Bug#463907: Creates tempfiles in an unsafe way

2008-02-08 Thread Nico Golde
Hi,
the first issue got CVE id CVE-2008-0665 and the other 
issues got CVE-2008-0666.

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.




Bug#463907: Creates tempfiles in an unsafe way

2008-02-07 Thread Nico Golde
Hi,
attached is an updated patch which I will upload as a 0-day 
NMU with permission of the maintainer.
Many thanks to Frank for his input!

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
diff -u wml-2.0.11/debian/changelog wml-2.0.11/debian/changelog
--- wml-2.0.11/debian/changelog
+++ wml-2.0.11/debian/changelog
@@ -1,3 +1,13 @@
+wml (2.0.11-3.1) unstable; urgency=high
+
+  * Non-maintainer upload by security team.
+  * Fix insecure temporary file creations in eperl and ipp
+backends and a similar issue in the wmg.cgi contrib file
+leading to possible symlink attacks.
+If you already use wmg.cgi please update your copy (Closes: #463907).
+
+ -- Nico Golde <[EMAIL PROTECTED]>  Thu, 07 Feb 2008 12:01:43 +0100
+
 wml (2.0.11-3) unstable; urgency=low
 
   [ Luk Claes ]
diff -u wml-2.0.11/wml_contrib/wmg.cgi wml-2.0.11/wml_contrib/wmg.cgi
--- wml-2.0.11/wml_contrib/wmg.cgi
+++ wml-2.0.11/wml_contrib/wmg.cgi
@@ -366,14 +366,7 @@
 ($w, $h, $t) = Image::Size::imgsize(\$contents);
 if ($w*$h == 1) {
 #   read image into GD
-$tmpfile = "/tmp/pe.tmp.$$";
-unlink($tmpfile);
-open(TMP, ">$tmpfile");
-print TMP $contents;
-close(TMP);
-open(TMP, "<$tmpfile");
-$tmpimg = newFromGif GD::Image(TMP);
-close(TMP);
+$tmpimg = newFromGif GD::Image($contents);
 unlink($tmpfile);
 if ($tmpimg->transparent != -1) {
 my $im = new GD::Image($w, $h);
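Review bot: the `unlink($tmpfile);` kept as context right after the new `newFromGif` line now refers to a `$tmpfile` this block no longer assigns, so it is either dead or, if the variable was set earlier in the script, removes an unrelated file; it should go with the other temp-file lines. It is also worth checking that `newFromGif` accepts raw image bytes here: GD documents `newFromGif` as taking a filename or filehandle and `newFromGifData` for in-memory data, so `GD::Image->newFromGifData($contents)` may be the call intended.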
diff -u wml-2.0.11/wml_backend/p1_ipp/ipp.src wml-2.0.11/wml_backend/p1_ipp/ipp.src
--- wml-2.0.11/wml_backend/p1_ipp/ipp.src
+++ wml-2.0.11/wml_backend/p1_ipp/ipp.src
@@ -566,6 +566,8 @@
 #   process the pre-loaded include files
 #
 $tmpdir = $ENV{'TMPDIR'} || '/tmp';
+my $tmpldir = ($ENV{'TMPDIR'} || '/tmp') . '/ipp.XX';
+$tmpdir = mkdtemp($tmpldir) or die "Unable to create temporary directory: $!\n";
 $tmpfile = $tmpdir . "/ipp.$$.tmp";
 unlink($tmpfile);
 $tmp = new IO::File;
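Review bot: the unchanged `$tmpdir = $ENV{'TMPDIR'} || '/tmp';` directly above the two added lines is overwritten by the `mkdtemp` result on the next statement and can be dropped. Please also confirm that `File::Temp` is imported for `mkdtemp` (not visible in this hunk) and that the template ends in enough X characters: `File::Temp` croaks on templates with fewer than four trailing X's, and `'/ipp.XX'` as shown has two. With a fresh 0700 directory the per-pid file name inside it is fine, so the `unlink($tmpfile)` that follows is now harmless but redundant.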
only in patch2:
unchanged:
--- wml-2.0.11.orig/wml_backend/p3_eperl/eperl_sys.c
+++ wml-2.0.11/wml_backend/p3_eperl/eperl_sys.c
@@ -211,13 +211,20 @@
 {
 char ca[1024];
 char *cp, *tmpdir;
+char tmpfile[]="eperl_sourceXX";
 int i;
+int fd=-1;
 
 tmpdir = getenv ("TMPDIR");
 if (tmpdir == (char *) NULL)
 tmpdir="/tmp";
 
-snprintf(ca, sizeof(ca), "%s/%s.%d.tmp%d", tmpdir, id, (int)getpid(), mytmpfilecnt++);
+snprintf(ca, sizeof(ca), "%s/%s", tmpdir, tmpfile);
+if((fd = mkstemp(tmpfile)) == -1){
+perror("can not create tmpfile");
+return NULL;
+}
+close(fd);
 ca[sizeof(ca)-1] = NUL;
 cp = strdup(ca);
 for (i = 0; mytmpfiles[i] != NULL; i++)
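Review bot: `mkstemp()` is called on `tmpfile`, the bare template, after `ca` has already been formatted from it, so the file is created in the current working directory while `ca` (the string that is strdup'd and returned) still reads `<tmpdir>/eperl_sourceXX`, a path that does not exist. Format the template into `ca` first and call `mkstemp(ca)` so the generated name is what gets returned. mkstemp(3) also requires the template to end in six X's; `eperl_sourceXX` as shown has two and glibc fails with EINVAL. Closing `fd` immediately and letting callers reopen by path keeps the window the mail above acknowledges; returning or recording the descriptor would close it. Finally, `id` no longer appears in the name, so callers can no longer distinguish their temp files by name.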




Bug#463907: Creates tempfiles in an unsafe way

2008-02-07 Thread Nico Golde
Hi,
I found a similar issue in wml_contrib/wmg.cgi which we also install in our
package:

$tmpfile = "/tmp/pe.tmp.$$";
unlink($tmpfile);
open(TMP, ">$tmpfile");
print TMP $contents;
close(TMP);
open(TMP, "<$tmpfile");
$tmpimg = newFromGif GD::Image(TMP);
close(TMP);
unlink($tmpfile);

And one in wml_backend/p3_eperl/eperl_sys.c:
char *mytmpfile(char *id)
{
    char ca[1024];
    char *cp, *tmpdir;
    int i;

    tmpdir = getenv ("TMPDIR");
    if (tmpdir == (char *) NULL)
        tmpdir="/tmp";

    snprintf(ca, sizeof(ca), "%s/%s.%d.tmp%d", tmpdir, id, (int)getpid(), mytmpfilecnt++);
    ca[sizeof(ca)-1] = NUL;
    cp = strdup(ca);
    for (i = 0; mytmpfiles[i] != NULL; i++)
        ;
    mytmpfiles[i++] = cp;
    mytmpfiles[i] = NULL;
    return cp;
}

I am going to fix this using mkstemp, however the fix won't
be race free because ideally you also have to open the
file via the file descriptor returned by mkstemp to ensure
that the file did not change. For this I would need to completely
change the function and I don't want to do such an intrusive change.
However, this is not a big issue and more theoretical, but it should be
fixed by upstream later.

I am going to fix this as well.

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.


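The race described in the mail above, between creating the temp file and reopening it by path, goes away when the descriptor returned by mkstemp() is kept and used for all I/O. As an added example (not code from wml, eperl or the patch in this thread), here is a race-free variant of mytmpfile() in C; `secure_tmpfile`, `same_private_file`, `mkstemp_template_ok` and `demo` are names chosen for the example, and the TMPDIR handling follows the original's fallback to /tmp.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* mkstemp(3) replaces a trailing "XXXXXX"; fewer X's fail with EINVAL on glibc. */
int mkstemp_template_ok(const char *tmpl)
{
    size_t n = strlen(tmpl);
    return n >= 6 && strcmp(tmpl + n - 6, "XXXXXX") == 0;
}

/* Build "<TMPDIR>/<id>.XXXXXX" in the caller's buffer and let mkstemp() create
 * it atomically (O_CREAT|O_EXCL, mode 0600). On success the buffer holds the
 * generated name and the open descriptor is returned for all further I/O. */
int secure_tmpfile(const char *id, char *path, size_t pathlen)
{
    const char *tmpdir = getenv("TMPDIR");
    int n = snprintf(path, pathlen, "%s/%s.XXXXXX",
                     (tmpdir && *tmpdir) ? tmpdir : "/tmp", id);
    if (n < 0 || (size_t)n >= pathlen)
        return -1; /* truncated template: refuse rather than mkstemp a prefix */
    return mkstemp(path);
}

/* Does fd still denote the same regular, owner-only file as path? A close-and-
 * reopen-by-name sequence cannot guarantee this; holding the descriptor can. */
int same_private_file(int fd, const char *path)
{
    struct stat a, b;
    if (fstat(fd, &a) != 0 || lstat(path, &b) != 0)
        return 0;
    return S_ISREG(a.st_mode) && a.st_dev == b.st_dev && a.st_ino == b.st_ino
        && (a.st_mode & 077) == 0;
}

/* Round trip entirely through the descriptor: create, write, rewind, read back. */
int demo(void)
{
    char path[1024], buf[8] = {0};
    int ok = 0, fd = secure_tmpfile("eperl_source", path, sizeof path);
    if (fd == -1) return 0;
    if (write(fd, "hello", 5) == 5 && lseek(fd, 0, SEEK_SET) == 0
        && read(fd, buf, 5) == 5 && strcmp(buf, "hello") == 0)
        ok = same_private_file(fd, path);
    unlink(path); /* remove by name while the descriptor is still held */
    close(fd);
    return ok;
}
```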


Bug#463907: Creates tempfiles in an unsafe way

2008-02-06 Thread Nico Golde
Hi Felipe,
* Felipe Augusto van de Wiel (faw) <[EMAIL PROTECTED]> [2008-02-06 18:26]:
> On 04-02-2008 10:16, Nico Golde wrote:
> > * Frank Lichtenheld <[EMAIL PROTECTED]> [2008-02-04 12:56]:
[...] 
> >> $tmpdir = $ENV{'TMPDIR'} || '/tmp';
> >> $tmpfile = $tmpdir . "/ipp.$$.tmp";
> >> unlink($tmpfile);
> >> $tmp = new IO::File;
> >> $tmp->open(">$tmpfile") || error("cannot write into $tmpfile: $!");
> > [...] 
> > 
> > Thanks I confirmed this, a CVE id is pending.

I tried to catch you up in #debian-security but you didn't 
join for some days :)

>   Just for the record, there is a new version of wml that
> should be packaged, I will take care to properly keep this fix
> if it is not present upstream. Would you like me to prepare a
> package to fix this? Or should I wait for Debian Security Team?
> I'm OK with a NMU.

If you can upload a fix before tomorrow do it, otherwise 
I'll take care of this tomorrow.

>   As soon as possible, I will work on the new package and
> also to clean up the BTS for wml. Sorry for the delay.

No problem :)
Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.




Bug#463907: Creates tempfiles in an unsafe way

2008-02-06 Thread Felipe Augusto van de Wiel (faw)

tags 463907 + confirmed
thanks

On 04-02-2008 10:16, Nico Golde wrote:
> * Frank Lichtenheld <[EMAIL PROTECTED]> [2008-02-04 12:56]:
>> Package: wml
>> Version: 2.0.11-1
>> Severity: serious
>> Tags: security
>>
>> The following code in wml_backend/p1_ipp/ipp.src is obviously unsafe
>> (and actually causing practical problems during the Debian website
>> build):
>>
>> $tmpdir = $ENV{'TMPDIR'} || '/tmp';
>> $tmpfile = $tmpdir . "/ipp.$$.tmp";
>> unlink($tmpfile);
>> $tmp = new IO::File;
>> $tmp->open(">$tmpfile") || error("cannot write into $tmpfile: $!");
> [...] 
> 
> Thanks I confirmed this, a CVE id is pending.
> Kind regards
> Nico

Just for the record, there is a new version of wml that
should be packaged, I will take care to properly keep this fix
if it is not present upstream. Would you like me to prepare a
package to fix this? Or should I wait for Debian Security Team?
I'm OK with a NMU.

As soon as possible, I will work on the new package and
also to clean up the BTS for wml. Sorry for the delay.

Kind regards,
-- 
Felipe Augusto van de Wiel (faw)
"Debian. Freedom to code. Code to freedom!"



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Bug#463907: Creates tempfiles in an unsafe way

2008-02-04 Thread Nico Golde
severity 463907 grave
thanks

Hi,
* Frank Lichtenheld <[EMAIL PROTECTED]> [2008-02-04 12:56]:
> Package: wml
> Version: 2.0.11-1
> Severity: serious
> Tags: security
> 
> The following code in wml_backend/p1_ipp/ipp.src is obviously unsafe
> (and actually causing practical problems during the Debian website
> build):
> 
> $tmpdir = $ENV{'TMPDIR'} || '/tmp';
> $tmpfile = $tmpdir . "/ipp.$$.tmp";
> unlink($tmpfile);
> $tmp = new IO::File;
> $tmp->open(">$tmpfile") || error("cannot write into $tmpfile: $!");
[...] 

Thanks I confirmed this, a CVE id is pending.
Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.




Bug#463907: Creates tempfiles in an unsafe way

2008-02-03 Thread Frank Lichtenheld
Package: wml
Version: 2.0.11-1
Severity: serious
Tags: security

The following code in wml_backend/p1_ipp/ipp.src is obviously unsafe
(and actually causing practical problems during the Debian website
build):

$tmpdir = $ENV{'TMPDIR'} || '/tmp';
$tmpfile = $tmpdir . "/ipp.$$.tmp";
unlink($tmpfile);
$tmp = new IO::File;
$tmp->open(">$tmpfile") || error("cannot write into $tmpfile: $!");

Sadly enough this was fixed by the former maintainer for sarge but
apparently got lost when the new upstream was packaged for etch. See
the following code in sarge's version:

my $tmpldir = ($ENV{'TMPDIR'} || '/tmp') . '/ipp.XX';
$tmpdir = mkdtemp($tmpldir) or die "Unable to create temporary directory: $!\n";
$tmpfile = $tmpdir . "/ipp.$$.tmp";
unlink($tmpfile);
$tmp = new IO::File;
$tmp->open(">$tmpfile") || error("cannot write into $tmpfile: $!");

You could probably just use that again.

Gruesse,
Frank Lichtenheld

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (900, 'unstable'), (900, 'testing'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.23-1-686 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages wml depends on:
ii  eperl 2.2.14-15  Embedded Perl 5 Language
ii  iselect   1.3.1-3An interactive line selection tool
ii  libbit-vector-perl6.4-7  Perl and C library for bit vectors
ii  libc6 2.7-6  GNU C Library: Shared libraries
ii  libimage-size-perl3.1-3  determine the size of images in se
ii  libpng12-01.2.15~beta5-3 PNG library - runtime
ii  libterm-readkey-perl  2.30-3 A perl module for simple terminal 
ii  m41.4.10-1   a macro processing language
ii  mp4h  1.3.1-4Macro processor for HTML documents
ii  perl  5.8.8-12   Larry Wall's Practical Extraction 
ii  perl-base [perlapi-5.8.8] 5.8.8-12   The Pathologically Eclectic Rubbis
ii  slice 1.3.8-9Extract out pre-defined slices of 

Versions of packages wml recommends:
ii  libhtml-clean-perl 0.8-10Cleans up HTML code for web browse
ii  linklint   2.3.5-5   A fast link checker and web site m
ii  tidy   20080116cvs-2 HTML syntax checker and reformatte
ii  txt2html   2.50-2Text to HTML converter

-- no debconf information


