Bug#463907: Creates tempfiles in a unsafe way
Hi, the first issue got CVE id CVE-2008-0665 and the other issues got CVE-2008-0666. Kind regards Nico -- Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted. pgpexCXzeHjpx.pgp Description: PGP signature
Bug#463907: Creates tempfiles in a unsafe way
Hi, attached is an updated patch which I will upload as a 0-day NMU with permission of the maintainer. Many thanks to Frank for his input! Kind regards Nico -- Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted. diff -u wml-2.0.11/debian/changelog wml-2.0.11/debian/changelog --- wml-2.0.11/debian/changelog +++ wml-2.0.11/debian/changelog @@ -1,3 +1,13 @@ +wml (2.0.11-3.1) unstable; urgency=high + + * Non-maintainer upload by security team. + * Fix insecure temporary file creations in eperl and ipp +backends and a similar issue in the wmg.cgi contrib file +leading to possible symlink attacks. +If you already use wmg.cgi please update your copy (Closes: #463907). + + -- Nico Golde <[EMAIL PROTECTED]> Thu, 07 Feb 2008 12:01:43 +0100 + wml (2.0.11-3) unstable; urgency=low [ Luk Claes ] diff -u wml-2.0.11/wml_contrib/wmg.cgi wml-2.0.11/wml_contrib/wmg.cgi --- wml-2.0.11/wml_contrib/wmg.cgi +++ wml-2.0.11/wml_contrib/wmg.cgi @@ -366,14 +366,7 @@ ($w, $h, $t) = Image::Size::imgsize(\$contents); if ($w*$h == 1) { # read image into GD -$tmpfile = "/tmp/pe.tmp.$$"; -unlink($tmpfile); -open(TMP, ">$tmpfile"); -print TMP $contents; -close(TMP); -open(TMP, "<$tmpfile"); -$tmpimg = newFromGif GD::Image(TMP); -close(TMP); +$tmpimg = newFromGif GD::Image($contents); unlink($tmpfile); if ($tmpimg->transparent != -1) { my $im = new GD::Image($w, $h); diff -u wml-2.0.11/wml_backend/p1_ipp/ipp.src wml-2.0.11/wml_backend/p1_ipp/ipp.src --- wml-2.0.11/wml_backend/p1_ipp/ipp.src +++ wml-2.0.11/wml_backend/p1_ipp/ipp.src @@ -566,6 +566,8 @@ # process the pre-loaded include files # $tmpdir = $ENV{'TMPDIR'} || '/tmp'; +my $tmpldir = ($ENV{'TMPDIR'} || '/tmp') . '/ipp.XX'; +$tmpdir = mkdtemp($tmpldir) or die "Unable to create temporary directory: $!\n"; $tmpfile = $tmpdir . "/ipp.$$.tmp"; unlink($tmpfile); $tmp = new IO::File; only in patch2: unchanged: --- wml-2.0.11.orig/wml_backend/p3_eperl/eperl_sys.c +++ wml-2.0.11/wml_backend/p3_eperl/eperl_sys.c @@ -211,13 +211,20 @@ { char ca[1024]; char *cp, *tmpdir; +char tmpfile[]="eperl_sourceXX"; int i; +int fd=-1; tmpdir = getenv ("TMPDIR"); if (tmpdir == (char *) NULL) tmpdir="/tmp"; -snprintf(ca, sizeof(ca), "%s/%s.%d.tmp%d", tmpdir, id, (int)getpid(), mytmpfilecnt++); +snprintf(ca, sizeof(ca), "%s/%s", tmpdir, tmpfile); +if((fd = mkstemp(tmpfile)) == -1){ +perror("can not create tmpfile"); +return NULL; +} +close(fd); ca[sizeof(ca)-1] = NUL; cp = strdup(ca); for (i = 0; mytmpfiles[i] != NULL; i++) pgpLbALUiRCOp.pgp Description: PGP signature
Bug#463907: Creates tempfiles in a unsafe way
Hi, I found a similar issue in wml_contrib/wmg.cgi which we also install in our package: 369 $tmpfile = "/tmp/pe.tmp.$$"; 370 unlink($tmpfile); 371 open(TMP, ">$tmpfile"); 372 print TMP $contents; 373 close(TMP); 374 open(TMP, "<$tmpfile"); 375 $tmpimg = newFromGif GD::Image(TMP); 376 close(TMP); 377 unlink($tmpfile); And one in wml_backend/p3_eperl/eperl_sys.c: 210 char *mytmpfile(char *id) 211 { 212 char ca[1024]; 213 char *cp, *tmpdir; 214 int i; 215 216 tmpdir = getenv ("TMPDIR"); 217 if (tmpdir == (char *) NULL) 218 tmpdir="/tmp"; 219 220 snprintf(ca, sizeof(ca), "%s/%s.%d.tmp%d", tmpdir, id, (int)getpid(), mytmpfilecnt++); 221 ca[sizeof(ca)-1] = NUL; 222 cp = strdup(ca); 223 for (i = 0; mytmpfiles[i] != NULL; i++) 224 ; 225 mytmpfiles[i++] = cp; 226 mytmpfiles[i] = NULL; 227 return cp; 228 } I am going to fix this using mkstemp, however the fix won't be race free because ideally you also need you have to open the file via the file descriptor returned by mkstemp to ensure that the file did not change. For this I would need to completely change the function and I don't want to do such an intrusive change. However this is not a big issue and more theoretical but should be fixed by upstream later. I am going to fix this as well. Kind regards Nico -- Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted. pgpcZNUePQdst.pgp Description: PGP signature
Bug#463907: Creates tempfiles in a unsafe way
Hi Felipe, * Felipe Augusto van de Wiel (faw) <[EMAIL PROTECTED]> [2008-02-06 18:26]: > On 04-02-2008 10:16, Nico Golde wrote: > > * Frank Lichtenheld <[EMAIL PROTECTED]> [2008-02-04 12:56]: [...] > >> $tmpdir = $ENV{'TMPDIR'} || '/tmp'; > >> $tmpfile = $tmpdir . "/ipp.$$.tmp"; > >> unlink($tmpfile); > >> $tmp = new IO::File; > >> $tmp->open(">$tmpfile") || error("cannot write into $tmpfile: $!"); > > [...] > > > > Thanks I confirmed this, a CVE id is pending. I tried to catch you up in #debian-security but you didn't join for some days :) > Just for the record, there is a new version of wml that > should be packaged, I will take care to properly keep this fix > if it is not present upstream. Would you like me to prepare a > package to fix this? Or should I wait for Debian Security Team? > I'm OK with a NMU. If you can upload a fix before tomorrow do it, otherwise I'll take care of this tomorrow. > As soon as possible, I will work on the new package and > also to clean up the BTS for wml. Sorry for the delay. No problem :) Cheers Nico -- Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted. pgpUn2S8igdjY.pgp Description: PGP signature
Bug#463907: Creates tempfiles in a unsafe way
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 tags 463907 + confirmed thanks On 04-02-2008 10:16, Nico Golde wrote: > * Frank Lichtenheld <[EMAIL PROTECTED]> [2008-02-04 12:56]: >> Package: wml >> Version: 2.0.11-1 >> Severity: serious >> Tags: security >> >> The following code in wml_backend/p1_ipp/ipp.src is obviously unsafe >> (and actually causing practical problems during the Debian website >> build): >> >> $tmpdir = $ENV{'TMPDIR'} || '/tmp'; >> $tmpfile = $tmpdir . "/ipp.$$.tmp"; >> unlink($tmpfile); >> $tmp = new IO::File; >> $tmp->open(">$tmpfile") || error("cannot write into $tmpfile: $!"); > [...] > > Thanks I confirmed this, a CVE id is pending. > Kind regards > Nico Just for the record, there is a new version of wml that should be packaged, I will take care to properly keep this fix if it is not present upstream. Would you like me to prepare a package to fix this? Or should I wait for Debian Security Team? I'm OK with a NMU. As soon as possible, I will work on the new package and also to clean up the BTS for wml. Sorry for the delay. Kind regards, - -- Felipe Augusto van de Wiel (faw) "Debian. Freedom to code. Code to freedom!" -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFHqeuvCjAO0JDlykYRAu8dAJsHOipcdRwmkEZrSEWbwCUa8sIufACeMHXT jbRk9HEtScmQCp7Ucru89TM= =ScIt -END PGP SIGNATURE- -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Bug#463907: Creates tempfiles in a unsafe way
severity 463907 grave thanks Hi, * Frank Lichtenheld <[EMAIL PROTECTED]> [2008-02-04 12:56]: > Package: wml > Version: 2.0.11-1 > Severity: serious > Tags: security > > The following code in wml_backend/p1_ipp/ipp.src is obviously unsafe > (and actually causing practical problems during the Debian website > build): > > $tmpdir = $ENV{'TMPDIR'} || '/tmp'; > $tmpfile = $tmpdir . "/ipp.$$.tmp"; > unlink($tmpfile); > $tmp = new IO::File; > $tmp->open(">$tmpfile") || error("cannot write into $tmpfile: $!"); [...] Thanks I confirmed this, a CVE id is pending. Kind regards Nico -- Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted. pgp3YKWh1nlry.pgp Description: PGP signature
Bug#463907: Creates tempfiles in a unsafe way
Package: wml Version: 2.0.11-1 Severity: serious Tags: security The following code in wml_backend/p1_ipp/ipp.src is obviously unsafe (and actually causing practical problems during the Debian website build): $tmpdir = $ENV{'TMPDIR'} || '/tmp'; $tmpfile = $tmpdir . "/ipp.$$.tmp"; unlink($tmpfile); $tmp = new IO::File; $tmp->open(">$tmpfile") || error("cannot write into $tmpfile: $!"); Sadly enough this was fixed by the former maintainer for sarge but apparently got lost when the new upstream was packaged for etch. See the following code in sarge's version: my $tmpldir = ($ENV{'TMPDIR'} || '/tmp') . '/ipp.XX'; $tmpdir = mkdtemp($tmpldir) or die "Unable to create temporary directory: $!\n"; $tmpfile = $tmpdir . "/ipp.$$.tmp"; unlink($tmpfile); $tmp = new IO::File; $tmp->open(">$tmpfile") || error("cannot write into $tmpfile: $!"); You could probably just use that again. Gruesse, Frank Lichtenheld -- System Information: Debian Release: lenny/sid APT prefers unstable APT policy: (900, 'unstable'), (900, 'testing'), (1, 'experimental') Architecture: i386 (i686) Kernel: Linux 2.6.23-1-686 (SMP w/2 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/bash Versions of packages wml depends on: ii eperl 2.2.14-15 Embedded Perl 5 Language ii iselect 1.3.1-3An interactive line selection tool ii libbit-vector-perl6.4-7 Perl and C library for bit vectors ii libc6 2.7-6 GNU C Library: Shared libraries ii libimage-size-perl3.1-3 determine the size of images in se ii libpng12-01.2.15~beta5-3 PNG library - runtime ii libterm-readkey-perl 2.30-3 A perl module for simple terminal ii m41.4.10-1 a macro processing language ii mp4h 1.3.1-4Macro processor for HTML documents ii perl 5.8.8-12 Larry Wall's Practical Extraction ii perl-base [perlapi-5.8.8] 5.8.8-12 The Pathologically Eclectic Rubbis ii slice 1.3.8-9Extract out pre-defined slices of Versions of packages wml recommends: ii libhtml-clean-perl 0.8-10Cleans up HTML code for web browse ii linklint 2.3.5-5 A fast link checker and web site m ii tidy 20080116cvs-2 HTML syntax checker and reformatte ii txt2html 2.50-2Text to HTML converter -- no debconf information -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]