Bug#756600: xcfa: Insecure use of temporary files, subject to race conditions
Hello,

I just recoded xcfa-5.x.x with the gtk3 library and I also corrected the bugs:

Bug#756600
http://bugs.debian.org/756600

The latest xcfa version is available here:
http://download.tuxfamily.org/xcfaudio/xcfa_download/src/

Thank you for your patience.
Claude

On 31/07/2014 11:38, Alessio Treglia wrote:
> Hello,
>
> On Thu, Jul 31, 2014 at 10:00 AM, Steve Kemp st...@steve.org.uk wrote:
>> Package: xcfa
>> Version: 4.3.1-1
>> Severity: important
>> Tags: security
>>
>> xcfa contains several insecure uses of temporary files.
>
> Thank you Steve for the great work.
>
> Claude, can you please have a look at this bug? It sounds pretty serious.
>
> http://bugs.debian.org/756600
>
> Thanks in advance for any reply, and cheers!

___
pkg-multimedia-maintainers mailing list
pkg-multimedia-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers
Bug#756600: (xcfa: Insecure use of temporary files, subject to race conditions)
This bug report has now resulted in two CVE identifiers, as discussed here:

http://www.openwall.com/lists/oss-security/2014/08/15/4

CVE-2014-5254 - For all symlink issues.
CVE-2014-5255 - For code execution via the temporary shell script issue.

Steve
--
http://www.steve.org.uk/
Bug#756600: xcfa: Insecure use of temporary files, subject to race conditions
Package: xcfa
Version: 4.3.1-1
Severity: important
Tags: security

xcfa contains several insecure uses of temporary files.

For example the file src/get_info.c has code to test that curl is present, in the function GetInfo_wget which essentially runs:

    wget --user-agent=\"Mozilla 22.0\" --directory-prefix=/tmp/ http://google.fr/
    ..
    if [ -e /tmp/index.html ]; then
        rm /tmp/index.html
    fi

This is probably safe, because wget will not follow symlinks, and will instead create index.html.1 - but any existing file called /tmp/index.html will be removed regardless.

More serious issues exist throughout the codebase. For example the code in dvdread_create_recap_audio, located in src/dvd_read.c contains this lovely function:

    // Delete the previous file if it exists
    g_unlink ("/tmp/get_infos_dvd.sh");
    g_unlink ("/tmp/infos_dvd.txt");

    fp = fopen ("/tmp/get_infos_dvd.sh", "w");
    fprintf (fp, "#!/bin/sh\n");
    fprintf (fp, "\n");
    fprintf (fp, "set -e\n");
    fprintf (fp, "\n");
    ..
    ..
    system ("chmod +x /tmp/get_infos_dvd.sh");
    system ("/tmp/get_infos_dvd.sh");
    g_unlink ("/tmp/get_infos_dvd.sh");

Similarly the code which copies files to the trashbin, located in src/file_trash.c, has some nice code which runs:

    system ("env | grep \"KDE_FULL_SESSION\" > /tmp/tst_kde_full_session.txt");
    if ((fp = fopen ("/tmp/tst_kde_full_session.txt", "r")) != NULL) {
        while (fgets (buf, MAX_CARS_KDE, fp) != NULL) {
            if (strcmp (buf, "KDE_FULL_SESSION") == 0) {
                if (strcmp (buf, "true") == 0 || strcmp (buf, "TRUE") == 0) {
                    BoolRet = TRUE;
                    break;
                }
            }
        }
        fclose (fp);
    }
    g_unlink ("/tmp/tst_kde_full_session.txt");

In short this codebase is rife with race-conditions allowing arbitrary shell execution, via /tmp/get_infos_dvd.sh, and file truncation/deletion.

I'd strongly urge the maintainer to audit the codebase for additional issues, with the help of upstream.

Steve
--

-- System Information:
Debian Release: 7.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.14-0.bpo.1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF8, LC_CTYPE=en_US.UTF8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF8)
Shell: /bin/sh linked to /bin/dash
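An added example, not part of the thread or of xcfa's source: one way the two patterns quoted in the report above could be written without predictable names in /tmp. The function names, the directory template and the file names inside the test directory are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Replaces the env | grep round trip: read the variable, use no temp file. */
int kde_full_session(void) {
    const char *v = getenv("KDE_FULL_SESSION");
    return v != NULL && (strcmp(v, "true") == 0 || strcmp(v, "TRUE") == 0);
}

/* Create the helper script inside a fresh owner-only directory.
 * dir_template must end in "XXXXXX". Returns a writable fd, or -1. */
int create_private_script(char *dir_template, char *out, size_t outlen) {
    if (mkdtemp(dir_template) == NULL) return -1;   /* random name, mode 0700 */
    if ((size_t)snprintf(out, outlen, "%s/get_infos_dvd.sh", dir_template) >= outlen)
        return -1;
    /* O_EXCL fails if the name exists, symlink included; mode is set here. */
    return open(out, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0700);
}

/* Edge case: with a symlink already sitting at the chosen name, exclusive
 * creation fails with EEXIST instead of writing through the link. */
int excl_refuses_symlink(const char *dir) {
    char target[4096], link_path[4096];
    snprintf(target, sizeof target, "%s/constructed-target", dir);
    snprintf(link_path, sizeof link_path, "%s/fixed-name.sh", dir);
    if (symlink(target, link_path) != 0) return -1;
    int fd = open(link_path, O_WRONLY | O_CREAT | O_EXCL, 0700);
    int refused = (fd == -1 && errno == EEXIST);
    if (fd != -1) close(fd);
    unlink(link_path);
    return refused;
}

int main(void) {
    char dir[] = "/tmp/xcfa-demo-XXXXXX", script[4096];  /* hypothetical template */
    int fd = create_private_script(dir, script, sizeof script);
    if (fd < 0) { perror("create_private_script"); return 1; }
    if (write(fd, "#!/bin/sh\nset -e\n", 17) != 17) perror("write");
    close(fd);
    printf("%s created; symlink refused: %d\n", script, excl_refuses_symlink(dir));
    unlink(script); rmdir(dir);
    return 0;
}
```

Running the script by the returned path, rather than by a fixed /tmp name, keeps both the write and the execution inside a directory that only the owner can modify.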
Bug#756600: xcfa: Insecure use of temporary files, subject to race conditions
Hello,

On Thu, Jul 31, 2014 at 10:00 AM, Steve Kemp st...@steve.org.uk wrote:
> Package: xcfa
> Version: 4.3.1-1
> Severity: important
> Tags: security
>
> xcfa contains several insecure uses of temporary files.

Thank you Steve for the great work.

Claude, can you please have a look at this bug? It sounds pretty serious.

http://bugs.debian.org/756600

Thanks in advance for any reply, and cheers!

--
Alessio Treglia | www.alessiotreglia.com
Debian Developer | ales...@debian.org
Ubuntu Core Developer | quadris...@ubuntu.com
0416 0004 A827 6E40 BB98 90FB E8A4 8AE5 311D 765A