Debian Bug report logs - #453283
CVE-2007-6061: possible symlink attack
Reported by: Steffen Joeris <steffen.joeris@skolelinux.de>
Date: Wed, 28 Nov 2007 10:30:01 UTC
Severity: grave
Tags: patch, security
Fixed in version audacity/1.3.4-1.1
Done: Nico Golde <nion@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Multimedia Team <debian-multimedia@lists.debian.org>: Bug#453283; Package audacity.
Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>: New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Multimedia Team <debian-multimedia@lists.debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: audacity
Severity: grave
Tags: security
Justification: user security hole
Hi
The following CVE[0] has been issued against audacity.
CVE-2007-6061:
Audacity 1.3.2 creates a temporary directory with a predictable name
without checking for previous existence of that directory, which allows
local users to cause a denial of service (recording deadlock) by
creating the directory before Audacity is run. NOTE: this issue can be
leveraged to delete arbitrary files or directories via a symlink attack.
Please mention the CVE id in your changelog, when you fix this bug.
Thanks for your efforts.
Cheers
Steffen
[0]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6061
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Team <debian-multimedia@lists.debian.org>: Bug#453283; Package audacity.
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Debian Multimedia Team <debian-multimedia@lists.debian.org>.
Message #10 received at 453283@bugs.debian.org:
Steffen Joeris wrote:
> CVE-2007-6103:
>
> I Hear U (IHU) 0.5.6 and earlier allows remote attackers to cause (1) a
> denial of service (infinite loop) via a packet that contains zero in the
> size field in its header, which is improperly handled by the
> Receiver::processPacket function; and (2) a denial of service (daemon
> crash) via an (a) IHU_INFO_INIT or a (b) IHU_INFO_RING packet that does
> not specify the mode, which is improperly handled by the Player::ring
> function in Player.cpp.
>
> When you fix this, please mention the CVE id in your changelog.
> Thanks for your efforts.
I'm not convinced that this is more than a regular bug: ihu is
| Description: Qt VoIP softphone with an own, encrypted protocol
| IHU creates an audio stream between two computers easily and with the minimal
| traffic on the network.
Performing the "attack" described above is effectively a creative way to
hang up. We wouldn't call hanging up remote DoS either...
Cheers,
Moritz
Severity set to `normal' from `grave'
Request was from Steffen Joeris <steffen.joeris@skolelinux.de> to control@bugs.debian.org (Thu, 29 Nov 2007 12:00:24 GMT).
Severity set to `grave' from `normal'
Request was from Steffen Joeris <steffen.joeris@skolelinux.de> to control@bugs.debian.org (Thu, 29 Nov 2007 12:06:17 GMT).
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Team <debian-multimedia@lists.debian.org>: Bug#453283; Package audacity.
Acknowledgement sent to Nico Golde <nion@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Multimedia Team <debian-multimedia@lists.debian.org>.
Message #19 received at 453283@bugs.debian.org:
Hi,
* Moritz Muehlenhoff <jmm@inutil.org> [2007-11-29 00:12]:
> Steffen Joeris wrote:
> > CVE-2007-6103:
> >
> > I Hear U (IHU) 0.5.6 and earlier allows remote attackers to cause (1) a
> > denial of service (infinite loop) via a packet that contains zero in the
> > size field in its header, which is improperly handled by the
> > Receiver::processPacket function; and (2) a denial of service (daemon
> > crash) via an (a) IHU_INFO_INIT or a (b) IHU_INFO_RING packet that does
> > not specify the mode, which is improperly handled by the Player::ring
> > function in Player.cpp.
> >
> > When you fix this, please mention the CVE id in your changelog.
> > Thanks for your efforts.
>
> I'm not convinced that this is more than a regular bug: ihu is
>
> | Description: Qt VoIP softphone with an own, encrypted protocol
> | IHU creates an audio stream between two computers easily and with the minimal
> | traffic on the network.
>
> Performing the "attack" described above is effectively a creative way to
> hang up. We wouldn't call hanging up remote DoS either...
This seems to be for #453280 :)
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Team <debian-multimedia@lists.debian.org>: Bug#453283; Package audacity.
Acknowledgement sent to Joost Yervante Damad <joost@damad.be>: Extra info received and forwarded to list. Copy sent to Debian Multimedia Team <debian-multimedia@lists.debian.org>.
Message #24 received at 453283@bugs.debian.org:
On Wednesday 28 November 2007 11:28:21 Steffen Joeris wrote:
> Package: audacity
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Hi
>
> The following CVE[0] has been issued against audacity.
>
> CVE-2007-6061:
>
> Audacity 1.3.2 creates a temporary directory with a predictable name
> without checking for previous existence of that directory, which allows
> local users to cause a denial of service (recording deadlock) by
> creating the directory before Audacity is run. NOTE: this issue can be
> leveraged to delete arbitrary files or directories via a symlink attack.
>
> Please mention the CVE id in your changelog, when you fix this bug.
> Thanks for your efforts.
Does anyone have an idea how to fix this? I scanned through the code, but did
not find a "quick" solution, besides disabling the /tmp/audacity1.2-<LOGNAME>
altogether.
I also checked upstream CVS and they don't have a fix yet.
Joost
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Team <debian-multimedia@lists.debian.org>: Bug#453283; Package audacity.
Acknowledgement sent to Luk Claes <luk@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Multimedia Team <debian-multimedia@lists.debian.org>.
Message #29 received at 453283@bugs.debian.org:
On Tue, Dec 04, 2007 at 08:51:57PM +0100, Joost Yervante Damad wrote:
> On Wednesday 28 November 2007 11:28:21 Steffen Joeris wrote:
> > Package: audacity
> > Severity: grave
> > Tags: security
> > Justification: user security hole
> >
> > Hi
> >
> > The following CVE[0] has been issued against audacity.
> >
> > CVE-2007-6061:
> >
> > Audacity 1.3.2 creates a temporary directory with a predictable name
> > without checking for previous existence of that directory, which allows
> > local users to cause a denial of service (recording deadlock) by
> > creating the directory before Audacity is run. NOTE: this issue can be
> > leveraged to delete arbitrary files or directories via a symlink attack.
> >
> > Please mention the CVE id in your changelog, when you fix this bug.
> > Thanks for your efforts.
>
> Does anyone have an idea how to fix this? I scanned through the code, but did
> not find a "quick" solution, besides disabling the /tmp/audacity1.2-<LOGNAME>
> altogether.
Well, the easiest solution is to have a random name of the directory (mktemp -d for instance can create such a directory very easily).
Cheers
Luk
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Team <debian-multimedia@lists.debian.org>: Bug#453283; Package audacity.
Acknowledgement sent to Nico Golde <nion@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Multimedia Team <debian-multimedia@lists.debian.org>.
Message #34 received at 453283@bugs.debian.org:
tags 453283 + patch
--
Hi,
* Luk Claes <luk@debian.org> [2007-12-29 02:33]:
> On Tue, Dec 04, 2007 at 08:51:57PM +0100, Joost Yervante Damad wrote:
> > On Wednesday 28 November 2007 11:28:21 Steffen Joeris wrote:
[...]
> > Does anyone have an idea how to fix this? I scanned through the code, but did
> > not find a "quick" solution, besides disabling the /tmp/audacity1.2-<LOGNAME>
> > altogether.
>
> Well, the easiest solution is to have a random name of the
> directory (mktemp -d for instance can create such a
> directory very easily).
Attached is a patch for an NMU that fixes this problem by
moving the temp directory to the user's home directory.
I have chosen this method because audacity-data is already
located in the user's home directory.
Additionally I added a NEWS file to alert users who already
installed audacity and thus are already vulnerable.
The patch will be also archived on:
http://people.debian.org/~nion/nmu-diff/audacity-1.3.4-1_1.3.4-1.1.patch
NOTE: this is no patch for the upstream version as it does
not fix this bug for MacOS and Windows users.
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[audacity-1.3.4-1_1.3.4-1.1.patch (text/x-diff, attachment)]
Tags added: patch
Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org (Mon, 21 Jan 2008 19:15:09 GMT).
Reply sent to Nico Golde <nion@debian.org>: You have taken responsibility.
Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>: Bug acknowledged by developer.
Message #41 received at 453283-close@bugs.debian.org:
Source: audacity
Source-Version: 1.3.4-1.1
We believe that the bug you reported is fixed in the latest version of
audacity, which is due to be installed in the Debian FTP archive:
audacity_1.3.4-1.1.diff.gz
to pool/main/a/audacity/audacity_1.3.4-1.1.diff.gz
audacity_1.3.4-1.1.dsc
to pool/main/a/audacity/audacity_1.3.4-1.1.dsc
audacity_1.3.4-1.1_i386.deb
to pool/main/a/audacity/audacity_1.3.4-1.1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 453283@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated audacity package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Mon, 21 Jan 2008 19:08:54 +0100
Source: audacity
Binary: audacity
Architecture: source i386
Version: 1.3.4-1.1
Distribution: unstable
Urgency: high
Maintainer: Debian Multimedia Team <debian-multimedia@lists.debian.org>
Changed-By: Nico Golde <nion@debian.org>
Description:
audacity - A fast, cross-platform audio editor
Closes: 453283
Changes:
audacity (1.3.4-1.1) unstable; urgency=high
.
* Non-maintainer upload by security team.
* Fix insecure directory creation in /tmp by moving the directory
to the users home directory (CVE-2007-6061; Closes: #453283).
* Adding NEWS file to advise the user to change the tmp path
in his config file so there is a notification for users who
are already vulnerable.
Files:
254c2f5c46969235b4dd7c7805c4b1f4 983 sound optional audacity_1.3.4-1.1.dsc
68707f838a7a262301746c2c21458ecc 22152 sound optional audacity_1.3.4-1.1.diff.gz
63c15dba4d8dd26ca579371dc457256b 2948366 sound optional audacity_1.3.4-1.1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFHlPcCHYflSXNkfP8RAuWgAKCTgkSQdIWJ29WV2Jg5eAF4Ae3BoACfZvNk
OyvukoH+QAmKP/DaT29qzJc=
=96fj
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org (Mon, 16 Feb 2009 08:37:27 GMT).
Last modified: Wed Jun 19 17:50:38 2019; Machine Name: buxtehude