thesis.tex in gummi, this created the following
files in /tmp:

-rw-r--r--  1 jak  jak    3196 Jul 29 21:39 .thesis.tex.aux
-rw-r--r--  1 jak  jak   42672 Jul 29 21:39 .thesis.tex.log
-rw-r--r--  1 jak  jak     559 Jul 29 21:39 .thesis.tex.out
-rw-r--r--  1 jak  jak  266755 Jul 29 21:39 .thesis.tex.pdf
-rw-r--r--  1 jak  jak     885 Jul 29 21:39 .thesis.tex.toc

Obviously, this has serious implications for multi-user systems, because
two users editing a file with the same name would write to the same files
in /tmp. 

I'm not sure if there are security implications here if you create symbol
links using those names that an attacker could use to overwrite files
in /home (potentially deleting valuable user information)

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (980, 'unstable'), (500, 'unstable'), (100, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.14-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages gummi depends on:
ii  libc6                  2.19-7
ii  libcairo2              1.12.16-2
ii  libgdk-pixbuf2.0-0     2.30.7-1
ii  libglib2.0-0           2.40.0-3
ii  libgtk2.0-0            2.24.24-1
ii  libgtksourceview2.0-0  2.10.5-1
ii  libgtkspell0           2.0.16-1
ii  libpango-1.0-0         1.36.3-1
ii  libpoppler-glib8       0.26.3-1
ii  zlib1g                 1:1.2.8.dfsg-1

Versions of packages gummi recommends:
ii  texlive-extra-utils  2014.20140717-1
ii  texlive-latex-base   2014.20140717-01
ii  texlive-xetex        2014.20140717-01

gummi suggests no packages.

-- no debconf information

-- 
Julian Andres Klode  - Debian Developer, Ubuntu Member

See http://wiki.debian.org/JulianAndresKlode and http://jak-linux.org/.

Be friendly, do not top-post, and follow RFC 1855 "Netiquette".
    - If you don't I might ignore you.
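
The risk raised in the report above, as an added example that is not gummi's code and not the Debian patch (whose contents do not appear in this log): opening the predictable `.<basename>.<ext>` name follows a symlink that is already there, while an exclusive, no-follow open does not, and `mkdtemp` gives each session an unpredictable private directory. The function names, the `gummi-XXXXXX` template and the throwaway self-check files are assumptions made for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added illustration. Pattern from the report: <dir>/.<basename>.<ext>,
 * created or truncated, following whatever already exists at that name. */
int open_predictable(const char *dir, const char *base, const char *ext)
{
    char p[4096];
    snprintf(p, sizeof p, "%s/.%s.%s", dir, base, ext);
    return open(p, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened: O_EXCL fails if the name already exists (even as a dangling
 * symlink); O_NOFOLLOW refuses a symlink as the last path component. */
int open_exclusive(const char *dir, const char *base, const char *ext)
{
    char p[4096];
    snprintf(p, sizeof p, "%s/.%s.%s", dir, base, ext);
    return open(p, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Hardened: unpredictable per-session directory, mode 0700 (mkdtemp).
 * The "gummi-XXXXXX" template is a hypothetical name. */
int make_private_workdir(const char *parent, char *out, size_t n)
{
    if (snprintf(out, n, "%s/gummi-XXXXXX", parent) >= (int)n) return -1;
    return mkdtemp(out) ? 0 : -1;
}

/* Self-check with constructed files: a symlink at the predictable name points
 * at keep.txt. Returns its size after the open (5 untouched, 0 truncated). */
long size_after_open(int (*opener)(const char *, const char *, const char *))
{
    const char *tmp = getenv("TMPDIR");
    char dir[256], keep[512], lnk[512];
    struct stat st;
    if (make_private_workdir(tmp ? tmp : "/tmp", dir, sizeof dir) != 0) return -1;
    snprintf(keep, sizeof keep, "%s/keep.txt", dir);
    snprintf(lnk, sizeof lnk, "%s/.thesis.tex.log", dir);
    FILE *f = fopen(keep, "w");
    if (!f) return -1;
    fputs("notes", f);
    fclose(f);
    if (symlink(keep, lnk) != 0) return -1;
    int fd = opener(dir, "thesis.tex", "log");
    if (fd >= 0) close(fd);
    long sz = stat(keep, &st) == 0 ? (long)st.st_size : -1;
    unlink(lnk); unlink(keep); rmdir(dir);
    return sz;
}
```

The self-check runs inside its own 0700 directory under one uid, so the `protected_symlinks` setting does not influence its result.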



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#756432; Package gummi. (Wed, 30 Jul 2014 22:24:10 GMT) (full text, mbox, link).


Acknowledgement sent to Daniel Stender <debian@danielstender.com>:
Extra info received and forwarded to list. (Wed, 30 Jul 2014 22:24:11 GMT) (full text, mbox, link).


Message #10 received at 756432@bugs.debian.org (full text, mbox, reply):

From: Daniel Stender <debian@danielstender.com>
To: 756432@bugs.debian.org
Subject: gummi: Uses predictable filenames in /tmp based on basename
Date: Thu, 31 Jul 2014 00:21:41 +0200
Control: tags 756432 confirmed

Thank you very much for the bug report. I'll forward this issue to 
upstream as soon as the development site is again fully working.

Greetings,
Daniel Stender

-- 
http://www.danielstender.com/blog/
PGP key: 2048R/E41BD2D0
C879 5E41 1ED7 EE80 0F2E 7D0C DBDD 4D96 E41B D2D0





Added tag(s) confirmed. Request was from Daniel Stender <debian@danielstender.com> to 756432-submit@bugs.debian.org. (Wed, 30 Jul 2014 22:24:11 GMT) (full text, mbox, link).


Set Bug forwarded-to-address to 'http://dev.midnightcoding.org/issues/510'. Request was from Daniel Stender <debian@danielstender.com> to control@bugs.debian.org. (Tue, 05 Aug 2014 16:12:08 GMT) (full text, mbox, link).


Bug reassigned from package 'gummi' to 'src:gummi'. Request was from Daniel Stender <debian@danielstender.com> to control@bugs.debian.org. (Sun, 10 Aug 2014 15:03:04 GMT) (full text, mbox, link).


No longer marked as found in versions gummi/0.6.5-3. Request was from Daniel Stender <debian@danielstender.com> to control@bugs.debian.org. (Sun, 10 Aug 2014 15:03:05 GMT) (full text, mbox, link).


Added tag(s) upstream. Request was from Daniel Stender <debian@danielstender.com> to control@bugs.debian.org. (Mon, 14 Sep 2015 07:51:03 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>:
Bug#756432; Package src:gummi. (Thu, 08 Oct 2015 11:15:12 GMT) (full text, mbox, link).


Acknowledgement sent to Daniel Stender <debian@danielstender.com>:
Extra info received and forwarded to list. Copy sent to Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>. (Thu, 08 Oct 2015 11:15:12 GMT) (full text, mbox, link).


Message #25 received at 756432@bugs.debian.org (full text, mbox, reply):

From: Daniel Stender <debian@danielstender.com>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 756432@bugs.debian.org
Subject: Re: possible security issue on gummi/0.6.5-3
Date: Thu, 08 Oct 2015 13:05:30 +0200

On 08.10.2015 13:00, Salvatore Bonaccorso wrote:
> Hello Daniel,
> 
> On Thu, Oct 08, 2015 at 12:20:27PM +0200, Daniel Stender wrote:
>> Hello,
>>
>> there was a bug reported on gummi/0.6.5-3 [1], the program uses
>> predictable filenames in /tmp [2].
>>
>> I'm going to fix that problem now (upstream is dead). Question: do
>> we have a (minor) security related problem here, which also needs to
>> be fixed for stable? I've learned from another case that this might
>> be a problematic race condition [3].
> 
> Thanks for going to fix this in unstable already. For wheezy and
> jessie: This issue does not warrant on its own a DSA, in particular
> since such issues are mitigated in Debian: cf.
> https://www.debian.org/releases/stable/amd64/release-notes/ch-whats-new.en.html#security
> 
> But: Could you fix this in wheezy and jessie via the proposed-updates
> mechanism? See
> https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#upload-stable
> 
> Regards,
> Salvatore

Thx for the quick reply!

Yes, o.k., I'm going to fix this as non-dsa over proposed updates. I guess
a CVE request on this is not necessary, is it? Are you going to create an
entry in the security tracker, anyway? 

DS

-- 
4096R/DF5182C8
46CB 1CA8 9EA3 B743 7676 1DB9 15E0 9AF4 DF51 82C8
LPI certified Linux admin (LPI000329859 64mz6f7kt4)
http://www.danielstender.com/blog/




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>:
Bug#756432; Package src:gummi. (Thu, 08 Oct 2015 11:33:04 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>. (Thu, 08 Oct 2015 11:33:04 GMT) (full text, mbox, link).


Message #30 received at 756432@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Daniel Stender <debian@danielstender.com>
Cc: 756432@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: possible security issue on gummi/0.6.5-3
Date: Thu, 8 Oct 2015 13:29:49 +0200

Hi Daniel,

On Thu, Oct 08, 2015 at 01:05:30PM +0200, Daniel Stender wrote:
> On 08.10.2015 13:00, Salvatore Bonaccorso wrote:
> > Hello Daniel,
> > 
> > On Thu, Oct 08, 2015 at 12:20:27PM +0200, Daniel Stender wrote:
> >> Hello,
> >>
> >> there was a bug reported on gummi/0.6.5-3 [1], the program uses
> >> predictable filenames in /tmp [2].
> >>
> >> I'm going to fix that problem now (upstream is dead). Question: do
> >> we have a (minor) security related problem here, which also needs to
> >> be fixed for stable? I've learned from another case that this might
> >> be a problematic race condition [3].
> > 
> > Thanks for going to fix this in unstable already. For wheezy and
> > jessie: This issue does not warrant on its own a DSA, in particular
> > since such issues are mitigated in Debian: cf.
> > https://www.debian.org/releases/stable/amd64/release-notes/ch-whats-new.en.html#security
> > 
> > But: Could you fix this in wheezy and jessie via the proposed-updates
> > mechanism? See
> > https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#upload-stable
> > 
> > Regards,
> > Salvatore
> 
> Thx for the quick reply!

You are welcome!

> Yes, o.k., I'm going to fix this as non-dsa over proposed updates. I guess
> a CVE request on this is not necessary, is it? Are you going to create an
> entry in the security tracker, anyway? 

I have actually already created a tracker entry, see
https://security-tracker.debian.org/756432 . For the CVE request: not
absolutely necessary but helps identifying it across various security
trackers. Do you want to request a CVE on your own? This needs to be
done on the oss-security mailing list:
http://oss-security.openwall.org/wiki/mailing-lists/oss-security

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>:
Bug#756432; Package src:gummi. (Thu, 08 Oct 2015 16:21:04 GMT) (full text, mbox, link).


Acknowledgement sent to Daniel Stender <debian@danielstender.com>:
Extra info received and forwarded to list. Copy sent to Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>. (Thu, 08 Oct 2015 16:21:04 GMT) (full text, mbox, link).


Message #35 received at 756432@bugs.debian.org (full text, mbox, reply):

From: Daniel Stender <debian@danielstender.com>
To: oss-security@lists.openwall.com
Cc: 756432@bugs.debian.org, Debian Security Team <team@security.debian.org>, Salvatore Bonaccorso <carnil@debian.org>
Subject: CVE request: Gummi
Date: Thu, 08 Oct 2015 18:19:05 +0200

Hello,

I request a CVE for Gummi (LaTeX editor with preview pane) [1], the current
release is 0.6.5.

The program uses predictable filenames for files in /tmp, which produces a race
condition [2].

I'm Debian maintainer for this software.

Please assign a CVE as appropriate.

Thanks,
Daniel Stender

[1] https://github.com/alexandervdm/gummi

[2] https://bugs.debian.org/756432
    gummi: Uses predictable filenames in /tmp based on basename

-- 
4096R/DF5182C8
46CB 1CA8 9EA3 B743 7676 1DB9 15E0 9AF4 DF51 82C8
LPI certified Linux admin (LPI000329859 64mz6f7kt4)
http://www.danielstender.com/blog/




Changed Bug title to 'gummi: Uses predictable filenames in /tmp based on basename (CVE-2015-7758)' from 'gummi: Uses predictable filenames in /tmp based on basename' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 08 Oct 2015 19:18:05 GMT) (full text, mbox, link).


Added tag(s) security. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 08 Oct 2015 19:18:08 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>:
Bug#756432; Package src:gummi. (Thu, 08 Oct 2015 19:18:15 GMT) (full text, mbox, link).


Acknowledgement sent to cve-assign@mitre.org:
Extra info received and forwarded to list. Copy sent to Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>. (Thu, 08 Oct 2015 19:18:15 GMT) (full text, mbox, link).


Message #44 received at 756432@bugs.debian.org (full text, mbox, reply):

From: cve-assign@mitre.org
To: debian@danielstender.com
Cc: cve-assign@mitre.org, oss-security@lists.openwall.com, 756432@bugs.debian.org, team@security.debian.org, carnil@debian.org
Subject: Re: CVE request: Gummi
Date: Thu, 8 Oct 2015 15:09:48 -0400 (EDT)

> release is 0.6.5.
> 
> The program uses predictable filenames for files in /tmp, which produces a race
> condition
> 
> I'm Debian maintainer for this software.
> 
> https://bugs.debian.org/756432

Use CVE-2015-7758.

Note that the discussion referenced by the bug report suggests that
Linux exploitability depends on the /proc/sys/fs/protected_symlinks
file.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]



Added tag(s) pending. Request was from Daniel Stender <debian@danielstender.com> to control@bugs.debian.org. (Sun, 29 Nov 2015 00:42:04 GMT) (full text, mbox, link).


Message sent on to Julian Andres Klode <jak@debian.org>:
Bug#756432. (Sun, 29 Nov 2015 00:42:07 GMT) (full text, mbox, link).


Message #49 received at 756432-submitter@bugs.debian.org (full text, mbox, reply):

From: Daniel Stender <debian@danielstender.com>
To: 756432-submitter@bugs.debian.org
Subject: Bug#756432 marked as pending
Date: Sun, 29 Nov 2015 00:39:59 +0000

tag 756432 pending
thanks

Hello,

Bug #756432 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    http://git.debian.org/?p=debian-science/packages/gummi.git;a=commitdiff;h=7d13b0b

---
commit 7d13b0b7347d691d7a84d6a245e47acf720653ea
Author: Daniel Stender <debian@danielstender.com>
Date:   Sun Nov 29 01:16:48 2015 +0100

    added no-predictable-tmpfiles.patch

diff --git a/debian/changelog b/debian/changelog
index ee181d7..e6383ef 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+gummi (0.6.5-6) unstable; urgency=medium
+
+  * Added no-predictable-tmpfiles.patch, fix of CVE-2015-7758 (Closes: #756432).
+
+ -- Daniel Stender <debian@danielstender.com>  Sun, 29 Nov 2015 01:35:11 +0100
+
 gummi (0.6.5-5) unstable; urgency=medium
 
   * deb/copyright:
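
Review bot: the new 0.6.5-6 entry at the top of this hunk names the patch and the CVE but does not say what the behaviour becomes, that is, where the build files are now created and how their names are chosen. A short clause to that effect would let someone reading the changelog judge the fix without opening the patch. The visible diff covers only debian/changelog, so the patch file itself and its debian/patches/series entry cannot be checked from these lines.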



Reply sent to Daniel Stender <debian@danielstender.com>:
You have taken responsibility. (Sun, 29 Nov 2015 01:09:04 GMT) (full text, mbox, link).


Notification sent to Julian Andres Klode <jak@debian.org>:
Bug acknowledged by developer. (Sun, 29 Nov 2015 01:09:04 GMT) (full text, mbox, link).


Message #54 received at 756432-close@bugs.debian.org (full text, mbox, reply):

From: Daniel Stender <debian@danielstender.com>
To: 756432-close@bugs.debian.org
Subject: Bug#756432: fixed in gummi 0.6.5-6
Date: Sun, 29 Nov 2015 01:04:03 +0000
Source: gummi
Source-Version: 0.6.5-6

We believe that the bug you reported is fixed in the latest version of
gummi, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 756432@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Stender <debian@danielstender.com> (supplier of updated gummi package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 29 Nov 2015 01:35:11 +0100
Source: gummi
Binary: gummi
Architecture: source
Version: 0.6.5-6
Distribution: unstable
Urgency: medium
Maintainer: Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>
Changed-By: Daniel Stender <debian@danielstender.com>
Closes: 756432
Description: 
 gummi      - GTK+ based LaTeX editor with live preview
Changes:
 gummi (0.6.5-6) unstable; urgency=medium
 .
   * Added no-predictable-tmpfiles.patch, fix of CVE-2015-7758 (Closes: #756432).




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 01 Jan 2016 07:27:26 GMT) (full text, mbox, link).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:13:40 2019; Machine Name: buxtehude
