- From: Regis Boudin <regis@boudin.name>
- Date: Wed, 18 Jul 2007 12:19:53 +0100 (BST)
- To: www-amaya@w3.org
- Message-ID: <5140.195.224.154.166.1184757593.squirrel@mail.imalip.net>
Hi again,

I had a little time yesterday to have a look at this bug, and have a patch against the current CVS HEAD (attached). Instead of some nasty system() call, grepped, sed'd, written into a temp file which is then read, parsed and deleted, I simply call nl_langinfo(), which is what locale does to give the requested value. You might need to put the additional "#include" between #ifdef/#endif for Windows, though.

Please confirm whether it works fine.

Thanks,
Regis

On Thu, July 5, 2007 14:33, Regis Boudin wrote:
>
> Hi,
>
> I've been notified of this bug by Steve Kemp, who is running a security
> audit of the source code in the Debian archive. I'm very busy at the
> moment so don't have time to provide a patch going with it, but will be
> happy to give some help if you need it.
>
> Thanks,
>
> Regis
>
> ---------------------------- Original Message ----------------------------
> Subject: Bug#431600: amaya: Insecure use of temporary files allows
> arbitrary file truncation/creation
> From: "Steve Kemp" <skx@debian.org>
> Date: Tue, July 3, 2007 19:42
> To: "Debian Bug Tracking System" <submit@bugs.debian.org>
> --------------------------------------------------------------------------
>
> Package: amaya
> Version: 9.54~dfsg.0-1
> Severity: important
>
> The Amaya package contains the following code inside
> amaya-9.51/Amaya/thotlib/unicode/ustring.c
>
>   {
>     int fd;
>     char buffer[256];
>     memset ( buffer, 0, 256 );
>     /* ask the system using locale command */
>     system ("locale -ck LC_MESSAGES | grep messages-codeset | sed 's/.*=\"//' | sed 's/\"//' > /tmp/locale");
>     fd = open ("/tmp/locale", O_RDONLY);
>
> This can be abused to allow arbitrary files to be created, or truncated,
> when a user runs the browser as this session shows:
>
>   # check there are no files, then create an evil symlink
>   skx@vain:~$ ls -l /etc/nologin /tmp/locale
>   ls: /etc/nologin: No such file or directory
>   ls: /tmp/locale: No such file or directory
>   skx@vain:~$ ln -s /etc/nologin /tmp/locale
>
>   # wait for root to run the application
>   skx@vain:~$ sudo -s
>   root@vain:~# amaya
>
>   # see the file
>   root@vain:~# ls /etc/nologin
>   /etc/nologin
>   root@vain:~# cat /etc/nologin
>   UTF-8
>
> Obviously this example relies upon root to run the application, and
> linking to /etc/passwd would trash the system.
>
> I guess the solution is to generate a secure temporary filename with
> mktemp, mkstemp, or similar.
>
> -- System Information:
> Debian Release: lenny/sid
>   APT prefers unstable
>   APT policy: (500, 'unstable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 2.6.18-xen (SMP w/2 CPU cores)
> Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/bash
>
> Versions of packages amaya depends on:
> ii  amaya-data                9.54~dfsg.0-1      Web Browser, HTML Editor and Testb
> ii  libc6                     2.5-11             GNU C Library: Shared libraries
> ii  libexpat1                 1.95.8-3.4         XML parsing C library - runtime li
> ii  libfreetype6              2.2.1-6            FreeType 2 font engine, shared lib
> ii  libgcc1                   1:4.2-20070627-1   GCC support library
> ii  libgl1-mesa-glx [libgl1]  6.5.2-5            A free implementation of the OpenG
> ii  libglu1-mesa [libglu1]    6.5.2-5            The OpenGL utility library (GLU)
> ii  libjpeg62                 6b-13              The Independent JPEG Group's JPEG
> ii  libpng12-0                1.2.15~beta5-2     PNG library - runtime
> ii  libraptor1                1.4.15-3           Raptor RDF parser and serializer l
> ii  libstdc++6                4.2-20070627-1     The GNU Standard C++ Library v3
> ii  libwww-ssl0               5.4.0-11           The W3C-WWW library (SSL support)
> ii  libwxbase2.6-0            2.6.3.2.1.5        wxBase library (runtime) - non-GUI
> ii  libwxgtk2.6-0             2.6.3.2.1.5        wxWidgets Cross-platform C++ GUI t
> ii  ttf-freefont              20060501cvs-12     Freefont Serif, Sans and Mono True
> ii  zlib1g                    1:1.2.3.3.dfsg-3   compression library - runtime
>
> Versions of packages amaya recommends:
> pn  amaya-doc                 <none>             (no description available)
>
> -- no debconf information
>
> Steve
> --
> # Kink-Friendly Dating
> http://ctrl-alt-date.com/
Attachments
- text/x-c attachment: security_fix.diff
Received on Wednesday, 18 July 2007 11:20:14 UTC
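As an added example (not the attached security_fix.diff, which is not reproduced on this page), here is the in-process lookup the message proposes: setlocale() plus nl_langinfo(CODESET) replaces the system()/grep/sed/temp-file chain, so nothing under /tmp is ever created or opened and the symlink in the bug report has nothing to bite on. It assumes the LC_CTYPE codeset is the value Amaya wants; the function name get_locale_codeset() and the buffer-size check are mine.

```c
/* Added example, not Amaya code: fetch the locale's codeset name
 * in-process instead of shelling out and round-tripping via /tmp/locale. */
#include <langinfo.h>
#include <locale.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Copy the current locale's codeset name (e.g. "UTF-8") into buf.
 * Returns the name's length, or -1 if it is unavailable or does not fit.
 * No shell, no temporary file: there is no path for an attacker to
 * pre-create, and no fixed 256-byte buffer filled from untrusted data. */
int get_locale_codeset(char *buf, size_t len)
{
    const char *cs;

    /* Honour LANG/LC_* from the environment. Without this call the process
     * stays in the "C" locale whatever the user exported. If the requested
     * locale is not installed, setlocale() returns NULL and we simply keep
     * the current (C) locale, which still yields a valid codeset name. */
    setlocale(LC_CTYPE, "");

    /* nl_langinfo() answers from libc's own locale data: this is the same
     * source the locale(1) command reads, minus the pipeline and file. */
    cs = nl_langinfo(CODESET);
    if (cs == NULL || *cs == '\0')
        return -1;

    /* Reject anything that would not fit, rather than truncating silently. */
    if (strlen(cs) >= len)
        return -1;

    strcpy(buf, cs);
    return (int)strlen(buf);
}

int main(void)
{
    char codeset[64];

    if (get_locale_codeset(codeset, sizeof codeset) < 0) {
        fputs("cannot determine locale codeset\n", stderr);
        return 1;
    }
    printf("messages-codeset=%s\n", codeset);
    return 0;
}
```

In the C/POSIX locale glibc reports "ANSI_X3.4-1968"; with LANG=en_GB.UTF-8 as in the bug report it reports "UTF-8".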