Bugzilla – Full Text Bug Listing
| Summary: | VUL-0: CVE-2005-2991: ncompress: insecure tmp file handling | ||
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Thomas Biege <thomas> |
| Component: | Incidents | Assignee: | Thorsten Kukuk <kukuk> |
| Status: | RESOLVED INVALID | QA Contact: | E-mail List <qa-bugs> |
| Severity: | Minor | ||
| Priority: | P5 - None | CC: | security-team |
| Version: | unspecified | ||
| Target Milestone: | --- | ||
| Hardware: | Other | ||
| OS: | All | ||
| Whiteboard: | CVE-2005-2991: CVSS v2 Base Score: 2.1 (AV:L/AC:L/Au:N/C:N/I:P/A:N) | ||
| Found By: | Other | Services Priority: | |
| Business Priority: | Blocker: | --- | |
| Marketing QA Status: | --- | IT Deployment: | --- |
|
Description
Thomas Biege
2005-09-19 06:43:35 UTC
To: coley@mitre.org
Cc: vendor-sec@lst.de
From: Josh Bressers <bressers@redhat.com>
Subject: [vendor-sec] CAN-2004-0970 question
Errors-To: vendor-sec-admin@lst.de
Date: Fri, 16 Sep 2005 12:26:42 -0400

Steve,

An advisory was posted to full-disclosure today that references CAN-2004-0970.
http://marc.theaimsgroup.com/?l=full-disclosure&m=112688098630314&w=2

The text of CAN-2004-0970 references gzip by name, and the code in question isn't very similar. The ncompress script in question is named zcmp, which isn't listed as vulnerable in CAN-2004-0970.

I'm guessing there should be a new CVE id assigned to this.

Thanks.

-- JB

On Fri, 16 Sep 2005, Josh Bressers wrote:
> An advisory was posted to full-disclosure today that references
> CAN-2004-0970.
> http://marc.theaimsgroup.com/?l=full-disclosure&m=112688098630314&w=2
>
> The text of CAN-2004-0970 references gzip by name, and the code in question
> isn't very similar. The ncompress script in question is named zcmp, which
> isn't listed as vulnerable in CAN-2004-0970.

I suspect he linked it to CAN-2004-0970 because of this: "ncompress use vulnerable version off zdiff and zcmp." zdiff is mentioned in CAN-2004-0970, but zcmp is not. If the problem in ncompress is because it uses its own vulnerable copy of zdiff, then that would argue for using the old CAN (similar to using the same CAN for all the products that use vulnerable XML-RPC libraries). But if zcmp is still vulnerable, or there's some other issue that forces people to patch, then it would probably be best to create a new CAN.

- Steve
_______________________________________________
Vendor Security mailing list

another bug:

======================================================
Candidate: CAN-2005-2991
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2991
Reference: FULLDISC:20050916 ncompress insecure temporary file creation
Reference: URL:http://marc.theaimsgroup.com/?l=full-disclosure&m=112688098630314&w=2
Reference: MISC:http://www.zataz.net/adviso/ncompress-09052005.txt

ncompress 4.2.4 and earlier allows local users to overwrite arbitrary files via a symlink attack on temporary files using (1) zdiff or (2) zcmp, a different vulnerability than CAN-2004-0970.

ping?

minor severity (this is an internal package); reassigning to maintainer

Maintainer is still "uli@suse.de", even if the package was dead for some time.

a) BS, check pdb
b) I resigned from that job in January 2003.

a) uli@suse.de says autobuild and PDB history until some minutes ago. Even if you changed that yourself, you can fool the tools.

Ok, seems nobody will take care for that.

You reactivated that package. If you did it for yourself, maintain it. If you did it for somebody else, let them maintain it. In any case, I have nothing to do with it. The whole report is invalid.

I think it is not.
```
thomas@bragg:~/work/9.1/ncompress/ncompress-4.2.4> grep tmp z*
zcmp: zcat $2 > /tmp/$F.$$
zcmp: zcat $1 | cmp $OPTIONS - /tmp/$F.$$
zcmp: zcat $2 > /tmp/$F.$$
zcmp: cmp $OPTIONS $1 /tmp/$F.$$
zdiff: zcat $2 > /tmp/$F.$$
zdiff: zcat $1 | diff $OPTIONS - /tmp/$F.$$
thomas@bragg:~/work/9.1/ncompress/ncompress-4.2.4> is_maintained ncompress
Package is on CD core9.i386
Distribution: sles9-i386
Distributionstring: SUSE-Linux-CORE-i386
Marketing-Name: SUSE CORE 9 for x86
Package is on CD core9.ia64
Distribution: sles9-ia64
Distributionstring: SUSE-Linux-CORE-ia64
Marketing-Name: SUSE CORE 9 for Itanium Processor Family
Package is on CD core9.ppc
Distribution: sles9-ppc
Distributionstring: SUSE-Linux-CORE-PPC
Marketing-Name: SUSE CORE 9 for IBM POWER
Package is on CD core9.s390
Distribution: sles9-s390
Distributionstring: SUSE-Linux-CORE-s390
Marketing-Name: SUSE CORE 9 for IBM S/390 31bit
Package is on CD core9.s390x
Distribution: sles9-s390x
Distributionstring: SUSE-Linux-CORE-s390x
Marketing-Name: SUSE CORE 9 for IBM zSeries 64bit
Package is on CD core9.x86-64
Distribution: sles9-x86_64
Distributionstring: SUSE-Linux-CORE-x86-64
Marketing-Name: SUSE CORE 9 for AMD64 and Intel EM64T
thomas@bragg:~/work/9.1/ncompress/ncompress-4.2.4> WhoMaintains ncompress
ncompress: package 'ncompress' maintained by 'kukuk@suse.de'
```
Did you ever check if we ship those tools?
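The `/tmp/$F.$$` pattern the grep output above shows, placed beside a hardened replacement and a small scanner that flags the same pattern in other scripts; this is an added example, not code from the bug report or from the ncompress package. The function names `safe_zcmp` and `scan_unsafe_tmp` are hypothetical, and `ZCAT` defaults to `zcat` so a test can substitute `cat`.

```shell
#!/bin/sh
# Added example (not from the bug report or ncompress): hardened temp-file
# handling for a zcmp-style script, plus a detector for the unsafe pattern.
# Function names are hypothetical; ZCAT overrides the decompressor (assumption).

# Vulnerable pattern, quoted from zcmp/zdiff in ncompress 4.2.4:
#     zcat $2 > /tmp/$F.$$
#     zcat $1 | cmp $OPTIONS - /tmp/$F.$$
# The name is built from the PID, so it is predictable, and the redirection
# follows a symlink a local user planted at that path beforehand: whatever
# the link points to is overwritten with the decompressed data.

# Hardened form: mktemp creates a fresh file (O_CREAT|O_EXCL, mode 0600) in
# $TMPDIR, so a pre-planted link cannot be followed; the trap removes the file
# even if the script is interrupted. Exit status is cmp's (0 same, 1 differ,
# 2 on a decompression failure).
safe_zcmp() {
    tmp=$(mktemp "${TMPDIR:-/tmp}/zcmp.XXXXXX") || return 2
    trap 'rm -f "$tmp"' EXIT HUP INT TERM
    if ! "${ZCAT:-zcat}" "$2" > "$tmp"; then
        rm -f "$tmp"; trap - EXIT HUP INT TERM; return 2
    fi
    "${ZCAT:-zcat}" "$1" | cmp - "$tmp"
    rc=$?
    rm -f "$tmp"
    trap - EXIT HUP INT TERM
    return $rc
}

# Detection: count lines in a script that build a /tmp path from $$, which is
# the signature of this bug (prints the count; non-zero count means a finding).
scan_unsafe_tmp() {
    grep -c '/tmp/[^ ]*\$\$' "$1"
}
```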