CVE-2007-6061: possible symlink attack

Related Vulnerabilities: CVE-2007-6061   CVE-2007-6103  

Debian Bug report logs - #453283
CVE-2007-6061: possible symlink attack


Reported by: Steffen Joeris <steffen.joeris@skolelinux.de>

Date: Wed, 28 Nov 2007 10:30:01 UTC

Severity: grave

Tags: patch, security

Fixed in version audacity/1.3.4-1.1

Done: Nico Golde <nion@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Multimedia Team <debian-multimedia@lists.debian.org>:
Bug#453283; Package audacity.


Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Multimedia Team <debian-multimedia@lists.debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2007-6061: possible symlink attack
Date: Wed, 28 Nov 2007 21:28:21 +1100
Package: audacity
Severity: grave
Tags: security
Justification: user security hole

Hi

The following CVE[0] has been issued against audacity.

CVE-2007-6061: 

Audacity 1.3.2 creates a temporary directory with a predictable name
without checking for previous existence of that directory, which allows
local users to cause a denial of service (recording deadlock) by
creating the directory before Audacity is run. NOTE: this issue can be
leveraged to delete arbitrary files or directories via a symlink attack.

Please mention the CVE id in your changelog, when you fix this bug.
Thanks for your efforts.

Cheers
Steffen

[0]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6061




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Team <debian-multimedia@lists.debian.org>:
Bug#453283; Package audacity.


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Team <debian-multimedia@lists.debian.org>.


Message #10 received at 453283@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Steffen Joeris <steffen.joeris@skolelinux.de>
Cc: 453283@bugs.debian.org, team@security.debian.org
Subject: Re: CVE-2007-6103: remote DoS
Date: Wed, 28 Nov 2007 23:47:24 +0100
Steffen Joeris wrote:
> CVE-2007-6103: 
> 
> I Hear U (IHU) 0.5.6 and earlier allows remote attackers to cause (1) a
> denial of service (infinite loop) via a packet that contains zero in the
> size field in its header, which is improperly handled by the
> Receiver::processPacket function; and (2) a denial of service (daemon
> crash) via an (a) IHU_INFO_INIT or a (b) IHU_INFO_RING packet that does
> not specify the mode, which is improperly handled by the Player::ring
> function in Player.cpp.
> 
> When you fix this, please mention the CVE id in your changelog.
> Thanks for your efforts.

I'm not convinced that this is more than a regular bug: ihu is

| Description: Qt VoIP softphone with an own, encrypted protocol
| IHU creates an audio stream between two computers easily and with the minimal
| traffic on the network.

Performing the "attack" described above is effectively a creative way to
hang up. We wouldn't call hanging up remote DoS either...

Cheers,
        Moritz




Severity set to `normal' from `grave' Request was from Steffen Joeris <steffen.joeris@skolelinux.de> to control@bugs.debian.org. (Thu, 29 Nov 2007 12:00:24 GMT)


Severity set to `grave' from `normal' Request was from Steffen Joeris <steffen.joeris@skolelinux.de> to control@bugs.debian.org. (Thu, 29 Nov 2007 12:06:17 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Team <debian-multimedia@lists.debian.org>:
Bug#453283; Package audacity.


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Team <debian-multimedia@lists.debian.org>.


Message #19 received at 453283@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>, 453283@bugs.debian.org
Subject: Re: Bug#453283: CVE-2007-6103: remote DoS
Date: Sun, 2 Dec 2007 15:14:28 +0100
[Message part 1 (text/plain, inline)]
Hi,
* Moritz Muehlenhoff <jmm@inutil.org> [2007-11-29 00:12]:
> Steffen Joeris wrote:
> > CVE-2007-6103: 
> > 
> > I Hear U (IHU) 0.5.6 and earlier allows remote attackers to cause (1) a
> > denial of service (infinite loop) via a packet that contains zero in the
> > size field in its header, which is improperly handled by the
> > Receiver::processPacket function; and (2) a denial of service (daemon
> > crash) via an (a) IHU_INFO_INIT or a (b) IHU_INFO_RING packet that does
> > not specify the mode, which is improperly handled by the Player::ring
> > function in Player.cpp.
> > 
> > When you fix this, please mention the CVE id in your changelog.
> > Thanks for your efforts.
> 
> I'm not convinced that this is more than a regular bug: ihu is
> 
> | Description: Qt VoIP softphone with an own, encrypted protocol
> | IHU creates an audio stream between two computers easily and with the minimal
> | traffic on the network.
> 
> Performing the "attack" described above is effectively a creative way to
> hang up. We wouldn't call hanging up remote DoS either...

This seems to be for #453280 :)
Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Team <debian-multimedia@lists.debian.org>:
Bug#453283; Package audacity.


Acknowledgement sent to Joost Yervante Damad <joost@damad.be>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Team <debian-multimedia@lists.debian.org>.


Message #24 received at 453283@bugs.debian.org:

From: Joost Yervante Damad <joost@damad.be>
To: 453283@bugs.debian.org
Subject: Re: Bug#453283: CVE-2007-6061: possible symlink attack
Date: Tue, 4 Dec 2007 20:51:57 +0100
On Wednesday 28 November 2007 11:28:21 Steffen Joeris wrote:
> Package: audacity
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Hi
>
> The following CVE[0] has been issued against audacity.
>
> CVE-2007-6061:
>
> Audacity 1.3.2 creates a temporary directory with a predictable name
> without checking for previous existence of that directory, which allows
> local users to cause a denial of service (recording deadlock) by
> creating the directory before Audacity is run. NOTE: this issue can be
> leveraged to delete arbitrary files or directories via a symlink attack.
>
> Please mention the CVE id in your changelog, when you fix this bug.
> Thanks for your efforts.

Does anyone have an idea how to fix this? I scanned through the code, but did 
not find a "quick" solution, besides disabling the /tmp/audacity1.2-<LOGNAME> 
altogether.

I also checked upstream CVS and they don't have a fix yet.

Joost






Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Team <debian-multimedia@lists.debian.org>:
Bug#453283; Package audacity.


Acknowledgement sent to Luk Claes <luk@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Team <debian-multimedia@lists.debian.org>.


Message #29 received at 453283@bugs.debian.org:

From: Luk Claes <luk@debian.org>
To: Joost Yervante Damad <joost@damad.be>
Cc: 453283@bugs.debian.org
Subject: Re: Bug#453283: CVE-2007-6061: possible symlink attack
Date: Sat, 29 Dec 2007 01:04:34 +0100
On Tue, Dec 04, 2007 at 08:51:57PM +0100, Joost Yervante Damad wrote:
> On Wednesday 28 November 2007 11:28:21 Steffen Joeris wrote:
> > Package: audacity
> > Severity: grave
> > Tags: security
> > Justification: user security hole
> >
> > Hi
> >
> > The following CVE[0] has been issued against audacity.
> >
> > CVE-2007-6061:
> >
> > Audacity 1.3.2 creates a temporary directory with a predictable name
> > without checking for previous existence of that directory, which allows
> > local users to cause a denial of service (recording deadlock) by
> > creating the directory before Audacity is run. NOTE: this issue can be
> > leveraged to delete arbitrary files or directories via a symlink attack.
> >
> > Please mention the CVE id in your changelog, when you fix this bug.
> > Thanks for your efforts.
> 
> Does anyone have an idea how to fix this? I scanned through the code, but did 
> not find a "quick" solution, besides disabling the /tmp/audacity1.2-<LOGNAME> 
> altogether.

Well, the easiest solution is to have a random name of the directory (mktemp -d for instance can create such a directory very easily).

Cheers

Luk




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Team <debian-multimedia@lists.debian.org>:
Bug#453283; Package audacity.


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Team <debian-multimedia@lists.debian.org>.


Message #34 received at 453283@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 453283@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#453283: CVE-2007-6061: possible symlink attack
Date: Mon, 21 Jan 2008 20:14:27 +0100
[Message part 1 (text/plain, inline)]
tags 453283 + patch
--

Hi,
* Luk Claes <luk@debian.org> [2007-12-29 02:33]:
> On Tue, Dec 04, 2007 at 08:51:57PM +0100, Joost Yervante Damad wrote:
> > On Wednesday 28 November 2007 11:28:21 Steffen Joeris wrote:
[...] 
> > Does anyone have an idea how to fix this? I scanned through the code, but did 
> > not find a "quick" solution, besides disabling the /tmp/audacity1.2-<LOGNAME> 
> > altogether.
> 
> Well, the easiest solution is to have a random name of the 
> directory (mktemp -d for instance can create such a 
> directory very easily).

Attached is a patch for an NMU that fixes this problem by 
moving the temp directory to the user's home directory.
I have chosen this method because audacity-data is already 
located in the user's home directory.

Additionally I added a NEWS file to alert users who already 
installed audacity and thus are already vulnerable.

The patch will also be archived on:
http://people.debian.org/~nion/nmu-diff/audacity-1.3.4-1_1.3.4-1.1.patch

NOTE: this is no patch for the upstream version as it does 
not fix this bug for MacOS and Windows users.

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[audacity-1.3.4-1_1.3.4-1.1.patch (text/x-diff, attachment)]
[Message part 3 (application/pgp-signature, inline)]
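
Added example (not part of this bug log, the NMU patch or Audacity's code): the two fixes discussed in the thread, in C. The first is a randomly named directory via mkdtemp(), as Luk suggests; the second is a fixed per-user directory that gets the existence check the CVE text says is missing. The function names and the /tmp/scratch-demo path are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Option 1: mkdtemp() picks an unpredictable name and creates the directory
 * atomically with mode 0700. tmpl must end in "XXXXXX" and is rewritten
 * in place. Returns 0 on success, -1 on failure. */
int make_random_tmpdir(char *tmpl)
{
    return mkdtemp(tmpl) != NULL ? 0 : -1;
}

/* Option 2: fixed name (for example under $HOME), but an already existing
 * entry is only accepted after it has been checked.
 * Returns 0 if path is a private directory owned by us, -1 otherwise. */
int use_fixed_private_dir(const char *path)
{
    struct stat st;

    if (mkdir(path, 0700) == 0)
        return 0;                         /* freshly created by us */
    if (errno != EEXIST)
        return -1;
    if (lstat(path, &st) != 0)            /* lstat: do not follow symlinks */
        return -1;
    if (!S_ISDIR(st.st_mode))             /* symlink, regular file, ... */
        return -1;
    if (st.st_uid != geteuid())           /* pre-created by another user */
        return -1;
    if (st.st_mode & (S_IRWXG | S_IRWXO)) /* group/other have access */
        return -1;
    return 0;
}

int main(void)
{
    char tmpl[] = "/tmp/scratch-demo-XXXXXX";   /* constructed sample path */

    if (make_random_tmpdir(tmpl) != 0) {
        perror("mkdtemp");
        return 1;
    }
    printf("created %s\n", tmpl);
    rmdir(tmpl);
    return 0;
}
```

In both cases a failure return means the program should stop using that path rather than fall back to whatever already exists there.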

Tags added: patch Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Mon, 21 Jan 2008 19:15:09 GMT)


Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility.


Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Bug acknowledged by developer.


Message #41 received at 453283-close@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 453283-close@bugs.debian.org
Subject: Bug#453283: fixed in audacity 1.3.4-1.1
Date: Mon, 21 Jan 2008 20:47:05 +0000
Source: audacity
Source-Version: 1.3.4-1.1

We believe that the bug you reported is fixed in the latest version of
audacity, which is due to be installed in the Debian FTP archive:

audacity_1.3.4-1.1.diff.gz
  to pool/main/a/audacity/audacity_1.3.4-1.1.diff.gz
audacity_1.3.4-1.1.dsc
  to pool/main/a/audacity/audacity_1.3.4-1.1.dsc
audacity_1.3.4-1.1_i386.deb
  to pool/main/a/audacity/audacity_1.3.4-1.1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 453283@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated audacity package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 21 Jan 2008 19:08:54 +0100
Source: audacity
Binary: audacity
Architecture: source i386
Version: 1.3.4-1.1
Distribution: unstable
Urgency: high
Maintainer: Debian Multimedia Team <debian-multimedia@lists.debian.org>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 audacity   - A fast, cross-platform audio editor
Closes: 453283
Changes: 
 audacity (1.3.4-1.1) unstable; urgency=high
 .
   * Non-maintainer upload by security team.
   * Fix insecure directory creation in /tmp by moving the directory
     to the users home directory (CVE-2007-6061; Closes: #453283).
   * Adding NEWS file to advise the user to change the tmp path
     in his config file so there is a notification for users who
     are already vulnerable.
Files: 
 254c2f5c46969235b4dd7c7805c4b1f4 983 sound optional audacity_1.3.4-1.1.dsc
 68707f838a7a262301746c2c21458ecc 22152 sound optional audacity_1.3.4-1.1.diff.gz
 63c15dba4d8dd26ca579371dc457256b 2948366 sound optional audacity_1.3.4-1.1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHlPcCHYflSXNkfP8RAuWgAKCTgkSQdIWJ29WV2Jg5eAF4Ae3BoACfZvNk
OyvukoH+QAmKP/DaT29qzJc=
=96fj
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 16 Feb 2009 08:37:27 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:50:38 2019; Machine Name: buxtehude
