Package: kdelibs4-dev
Version: 4:3.3.2-2
Priority: normal
Tags: patch security

Reviewing the Gentoo advisory GLSA 200503-14 [0], which refers to CAN-2005-0365, I've checked to see if our dcopidlng script was vulnerable to the symlink attack found by Davide Madrisan, even though it does not use /tmp (that's why I'm setting this bug as 'normal' severity instead of as 'important').

It seems ours (see version above) is not, because the temporary file is created in the local directory (instead of in /tmp) directly; however, the creation does provide a way for a race condition. I think the attached patch is a better fix for this issue than the one provided by Gentoo [1]. There are several bugs in Gentoo's fix:

1- The file is removed twice (once in the trap and once at the end of the fix)
2- Leaving temporary files in the home directory might not be good. mktemp -t is better since users can set their TMPDIR environment variable to point to "/home/user/tmp" if they want to, but users without a home directory (think chroot) will work in any case (falls back to /tmp)
3- The temporary file is still being created in an unsafe way (but in a safe directory), mktemp does this better

So, please use the attached patch (and maybe forward it upstream) for a next release.

Regards

Javier

[0] http://www.gentoo.org/security/en/glsa/glsa-200503-14.xml
[1] http://bugs.gentoo.org/attachment.cgi?id=51120&action=view

--- dcopidlng.orig 2005-03-08 10:49:43.000000000 +0100 +++ dcopidlng 2005-03-08 10:51:08.000000000 +0100 @@ -1,15 +1,16 @@ #!/bin/sh -trap "rm -f dcopidlng.stderr.$$" +tmpfile=`mktemp -t dcopidlng.XXXXXX` || { echo "$0: Cannot create temporary file" >&2; exit 1; } +trap " [ -f \"$tmpfile\" ] && /bin/rm -f -- \"$tmpfile\"" 0 1 2 3 13 15 if test -z "$KDECONFIG"; then KDECONFIG=kde-config fi LIBDIR="`$KDECONFIG --install data --expandvars`/dcopidlng" -perl -I"$LIBDIR" "$LIBDIR/kalyptus" --allow_k_dcop_accessors -f dcopidl $1 2> dcopidlng.stderr.$$ +perl -I"$LIBDIR" "$LIBDIR/kalyptus" --allow_k_dcop_accessors -f dcopidl $1 2> $tmpfile RET=$? if [ $RET -ne 0 ] then - cat dcopidlng.stderr.$$ >&2 + cat $tmpfile >&2 fi exit $RET
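
Review bot: `$tmpfile` is left unquoted in the added `2> $tmpfile` redirect and in `cat $tmpfile >&2`, although the new trap line quotes it. Since `mktemp -t` takes its directory from TMPDIR, a TMPDIR containing whitespace would split the path in both places; use `2> "$tmpfile"` and `cat "$tmpfile" >&2`. Separately, the trap is installed for signals 1 2 3 13 15 as well as 0, but its action only removes the file and never exits, so after a signal the script carries on to `RET=$?` and the `cat` of a file that is already gone; a signal trap that cleans up and then exits would be cleaner.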
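
An audit check for the pattern this report is about, as an added example that is not part of the original report or of kdelibs: it flags script lines that build a file name from the PID (`$$`), as the pre-patch dcopidlng does. The function names, the matching heuristic (a `$$` directly after a file-name character) and the two sample scripts, reduced from the diff above, are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the bug report: audit shell scripts for file
# names derived from the PID ($$), the pattern the patch above removes.

# Print "LINE:text" for each non-comment line where $$ is glued onto a
# file-name character (e.g. foo.stderr.$$). Exit status 0 means findings.
find_pid_names() {
    grep -n '[A-Za-z0-9_./-][$][$]' "$1" | grep -v '^[0-9]*:[[:space:]]*#'
}

# Echo the number of findings for FILE (0 when the script is clean).
count_pid_names() {
    find_pid_names "$1" | wc -l | tr -d ' '
}

# Write two constructed samples into DIR: the pre-patch and post-patch
# temp-file handling, reduced from the diff on this page.
write_samples() {
    cat > "$1/old.sh" <<'EOF'
#!/bin/sh
# stderr goes to dcopidlng.stderr.$$ in the current directory
trap "rm -f dcopidlng.stderr.$$"
perl "$LIBDIR/kalyptus" -f dcopidl $1 2> dcopidlng.stderr.$$
cat dcopidlng.stderr.$$ >&2
EOF
    cat > "$1/new.sh" <<'EOF'
#!/bin/sh
tmpfile=`mktemp -t dcopidlng.XXXXXX` || exit 1
perl "$LIBDIR/kalyptus" -f dcopidl $1 2> $tmpfile
cat $tmpfile >&2
echo "pid is $$"
EOF
}

# Demo: audit both samples in a private scratch directory.
demo_dir=$(mktemp -d) || exit 1
write_samples "$demo_dir"
for f in old.sh new.sh; do
    n=$(count_pid_names "$demo_dir/$f")
    echo "$f: $n PID-based file name(s)"
    find_pid_names "$demo_dir/$f"
done
rm -rf -- "$demo_dir"
```

The commented line in `old.sh` and the plain `echo "pid is $$"` in `new.sh` are there to show what the heuristic deliberately ignores.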