Bug#756600: xcfa: Insecure use of temporary files, subject to race conditions

2015-03-03 Thread xcfaudio

Hello,

I just recoded xcfa-5.x.x with the gtk3 library and I also corrected the
bugs: Bug#756600

http://bugs.debian.org/756600

The latest xcfa version is available here:
http://download.tuxfamily.org/xcfaudio/xcfa_download/src/

Thank you for your patience.

Claude


On 31/07/2014 11:38, Alessio Treglia wrote:

> Hello,
>
> On Thu, Jul 31, 2014 at 10:00 AM, Steve Kemp st...@steve.org.uk wrote:
>
>> Package: xcfa
>> Version: 4.3.1-1
>> Severity: important
>> Tags: security
>>
>> xcfa contains several insecure uses of temporary files.
>
> Thank you Steve for the great work.
>
> Claude, can you please have a look at this bug? It sounds pretty serious.
>
> http://bugs.debian.org/756600
>
> Thanks in advance for any reply, and cheers!



___
pkg-multimedia-maintainers mailing list
pkg-multimedia-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers

Bug#756600: (xcfa: Insecure use of temporary files, subject to race conditions)

2014-08-15 Thread Steve

  This bug report has now resulted in two CVE identifiers,
 as discussed here:

http://www.openwall.com/lists/oss-security/2014/08/15/4

   CVE-2014-5254 - For all symlink issues.

   CVE-2014-5255 - For code execution via the temporary shell script issue.

Steve
-- 
http://www.steve.org.uk/

Bug#756600: xcfa: Insecure use of temporary files, subject to race conditions

2014-07-31 Thread Steve Kemp

Package: xcfa
Version: 4.3.1-1
Severity: important
Tags: security

xcfa contains several insecure uses of temporary files.

For example the file src/get_info.c has code to test that
curl is present, in the function GetInfo_wget which
essentially runs:

    wget --user-agent=\"Mozilla 22.0\" --directory-prefix=/tmp/ http://google.fr/
    ..
    if [ -e /tmp/index.html ]; then
        rm /tmp/index.html
    fi

This is probably safe, because wget will not follow symlinks, and will
instead create index.html.1 - but any existing file called /tmp/index.html
will be removed regardless.

More serious issues exist throughout the codebase.  For example the
code in dvdread_create_recap_audio, located in src/dvd_read.c contains
this lovely function:

    // Remove the previous file if it exists
    g_unlink ("/tmp/get_infos_dvd.sh");
    g_unlink ("/tmp/infos_dvd.txt");

    fp = fopen ("/tmp/get_infos_dvd.sh", "w");

    fprintf (fp, "#!/bin/sh\n");
    fprintf (fp, "\n");
    fprintf (fp, "set -e\n");
    fprintf (fp, "\n");

    ..
    ..

    system ("chmod +x /tmp/get_infos_dvd.sh");

    system ("/tmp/get_infos_dvd.sh");
    g_unlink ("/tmp/get_infos_dvd.sh");


Similarly the code which copies files to the trashbin, located in
src/file_trash.c, has some nice code which runs:

    system ("env | grep \"KDE_FULL_SESSION\" > /tmp/tst_kde_full_session.txt");
    if ((fp = fopen ("/tmp/tst_kde_full_session.txt", "r")) != NULL) {
        while (fgets (buf, MAX_CARS_KDE, fp) != NULL) {
            if (strcmp (buf, "KDE_FULL_SESSION") == 0) {
                if (strcmp (buf, "true") == 0 || strcmp (buf, "TRUE") == 0) {
                    BoolRet = TRUE;
                    break;
                }
            }
        }
        fclose (fp);
    }
    g_unlink ("/tmp/tst_kde_full_session.txt");


In short this codebase is rife with race-conditions allowing arbitrary shell
execution, via /tmp/get_infos_dvd.sh, and file truncation/deletion.

I'd strongly urge the maintainer to audit the codebase for additional issues,
with the help of upstream.



Steve
--



-- System Information:
Debian Release: 7.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.14-0.bpo.1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF8, LC_CTYPE=en_US.UTF8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF8)
Shell: /bin/sh linked to /bin/dash
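
Added example, not part of the bug report and not xcfa's code: the fixed-name open pattern quoted in the report next to an mkstemp()-based replacement, plus a getenv() check that needs no temporary file for KDE_FULL_SESSION. The function names and the /tmp/tmpdemo_ scratch directory are made up for this illustration, and the symlink scenario is constructed inside a private mkdtemp() directory.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* As in the report: fopen(fixed, "w") is O_CREAT|O_TRUNC and follows symlinks. */
static int write_predictable(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    return fd < 0 ? -1 : close(fd);
}

/* mkstemp(): unpredictable name, O_EXCL, mode 0600; never reuses an existing entry. */
static int write_private(char *tmpl, const char *body) {
    int fd = mkstemp(tmpl);                  /* tmpl must end in "XXXXXX" */
    if (fd < 0) return -1;
    ssize_t n = write(fd, body, strlen(body));
    return (close(fd) == 0 && n == (ssize_t)strlen(body)) ? 0 : -1;
}

/* The KDE check needs no temporary file: read the environment directly. */
int kde_full_session(void) {
    const char *v = getenv("KDE_FULL_SESSION");
    return v != NULL && (strcmp(v, "true") == 0 || strcmp(v, "TRUE") == 0);
}

/* Constructed scenario in a private mkdtemp() directory: a symlink to "victim"
   already sits at the fixed name. Returns victim's size after the write. */
long victim_size_after(int hardened) {
    char dir[] = "/tmp/tmpdemo_XXXXXX", victim[64], fixed[64], tmpl[64];
    struct stat st;
    if (!mkdtemp(dir)) return -2;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(fixed, sizeof fixed, "%s/fixed.sh", dir);
    snprintf(tmpl, sizeof tmpl, "%s/script_XXXXXX", dir);
    FILE *f = fopen(victim, "w");
    if (!f || fputs("important", f) < 0 || fclose(f) != 0) return -2;
    if (symlink(victim, fixed) != 0) return -2;
    int rc = hardened ? write_private(tmpl, "#!/bin/sh\n") : write_predictable(fixed);
    long n = (rc != 0 || stat(victim, &st) != 0) ? -2 : (long)st.st_size;
    unlink(tmpl); unlink(fixed); unlink(victim); rmdir(dir);
    return n;
}

int main(void) {
    printf("victim size after fixed-name write: %ld, after mkstemp: %ld\n",
           victim_size_after(0), victim_size_after(1));
    return 0;
}
```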



Bug#756600: xcfa: Insecure use of temporary files, subject to race conditions

2014-07-31 Thread Alessio Treglia
Hello,

On Thu, Jul 31, 2014 at 10:00 AM, Steve Kemp st...@steve.org.uk wrote:

> Package: xcfa
> Version: 4.3.1-1
> Severity: important
> Tags: security
>
> xcfa contains several insecure uses of temporary files.

Thank you Steve for the great work.

Claude, can you please have a look at this bug? It sounds pretty serious.

http://bugs.debian.org/756600

Thanks in advance for any reply, and cheers!

-- 
Alessio Treglia  | www.alessiotreglia.com
Debian Developer | ales...@debian.org
Ubuntu Core Developer|  quadris...@ubuntu.com
0416 0004 A827 6E40 BB98 90FB E8A4 8AE5 311D 765A
