Recent Vulnerabilities Research Posts Trends Blog About Contact

Related Vulnerabilities: CVE-2014-9513 CVE-2014-2524

Source

Debian Bug report logs - #772473
xbindkeys-config: CVE-2014-9513: Insecure use of temporary files

Package: xbindkeys-config; Maintainer for xbindkeys-config is Joerg Jaspert <joerg@debian.org>; Source for xbindkeys-config is src:xbindkeys-config (PTS, buildd, popcon).

Reported by: Steve Kemp <steve@steve.org.uk>

Date: Sun, 7 Dec 2014 15:36:02 UTC

Severity: important

Tags: security

Found in version xbindkeys-config/0.1.3-2

Reply or subscribe to this bug.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, Joerg Jaspert <joerg@debian.org>:
Bug#772473; Package xbindkeys-config. (Sun, 07 Dec 2014 15:36:06 GMT) (full text, mbox, link).

Acknowledgement sent to Steve Kemp <steve@steve.org.uk>:
New Bug report received and forwarded. Copy sent to Joerg Jaspert <joerg@debian.org>. (Sun, 07 Dec 2014 15:36:06 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

Package: xbindkeys-config
Version: 0.1.3-2
Severity: important
Tags: security

If you use this program and "view generated file" the current output
will be saved to the file /tmp/xbindkeysrc-tmp.

This allows the corruption of any file the user has permission to write
to.

Later this predictable file is used to execute commands:

/*****************************************************************************/
void middle_apply_action(GtkWidget *parent, void *data)
{

  unlink(TEMP_FILE); 
  save_file(TEMP_FILE);
  system("killall -9 xbindkeys");
  usleep(500);
  /* printf("****\n\noutput = %d\n\n****",system("xbindkeys -f " TEMP_FILE )); */
  system("xbindkeys -f " TEMP_FILE );
}


Really most of this complexity could go away if we just assumed the
editor would write to a file the user specified, or ~/.xbindkeysrc.


Given the number of bugs that have been untouched for a long time this
package should probably not go into the Jessie release without a good
update.

Regardless this is a classic case of insecure-temporary files and should
almost certainly have a CVE ID allocated.

Steve


-- System Information:
Debian Release: 7.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16-0.bpo.2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF8, LC_CTYPE=en_US.UTF8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF8)
Shell: /bin/sh linked to /bin/dash

Versions of packages xbindkeys-config depends on:
ii  libatk1.0-0     2.4.0-2
ii  libc6           2.13-38+deb7u6
ii  libcairo2       1.12.2-3
ii  libfontconfig1  2.9.0-7.1
ii  libfreetype6    2.4.9-1.1
ii  libglib2.0-0    2.33.12+really2.32.4-5
ii  libgtk2.0-0     2.24.10-2
ii  libpango1.0-0   1.30.0-1
ii  xbindkeys       1.8.5-1
ii  zlib1g          1:1.2.7.dfsg-13

xbindkeys-config recommends no packages.

xbindkeys-config suggests no packages.

-- no debconf information

Information forwarded to debian-bugs-dist@lists.debian.org, Joerg Jaspert <joerg@debian.org>:
Bug#772473; Package xbindkeys-config. (Mon, 08 Dec 2014 15:27:11 GMT) (full text, mbox, link).

Acknowledgement sent to Vasyl Kaigorodov <vkaigoro@redhat.com>:
Extra info received and forwarded to list. Copy sent to Joerg Jaspert <joerg@debian.org>. (Mon, 08 Dec 2014 15:27:11 GMT) (full text, mbox, link).

Message #10 received at 772473@bugs.debian.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

Hi Steve,

Did you request a CVE for it already?
The below sentence:

> This allows the corruption of any file the user has permission to
> write to.

make me believe that the trust boundaries are not crossed here, thus
I suppose it will be tracked as a secuirity hardening issue, and not a
flaw.
What do you think?

Thanks.
-- 
Vasyl Kaigorodov | Red Hat Product Security
PGP:  0xABB6E828 A7E0 87FF 5AB5 48EB 47D0 2868 217B F9FC ABB6 E828

[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Joerg Jaspert <joerg@debian.org>:
Bug#772473; Package xbindkeys-config. (Thu, 11 Dec 2014 17:12:08 GMT) (full text, mbox, link).

Acknowledgement sent to Steve Kemp <steve@steve.org.uk>:
Extra info received and forwarded to list. Copy sent to Joerg Jaspert <joerg@debian.org>. (Thu, 11 Dec 2014 17:12:08 GMT) (full text, mbox, link).

Message #15 received at 772473@bugs.debian.org (full text, mbox, reply):

  Sorry for the slow reply, I wasn't Cc'd so I didn't see your reply.


> Did you request a CVE for it already?

  No, I did not.

> make me believe that the trust boundaries are not crossed here, thus
> I suppose it will be tracked as a secuirity hardening issue, and not a
> flaw.
> What do you think?

  I suspect this program is only useful on a desktop system, and such
 systems might have multiple users.  On that basis the flaw could allow
 user "a" to truncate/destroy files belonging to user "b", which is
 a boundary-cross.  Unless I misunderstand how you use the term?

  I think that traditionally insecure uses of temporary files are
 tracked as security issues even if in practice they'll never be
 exploited.
 e.g. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2524

Steve
--

Information forwarded to debian-bugs-dist@lists.debian.org, Joerg Jaspert <joerg@debian.org>:
Bug#772473; Package xbindkeys-config. (Sun, 04 Jan 2015 09:45:04 GMT) (full text, mbox, link).

Acknowledgement sent to Henri Salo <henri@nerv.fi>:
Extra info received and forwarded to list. Copy sent to Joerg Jaspert <joerg@debian.org>. (Sun, 04 Jan 2015 09:45:04 GMT) (full text, mbox, link).

Message #20 received at 772473@bugs.debian.org (full text, mbox, reply):

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE requested http://www.openwall.com/lists/oss-security/2015/01/03/17

- -- 
Henri Salo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlSpCtYACgkQXf6hBi6kbk+PYACgiWtl5na2ZN0KOi0Zu9LPFhB8
Za8AmwS2rNce+xYRP/UDyWxDfMe0it+d
=+RxR
-----END PGP SIGNATURE-----

Changed Bug title to 'CVE-2014-9513: xbindkeys-config: Insecure use of temporary files' from 'xbindkeys-config: Insecure use of temporary files' Request was from Henri Salo <henri@nerv.fi> to control@bugs.debian.org. (Mon, 05 Jan 2015 17:03:09 GMT) (full text, mbox, link).

Changed Bug title to 'xbindkeys-config: CVE-2014-9513: Insecure use of temporary files' from 'CVE-2014-9513: xbindkeys-config: Insecure use of temporary files' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 05 Jan 2015 17:39:08 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:20:42 2019; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

xbindkeys-config: CVE-2014-9513: Insecure use of temporary files

Debian Bug report logs - #772473
xbindkeys-config: CVE-2014-9513: Insecure use of temporary files

Vulmon Search

About

Products

Connect

xbindkeys-config: CVE-2014-9513: Insecure use of temporary files

Debian Bug report logs - #772473 xbindkeys-config: CVE-2014-9513: Insecure use of temporary files

Vulmon Search

About

Products

Connect

Debian Bug report logs - #772473
xbindkeys-config: CVE-2014-9513: Insecure use of temporary files