Your message dated Wed, 10 Jun 2015 13:21:14 +0100 with message-id <camhuwoy2k_ajzdv9zmygactwqcdsbh_azzcdjltsaypf1id...@mail.gmail.com> and subject line Closing #756600 has caused the Debian Bug report #756600, regarding xcfa: Insecure use of temporary files, subject to race conditions (CVE-2014-5254 CVE-2014-5255) to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

--
756600: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=756600
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: xcfa
Version: 4.3.1-1
Severity: important
Tags: security

xcfa contains several insecure uses of temporary files.

For example the file src/get_info.c has code to test that curl is present, in the function GetInfo_wget which essentially runs:

    wget --user-agent=\"Mozilla 22.0\" --directory-prefix=/tmp/ http://google.fr/
    ..
    if [ -e /tmp/index.html ]; then
        rm /tmp/index.html
    fi

This is probably safe, because wget will not follow symlinks, and will instead create "index.html.1" - but any existing file called /tmp/index.html will be removed regardless.

More serious issues exist throughout the codebase. For example the code in dvdread_create_recap_audio, located in src/dvd_read.c, contains this lovely function:

    // Delete the previous file if it exists
    g_unlink ("/tmp/get_infos_dvd.sh");
    g_unlink ("/tmp/infos_dvd.txt");

    fp = fopen ("/tmp/get_infos_dvd.sh", "w");
    fprintf (fp, "#!/bin/sh\n");
    fprintf (fp, "\n");
    fprintf (fp, "set -e\n");
    fprintf (fp, "\n");
    ..
    ..
    system ("chmod +x /tmp/get_infos_dvd.sh");
    system ("/tmp/get_infos_dvd.sh");
    g_unlink ("/tmp/get_infos_dvd.sh");

Similarly the code which copies files to the trashbin, located in src/file_trash.c, has some nice code which runs:

    system ("env | grep \"KDE_FULL_SESSION\" > /tmp/tst_kde_full_session.txt");

    if ((fp = fopen ("/tmp/tst_kde_full_session.txt", "r")) != NULL) {
        while (fgets (buf, MAX_CARS_KDE, fp) != NULL) {
            if (strcmp (buf, "KDE_FULL_SESSION") == 0) {
                if (strcmp (buf, "true") == 0 || strcmp (buf, "TRUE") == 0) {
                    BoolRet = TRUE;
                    break;
                }
            }
        }
        fclose (fp);
    }
    g_unlink ("/tmp/tst_kde_full_session.txt");

In short this codebase is rife with race-conditions allowing arbitrary shell execution, via /tmp/get_infos_dvd.sh, and file truncation/deletion.

I'd strongly urge the maintainer to audit the codebase for additional issues, with the help of upstream.
Steve

--

-- System Information:
Debian Release: 7.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.14-0.bpo.1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF8, LC_CTYPE=en_US.UTF8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF8)
Shell: /bin/sh linked to /bin/dash
--- End Message ---
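As an added example (not xcfa's code and not part of the report above), the two patterns Steve quotes rewritten without fixed /tmp paths: the KDE_FULL_SESSION check read directly with getenv(3) instead of `env | grep` into a shared file, and the helper script created through mkstemp(3) and fchmod(2) rather than fopen()/system("chmod +x") on a predictable name. The template prefix /tmp/xcfa_script.XXXXXX and the function names are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Evaluate the session variable in memory: no temp file, so nothing
 * another local user could pre-create, truncate or race. */
int session_value_is_true(const char *value)
{
    return value != NULL && (strcmp(value, "true") == 0 || strcmp(value, "TRUE") == 0);
}
int kde_full_session(void) { return session_value_is_true(getenv("KDE_FULL_SESSION")); }

/* mkstemp() picks an unpredictable name and opens it O_CREAT|O_EXCL, so a
 * pre-planted symlink or file at that path fails instead of being followed;
 * the executable bit is set via fchmod() on the open descriptor, never by a
 * shell command on a path.  On success the path is copied out and 0 returned. */
int write_private_script(const char *body, char *path, size_t pathlen)
{
    char tmpl[] = "/tmp/xcfa_script.XXXXXX";   /* assumed template prefix */
    if (pathlen < sizeof tmpl) return -1;
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    FILE *fp = fdopen(fd, "w");
    if (fp == NULL) { close(fd); unlink(tmpl); return -1; }
    if (fputs("#!/bin/sh\nset -e\n", fp) == EOF || fputs(body, fp) == EOF ||
        fflush(fp) == EOF || fchmod(fd, 0700) != 0) {
        fclose(fp); unlink(tmpl); return -1;
    }
    if (fclose(fp) != 0) { unlink(tmpl); return -1; }
    memcpy(path, tmpl, sizeof tmpl);
    return 0;
}

/* Create a script, confirm it is a regular file (not a symlink) with mode
 * 0700, then remove it by the generated path.  Returns 0 on success. */
int demo_roundtrip(void)
{
    char path[sizeof "/tmp/xcfa_script.XXXXXX"];
    struct stat st;
    if (write_private_script("echo hello\n", path, sizeof path) != 0) return 1;
    if (lstat(path, &st) != 0) return 2;
    if (!S_ISREG(st.st_mode) || (st.st_mode & 0777) != 0700) return 3;
    return unlink(path) == 0 ? 0 : 4;
}
```

The generated path from write_private_script() is what the caller should pass to the interpreter, so the script is only ever run from the file this process itself created.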
--- Begin Message ---
Version: 5.0.1-1

--
Alessio Treglia          | www.alessiotreglia.com
Debian Developer         | [email protected]
Ubuntu Core Developer    | [email protected]
0416 0004 A827 6E40 BB98  90FB E8A4 8AE5 311D 765A
--- End Message ---

