Hi, Conky currently has an open issue [1] on the security tracker for stable and oldstable, but the security team has decided that it's not important enough for a DSA, so I would like to ask if the release team could upload fixed conky packages directly to stable/oldstable instead. A patch cherry-picked from upstream git [2] fixes this issue and applies cleanly to stable; the patch needs to be slightly modified for oldstable (diffs are attached).
Background info on this issue can be found on the BTS [3], Launchpad [4], and Secunia [5]. Thanks in advance! Kind regards, - Vincent Cheng [1] http://security-tracker.debian.org/tracker/TEMP-0612033-026F3E [2] http://git.omp.am/?p=conky.git;a=patch;h=70b6f35a846f7b85bd11e66c1f23feee6b369688 [3] http://bugs.debian.org/612033 [4] https://bugs.launchpad.net/bugs/607309 [5] http://secunia.com/advisories/43225
diff -Nru a/debian/changelog b/debian/changelog
--- a/debian/changelog 2011-07-16 16:23:58.000000000 -0700
+++ b/debian/changelog 2011-07-27 18:29:34.000000000 -0700
@@ -1,3 +1,10 @@
+conky (1.6.0-2+lenny1) oldstable; urgency=low
+
+ * Patch TEMP-0612033-026F3E: security issue in Conky's "eve" module, which
+ causes Conky to be vulnerable to rewriting any user file.
+
+ -- Vincent Cheng <vincentc1...@gmail.com> Wed, 27 Jul 2011 18:29:12 -0700
+
 conky (1.6.0-2) testing; urgency=low
 
 * Backport of fixes from version 1.6.1-1.
diff -Nru a/debian/patches/fix-race-condition.patch b/debian/patches/fix-race-condition.patch
--- a/debian/patches/fix-race-condition.patch 1969-12-31 16:00:00.000000000 -0800
+++ b/debian/patches/fix-race-condition.patch 2011-07-27 18:28:51.000000000 -0700
@@ -0,0 +1,78 @@
+Description: Avoid rewriting an arbitrary user file
+ This patch fixes issue "TEMP-0612033-026F3E" in Debian's security tracker.
+Origin: upstream, http://git.omp.am/?p=conky.git;a=patch;h=70b6f35a846f7b85bd11e66c1f23feee6b369688
+Bug-Debian: http://bugs.debian.org/612033
+Bug-Ubuntu: https://launchpad.net/bugs/607309
+
+--- a/src/eve.c
++++ b/src/eve.c
+@@ -161,7 +161,7 @@
+ char *eve(char *userid, char *apikey, char *charid)
+ {
+ Character *chr = NULL;
+- const char *skillfile = "/tmp/.cesf";
++ char skillfile[] = "/tmp/.cesfXXXXXX";
+ int i = 0;
+ char *output = 0;
+ char *timel = 0;
+@@ -169,6 +169,7 @@
+ char *content = 0;
+ time_t now = 0;
+ char *error = 0;
++ int tmp_fd, old_umask;
+
+
+ for (i = 0; i < MAXCHARS; i++) {
+@@ -221,6 +222,14 @@
+
+ output = (char *)malloc(200 * sizeof(char));
+ timel = formatTime(&chr->ends);
++ old_umask = umask(0066);
++ tmp_fd = mkstemp(skillfile);
++ umask(old_umask);
++ if (tmp_fd == -1) {
++ error = strdup("Cannot create temporary file");
++ return error;
++ }
++ close(tmp_fd);
+ skill = getSkillname(skillfile, chr->skill);
+
+ chr->skillname = strdup(skill);
+@@ -294,19 +303,6 @@
+ return 1;
+ }
+
+-int file_exists(const char *filename)
+-{
+- struct stat fi;
+-
+- if ((stat(filename, &fi)) == 0) {
+- if (fi.st_size > 0)
+- return 1;
+- else
+- return 0;
+- } else
+- return 0;
+-}
+-
+ void writeSkilltree(char *content, const char *filename)
+ {
+ FILE *fp = fopen(filename, "w");
+@@ -322,13 +318,12 @@
+ xmlDocPtr doc = 0;
+ xmlNodePtr root = 0;
+
+- if (!file_exists(file)) {
+- skilltree = getXmlFromAPI(NULL, NULL, NULL, EVEURL_SKILLTREE);
+- writeSkilltree(skilltree, file);
+- free(skilltree);
+- }
++ skilltree = getXmlFromAPI(NULL, NULL, NULL, EVEURL_SKILLTREE);
++ writeSkilltree(skilltree, file);
++ free(skilltree);
+
+ doc = xmlReadFile(file, NULL, 0);
++ unlink(file);
+ if (!doc)
+ return NULL;
+
diff -Nru a/debian/patches/series b/debian/patches/series
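Review bot: Once the `file_exists()` cache is removed, the temporary file in `getSkillname()` no longer serves a purpose: the skill tree is fetched into memory, written to `file`, parsed back with `xmlReadFile(file, NULL, 0)` and unlinked straight away. `eve()` closes the `mkstemp()` descriptor and the path is then reopened by name twice (by `fopen(filename, "w")` in `writeSkilltree()` and by `xmlReadFile()`), so the exclusivity `mkstemp()` provides holds only as long as /tmp is sticky. Parsing the buffer directly, e.g. `doc = xmlReadMemory(skilltree, (int)strlen(skilltree), NULL, NULL, 0);` after a NULL check on `skilltree`, would remove the /tmp file and the `umask()`/`mkstemp()`/`unlink()` calls altogether. The same applies to the stable (1.8.0) patch further down; both function bodies continue outside the hunks shown.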
--- a/debian/patches/series 2011-07-16 16:23:58.000000000 -0700
+++ b/debian/patches/series 2011-07-27 18:28:51.000000000 -0700
@@ -3,3 +3,4 @@
 man_page_type_first_char
 move_compile_end_man_page
 fix_hyphen_man_page
+fix-race-condition.patch
diff -Nru a/debian/changelog b/debian/changelog
--- a/debian/changelog 2010-04-01 07:42:19.000000000 -0700
+++ b/debian/changelog 2011-07-27 18:25:07.000000000 -0700
@@ -1,3 +1,10 @@
+conky (1.8.0-1+squeeze1) stable; urgency=low
+
+ * Patch TEMP-0612033-026F3E: security issue in Conky's "eve" module, which
+ causes Conky to be vulnerable to rewriting any user file.
+
+ -- Vincent Cheng <vincentc1...@gmail.com> Wed, 27 Jul 2011 18:21:50 -0700
+
 conky (1.8.0-1) unstable; urgency=low
 
 * New upstream release:
diff -Nru a/debian/patches/fix-race-condition.patch b/debian/patches/fix-race-condition.patch
--- a/debian/patches/fix-race-condition.patch 1969-12-31 16:00:00.000000000 -0800
+++ b/debian/patches/fix-race-condition.patch 2011-07-15 11:31:46.000000000 -0700
@@ -0,0 +1,80 @@
+Description: Avoid rewriting an arbitrary user file
+ This patch fixes issue "TEMP-0612033-026F3E" in Debian's security tracker.
+Origin: upstream, http://git.omp.am/?p=conky.git;a=patch;h=70b6f35a846f7b85bd11e66c1f23feee6b369688
+Bug-Debian: http://bugs.debian.org/612033
+Bug-Ubuntu: https://launchpad.net/bugs/607309
+
+Index: conky-1.8.0/src/eve.c
+===================================================================
+--- conky-1.8.0.orig/src/eve.c 2011-04-03 15:15:02.658500522 +0200
++++ conky-1.8.0/src/eve.c 2011-04-03 15:14:58.162500519 +0200
+@@ -252,19 +252,6 @@
+ }
+ }
+
+-static int file_exists(const char *filename)
+-{
+- struct stat fi;
+-
+- if ((stat(filename, &fi)) == 0) {
+- if (fi.st_size > 0)
+- return 1;
+- else
+- return 0;
+- } else
+- return 0;
+-}
+-
+ static void writeSkilltree(char *content, const char *filename)
+ {
+ FILE *fp = fopen(filename, "w");
+@@ -280,13 +267,12 @@
+ xmlDocPtr doc = 0;
+ xmlNodePtr root = 0;
+
+- if (!file_exists(file)) {
+- skilltree = getXmlFromAPI(NULL, NULL, NULL, EVEURL_SKILLTREE);
+- writeSkilltree(skilltree, file);
+- free(skilltree);
+- }
++ skilltree = getXmlFromAPI(NULL, NULL, NULL, EVEURL_SKILLTREE);
++ writeSkilltree(skilltree, file);
++ free(skilltree);
+
+ doc = xmlReadFile(file, NULL, 0);
++ unlink(file);
+ if (!doc)
+ return NULL;
+
+@@ -337,7 +323,7 @@
+ static char *eve(char *userid, char *apikey, char *charid)
+ {
+ Character *chr = NULL;
+- const char *skillfile = "/tmp/.cesf";
++ char skillfile[] = "/tmp/.cesfXXXXXX";
+ int i = 0;
+ char *output = 0;
+ char *timel = 0;
+@@ -345,6 +331,7 @@
+ char *content = 0;
+ time_t now = 0;
+ char *error = 0;
++ int tmp_fd, old_umask;
+
+
+ for (i = 0; i < MAXCHARS; i++) {
+@@ -397,6 +384,14 @@
+
+ output = (char *)malloc(200 * sizeof(char));
+ timel = formatTime(&chr->ends);
++ old_umask = umask(0066);
++ tmp_fd = mkstemp(skillfile);
++ umask(old_umask);
++ if (tmp_fd == -1) {
++ error = strdup("Cannot create temporary file");
++ return error;
++ }
++ close(tmp_fd);
+ skill = getSkillname(skillfile, chr->skill);
+
+ chr->skillname = strdup(skill);
diff -Nru a/debian/patches/series b/debian/patches/series
--- a/debian/patches/series 1969-12-31 16:00:00.000000000 -0800
+++ b/debian/patches/series 2011-07-16 16:27:34.000000000 -0700
@@ -0,0 +1 @@
+fix-race-condition.patch
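Review bot: The `mkstemp()` failure branch in `eve()` returns without releasing `output`, which was allocated two lines earlier with `malloc(200 * sizeof(char))`; `timel` from `formatTime()` may leak the same way if that helper allocates, which is not visible here. Moving the `umask()`/`mkstemp()` block above the `output = ...` line, or adding `free(output);` before `return error;`, closes the leak. Separately, `getSkillname()` now fetches from the API on every call and returns NULL when `xmlReadFile()` fails, while the context line `chr->skillname = strdup(skill);` passes that result on unchecked, so a failed download deserves an explicit `if (!skill)` path. The oldstable (1.6.0) patch carries the same code; `eve()` starts and ends outside the hunk.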