Debian Bug report logs - #772473
xbindkeys-config: CVE-2014-9513: Insecure use of temporary files
Reported by: Steve Kemp <steve@steve.org.uk>
Date: Sun, 7 Dec 2014 15:36:02 UTC
Severity: important
Tags: security
Found in version xbindkeys-config/0.1.3-2
Report forwarded to debian-bugs-dist@lists.debian.org, Joerg Jaspert <joerg@debian.org>: Bug#772473; Package xbindkeys-config. (Sun, 07 Dec 2014 15:36:06 GMT)
Acknowledgement sent to Steve Kemp <steve@steve.org.uk>: New Bug report received and forwarded. Copy sent to Joerg Jaspert <joerg@debian.org>. (Sun, 07 Dec 2014 15:36:06 GMT)
Message #5 received at submit@bugs.debian.org:
Package: xbindkeys-config
Version: 0.1.3-2
Severity: important
Tags: security
If you use this program and "view generated file" the current output
will be saved to the file /tmp/xbindkeysrc-tmp.
This allows the corruption of any file the user has permission to write
to.
Later this predictable file is used to execute commands:
/*****************************************************************************/
#define TEMP_FILE "/tmp/xbindkeysrc-tmp"   /* fixed, world-predictable path (value taken from the report above) */

void middle_apply_action(GtkWidget *parent, void *data)
{
    unlink(TEMP_FILE);                   /* remove whatever is at the path, then ... */
    save_file(TEMP_FILE);                /* ... recreate it by name: anything planted there in between is written through */
    system("killall -9 xbindkeys");
    usleep(500);
    /* printf("****\n\noutput = %d\n\n****",system("xbindkeys -f " TEMP_FILE )); */
    system("xbindkeys -f " TEMP_FILE );  /* the same predictable file is then loaded as the key-binding config */
}
Really most of this complexity could go away if we just assumed the
editor would write to a file the user specified, or ~/.xbindkeysrc.
Given the number of bugs that have been untouched for a long time this
package should probably not go into the Jessie release without a good
update.
Regardless this is a classic case of insecure-temporary files and should
almost certainly have a CVE ID allocated.
Steve
-- System Information:
Debian Release: 7.7
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16-0.bpo.2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF8, LC_CTYPE=en_US.UTF8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF8)
Shell: /bin/sh linked to /bin/dash
Versions of packages xbindkeys-config depends on:
ii libatk1.0-0 2.4.0-2
ii libc6 2.13-38+deb7u6
ii libcairo2 1.12.2-3
ii libfontconfig1 2.9.0-7.1
ii libfreetype6 2.4.9-1.1
ii libglib2.0-0 2.33.12+really2.32.4-5
ii libgtk2.0-0 2.24.10-2
ii libpango1.0-0 1.30.0-1
ii xbindkeys 1.8.5-1
ii zlib1g 1:1.2.7.dfsg-13
xbindkeys-config recommends no packages.
xbindkeys-config suggests no packages.
-- no debconf information
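The following is an added example (editor's code, not xbindkeys-config's own) of how the temp-file handling in the function quoted above can be done safely: the file is created with mkstemp(3) under a random name with O_CREAT|O_EXCL and mode 0600, so a pre-placed file or symlink at a guessable path is never opened or followed; the file is checked with lstat() before use; and the child is started via fork/exec instead of system(), so no shell re-parses the path. That last point goes beyond the report, which is about the predictable path only. The function names (create_private_tempfile, write_config_to_private_tempfile, tempfile_is_private, run_with_config, self_test), the "xbindkeysrc-XXXXXX" template, the sample config string and the use of `true` as a stand-in for the xbindkeys binary are all assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Create a private temporary file with mkstemp(3): random name, O_CREAT|O_EXCL,
 * mode 0600. Nothing an attacker pre-placed at a guessable path is opened or
 * followed. Returns the open fd and fills `path` with the name, or -1 on error.
 * (Example code; the template name is an assumption, not the project's.) */
int create_private_tempfile(char *path, size_t path_len)
{
    const char *dir = getenv("TMPDIR");
    if (dir == NULL || *dir == '\0')
        dir = "/tmp";
    int n = snprintf(path, path_len, "%s/xbindkeysrc-XXXXXX", dir);
    if (n < 0 || (size_t)n >= path_len)
        return -1;
    return mkstemp(path);
}

/* Write the generated configuration into a fresh private temp file.
 * Returns 0 on success; on failure the partial file is removed again. */
int write_config_to_private_tempfile(const char *contents, char *path, size_t path_len)
{
    int fd = create_private_tempfile(path, path_len);
    if (fd < 0)
        return -1;
    size_t len = strlen(contents), off = 0;
    while (off < len) {
        ssize_t w = write(fd, contents + off, len - off);
        if (w < 0) {
            if (errno == EINTR)
                continue;
            close(fd);
            unlink(path);
            return -1;
        }
        off += (size_t)w;
    }
    if (close(fd) != 0) {
        unlink(path);
        return -1;
    }
    return 0;
}

/* Check the file before handing it to another process: regular file (lstat, so a
 * symlink fails S_ISREG instead of being followed), owned by us, mode 0600, and
 * of the expected size. Returns 1 if all properties hold, 0 otherwise. */
int tempfile_is_private(const char *path, size_t expected_size)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return 0;
    return S_ISREG(st.st_mode)
        && st.st_uid == getuid()
        && (st.st_mode & 0777) == 0600
        && (size_t)st.st_size == expected_size;
}

/* Run `program -f path` via fork/exec rather than system(): the path is passed as
 * one argv element and no shell parses it. Returns the child's exit status or -1. */
int run_with_config(const char *program, const char *path)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execlp(program, program, "-f", path, (char *)NULL);
        _exit(127);  /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* End-to-end check on a constructed sample config; `true` stands in for the
 * xbindkeys binary so the run is self-contained. Returns 0 if every step passed. */
int self_test(void)
{
    const char *sample_cfg = "\"xterm\"\n  control + shift + t\n";  /* constructed sample */
    char path[4096];
    if (write_config_to_private_tempfile(sample_cfg, path, sizeof path) != 0)
        return 1;
    int ok = tempfile_is_private(path, strlen(sample_cfg));
    int rc = ok ? run_with_config("true", path) : -1;
    unlink(path);  /* always clean up our own file */
    if (!ok)
        return 2;
    return rc == 0 ? 0 : 3;
}

int main(void)
{
    int rc = self_test();
    printf("self_test: %s (%d)\n", rc == 0 ? "ok" : "failed", rc);
    return rc;
}
```

The unlink()-then-recreate sequence in the original cannot be made safe by adding checks around a fixed name, because the window between the check and the open remains; the fix is to let the kernel refuse to reuse an existing name (O_EXCL on a random name, which is what mkstemp does) and to keep using the fd or the mkstemp-returned path from then on.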
Information forwarded to debian-bugs-dist@lists.debian.org, Joerg Jaspert <joerg@debian.org>: Bug#772473; Package xbindkeys-config. (Mon, 08 Dec 2014 15:27:11 GMT)
Acknowledgement sent to Vasyl Kaigorodov <vkaigoro@redhat.com>: Extra info received and forwarded to list. Copy sent to Joerg Jaspert <joerg@debian.org>. (Mon, 08 Dec 2014 15:27:11 GMT)
Message #10 received at 772473@bugs.debian.org:
Hi Steve,
Did you request a CVE for it already?
The below sentence:
> This allows the corruption of any file the user has permission to
> write to.
makes me believe that the trust boundaries are not crossed here, thus
I suppose it will be tracked as a security hardening issue, and not a
flaw.
What do you think?
Thanks.
--
Vasyl Kaigorodov | Red Hat Product Security
PGP: 0xABB6E828 A7E0 87FF 5AB5 48EB 47D0 2868 217B F9FC ABB6 E828
Information forwarded to debian-bugs-dist@lists.debian.org, Joerg Jaspert <joerg@debian.org>: Bug#772473; Package xbindkeys-config. (Thu, 11 Dec 2014 17:12:08 GMT)
Acknowledgement sent to Steve Kemp <steve@steve.org.uk>: Extra info received and forwarded to list. Copy sent to Joerg Jaspert <joerg@debian.org>. (Thu, 11 Dec 2014 17:12:08 GMT)
Message #15 received at 772473@bugs.debian.org:
Sorry for the slow reply, I wasn't Cc'd so I didn't see your reply.
> Did you request a CVE for it already?
No, I did not.
> makes me believe that the trust boundaries are not crossed here, thus
> I suppose it will be tracked as a security hardening issue, and not a
> flaw.
> What do you think?
I suspect this program is only useful on a desktop system, and such
systems might have multiple users. On that basis the flaw could allow
user "a" to truncate/destroy files belonging to user "b", which is
a boundary-cross. Unless I misunderstand how you use the term?
I think that traditionally insecure uses of temporary files are
tracked as security issues even if in practice they'll never be
exploited.
e.g. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2524
Steve
--
Information forwarded to debian-bugs-dist@lists.debian.org, Joerg Jaspert <joerg@debian.org>: Bug#772473; Package xbindkeys-config. (Sun, 04 Jan 2015 09:45:04 GMT)
Acknowledgement sent to Henri Salo <henri@nerv.fi>: Extra info received and forwarded to list. Copy sent to Joerg Jaspert <joerg@debian.org>. (Sun, 04 Jan 2015 09:45:04 GMT)
Message #20 received at 772473@bugs.debian.org (PGP-signed):
CVE requested http://www.openwall.com/lists/oss-security/2015/01/03/17
--
Henri Salo
Changed Bug title to 'CVE-2014-9513: xbindkeys-config: Insecure use of temporary files' from 'xbindkeys-config: Insecure use of temporary files'. Request was from Henri Salo <henri@nerv.fi> to control@bugs.debian.org. (Mon, 05 Jan 2015 17:03:09 GMT)
Changed Bug title to 'xbindkeys-config: CVE-2014-9513: Insecure use of temporary files' from 'CVE-2014-9513: xbindkeys-config: Insecure use of temporary files'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 05 Jan 2015 17:39:08 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:20:42 2019; Machine Name: buxtehude. Debian Bug tracking system.