Debian Bug report logs - #756432
gummi: Uses predictable filenames in /tmp based on basename (CVE-2015-7758)
Report forwarded to debian-bugs-dist@lists.debian.org, jak@debian.org, Daniel Stender <debian@danielstender.com>: Bug#756432; Package gummi. (Tue, 29 Jul 2014 19:45:11 GMT)
Acknowledgement sent to Julian Andres Klode <jak@debian.org>: New Bug report received and forwarded. Copy sent to jak@debian.org, Daniel Stender <debian@danielstender.com>. (Tue, 29 Jul 2014 19:45:11 GMT)
Message #5 received at submit@bugs.debian.org:
Package: gummi
Version: 0.6.5-3
Severity: normal
I opened a file called thesis.tex in gummi; this created the following
files in /tmp:
-rw-r--r-- 1 jak jak 3196 Jul 29 21:39 .thesis.tex.aux
-rw-r--r-- 1 jak jak 42672 Jul 29 21:39 .thesis.tex.log
-rw-r--r-- 1 jak jak 559 Jul 29 21:39 .thesis.tex.out
-rw-r--r-- 1 jak jak 266755 Jul 29 21:39 .thesis.tex.pdf
-rw-r--r-- 1 jak jak 885 Jul 29 21:39 .thesis.tex.toc
Obviously, this has serious implications for multi-user systems, because
two users editing a file with the same name would write to the same files
in /tmp.
I'm not sure if there are security implications here if you create symbolic
links using those names that an attacker could use to overwrite files
in /home (potentially deleting valuable user information).
-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (980, 'unstable'), (500, 'unstable'), (100, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 3.14-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages gummi depends on:
ii libc6 2.19-7
ii libcairo2 1.12.16-2
ii libgdk-pixbuf2.0-0 2.30.7-1
ii libglib2.0-0 2.40.0-3
ii libgtk2.0-0 2.24.24-1
ii libgtksourceview2.0-0 2.10.5-1
ii libgtkspell0 2.0.16-1
ii libpango-1.0-0 1.36.3-1
ii libpoppler-glib8 0.26.3-1
ii zlib1g 1:1.2.8.dfsg-1
Versions of packages gummi recommends:
ii texlive-extra-utils 2014.20140717-1
ii texlive-latex-base 2014.20140717-01
ii texlive-xetex 2014.20140717-01
gummi suggests no packages.
-- no debconf information
--
Julian Andres Klode - Debian Developer, Ubuntu Member
See http://wiki.debian.org/JulianAndresKlode and http://jak-linux.org/.
Be friendly, do not top-post, and follow RFC 1855 "Netiquette".
- If you don't I might ignore you.
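The report above describes the pattern (a scratch file under /tmp whose name is derived only from the document's basename) and the symlink concern; the MITRE reply later in this log adds that exploitability on Linux depends on fs.protected_symlinks. The following C program is an added example, not gummi's code or the Debian patch: it replays the attack inside a private scratch directory (so it runs unprivileged and is not affected by protected_symlinks, since link, target and follower belong to the same user) and shows the two-part hardening a practitioner would apply: open with O_CREAT|O_EXCL|O_NOFOLLOW so a pre-planted name is refused, and keep scratch files in a mkdtemp() directory so nothing can be pre-planted at all. The function names, the gummi-XXXXXX directory template and the important.txt victim file are this example's own assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example, not gummi's code. Path scheme mirrors the report:
 * <tmpdir>/.<basename><ext>, e.g. /tmp/.thesis.tex.aux. */

/* Vulnerable pattern: the scratch path is fully determined by the document's
 * basename, so every user editing "thesis.tex" targets the same name, and a
 * plain open(O_CREAT|O_TRUNC) follows whatever symlink was planted there. */
int open_predictable(const char *tmpdir, const char *docname, const char *ext)
{
    char path[4300];
    snprintf(path, sizeof path, "%s/.%s%s", tmpdir, docname, ext);
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened open: O_EXCL makes open() fail with EEXIST when anything already
 * sits at the path, including a dangling symlink; O_NOFOLLOW refuses a link
 * in the non-creating case; mode 0600 keeps other users out of the result. */
int open_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Hardened naming: a private mkdtemp() directory (random suffix, mode 0700)
 * under $TMPDIR or /tmp. Basename-derived names are harmless inside it
 * because no other user can pre-create anything there. */
int make_private_workdir(char *buf, size_t len)
{
    const char *base = getenv("TMPDIR");
    if (base == NULL || *base == '\0')
        base = "/tmp";
    snprintf(buf, len, "%s/gummi-XXXXXX", base);   /* template is this example's */
    return mkdtemp(buf) != NULL ? 0 : -1;
}

/* The kernel mitigation MITRE points at: with fs.protected_symlinks=1 a
 * symlink in a sticky world-writable directory is followed only when its
 * owner matches the follower or the directory owner. Returns the sysctl
 * value, or -1 when /proc is not available. */
int protected_symlinks_setting(void)
{
    FILE *f = fopen("/proc/sys/fs/protected_symlinks", "r");
    int value = -1;
    if (f != NULL) {
        if (fscanf(f, "%d", &value) != 1)
            value = -1;
        fclose(f);
    }
    return value;
}

/* Replays the attack in a private scratch directory. Returns a bitmask:
 * bit 0 = the vulnerable open truncated the victim file through the planted
 * link, bit 1 = the hardened open refused that link with EEXIST; -1 on a
 * setup failure. 3 means the bug and the fix both behaved as described. */
int replay_symlink_attack(void)
{
    char dir[4096], victim[4200], link[4200];
    struct stat st;
    int fd, result = 0;

    if (make_private_workdir(dir, sizeof dir) != 0)
        return -1;
    snprintf(victim, sizeof victim, "%s/important.txt", dir);  /* stands in for a file under /home */
    snprintf(link, sizeof link, "%s/.thesis.tex.aux", dir);

    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "valuable data\n", 14) != 14) {
        if (fd >= 0) close(fd);
        return -1;
    }
    close(fd);

    if (symlink(victim, link) != 0)        /* attacker guesses the name first */
        return -1;

    fd = open_predictable(dir, "thesis.tex", ".aux");   /* editor's O_TRUNC lands on the target */
    if (fd >= 0)
        close(fd);
    if (stat(victim, &st) == 0 && st.st_size == 0)
        result |= 1;

    fd = open_exclusive(link);             /* hardened editor: must refuse the planted name */
    if (fd < 0 && errno == EEXIST)
        result |= 2;
    else if (fd >= 0)
        close(fd);

    unlink(link);
    unlink(victim);
    rmdir(dir);
    return result;
}

int main(void)
{
    int r = replay_symlink_attack();
    printf("vulnerable open clobbered victim:    %s\n", (r & 1) ? "yes" : "no");
    printf("hardened open refused planted link:  %s\n", (r & 2) ? "yes" : "no");
    printf("fs.protected_symlinks on this host:  %d\n", protected_symlinks_setting());
    return r == 3 ? 0 : 1;
}
```

The replay deliberately runs inside a directory the process owns, which is why protected_symlinks does not intervene there; in the real /tmp the attacker's link would be owned by a different user, and on a kernel with the sysctl set to 1 the vulnerable open would fail with EACCES instead of truncating the target. That mitigation is host policy, not a property of the program, so the O_EXCL|O_NOFOLLOW open and the private mkdtemp() directory are still the fix to ship.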
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#756432; Package gummi. (Wed, 30 Jul 2014 22:24:10 GMT)
Acknowledgement sent to Daniel Stender <debian@danielstender.com>: Extra info received and forwarded to list. (Wed, 30 Jul 2014 22:24:11 GMT)
Message #10 received at 756432@bugs.debian.org:
Control: tags 756432 confirmed
Thank you very much for the bug report. I'll forward this issue to
upstream as soon as the development site is again fully working.
Greetings,
Daniel Stender
--
http://www.danielstender.com/blog/
PGP key: 2048R/E41BD2D0
C879 5E41 1ED7 EE80 0F2E 7D0C DBDD 4D96 E41B D2D0
Added tag(s) confirmed. Request was from Daniel Stender <debian@danielstender.com> to 756432-submit@bugs.debian.org. (Wed, 30 Jul 2014 22:24:11 GMT)
Bug reassigned from package 'gummi' to 'src:gummi'. Request was from Daniel Stender <debian@danielstender.com> to control@bugs.debian.org. (Sun, 10 Aug 2014 15:03:04 GMT)
No longer marked as found in versions gummi/0.6.5-3. Request was from Daniel Stender <debian@danielstender.com> to control@bugs.debian.org. (Sun, 10 Aug 2014 15:03:05 GMT)
Added tag(s) upstream. Request was from Daniel Stender <debian@danielstender.com> to control@bugs.debian.org. (Mon, 14 Sep 2015 07:51:03 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>: Bug#756432; Package src:gummi. (Thu, 08 Oct 2015 11:15:12 GMT)
Acknowledgement sent to Daniel Stender <debian@danielstender.com>: Extra info received and forwarded to list. Copy sent to Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>. (Thu, 08 Oct 2015 11:15:12 GMT)
Message #25 received at 756432@bugs.debian.org:
On 08.10.2015 13:00, Salvatore Bonaccorso wrote:
> Hello Daniel,
>
> On Thu, Oct 08, 2015 at 12:20:27PM +0200, Daniel Stender wrote:
>> Hello,
>>
>> there was a bug reported on gummi/0.6.5-3 [1], the program uses
>> predictable filenames in /tmp [2].
>>
>> I'm going to fix that problem now (upstream is dead). Question: do
>> we have a (minor) security related problem here, which also needs to
>> be fixed for stable? I've learned from another case that this might
>> be a problematic race condition [3].
>
> Thanks for going to fix this in unstable already. For wheezy and
> jessie: This issue does not warrant on its own a DSA, in particular
> since such issues are mitigated in Debian: cf.
> https://www.debian.org/releases/stable/amd64/release-notes/ch-whats-new.en.html#security
>
> But: Could you fix this in wheezy and jessie via the proposed-updates
> mechanism? See
> https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#upload-stable
>
> Regards,
> Salvatore
Thx for the quick reply!
Yes, o.k., I'm going to fix this as non-dsa over proposed updates. I guess
a CVE request on this is not necessary, is it? Are you going to create an
entry in the security tracker, anyway?
DS
--
4096R/DF5182C8
46CB 1CA8 9EA3 B743 7676 1DB9 15E0 9AF4 DF51 82C8
LPI certified Linux admin (LPI000329859 64mz6f7kt4)
http://www.danielstender.com/blog/
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>: Bug#756432; Package src:gummi. (Thu, 08 Oct 2015 11:33:04 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>. (Thu, 08 Oct 2015 11:33:04 GMT)
Message #30 received at 756432@bugs.debian.org:
Hi Daniel,
On Thu, Oct 08, 2015 at 01:05:30PM +0200, Daniel Stender wrote:
> On 08.10.2015 13:00, Salvatore Bonaccorso wrote:
> > Hello Daniel,
> >
> > On Thu, Oct 08, 2015 at 12:20:27PM +0200, Daniel Stender wrote:
> >> Hello,
> >>
> >> there was a bug reported on gummi/0.6.5-3 [1], the program uses
> >> predictable filenames in /tmp [2].
> >>
> >> I'm going to fix that problem now (upstream is dead). Question: do
> >> we have a (minor) security related problem here, which also needs to
> >> be fixed for stable? I've learned from another case that this might
> >> be a problematic race condition [3].
> >
> > Thanks for going to fix this in unstable already. For wheezy and
> > jessie: This issue does not warrant on its own a DSA, in particular
> > since such issues are mitigated in Debian: cf.
> > https://www.debian.org/releases/stable/amd64/release-notes/ch-whats-new.en.html#security
> >
> > But: Could you fix this in wheezy and jessie via the proposed-updates
> > mechanism? See
> > https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#upload-stable
> >
> > Regards,
> > Salvatore
>
> Thx for the quick reply!
You are welcome!
> Yes, o.k., I'm going to fix this as non-dsa over proposed updates. I guess
> a CVE request on this is not necessary, is it? Are you going to create an
> entry in the security tracker, anyway?
I have actually already created a tracker entry, see
https://security-tracker.debian.org/756432 . For the CVE request: not
absolutely necessary but helps identifying it across various security
trackers. Do you want to request a CVE on your own? This needs to be
done on the oss-security mailinglist:
http://oss-security.openwall.org/wiki/mailing-lists/oss-security
Regards,
Salvatore
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>: Bug#756432; Package src:gummi. (Thu, 08 Oct 2015 16:21:04 GMT)
Acknowledgement sent to Daniel Stender <debian@danielstender.com>: Extra info received and forwarded to list. Copy sent to Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>. (Thu, 08 Oct 2015 16:21:04 GMT)
Message #35 received at 756432@bugs.debian.org:
Hello,
I request a CVE for Gummi (LaTeX editor with preview pane) [1], the current
release is 0.6.5.
The program uses predictable filenames for files in /tmp, which produces a race
condition [2].
I'm Debian maintainer for this software.
Please assign a CVE as appropriate.
Thanks,
Daniel Stender
[1] https://github.com/alexandervdm/gummi
[2] https://bugs.debian.org/756432
gummi: Uses predictable filenames in /tmp based on basename
--
4096R/DF5182C8
46CB 1CA8 9EA3 B743 7676 1DB9 15E0 9AF4 DF51 82C8
LPI certified Linux admin (LPI000329859 64mz6f7kt4)
http://www.danielstender.com/blog/
Changed Bug title to 'gummi: Uses predictable filenames in /tmp based on basename (CVE-2015-7758)' from 'gummi: Uses predictable filenames in /tmp based on basename'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 08 Oct 2015 19:18:05 GMT)
Added tag(s) security. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 08 Oct 2015 19:18:08 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>: Bug#756432; Package src:gummi. (Thu, 08 Oct 2015 19:18:15 GMT)
Acknowledgement sent to cve-assign@mitre.org: Extra info received and forwarded to list. Copy sent to Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>. (Thu, 08 Oct 2015 19:18:15 GMT)
Message #44 received at 756432@bugs.debian.org:
> release is 0.6.5.
>
> The program uses predictable filenames for files in /tmp, which produces a race
> condition
>
> I'm Debian maintainer for this software.
>
> https://bugs.debian.org/756432
Use CVE-2015-7758.
Note that the discussion referenced by the bug report suggests that
Linux exploitability depends on the /proc/sys/fs/protected_symlinks
file.
--
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
Added tag(s) pending. Request was from Daniel Stender <debian@danielstender.com> to control@bugs.debian.org. (Sun, 29 Nov 2015 00:42:04 GMT)
Message sent on to Julian Andres Klode <jak@debian.org>: Bug#756432. (Sun, 29 Nov 2015 00:42:07 GMT)
Message #49 received at 756432-submitter@bugs.debian.org:
tag 756432 pending
thanks
Hello,
Bug #756432 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:
http://git.debian.org/?p=debian-science/packages/gummi.git;a=commitdiff;h=7d13b0b
---
commit 7d13b0b7347d691d7a84d6a245e47acf720653ea
Author: Daniel Stender <debian@danielstender.com>
Date: Sun Nov 29 01:16:48 2015 +0100
added no-predictable-tmpfiles.patch
diff --git a/debian/changelog b/debian/changelog
index ee181d7..e6383ef 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+gummi (0.6.5-6) unstable; urgency=medium
+
+ * Added no-predictable-tmpfiles.patch, fix of CVE-2015-7758 (Closes: #756432).
+
+ -- Daniel Stender <debian@danielstender.com> Sun, 29 Nov 2015 01:35:11 +0100
+
gummi (0.6.5-5) unstable; urgency=medium
* deb/copyright:
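Review bot: the new changelog entry (`+ * Added no-predictable-tmpfiles.patch, fix of CVE-2015-7758 (Closes: #756432).`) names the patch file but says nothing about what it changes, and the rest of the commit shown here is the changelog alone, so a reader of the package history (including anyone reviewing the wheezy/jessie proposed-updates mentioned earlier in this log) cannot tell whether the fix moves the scratch files out of the shared /tmp, stops deriving their names from the document basename, or both. Suggest one more clause in the entry describing the approach, for example `* Added no-predictable-tmpfiles.patch: <what the patch does to the /tmp file names> (CVE-2015-7758, Closes: #756432).`, and a matching Description field in the patch header.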
Reply sent to Daniel Stender <debian@danielstender.com>: You have taken responsibility. (Sun, 29 Nov 2015 01:09:04 GMT)
Notification sent to Julian Andres Klode <jak@debian.org>: Bug acknowledged by developer. (Sun, 29 Nov 2015 01:09:04 GMT)
Message #54 received at 756432-close@bugs.debian.org:
Source: gummi
Source-Version: 0.6.5-6
We believe that the bug you reported is fixed in the latest version of
gummi, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 756432@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Daniel Stender <debian@danielstender.com> (supplier of updated gummi package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sun, 29 Nov 2015 01:35:11 +0100
Source: gummi
Binary: gummi
Architecture: source
Version: 0.6.5-6
Distribution: unstable
Urgency: medium
Maintainer: Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>
Changed-By: Daniel Stender <debian@danielstender.com>
Closes: 756432
Description:
gummi - GTK+ based LaTeX editor with live preview
Changes:
gummi (0.6.5-6) unstable; urgency=medium
.
* Added no-predictable-tmpfiles.patch, fix of CVE-2015-7758 (Closes: #756432).
Checksums-Sha1:
acccbd72527390d03b59137b1296e5b35ef58ad8 2079 gummi_0.6.5-6.dsc
dc7cc00518f925629574990d13982ae050515e0b 520902 gummi_0.6.5.orig.tar.gz
3e2fafd39b10da63210710ea0ad8d3085927856e 5064 gummi_0.6.5-6.debian.tar.xz
Checksums-Sha256:
d6019ed67f7e00e8935494e6808663f84734e7f46560e1dcc80500f854410494 2079 gummi_0.6.5-6.dsc
b23c2958376ea43c701a276ad19ceac5b50d9cb32a489a10897b25aa5004fffb 520902 gummi_0.6.5.orig.tar.gz
cd6ff96c2861507a8c389ab601b2e07c0f6c61e11e485ea298eeac5e577c9f06 5064 gummi_0.6.5-6.debian.tar.xz
Files:
c6e13d478c397cb2d91dac9e007266f7 2079 tex optional gummi_0.6.5-6.dsc
da6b8736fd42ab3f5a9703a7a7917a7d 520902 tex optional gummi_0.6.5.orig.tar.gz
c5bff50cfbf9bc6ccbd141a42d07fa15 5064 tex optional gummi_0.6.5-6.debian.tar.xz
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 01 Jan 2016 07:27:26 GMT)
Last modified: Wed Jun 19 18:13:40 2019