Re: [SECURITY] [DSA 2350-1] freetype security update

2011-11-20 Thread support
Thank you for contacting us,

This is an automatic message to confirm that we have received your e-mail.

We will attend to your request as soon as possible.

Technical support team
Progresa Internet Studios | Sistelia Cloudworks
http://www.progresa.net | http://www.sistelia.com
+34 902 501 454 | +34 935 325 863 | Fax +34 932 005 744

This message and any other documents that, where appropriate, have appendices, 
may contain reserved and/or confidential information intended exclusively for 
the use of the addressee or the person responsible for delivering it to them, 
its unauthorised use being prohibited by law. Its contents do not constitute a 
commitment for INSTANTWEB PROGRESA SL, except by written ratification by both 
parties. In the case of receiving it by mistake, we request you inform us by 
the same method, abstain from making copies of the message or attached 
documents, sending it or providing it to a third party, and proceed, failing 
that, to eliminate it.



Archive: 
http://lists.debian.org/2020200440.b9119252...@sstlx001.sistelia.net



Re: gnash creates world-readable cookies under /tmp

2011-11-20 Thread Francesco Poli
On Sun, 20 Nov 2011 15:39:36 +0100 Alexander Kurtz wrote:

[...]
> Hi,
> 
> after watching videos on YouTube I found this in /tmp:
> 
>   $ ls -l /tmp/gnash*
>   -rw-r--r-- 1 alexander alexander 329 Nov 20 15:22 /tmp/gnash-cookies.31032
>   $

Hi!
I am a user of the gnash package and I am experiencing the same issue.

> 
> Please note that the file is world-readable.
[...]
> Since gnash is installed per default and also starts playing as soon as
> flash content is detected, this can be a serious security/privacy issue
> on multi-user systems. Gnash should either use $HOME for storing cookies
> or create them with sane permissions (0600).

I would add the following consideration: why does gnash create cookies
at all?

I thought I had managed to disable flash cookies a long time ago with the
following setting:

  $ grep SOLSafeDir /etc/gnashrc
  set SOLSafeDir /dev/null

but it seems that this option is not (or no longer?) enough to prevent
gnash from creating/storing cookies.

Could someone please tell me where the option to disable cookies is?
I think there should be one, but I seem to be unable to find it...

Thanks for your time!


-- 
 http://www.inventati.org/frx/frx-gpg-key-transition-2010.txt
 New GnuPG key, see the transition document!
. Francesco Poli .
 GnuPG key fpr == CA01 1147 9CD2 EFDF FB82  3925 3E1C 27E1 1F69 BFFE




Re: Bug#649384: gnash creates world-readable cookies under /tmp

2011-11-20 Thread Alexander Kurtz
retitle 649384 gnash creates world-readable cookies under /tmp with predictable filenames
thanks

On Sun, 2011-11-20 at 18:01 +0100, Gabriele Giacone wrote:
> tags 649384 fixed-upstream
> thanks
> 
> On Sun, Nov 20, 2011 at 03:39:36PM +0100, Alexander Kurtz wrote:
> > or create them with sane permissions (0600).
> 
> http://git.savannah.gnu.org/gitweb/?p=gnash.git;a=commitdiff;h=fa481c116e65ccf9137c7ddc8abc3cf05dc12f55

I don't think this fixes the underlying problem: an attacker would still
be able to read the cookie if he managed to win the race condition and
open the file before the chmod(). If you agree, please remove the
"fixed-upstream" tag.

Furthermore, I took a quick look at the code and noticed this:

  gnash::log_debug("The Cookie for %s is %s", url, ncookie);
  std::ofstream cookiefile;
  std::stringstream ss;
  ss << "/tmp/gnash-cookies." << getpid();

  cookiefile.open(ss.str().c_str(), std::ios::out | std::ios::trunc);
  chmod (ss.str().c_str(), 0600);

I might be wrong, but I very strongly suspect a possible symlink attack
here which would enable an attacker to overwrite arbitrary files and
(with your patch) change their permissions.

Best regards

Alexander Kurtz


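A defender's version of the file creation the quoted snippet gets wrong, written as an added example (not gnash's code): the file is created with mode 0600 in a single open() call using O_CREAT|O_EXCL|O_NOFOLLOW (or mkstemp() for an unpredictable name), so there is no window between creation and chmod() and a pre-planted symlink is refused rather than followed. The directory argument is assumed to be one the user owns, such as $HOME or $XDG_RUNTIME_DIR, rather than the shared /tmp.

```cpp
// Added example, not gnash code: create a private per-user file atomically.
#include <cerrno>
#include <cstdlib>
#include <fcntl.h>
#include <string>
#include <sys/stat.h>
#include <unistd.h>
#include <vector>

// Create path for writing with mode 0600 in a single open() call.
// O_EXCL refuses a pre-existing file or symlink at that name, and O_NOFOLLOW
// refuses a symlink in any case, so nothing outside the file is truncated and
// there is no window in which the file exists with default permissions.
// Returns an fd >= 0, or -errno on failure.
int open_private_file(const std::string& path) {
    int fd = ::open(path.c_str(),
                    O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC,
                    S_IRUSR | S_IWUSR);
    return fd < 0 ? -errno : fd;
}

// Create a file with an unpredictable name in dir (assumed user-owned, e.g.
// $XDG_RUNTIME_DIR). mkstemp() itself uses O_CREAT|O_EXCL and mode 0600, so a
// predictable "gnash-cookies.<pid>" name cannot be pre-planted by another user.
// Returns an fd >= 0 and sets out_path, or -errno on failure.
int create_private_temp(const std::string& dir, std::string& out_path) {
    std::string tmpl = dir + "/gnash-cookies.XXXXXX";
    std::vector<char> buf(tmpl.begin(), tmpl.end());
    buf.push_back('\0');
    int fd = ::mkstemp(buf.data());
    if (fd < 0) return -errno;
    out_path.assign(buf.data());
    return fd;
}

// Audit check: a regular file (not a symlink) with no group/other permission bits.
bool is_owner_only(const std::string& path) {
    struct stat st;
    if (::lstat(path.c_str(), &st) != 0) return false;
    return S_ISREG(st.st_mode) && (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}
```

is_owner_only() is the same check an administrator can run with `ls -l` as in the report: any `r` in the group or other columns of a cookie file is a finding.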


gnash creates world-readable cookies under /tmp

2011-11-20 Thread Alexander Kurtz
Package: gnash
Version: 0.8.10~git20111001-1
Tags: security
Severity: critical
Justification: Introduces a new security hole

Hi,

after watching videos on YouTube I found this in /tmp:

$ ls -l /tmp/gnash*
-rw-r--r-- 1 alexander alexander 329 Nov 20 15:22 /tmp/gnash-cookies.31032
$

Please note that the file is world-readable. This enables things like:

$ sudo -u nobody cat /tmp/gnash-cookies.31032
Set-Cookie: use_hitbox=72c46ff6cbcdb7c5585c36411b6b334edAEw
Set-Cookie:  VISITOR_INFO1_LIVE=WEbeevRfDNo
Set-Cookie:  recently_watched_video_id_list=885d7cf2658d586fc1bef37a995ce29cWwEAAABzCwAAAHV3SFIwM1pHd1k4
Set-Cookie:  GEO=0bf89ff87b12d82d91e10ddf1da36d95cwszREVUmagnTskNGQ==
Set-Cookie:  PREF=f1=4000&fv=10.1.999
$

Since gnash is installed per default and also starts playing as soon as
flash content is detected, this can be a serious security/privacy issue
on multi-user systems. Gnash should either use $HOME for storing cookies
or create them with sane permissions (0600).

Best regards

Alexander Kurtz

