Re: [Fwd: Bug#431600: amaya: Insecure use of temporary files allows arbitrary file truncation/creation]

Irene Vatton

Hi Regis,

This patch is now integrated. Thanks for your contribution.

On Wednesday 18 July 2007 13:19, Regis Boudin wrote:

> Hi again,
>
> I've had a little time yesterday to have a look at this bug, and have a
> patch against the current CVS HEAD (attached). Instead of some nasty
> system() call grepped, sed, written into a temp file which is then read,
> parsed and deleted, I simply call nl_langinfo(), which is what locale does
> to give the requested value.
>
> You might need to put the additional "#include" between #ifdef/#endif for
> windows, though.
>
> Please confirm whether it works fine.
>
> Thanks,
> Regis
>
> On Thu, July 5, 2007 14:33, Regis Boudin wrote:
> > Hi,
> >
> > I've been notified of this bug by Steve Kemp, who is running a security
> > audit of the source code in the Debian archive. I'm very busy at the
> > moment so don't have time to provide a patch to go with it, but will be
> > happy to give some help if you need it.
> >
> > Thanks,
> >
> > Regis
> >
> > ---------------------------- Original Message ----------------------------
> > Subject: Bug#431600: amaya: Insecure use of temporary files allows arbitrary file truncation/creation
> > From:    "Steve Kemp" <[hidden email]>
> > Date:    Tue, July 3, 2007 19:42
> > To:      "Debian Bug Tracking System" <[hidden email]>
> > --------------------------------------------------------------------------
> >
> > Package: amaya
> > Version: 9.54~dfsg.0-1
> > Severity: important
> >
> >
> >   The Amaya package contains the following code inside
> >  amaya-9.51/Amaya/thotlib/unicode/ustring.c
> >
> >         {
> >           int  fd;
> >           char buffer[256];
> >           memset ( buffer, 0, 256 );
> >           /* ask the system using locale command */
> >           system ("locale -ck LC_MESSAGES | grep messages-codeset | sed 's/.*=\"//' | sed 's/\"//' > /tmp/locale");
> >           fd = open ("/tmp/locale", O_RDONLY);
> >
> >
> >   This can be abused to allow arbitrary files to be created, or truncated,
> >  when a user runs the browser as this session shows:
> >
> >   # check there are no files, then create an evil symlink
> > skx@vain:~$ ls -l /etc/nologin /tmp/locale
> > ls: /etc/nologin: No such file or directory
> > ls: /tmp/locale: No such file or directory
> > skx@vain:~$ ln -s /etc/nologin /tmp/locale
> >
> >  # wait for root to run the application
> > skx@vain:~$ sudo -s
> > root@vain:~# amaya
> >
> >  # see the file
> > root@vain:~# ls /etc/nologin
> > /etc/nologin
> > root@vain:~# cat /etc/nologin
> > UTF-8
> >
> >   Obviously this example relies upon root to run the application and
> >  linking to /etc/passwd would trash the system.
> >
> >   I guess the solution is to generate a secure temporary filename with
> >  mktemp, mkstemp, or similar.
> >
> > -- System Information:
> > Debian Release: lenny/sid
> >   APT prefers unstable
> >   APT policy: (500, 'unstable')
> > Architecture: amd64 (x86_64)
> >
> > Kernel: Linux 2.6.18-xen (SMP w/2 CPU cores)
> > Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
> > Shell: /bin/sh linked to /bin/bash
> >
> > Versions of packages amaya depends on:
> > ii  amaya-data              9.54~dfsg.0-1    Web Browser, HTML Editor and Testb
> > ii  libc6                   2.5-11           GNU C Library: Shared libraries
> > ii  libexpat1               1.95.8-3.4       XML parsing C library - runtime li
> > ii  libfreetype6            2.2.1-6          FreeType 2 font engine, shared lib
> > ii  libgcc1                 1:4.2-20070627-1 GCC support library
> > ii  libgl1-mesa-glx [libgl1 6.5.2-5          A free implementation of the OpenG
> > ii  libglu1-mesa [libglu1]  6.5.2-5          The OpenGL utility library (GLU)
> > ii  libjpeg62               6b-13            The Independent JPEG Group's JPEG
> > ii  libpng12-0              1.2.15~beta5-2   PNG library - runtime
> > ii  libraptor1              1.4.15-3         Raptor RDF parser and serializer l
> > ii  libstdc++6              4.2-20070627-1   The GNU Standard C++ Library v3
> > ii  libwww-ssl0             5.4.0-11         The W3C-WWW library (SSL support)
> > ii  libwxbase2.6-0          2.6.3.2.1.5      wxBase library (runtime) - non-GUI
> > ii  libwxgtk2.6-0           2.6.3.2.1.5      wxWidgets Cross-platform C++ GUI t
> > ii  ttf-freefont            20060501cvs-12   Freefont Serif, Sans and Mono True
> > ii  zlib1g                  1:1.2.3.3.dfsg-3 compression library - runtime
> >
> > Versions of packages amaya recommends:
> > pn  amaya-doc                     <none>     (no description available)
> >
> > -- no debconf information
> >
> > Steve
> > --
> > #  Kink-Friendly Dating
> > http://ctrl-alt-date.com/

--
     Irène.
-----
Irène Vatton                     INRIA Rhône-Alpes
INRIA                               ZIRST
e-mail: [hidden email]       655 avenue de l'Europe
Tel.: +33 4 76 61 53 61             Montbonnot
Fax:  +33 4 76 61 52 07             38334 Saint Ismier Cedex - France
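The fix Regis describes (asking the C library via nl_langinfo() instead of piping `locale` through grep and sed into a fixed /tmp path) and the mkstemp() fallback Steve suggests, written out as an added example. This is not Amaya's code or the patch from the thread; the template name `amaya-locale.XXXXXX` and the TMPDIR handling are this example's own assumptions.

```c
/* Added example, not Amaya code: replace the shell pipeline with a
 * direct library call, and show an atomic temp-file helper for the
 * rare case where a file is truly unavoidable. */
#include <fcntl.h>
#include <langinfo.h>
#include <locale.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Fill buf with the LC_MESSAGES codeset, e.g. "UTF-8" ("ANSI_X3.4-1968"
 * in the plain C locale). No shell, no /tmp, so no symlink race.
 * Returns 0 on success, -1 if buf cannot hold the name. */
int messages_codeset(char *buf, size_t len)
{
    const char *cs;
    setlocale(LC_ALL, "");          /* honour LANG/LC_*, as `locale` did */
    cs = nl_langinfo(CODESET);
    if (cs == NULL || strlen(cs) >= len)
        return -1;
    strcpy(buf, cs);
    return 0;
}

/* If a temp file is really needed: build it from a template (assumed
 * name, not a project path) rather than a fixed, guessable one. mkstemp
 * opens with O_CREAT|O_EXCL and mode 0600, so a pre-planted symlink makes
 * the call fail instead of being followed. Returns the fd or -1; path
 * receives the chosen name so the caller can unlink it when done. */
int open_private_tmp(char *path, size_t len)
{
    const char *dir = getenv("TMPDIR");
    if (dir == NULL || *dir == '\0')
        dir = "/tmp";
    if (snprintf(path, len, "%s/amaya-locale.XXXXXX", dir) >= (int)len)
        return -1;
    return mkstemp(path);
}

/* Exercise both helpers; returns 1 when they behave as documented. */
int self_check(void)
{
    char cs[64], path[256];
    int fd;
    if (messages_codeset(cs, sizeof cs) != 0 || cs[0] == '\0') return 0;
    if (messages_codeset(cs, 1) != -1) return 0;   /* too-small buffer */
    fd = open_private_tmp(path, sizeof path);
    if (fd < 0) return 0;
    close(fd);
    unlink(path);
    return 1;
}
```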


Re: [Fwd: Bug#431600: amaya: Insecure use of temporary files allows arbitrary file truncation/creation]

Regis Boudin

Hi,

First, thanks for applying the patch. A quick question, though.

On Fri, August 17, 2007 14:16, Irene Vatton wrote:
> Hi Regis,
>
> This patch is now integrated. Thanks for your contribution.

Is there a specific reason to stick with the old (dangerous) code when not
using WX? Since my code doesn't make use of the WX API, I fail to see the
point. If there is any issue with GTK, I would rather fix it to have the
same code in both cases than a different one...

Regis

Re: [Fwd: Bug#431600: amaya: Insecure use of temporary files allows arbitrary file truncation/creation]

Irene Vatton

On Monday 20 August 2007 13:26, Regis Boudin wrote:

> Hi,
>
> First, thanks for applying the patch. A quick question, though.
>
> On Fri, August 17, 2007 14:16, Irene Vatton wrote:
> > Hi Regis,
> >
> > This patch is now integrated. Thanks for your contribution.
>
> Is there a specific reason to stick with the old (dangerous) code when not
> using WX? Since my code doesn't make use of the WX API, I fail to see the
> point. If there is any issue with GTK, I would rather fix it to have the
> same code in both cases than a different one...
>
> Regis

Just because the GTK version is no longer distributed.
Anyway, I removed the old code from the GTK version.
     Irène.