Re: [Fwd: Bug#431600: amaya: Insecure use of temporary files allows arbitary file trunaction/creation] from Regis Boudin on 2007-07-18 (www-amaya@w3.org from July to September 2007)

From: Regis Boudin <regis@boudin.name>
Date: Wed, 18 Jul 2007 12:19:53 +0100 (BST)
To: www-amaya@w3.org
Message-ID: <5140.195.224.154.166.1184757593.squirrel@mail.imalip.net>
Hi again,

I've had a little time yesterday to have a look at this bug, and have a
patch against the current CVS HEAD (attached). Instead of some nasty
system() call grepped, sed, written into a temp file which is then read,
parsed and deleted, I simply call nl_langinfo(), which is what locale does
to give the requested value.

You might need to put the additional "#include" between #ifdef/#endif for
windows, though.

Please confirm whether it works fine.

Thanks,
Regis

On Thu, July 5, 2007 14:33, Regis Boudin wrote:
>
> Hi,
>
> I've been notified this bug, by Steve Kemps who is running a security
> audit of the source code in the debian archive. I'm a very busy at the
> moment so don't have time to provide a patch going with it, but will be
> happy to give some help if you need it.
>
> Thanks,
>
> Regis
>
> ---------------------------- Original Message ----------------------------
> Subject: Bug#431600: amaya: Insecure use of temporary files allows
> arbitary file trunaction/creation
> From:    "Steve Kemp" <skx@debian.org>
> Date:    Tue, July 3, 2007 19:42
> To:      "Debian Bug Tracking System" <submit@bugs.debian.org>
> --------------------------------------------------------------------------
>
> Package: amaya
> Version: 9.54~dfsg.0-1
> Severity: important
>
>
>   The Amaya package contains the following code inside
>  amaya-9.51/Amaya/thotlib/unicode/ustring.c
>
>         {
>           int  fd;
>           char buffer[256];
>           memset ( buffer, 0, 256 );
>           /* ask the system using locale command */
>           system ("locale -ck LC_MESSAGES | grep messages-codeset | sed
> 's/.*=\"//' | sed 's/\"//' > /tmp/locale");
>           fd = open ("/tmp/locale", O_RDONLY);
>
>
>   This can be abused to allow arbitary files to be created, or truncated,
>  when a user runs the browser as this session shows:
>
>   # check there are no files, then create an evil symlink
> skx@vain:~$ ls -l /etc/nologin /tmp/locale
> ls: /etc/nologin: No such file or directory
> ls: /tmp/locale: No such file or directory
> skx@vain:~$ ln -s /etc/nologin /tmp/locale
>
>  # wait for root to run the application
> skx@vain:~$ sudo -s
> root@vain:~# amaya
>
>  # see the file
> root@vain:~# ls /etc/nologin
> /etc/nologin
> root@vain:~# cat /etc/nologin
> UTF-8
>
>   Obviously this example relies upon root to run the application and
> linking
>  to /etc/passwd would trash the system.
>
>   I guess the solution is to generate a secure temporary filename with
>  mktemp, mkstemp, or similar..
>
> -- System Information:
> Debian Release: lenny/sid
>   APT prefers unstable
>   APT policy: (500, 'unstable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 2.6.18-xen (SMP w/2 CPU cores)
> Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/bash
>
> Versions of packages amaya depends on:
> ii  amaya-data              9.54~dfsg.0-1    Web Browser, HTML Editor and
> Testb
> ii  libc6                   2.5-11           GNU C Library: Shared
> libraries
> ii  libexpat1               1.95.8-3.4       XML parsing C library -
> runtime li
> ii  libfreetype6            2.2.1-6          FreeType 2 font engine,
> shared lib
> ii  libgcc1                 1:4.2-20070627-1 GCC support library
> ii  libgl1-mesa-glx [libgl1 6.5.2-5          A free implementation of the
> OpenG
> ii  libglu1-mesa [libglu1]  6.5.2-5          The OpenGL utility library
> (GLU)
> ii  libjpeg62               6b-13            The Independent JPEG Group's
> JPEG
> ii  libpng12-0              1.2.15~beta5-2   PNG library - runtime
> ii  libraptor1              1.4.15-3         Raptor RDF parser and
> serializer l
> ii  libstdc++6              4.2-20070627-1   The GNU Standard C++ Library
> v3
> ii  libwww-ssl0             5.4.0-11         The W3C-WWW library (SSL
> support)
> ii  libwxbase2.6-0          2.6.3.2.1.5      wxBase library (runtime) -
> non-GUI
> ii  libwxgtk2.6-0           2.6.3.2.1.5      wxWidgets Cross-platform C++
> GUI t
> ii  ttf-freefont            20060501cvs-12   Freefont Serif, Sans and Mono
> True
> ii  zlib1g                  1:1.2.3.3.dfsg-3 compression library - runtime
>
> Versions of packages amaya recommends:
> pn  amaya-doc                     <none>     (no description available)
>
> -- no debconf information
>
> Steve
> --
> #  Kink-Friendly Dating
> http://ctrl-alt-date.com/
>
>
>
>
>
Attachments

text/x-c attachment: security_fix.diff
Received on Wednesday, 18 July 2007 11:20:14 UTC