Bug#340079: insecure tempfiles

2005-12-19 Thread Bill Allombert
On Sun, Nov 20, 2005 at 03:01:58PM -0800, Steve Langasek wrote:
> On Sun, Nov 20, 2005 at 10:13:00PM +0100, Bill Allombert wrote:
> > However I am not sure this is a security bug:
> > The original script creates a file named tempfile in the current
> > directory, not in /tmp.
> >
> > Would you consider this script to have a security hole?
> > #!/bin/sh
> > cat $1 > tempfile
> > mv tempfile $2
>
> Yes, because the tool may be run in an untrusted directory that can be
> written to by an attacker.

Hello Steve, I have not received any answer from the security team.
Should I upload the package to unstable in the meantime?
(the unstable version is identical to the sarge version, so in
principle a DSA addresses sarge, etch and sid at once).

Cheers,
-- 
Bill. [EMAIL PROTECTED]

Imagine a large red swirl here. 


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Bug#340079: insecure tempfiles

2005-12-19 Thread Steve Langasek
On Mon, Dec 19, 2005 at 04:01:32PM +0100, Bill Allombert wrote:
> On Sun, Nov 20, 2005 at 03:01:58PM -0800, Steve Langasek wrote:
> > On Sun, Nov 20, 2005 at 10:13:00PM +0100, Bill Allombert wrote:
> > > However I am not sure this is a security bug:
> > > The original script creates a file named tempfile in the current
> > > directory, not in /tmp.
> > >
> > > Would you consider this script to have a security hole?
> > > #!/bin/sh
> > > cat $1 > tempfile
> > > mv tempfile $2
> >
> > Yes, because the tool may be run in an untrusted directory that can be
> > written to by an attacker.
>
> Hello Steve, I have not received any answer from the security team.
> Should I upload the package to unstable in the meantime?
> (the unstable version is identical to the sarge version, so in
> principle a DSA addresses sarge, etch and sid at once).

Under the circumstances, uploading a fix to unstable seems sensible.

Cheers,
-- 
Steve Langasek   Give me a lever long enough and a Free OS
Debian Developer   to set it on, and I can move the world.
[EMAIL PROTECTED]   http://www.debian.org/


signature.asc
Description: Digital signature


Bug#340079: insecure tempfiles

2005-11-20 Thread Uwe Zeisberger
Package: libjpeg-progs
Version: 6b-10
Severity: grave
File: /usr/bin/exifautotran
Tags: security patch

Hello,

exifautotran just uses a file named tempfile for temporarily saving
the result of jpegtran.

With the attached patch applied, it uses mktemp for their creation.

Best regards
Uwe

-- System Information:
Debian Release: testing/unstable
  APT prefers testing-proposed-updates
  APT policy: (900, 'testing-proposed-updates'), (900, 'testing'), (300, 
'unstable'), (1, 'proposed-updates'), (1, 'oldstable'), (1, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14
Locale: LANG=C, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages libjpeg-progs depends on:
ii  libc6      2.3.5-6  GNU C Library: Shared libraries an
ii  libjpeg62  6b-10    The Independent JPEG Group's JPEG 

libjpeg-progs recommends no packages.

-- no debconf information






Bug#340079: insecure tempfiles

2005-11-20 Thread Steve Kemp
On Sun, Nov 20, 2005 at 08:17:17PM +0100, Uwe Zeisberger wrote:

> Tags: security patch
>
> With the attached patch applied, it uses mktemp for their creation.

  The patch is .. missing.

Steve
-- 






Bug#340079: insecure tempfiles

2005-11-20 Thread Bill Allombert
On Sun, Nov 20, 2005 at 08:17:17PM +0100, Uwe Zeisberger wrote:
> Package: libjpeg-progs
> Version: 6b-10
> Severity: grave
> File: /usr/bin/exifautotran
> Tags: security patch
>
> Hello,
>
> exifautotran just uses a file named tempfile for temporarily saving
> the result of jpegtran.
>
> With the attached patch applied, it uses mktemp for their creation.

Probably, but there was no patch attached...

Cheers,
-- 
Bill. [EMAIL PROTECTED]

Imagine a large red swirl here. 





Bug#340079: insecure tempfiles

2005-11-20 Thread Uwe Zeisberger
Steve Kemp wrote:
> On Sun, Nov 20, 2005 at 08:17:17PM +0100, Uwe Zeisberger wrote:
>   The patch is .. missing.
Uuups, sorry, here it comes...

Best regards,
Uwe

-- 
Uwe Zeisberger

<script>alert("This is a virus for Outlook")</script>
--- /usr/bin/exifautotran   2005-03-02 13:26:24.0 +0100
+++ /usr/bin/exifautotran   2005-11-20 19:57:38.612512182 +0100
@@ -3,6 +3,9 @@
 #
 # Transforms Exif files so that Orientation becomes 1
 #
+
+trap if test -n \\$tempfile\; then rm -f \\$tempfile\; fi INT QUIT TERM
+
 for i
 do
  case $i in
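Review bot: The trap handler added at the top only removes $tempfile and never exits, so after INT, QUIT or TERM the script resumes the for loop and carries on with the next file instead of stopping; end the handler with an explicit exit (for example exit 1 after the fi). HUP is not in the signal list either, so a closed terminal still leaves the temporary file behind.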
@@ -28,13 +31,21 @@
  *) transform=;;
  esac
  if test -n $transform; then
+  tempfile=`mktemp`;
+  if test $? -ne 0; then
+echo Failed to create temporary file 2
+exit 1;
+  fi
   echo Executing: jpegtran -copy all $transform $i 2
-  jpegtran -copy all $transform $i  tempfile
+  jpegtran -copy all $transform $i  $tempfile
   if test $? -ne 0; then
echo Error while transforming $i - skipped. 2
+   rm $tempfile
+   tempfile=
   else
rm $i
-   mv tempfile $i
+   mv $tempfile $i
+   tempfile=
jpegexiforient -1 $i  /dev/null
   fi
  fi
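Review bot: tempfile=`mktemp` is called without a template, so the file is created in the default temporary directory with the restrictive mode mktemp gives it, and mv $tempfile $i then puts that file in place of the image: the result no longer carries the original's permissions, and when the image lives on another filesystem the mv is a copy rather than a rename. Because rm $i has already run at that point, a failed mv loses the picture. Consider a template based on $i so the temporary file sits beside the image, carrying the original mode over, dropping the rm $i, and checking the exit status of mv; the rm $tempfile in the error branch should also be rm -f so it stays quiet when the trap has already removed the file.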




Bug#340079: insecure tempfiles

2005-11-20 Thread Bill Allombert
On Sun, Nov 20, 2005 at 08:17:17PM +0100, Uwe Zeisberger wrote:
> Package: libjpeg-progs
> Version: 6b-10
> Severity: grave
> File: /usr/bin/exifautotran
> Tags: security patch
>
> Hello,
>
> exifautotran just uses a file named tempfile for temporarily saving
> the result of jpegtran.

Note that woody is not affected since it does not include exifautotran.
Note that sarge, etch and sid include the same version.

I have put fixed packages at
http://people.Debian.org/~ballombe/jpeg

I won't upload them until I get advice from the security team.

However I am not sure this is a security bug:
The original script creates a file named tempfile in the current
directory, not in /tmp.

Would you consider this script to have a security hole?
#!/bin/sh
cat $1 > tempfile
mv tempfile $2

or even
#!/bin/sh
cat $1 > $2

Cheers,
-- 
Bill. [EMAIL PROTECTED]

Imagine a large red swirl here. 





Bug#340079: insecure tempfiles

2005-11-20 Thread Steve Langasek
On Sun, Nov 20, 2005 at 10:13:00PM +0100, Bill Allombert wrote:
> However I am not sure this is a security bug:
> The original script creates a file named tempfile in the current
> directory, not in /tmp.
>
> Would you consider this script to have a security hole?
> #!/bin/sh
> cat $1 > tempfile
> mv tempfile $2

Yes, because the tool may be run in an untrusted directory that can be
written to by an attacker.

-- 
Steve Langasek   Give me a lever long enough and a Free OS
Debian Developer   to set it on, and I can move the world.
[EMAIL PROTECTED]   http://www.debian.org/
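
The situation from this exchange (a fixed name in a directory someone else can write to), next to the mktemp approach of the patch, as an added example that is not part of the thread. The function names and the scratch-directory scenario are constructed for illustration.

```sh
#!/bin/sh
# Added example, not code from the thread; all function names are hypothetical.

# Pattern discussed in the thread: fixed name "tempfile" in the current
# directory. The redirection opens whatever already exists under that name
# and follows a symbolic link if one is there.
copy_fixed_name() {    # usage: copy_fixed_name SRC DST
    cat "$1" > tempfile && mv tempfile "$2"
}

# Hardened pattern: mktemp creates a new file under an unpredictable name
# (exclusive create, mode 0600), here next to the destination so that the
# final mv is a rename within one filesystem.
copy_mktemp() {        # usage: copy_mktemp SRC DST
    tmp=$(mktemp "$(dirname "$2")/.copy.XXXXXX") || return 1
    if cat "$1" > "$tmp"; then
        mv -f "$tmp" "$2"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Constructed scenario in a scratch directory: "work" stands for the shared
# directory, and work/tempfile is a symlink that was placed there before the
# tool runs. Prints the content of the file the symlink points at afterwards.
run_scenario() {       # usage: run_scenario copy_fixed_name|copy_mktemp
    scratch=$(mktemp -d) || return 1
    mkdir "$scratch/work"
    echo "precious" > "$scratch/other-file"
    echo "image data" > "$scratch/work/in.jpg"
    ln -s "$scratch/other-file" "$scratch/work/tempfile"
    ( cd "$scratch/work" && "$1" in.jpg out.jpg ) >/dev/null 2>&1
    cat "$scratch/other-file"
    rm -rf "$scratch"
}

echo "fixed name: $(run_scenario copy_fixed_name)"
echo "mktemp:     $(run_scenario copy_mktemp)"
```

With the fixed name the unrelated file ends up holding the image data; with mktemp it keeps its content.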

