Bug#756565: CVE

2014-09-09 Thread Steve Kemp
On Tue Sep 09, 2014 at 12:52:38 +0300, Henri Salo wrote:

> Have you requested CVE already? If you want I can verify this issue and create
> the request.

I have not, the lack of update to the bug report made it slip my mind.

If you'd like to confirm the issues, which shouldn't be hard, and
request one then please do feel free.

Steve
--

___
pkg-multimedia-maintainers mailing list
pkg-multimedia-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers


Bug#756600: xcfa: Insecure use of temporary files, subject to race conditions

2014-07-31 Thread Steve Kemp

Package: xcfa
Version: 4.3.1-1
Severity: important
Tags: security

xcfa contains several insecure uses of temporary files.

For example the file src/get_info.c has code to test that
curl is present, in the function GetInfo_wget which
essentially runs:

wget --user-agent="Mozilla 22.0" --directory-prefix=/tmp/ http://google.fr/
..
if [ -e /tmp/index.html ]; then
    rm /tmp/index.html
fi

This is probably safe, because wget will not follow symlinks, and will
instead create index.html.1 - but any existing file called /tmp/index.html
will be removed regardless.

More serious issues exist throughout the codebase.  For example the
code in dvdread_create_recap_audio, located in src/dvd_read.c contains
this lovely function:

// Delete the previous file if it exists
g_unlink ("/tmp/get_infos_dvd.sh");
g_unlink ("/tmp/infos_dvd.txt");

fp = fopen ("/tmp/get_infos_dvd.sh", "w");

fprintf (fp, "#!/bin/sh\n");
fprintf (fp, "\n");
fprintf (fp, "set -e\n");
fprintf (fp, "\n");

..
..

system ("chmod +x /tmp/get_infos_dvd.sh");

system ("/tmp/get_infos_dvd.sh");
g_unlink ("/tmp/get_infos_dvd.sh");


Similarly the code which copies files to the trashbin, located in
src/file_trash.c, has some nice code which runs:

system ("env | grep \"KDE_FULL_SESSION\" > /tmp/tst_kde_full_session.txt");
if ((fp = fopen ("/tmp/tst_kde_full_session.txt", "r")) != NULL) {
    while (fgets (buf, MAX_CARS_KDE, fp) != NULL) {
        if (strcmp (buf, "KDE_FULL_SESSION") == 0) {
            if (strcmp (buf, "true") == 0 || strcmp (buf, "TRUE") == 0) {
                BoolRet = TRUE;
                break;
            }
        }
    }
    fclose (fp);
}
g_unlink ("/tmp/tst_kde_full_session.txt");


In short this codebase is rife with race-conditions allowing arbitrary shell
execution, via /tmp/get_infos_dvd.sh, and file truncation/deletion.

I'd strongly urge the maintainer to audit the codebase for additional issues,
with the help of upstream.



Steve
--



-- System Information:
Debian Release: 7.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.14-0.bpo.1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF8, LC_CTYPE=en_US.UTF8 (charmap=UTF-8) (ignored: LC_ALL 
set to en_US.UTF8)
Shell: /bin/sh linked to /bin/dash



Bug#756565: lives: Numerous insecure temporary files used in smogrify

2014-07-30 Thread Steve Kemp

Package: lives
Version: 1.6.2
Severity: important
Tags: security


lives contains a perl script, smogrify, which is what does
a lot of the work.

I don't want to point out line-by-line all the issues in the
smogrify script, but please consider significantly overhauling it.

There are numerous insecure uses of temporary files.  For example:

if ($command eq "get_window_id") {
    smog_system("xwininfo > \"$curtmpdir/tmpinfo\"");

    smog_system("grep \"Window id:\" \"$curtmpdir/tmpinfo\" > \"$curtmpdir/tmpinfo2\"");
    if (defined(open IN, "$curtmpdir/tmpinfo2")) {
        read IN,$win_id,128;
        close IN;
    }
}

You'll see that $curtmpdir is set to /tmp/smogrify, via code such as:

$handle=$ARGV[1];
$curtmpdir="$tmpdir/$handle";

To investigate all the issues is beyond my free timeframe, but I'd suggest
a decent starting point is to run the whole system under strace and grep
for /tmp in open|close|unlink|creat calls.

Steve
--

-- System Information:
Debian Release: 7.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.14-0.bpo.1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF8, LC_CTYPE=en_US.UTF8 (charmap=UTF-8) (ignored: LC_ALL 
set to en_US.UTF8)
Shell: /bin/sh linked to /bin/dash

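As an added example (not code from xcfa, lives, or either bug report above), this is the shape the fixed-path pattern in both reports (unlink a well-known /tmp name, fopen it, system() it) can be replaced with: a private mkdtemp() directory, O_EXCL|O_NOFOLLOW on create, an ownership/mode gate before execution, and cleanup. The names write_private_script, script_is_private, remove_private_script and the /tmp/xcfa-XXXXXX template are assumptions; smogrify's $curtmpdir would get the same treatment via File::Temp's tempdir().

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hardened replacement for the dvd_read.c pattern
 * (g_unlink + fopen("/tmp/get_infos_dvd.sh", "w") + system()).
 * mkdtemp() creates a fresh 0700 directory nobody else can enter, and
 * O_EXCL|O_NOFOLLOW refuses a name that already exists or is a symlink,
 * so nothing planted between unlink and open can ever be written to.
 * Returns 0 on success, -1 on failure; path_out receives the script path. */
int write_private_script(const char *body, char *path_out, size_t path_len)
{
    char dir[] = "/tmp/xcfa-XXXXXX";        /* assumed template; mkdtemp() fills XXXXXX */
    if (mkdtemp(dir) == NULL) return -1;
    if (snprintf(path_out, path_len, "%s/script.sh", dir) >= (int)path_len) return -1;
    int fd = open(path_out, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0700);
    if (fd < 0) return -1;
    size_t n = strlen(body);
    int ok = write(fd, body, n) == (ssize_t)n;
    close(fd);
    return ok ? 0 : -1;
}

/* Gate before system(): the path must be a regular file (lstat, so a symlink
 * is rejected), owned by us and writable by nobody else. 1 = passes, 0 = not. */
int script_is_private(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISREG(st.st_mode)) return 0;
    if (st.st_uid != getuid() || (st.st_mode & (S_IWGRP | S_IWOTH))) return 0;
    return 1;
}

/* Remove the script and the private directory holding it; 0 on success. */
int remove_private_script(const char *path)
{
    char dir[64];
    const char *slash = strrchr(path, '/');
    if (slash == NULL || (size_t)(slash - path) >= sizeof dir) return -1;
    memcpy(dir, path, slash - path);
    dir[slash - path] = '\0';
    return (unlink(path) == 0 && rmdir(dir) == 0) ? 0 : -1;
}
```

The directory is what removes the race: even if an attacker could guess the script name, they cannot create anything inside a 0700 directory they do not own, and O_EXCL means a pre-existing entry aborts rather than being truncated.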