- From: Regis Boudin <regis@boudin.name>
- Date: Thu, 5 Jul 2007 14:33:08 +0100 (BST)
- To: www-amaya@w3.org
Hi,

I've been notified of this bug by Steve Kemp, who is running a security audit of the source code in the Debian archive. I'm very busy at the moment so don't have time to provide a patch to go with it, but will be happy to give some help if you need it.

Thanks,
Regis

---------------------------- Original Message ----------------------------
Subject: Bug#431600: amaya: Insecure use of temporary files allows arbitrary file truncation/creation
From: "Steve Kemp" <skx@debian.org>
Date: Tue, July 3, 2007 19:42
To: "Debian Bug Tracking System" <submit@bugs.debian.org>
--------------------------------------------------------------------------

Package: amaya
Version: 9.54~dfsg.0-1
Severity: important

The Amaya package contains the following code inside amaya-9.51/Amaya/thotlib/unicode/ustring.c

    {
      int fd;
      char buffer[256];

      memset ( buffer, 0, 256 );
      /* ask the system using locale command */
      system ("locale -ck LC_MESSAGES | grep messages-codeset | sed 's/.*=\"//' | sed 's/\"//' > /tmp/locale");
      fd = open ("/tmp/locale", O_RDONLY);

This can be abused to allow arbitrary files to be created or truncated when a user runs the browser, as this session shows:

    # check there are no files, then create an evil symlink
    skx@vain:~$ ls -l /etc/nologin /tmp/locale
    ls: /etc/nologin: No such file or directory
    ls: /tmp/locale: No such file or directory
    skx@vain:~$ ln -s /etc/nologin /tmp/locale

    # wait for root to run the application
    skx@vain:~$ sudo -s
    root@vain:~# amaya

    # see the file
    root@vain:~# ls /etc/nologin
    /etc/nologin
    root@vain:~# cat /etc/nologin
    UTF-8

Obviously this example relies upon root to run the application, and linking to /etc/passwd would trash the system.

I guess the solution is to generate a secure temporary filename with mktemp, mkstemp, or similar.
-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.18-xen (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages amaya depends on:
ii  amaya-data               9.54~dfsg.0-1       Web Browser, HTML Editor and Testb
ii  libc6                    2.5-11              GNU C Library: Shared libraries
ii  libexpat1                1.95.8-3.4          XML parsing C library - runtime li
ii  libfreetype6             2.2.1-6             FreeType 2 font engine, shared lib
ii  libgcc1                  1:4.2-20070627-1    GCC support library
ii  libgl1-mesa-glx [libgl1  6.5.2-5             A free implementation of the OpenG
ii  libglu1-mesa [libglu1]   6.5.2-5             The OpenGL utility library (GLU)
ii  libjpeg62                6b-13               The Independent JPEG Group's JPEG
ii  libpng12-0               1.2.15~beta5-2      PNG library - runtime
ii  libraptor1               1.4.15-3            Raptor RDF parser and serializer l
ii  libstdc++6               4.2-20070627-1      The GNU Standard C++ Library v3
ii  libwww-ssl0              5.4.0-11            The W3C-WWW library (SSL support)
ii  libwxbase2.6-0           2.6.3.2.1.5         wxBase library (runtime) - non-GUI
ii  libwxgtk2.6-0            2.6.3.2.1.5         wxWidgets Cross-platform C++ GUI t
ii  ttf-freefont             20060501cvs-12      Freefont Serif, Sans and Mono True
ii  zlib1g                   1:1.2.3.3.dfsg-3    compression library - runtime

Versions of packages amaya recommends:
pn  amaya-doc                <none>              (no description available)

-- no debconf information

Steve
--
# Kink-Friendly Dating
http://ctrl-alt-date.com/
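Two hardened replacements for the fixed-path /tmp/locale scratch file, as an added example that is neither Amaya's code nor the reporter's: message_codeset() asks libc for the codeset with no shell and no file at all (assuming, as holds for glibc locales, that the LC_CTYPE codeset equals the messages-codeset the pipeline grepped for), open_private_tmpfile() takes the mkstemp route the report suggests, and open_fresh_file() shows the O_EXCL check that makes a pre-planted symlink fail instead of being followed. All function names are mine.

```c
#define _GNU_SOURCE          /* declares mkstemp() on glibc */
#include <errno.h>
#include <fcntl.h>
#include <langinfo.h>
#include <locale.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* 1. Preferred fix: ask libc for the codeset.  No shell command, no file,
 *    nothing an attacker can plant.  Assumes (true for glibc) that the
 *    LC_CTYPE codeset equals the LC_MESSAGES "messages-codeset" value the
 *    original shell pipeline grepped for. */
int message_codeset(char *out, size_t len)
{
    const char *cs;
    /* use the environment locale; fall back to "C" if it is not installed */
    if (setlocale(LC_CTYPE, "") == NULL && setlocale(LC_CTYPE, "C") == NULL)
        return -1;
    cs = nl_langinfo(CODESET);
    if (cs == NULL || strlen(cs) >= len)
        return -1;                       /* refuse rather than truncate */
    strcpy(out, cs);
    return 0;
}

/* 2. If a scratch file is unavoidable: mkstemp() replaces XXXXXX with a
 *    random suffix and opens with O_CREAT|O_EXCL (mode 0600 on glibc), so
 *    a file or symlink pre-planted at a guessable name is never handed to
 *    us.  Returns the fd; 'path' receives the name the caller must unlink(). */
int open_private_tmpfile(char *path, size_t len)
{
    const char *dir = getenv("TMPDIR");
    int n;
    if (dir == NULL || *dir == '\0')
        dir = "/tmp";
    n = snprintf(path, len, "%s/amaya-locale-XXXXXX", dir);
    if (n < 0 || (size_t)n >= len)
        return -1;                       /* name did not fit: error out */
    return mkstemp(path);
}

/* 3. The check behind mkstemp, usable on any fixed path: with O_EXCL,
 *    open() fails with EEXIST if anything, a symlink included, is already
 *    there, so the file is created fresh or not at all and never truncated. */
int open_fresh_file(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}
```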
Received on Thursday, 5 July 2007 13:33:19 UTC