libatk-adaptor: CVE-2012-3378: insecure tempdir handling

Related Vulnerabilities: CVE-2012-3378  

Debian Bug report logs - #678026


Reported by: Julien Cristau <jcristau@debian.org>

Date: Mon, 18 Jun 2012 18:00:01 UTC

Severity: grave

Tags: fixed-upstream, security

Found in versions at-spi2-atk/2.5.2-1, at-spi2-atk/2.0.2-1, 1.91.90

Fixed in version at-spi2-atk/2.5.3-1

Done: Samuel Thibault <sthibault@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://bugzilla.gnome.org/show_bug.cgi?id=678348



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Accessibility Team <debian-accessibility@lists.debian.org>:
Bug#678026; Package libatk-adaptor. (Mon, 18 Jun 2012 18:00:04 GMT) (full text, mbox, link).


Acknowledgement sent to Julien Cristau <jcristau@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Accessibility Team <debian-accessibility@lists.debian.org>. (Mon, 18 Jun 2012 18:00:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Julien Cristau <jcristau@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libatk-adaptor: insecure tempdir handling
Date: Mon, 18 Jun 2012 19:57:22 +0200
Package: libatk-adaptor
Version: 2.5.2-1
Severity: grave
Tags: security
Justification: user security hole

atk-adaptor/bridge.c::register_application() is a big pile of FAIL.

Cheers,
Julien

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Accessibility Team <debian-accessibility@lists.debian.org>:
Bug#678026; Package libatk-adaptor. (Mon, 18 Jun 2012 18:15:04 GMT) (full text, mbox, link).


Acknowledgement sent to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Accessibility Team <debian-accessibility@lists.debian.org>. (Mon, 18 Jun 2012 18:15:04 GMT) (full text, mbox, link).


Message #10 received at 678026@bugs.debian.org (full text, mbox, reply):

From: Julien Cristau <jcristau@debian.org>
To: 678026@bugs.debian.org
Subject: Re: Bug#678026: libatk-adaptor: insecure tempdir handling
Date: Mon, 18 Jun 2012 20:13:33 +0200
On Mon, Jun 18, 2012 at 19:57:22 +0200, Julien Cristau wrote:

> Package: libatk-adaptor
> Version: 2.5.2-1
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> atk-adaptor/bridge.c::register_application() is a big pile of FAIL.
> 
I'd suggest something like this to make things a little bit better.
(Completely untested.)

diff --git a/atk-adaptor/bridge.c b/atk-adaptor/bridge.c
index 3a28faf..98f91ef 100644
--- a/atk-adaptor/bridge.c
+++ b/atk-adaptor/bridge.c
@@ -328,6 +328,7 @@ register_application (SpiBridge * app)
   DBusError error;
   DBusPendingCall *pending;
   const int max_addr_length = 128; /* should be long enough */
+  char template[] = "/tmp/at-spi2-XXXXXX";
 
   dbus_error_init (&error);
 
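Review bot: the added `char template[] = "/tmp/at-spi2-XXXXXX";` hard-codes `/tmp` as the parent directory, so the socket directory ignores `TMPDIR` and any per-user runtime directory. The file already uses GLib (`g_malloc`), so consider building the template from `g_get_tmp_dir()`, and confirm the resulting address still fits the `max_addr_length` of 128 bytes it is later formatted into.
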
@@ -355,13 +356,11 @@ register_application (SpiBridge * app)
   if (message)
     dbus_message_unref (message);
 
-  /* could this be better, we accept some amount of race in getting the temp name*/
-  /* make sure the directory exists */
-  mkdir ("/tmp/at-spi2/", S_IRWXU|S_IRWXG|S_IRWXO|S_ISVTX);
-  chmod ("/tmp/at-spi2/", S_IRWXU|S_IRWXG|S_IRWXO|S_ISVTX);
+  if (!mkdtemp(template))
+         return FALSE;
   app->app_bus_addr = g_malloc(max_addr_length * sizeof(char));
 #ifndef DISABLE_P2P
-  sprintf (app->app_bus_addr, "unix:path=/tmp/at-spi2/socket-%d-%d", getpid(),
+  sprintf (app->app_bus_addr, "unix:path=%s/socket-%d-%d", template, getpid(),
            rand());
 #else
   app->app_bus_addr [0] = '\0';
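
Review bot: the `mkdtemp(template)` call sits above `#ifndef DISABLE_P2P`, so builds with P2P disabled still create a directory they never use and abort registration with `return FALSE` if that fails; move the call inside the `#ifndef` branch. The path also lives only in the local `template` array, so nothing can remove the directory later and each registering application leaves a `/tmp/at-spi2-XXXXXX` directory behind; keep the path on `app` and `rmdir` it at shutdown. The early `return FALSE` should be checked against the function's return type and against `pending` and anything else acquired earlier, none of which is visible in this hunk. With a variable path, `sprintf` into the fixed `max_addr_length` buffer would be safer as `snprintf` or `g_strdup_printf`.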


Cheers,
Julien




Set Bug forwarded-to-address to 'https://bugzilla.gnome.org/show_bug.cgi?id=678348'. Request was from Julien Cristau <jcristau@debian.org> to control@bugs.debian.org. (Mon, 18 Jun 2012 18:54:06 GMT) (full text, mbox, link).


Marked as found in versions 1.91.90. Request was from Samuel Thibault <sthibault@debian.org> to control@bugs.debian.org. (Tue, 19 Jun 2012 12:05:32 GMT) (full text, mbox, link).


Marked as found in versions at-spi2-atk/2.0.2-1. Request was from Samuel Thibault <sthibault@debian.org> to control@bugs.debian.org. (Tue, 19 Jun 2012 12:06:33 GMT) (full text, mbox, link).


Added tag(s) fixed-upstream. Request was from bts-link-upstream@lists.alioth.debian.org to control@bugs.debian.org. (Thu, 28 Jun 2012 16:42:18 GMT) (full text, mbox, link).


Added tag(s) pending. Request was from Anibal Monsalve Salazar <anibal@debian.org> to control@bugs.debian.org. (Fri, 29 Jun 2012 08:06:04 GMT) (full text, mbox, link).


Reply sent to Samuel Thibault <sthibault@debian.org>:
You have taken responsibility. (Fri, 29 Jun 2012 15:51:04 GMT) (full text, mbox, link).


Notification sent to Julien Cristau <jcristau@debian.org>:
Bug acknowledged by developer. (Fri, 29 Jun 2012 15:51:05 GMT) (full text, mbox, link).


Message #25 received at 678026-close@bugs.debian.org (full text, mbox, reply):

From: Samuel Thibault <sthibault@debian.org>
To: 678026-close@bugs.debian.org
Subject: Bug#678026: fixed in at-spi2-atk 2.5.3-1
Date: Fri, 29 Jun 2012 15:47:14 +0000
Source: at-spi2-atk
Source-Version: 2.5.3-1

We believe that the bug you reported is fixed in the latest version of
at-spi2-atk, which is due to be installed in the Debian FTP archive:

at-spi2-atk_2.5.3-1.debian.tar.gz
  to main/a/at-spi2-atk/at-spi2-atk_2.5.3-1.debian.tar.gz
at-spi2-atk_2.5.3-1.dsc
  to main/a/at-spi2-atk/at-spi2-atk_2.5.3-1.dsc
at-spi2-atk_2.5.3.orig.tar.xz
  to main/a/at-spi2-atk/at-spi2-atk_2.5.3.orig.tar.xz
libatk-adaptor-data_2.5.3-1_amd64.deb
  to main/a/at-spi2-atk/libatk-adaptor-data_2.5.3-1_amd64.deb
libatk-adaptor-dbg_2.5.3-1_amd64.deb
  to main/a/at-spi2-atk/libatk-adaptor-dbg_2.5.3-1_amd64.deb
libatk-adaptor_2.5.3-1_amd64.deb
  to main/a/at-spi2-atk/libatk-adaptor_2.5.3-1_amd64.deb
libatk-bridge2.0-0-dbg_2.5.3-1_amd64.deb
  to main/a/at-spi2-atk/libatk-bridge2.0-0-dbg_2.5.3-1_amd64.deb
libatk-bridge2.0-0_2.5.3-1_amd64.deb
  to main/a/at-spi2-atk/libatk-bridge2.0-0_2.5.3-1_amd64.deb
libatk-bridge2.0-dev_2.5.3-1_amd64.deb
  to main/a/at-spi2-atk/libatk-bridge2.0-dev_2.5.3-1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 678026@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Samuel Thibault <sthibault@debian.org> (supplier of updated at-spi2-atk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Thu, 28 Jun 2012 23:35:36 -0300
Source: at-spi2-atk
Binary: libatk-adaptor libatk-adaptor-dbg libatk-adaptor-data libatk-bridge2.0-0 libatk-bridge2.0-dev libatk-bridge2.0-0-dbg
Architecture: source amd64
Version: 2.5.3-1
Distribution: unstable
Urgency: low
Maintainer: Debian Accessibility Team <debian-accessibility@lists.debian.org>
Changed-By: Samuel Thibault <sthibault@debian.org>
Description: 
 libatk-adaptor - AT-SPI 2 toolkit bridge
 libatk-adaptor-data - AT-SPI 2 toolkit bridge - data
 libatk-adaptor-dbg - AT-SPI 2 toolkit bridge - debugging symbols
 libatk-bridge2.0-0 - AT-SPI 2 toolkit bridge - shared library
 libatk-bridge2.0-0-dbg - AT-SPI 2 toolkit bridge - debugging symbols
 libatk-bridge2.0-dev - Development files for the AT-SPI 2 toolkit bridge
Closes: 678026
Changes: 
 at-spi2-atk (2.5.3-1) unstable; urgency=low
 .
   [ Samuel Thibault ]
   * control: Fix Homepage URL, thanks DUCK!
   * copyright: Update.
 .
   [ Luke Yelavich ]
   * New upstream release. (Closes: #678026)
   * Add libatk-bridge2.0 series of packages for the newly introduced
     libatk-bridge shared library.





Changed Bug title to 'libatk-adaptor: CVE-2012-3378: insecure tempdir handling' from 'libatk-adaptor: insecure tempdir handling' Request was from Henri Salo <henri@nerv.fi> to control@bugs.debian.org. (Sat, 07 Jul 2012 22:21:03 GMT) (full text, mbox, link).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 07 Aug 2012 07:29:19 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:42:59 2019; Machine Name: buxtehude
