Your message dated Tue, 1 Apr 2008 13:41:03 +0200
with message-id <[EMAIL PROTECTED]>
and subject line Re: Bug#462838: comix: insecure temporary file creation
has caused the Debian Bug report #462838,
regarding comix: insecure temporary file creation
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
462838: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=462838
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: comix
Version: 3.6.4-1
Severity: grave
Justification: user security hole
Tags: security

*** Please type your report below this line ***

/usr/bin/comix, line 10494:
        # =======================================================
        # Create the temporary directory used in this Comix session.
        # The dir is /tmp/comix/<num> where <num> is 1 or higher
        # depending on the number of Comix sessions opened.
        # =======================================================
        if not os.path.exists('/tmp/comix/'):
            os.makedirs('/tmp/comix/')
            os.chmod('/tmp/comix/', 0700)
        dir_number = 1
        while 1:
            if not os.path.exists('/tmp/comix/' + str(dir_number)):
                os.mkdir('/tmp/comix/' + str(dir_number))
                os.chmod('/tmp/comix/' + str(dir_number), 0700)
                self.base_dir = '/tmp/comix/' + str(dir_number) + '/'
                break
            dir_number += 1

Completely predictable filenames and chmodding after creation open this up
for symlink attack.

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (700, 'testing'), (500, 'stable'), (400, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.22-3-686 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=fi_FI.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages comix depends on:
ii  gconf2                        2.20.1-2   GNOME configuration database syste
ii  python                        2.4.4-6    An interactive high-level object-o
ii  python-gtk2                   2.12.1-1   Python bindings for the GTK+ widge
ii  python-imaging                1.1.6-1    Python Imaging Library

comix recommends no packages.

-- no debconf information



--- End Message ---
--- Begin Message ---
Hi hhaamu,
* [EMAIL PROTECTED] <[EMAIL PROTECTED]> [2008-04-01 13:36]:
> On Mon, 31 Mar 2008 14:52:50 +0200
> Nico Golde <[EMAIL PROTECTED]> wrote:
> > * [EMAIL PROTECTED] <[EMAIL PROTECTED]> [2008-01-27 20:32]:
> > > Completely predictable filenames and chmodding after creation open this up
> > > for symlink attack.
> > 
> > I just had a look at this issue and can not confirm what you 
> > said. Can you please come up with an exploit scenario?
> > 
> > You are right, the directory names are predictable and there 
> > is of course a race condition between if not os.path.exists 
> > and the mkdir call. But if the name is a dangling symlink 
> > mkdir will fail because the file already exists.
> >
> > Did you test this?
> 
> Ah, no, I did not. I just checked python's behaviour and it refused to
> create a directory on a symlink. I assumed that it would just follow
> the symlink like touch(1) does on files.
> 
> I guess it is not exploitable, then.

Thanks, closing this bug report.

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.



--- End Message ---
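
Added example, not part of the original bug thread or of Comix's code: a Python 3 check (POSIX only) of the behaviour the thread settles on, that mkdir refuses a dangling symlink while a plain file open follows it, alongside the creation calls that avoid the predictable-name race. The names `probe`, `excl_create`, `run_demo` and the `comix-` prefix are assumptions made for this illustration.

```python
import os
import stat
import tempfile


def probe(sandbox, name, create):
    """Point sandbox/<name> at a missing target, run create(link), and
    report whether the call was refused and whether the target appeared."""
    target = os.path.join(sandbox, name + "-target")
    link = os.path.join(sandbox, name)
    os.symlink(target, link)
    try:
        create(link)
        refused = False
    except FileExistsError:
        refused = True
    return refused, os.path.lexists(target)


def excl_create(path):
    """File creation that never follows a symlink in the last component."""
    os.close(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600))


def run_demo():
    """Run each probe in a private sandbox (all paths are constructed)."""
    with tempfile.TemporaryDirectory() as sandbox:
        # Random name and mode 0700 set atomically at creation time.
        session = tempfile.mkdtemp(prefix="comix-", dir=sandbox)
        return {
            # mkdir(2) returns EEXIST for any existing name, dangling link included.
            "mkdir": probe(sandbox, "1", lambda p: os.mkdir(p, 0o700)),
            # open(..., "w") follows the link, like touch(1) on files.
            "open_w": probe(sandbox, "2", lambda p: open(p, "w").close()),
            "open_excl": probe(sandbox, "3", excl_create),
            "mkdtemp_mode": stat.S_IMODE(os.stat(session).st_mode),
        }


if __name__ == "__main__":
    print(run_demo())
```

Each probe returns a pair (call refused, link target created). Only the plain `open(..., "w")` leaves a file behind at the link target.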
