Re: [Fwd: Bug#431600: amaya: Insecure use of temporary files allows arbitrary file truncation/creation]

Hi Regis,

This patch is now integrated. Thanks for your contribution.

On Wednesday 18 July 2007 13:19, Regis Boudin wrote:
> Hi again,
>
> I had a little time yesterday to have a look at this bug, and have a
> patch against the current CVS HEAD (attached). Instead of a nasty
> system() call whose output is grepped, sed'ed, written into a temp file which
> is then read, parsed and deleted, I simply call nl_langinfo(), which is what
> locale does to give the requested value.
>
> You might need to put the additional "#include" between #ifdef/#endif for
> windows, though.
>
> Please confirm whether it works fine.
>
> Thanks,
> Regis
>
> On Thu, July 5, 2007 14:33, Regis Boudin wrote:
> > Hi,
> >
> > I've been notified of this bug by Steve Kemp, who is running a security
> > audit of the source code in the Debian archive. I'm very busy at the
> > moment so don't have time to provide a patch going with it, but will be
> > happy to give some help if you need it.
> >
> > Thanks,
> >
> > Regis
> >
> > ---------------------------- Original Message ----------------------------
> > Subject: Bug#431600: amaya: Insecure use of temporary files allows
> >          arbitrary file truncation/creation
> > From:    "Steve Kemp" <skx@debian.org>
> > Date:    Tue, July 3, 2007 19:42
> > To:      "Debian Bug Tracking System" <submit@bugs.debian.org>
> > --------------------------------------------------------------------------
> >
> > Package: amaya
> > Version: 9.54~dfsg.0-1
> > Severity: important
> >
> >
> >   The Amaya package contains the following code inside
> >  amaya-9.51/Amaya/thotlib/unicode/ustring.c
> >
> >         {
> >           int  fd;
> >           char buffer[256];
> >           memset ( buffer, 0, 256 );
> >           /* ask the system using locale command */
> >           system ("locale -ck LC_MESSAGES | grep messages-codeset | sed 's/.*=\"//' | sed 's/\"//' > /tmp/locale");
> >           fd = open ("/tmp/locale", O_RDONLY);
> >
> >
> >   This can be abused to allow arbitrary files to be created, or truncated,
> >  when a user runs the browser, as this session shows:
> >
> >   # check there are no files, then create an evil symlink
> > skx@vain:~$ ls -l /etc/nologin /tmp/locale
> > ls: /etc/nologin: No such file or directory
> > ls: /tmp/locale: No such file or directory
> > skx@vain:~$ ln -s /etc/nologin /tmp/locale
> >
> >  # wait for root to run the application
> > skx@vain:~$ sudo -s
> > root@vain:~# amaya
> >
> >  # see the file
> > root@vain:~# ls /etc/nologin
> > /etc/nologin
> > root@vain:~# cat /etc/nologin
> > UTF-8
> >
> >   Obviously this example relies upon root to run the application, and
> >  linking to /etc/passwd would trash the system.
> >
> >   I guess the solution is to generate a secure temporary filename with
> >  mktemp, mkstemp, or similar..
> >
> > -- System Information:
> > Debian Release: lenny/sid
> >   APT prefers unstable
> >   APT policy: (500, 'unstable')
> > Architecture: amd64 (x86_64)
> >
> > Kernel: Linux 2.6.18-xen (SMP w/2 CPU cores)
> > Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
> > Shell: /bin/sh linked to /bin/bash
> >
> > Versions of packages amaya depends on:
> > ii  amaya-data              9.54~dfsg.0-1    Web Browser, HTML Editor and Testb
> > ii  libc6                   2.5-11           GNU C Library: Shared libraries
> > ii  libexpat1               1.95.8-3.4       XML parsing C library - runtime li
> > ii  libfreetype6            2.2.1-6          FreeType 2 font engine, shared lib
> > ii  libgcc1                 1:4.2-20070627-1 GCC support library
> > ii  libgl1-mesa-glx [libgl1 6.5.2-5          A free implementation of the OpenG
> > ii  libglu1-mesa [libglu1]  6.5.2-5          The OpenGL utility library (GLU)
> > ii  libjpeg62               6b-13            The Independent JPEG Group's JPEG
> > ii  libpng12-0              1.2.15~beta5-2   PNG library - runtime
> > ii  libraptor1              1.4.15-3         Raptor RDF parser and serializer l
> > ii  libstdc++6              4.2-20070627-1   The GNU Standard C++ Library v3
> > ii  libwww-ssl0             5.4.0-11         The W3C-WWW library (SSL support)
> > ii  libwxbase2.6-0          2.6.3.2.1.5      wxBase library (runtime) - non-GUI
> > ii  libwxgtk2.6-0           2.6.3.2.1.5      wxWidgets Cross-platform C++ GUI t
> > ii  ttf-freefont            20060501cvs-12   Freefont Serif, Sans and Mono True
> > ii  zlib1g                  1:1.2.3.3.dfsg-3 compression library - runtime
> >
> > Versions of packages amaya recommends:
> > pn  amaya-doc                     <none>     (no description available)
> >
> > -- no debconf information
> >
> > Steve
> > --
> > #  Kink-Friendly Dating
> > http://ctrl-alt-date.com/

-- 
     Irène.
-----
Irène Vatton                     INRIA Rhône-Alpes
INRIA                               ZIRST
e-mail: Irene.Vatton@inria.fr       655 avenue de l'Europe
Tel.: +33 4 76 61 53 61             Montbonnot
Fax:  +33 4 76 61 52 07             38334 Saint Ismier Cedex - France

Received on Friday, 17 August 2007 13:18:13 UTC
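The two fixes discussed in this thread, shown side by side as an added example (this is not Amaya's code and not Regis' patch; the function names `messages_codeset` and `tmpfile_roundtrip` are hypothetical). The first does what the patch does: it asks the C library for the LC_MESSAGES codeset in-process via nl_langinfo(CODESET), so there is no child shell and no file under /tmp for an attacker to pre-create as a symlink. The second shows the fallback Steve suggests for cases where a temporary file really is needed: mkstemp() opens the file with O_CREAT|O_EXCL and mode 0600 on an unpredictable name, so a symlink planted at the path is never followed, and the file is read back through the same descriptor rather than by re-opening the path.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <langinfo.h>
#include <locale.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/*
 * The reported pattern was:
 *   system("locale -ck LC_MESSAGES | ... > /tmp/locale");
 *   fd = open("/tmp/locale", O_RDONLY);
 * The shell redirection truncates/creates whatever /tmp/locale points at,
 * with the privileges of the user running the browser.
 */

/*
 * Fix 1 (what the thread's patch does): in-process lookup, no shell, no
 * temp file. Copies the codeset name into buf and returns its length,
 * or 0 on failure. Hypothetical helper name.
 */
size_t messages_codeset(char *buf, size_t buflen)
{
    if (buf == NULL || buflen == 0)
        return 0;
    /* nl_langinfo() reports the *current* locale, so load the environment's
       locale first; the locale(1) command does the same internally. Fall back
       to "C", which always exists, rather than fail on a broken LANG. */
    if (setlocale(LC_ALL, "") == NULL)
        setlocale(LC_ALL, "C");
    const char *cs = nl_langinfo(CODESET);
    if (cs == NULL || *cs == '\0')
        return 0;
    size_t n = strlen(cs);
    if (n >= buflen)
        n = buflen - 1;          /* truncate rather than overflow */
    memcpy(buf, cs, n);
    buf[n] = '\0';
    return n;
}

/*
 * Fix 2 (Steve's suggestion, for when a temp file is unavoidable): mkstemp()
 * creates the file O_CREAT|O_EXCL, mode 0600, with a random suffix, so a
 * pre-placed symlink is not followed and the name cannot be guessed.
 * Writes payload, reads it back through the same fd, returns 0 on success.
 * Hypothetical helper name.
 */
int tmpfile_roundtrip(const char *payload, char *out, size_t outlen)
{
    char path[] = "/tmp/locale.XXXXXX";  /* template: mkstemp fills the X's */
    int fd = mkstemp(path);
    if (fd < 0 || out == NULL || outlen == 0)
        return -1;
    /* The name is never reopened, so drop it now: the open descriptor keeps
       the inode alive and nobody can race on the path afterwards. */
    unlink(path);

    size_t len = strlen(payload);
    if (write(fd, payload, len) != (ssize_t)len) { close(fd); return -1; }
    if (lseek(fd, 0, SEEK_SET) != 0)             { close(fd); return -1; }
    ssize_t got = read(fd, out, outlen - 1);
    close(fd);
    if (got < 0)
        return -1;
    out[got] = '\0';
    return 0;
}

int main(void)
{
    char cs[64], back[32];
    if (messages_codeset(cs, sizeof cs) == 0)
        return 1;
    printf("LC_MESSAGES codeset: %s\n", cs);
    /* Constructed sample payload, mirroring what the old shell pipeline wrote. */
    if (tmpfile_roundtrip("UTF-8\n", back, sizeof back) != 0)
        return 1;
    printf("read back: %s", back);
    return 0;
}
```

The check a reviewer would want on the second helper is that the file is only ever touched through the descriptor mkstemp() returned; the moment code goes back to the path with open(), fopen() or a shell redirection, the symlink race from the bug report is back. Under the C/POSIX locale glibc reports the codeset as ANSI_X3.4-1968, so callers should expect values other than UTF-8.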