Bug 120577

Summary:	texinfo: insecure tmp file handling
Product:	[openSUSE] SUSE Linux 10.1	Reporter:	Thomas Biege <thomas>
Component:	Other	Assignee:	Security Team bot <security-team>
Status:	RESOLVED FIXED	QA Contact:	E-mail List <qa-bugs>
Severity:	Normal
Priority:	P5 - None	CC:	werner
Version:	unspecified
Target Milestone:	---
Hardware:	Other
OS:	All
Whiteboard:	CVE-2005-3011: CVSS v2 Base Score: 1.2 (AV:L/AC:H/Au:N/C:N/I:P/A:N)
Found By:	Other	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---
Attachments:	Replace mkstemp with mkdtemp

Description Thomas Biege 2005-10-06 07:45:24 UTC

Hello Werner,
if we are affected we need a fix for STABLE.

Gentoo Linux Security Advisory                           GLSA 200510-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Texinfo: Insecure temporary file creation
      Date: October 05, 2005
      Bugs: #106105
        ID: 200510-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Texinfo is vulnerable to symlink attacks, potentially allowing a local
user to overwrite arbitrary files.

Background
==========

Texinfo is the official documentation system created by the GNU
project.

Affected packages
=================

    -------------------------------------------------------------------
     Package           /  Vulnerable  /                     Unaffected
    -------------------------------------------------------------------
  1  sys-apps/texinfo      < 4.8-r1                          >= 4.8-r1

Description
===========

Frank Lichtenheld has discovered that the "sort_offline()" function in
texindex insecurely creates temporary files with predictable filenames.

Impact
======

A local attacker could create symbolic links in the temporary files
directory, pointing to a valid file somewhere on the filesystem. When
texindex is executed, this would result in the file being overwritten
with the rights of the user running the application.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Texinfo users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=sys-apps/texinfo-4.8-r1"

References
==========

  [ 1 ] CAN-2005-3011
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3011

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200510-04.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0

Comment 1 Dr. Werner Fink 2005-10-06 10:26:12 UTC

Which stupid has written maketempname() with

  static char *
  maketempname (int count)
  {
    static char *tempbase = NULL;
    char tempsuffix[10];

    if (!tempbase)
      {
        int fd;
        tempbase = concat (tempdir, "txidxXXXXXX");

        fd = mkstemp (tempbase);
        if (fd == -1)
          pfatal_with_name (tempbase);
      }

    sprintf (tempsuffix, ".%d", count);
    return concat (tempbase, tempsuffix);
  }

which uses mkstemp only once and returns after
this only new but easy predictable file names?

The correct way is to use alwaya mkstemp and
return the file descriptor for an fdopen().

Comment 2 Dr. Werner Fink 2005-10-06 10:55:16 UTC

With a few modification we can use mkdtemp() to create
a sub directory which then includes all temporary files.

Comment 3 Dr. Werner Fink 2005-10-06 11:40:06 UTC

Created attachment 51584 [details]
Replace mkstemp with mkdtemp

AFAIS this should work, any test file around here?

Comment 4 Dr. Werner Fink 2005-10-06 11:43:25 UTC

Comment on attachment 51584 [details]
Replace mkstemp with mkdtemp

>--- util/texindex.c
>+++ util/texindex.c	2005-10-06 12:48:09.000000000 +0200
>@@ -20,6 +20,7 @@
> 
> #include "system.h"
> #include <getopt.h>
>+#include <stdlib.h>
> 
> static char *program_name = "texindex";
> 
>@@ -37,8 +38,6 @@
> #define memset(ptr, ignore, count) bzero (ptr, count)
> #endif
> 
>-char *mktemp (char *);
>-
> #if !defined (SEEK_SET)
> #  define SEEK_SET 0
> #  define SEEK_CUR 1
>@@ -99,6 +98,10 @@
> /* Directory to use for temporary files.  On Unix, it ends with a slash.  */
> char *tempdir;
> 
>+/* The base directory for the temporary files located in tempdir */
>+
>+static char *tempbase = NULL;
>+
> /* Number of last temporary file.  */
> int tempcount;
> 
>@@ -146,6 +149,7 @@
> void *xmalloc (), *xrealloc ();
> char *concat (char *s1, char *s2);
> void flush_tempfiles (int to_count);
>+void flush_tempfiles_atexit ();
> 
> #define MAX_IN_CORE_SORT 500000
> 
>@@ -321,6 +325,7 @@
>     tempdir = concat (tempdir, "/");
> 
>   keep_tempfiles = 0;
>+  atexit(flush_tempfiles_atexit);
> 
>   /* Allocate ARGC input files, which must be enough.  */
> 
>@@ -384,25 +389,25 @@
>     usage (1);
> }
> 
>+
> /* Return a name for temporary file COUNT. */
> 
> static char *
> maketempname (int count)
> {
>-  static char *tempbase = NULL;
>-  char tempsuffix[10];
>+  char tempsuffix[20];
> 
>   if (!tempbase)
>     {
>-      int fd;
>-      tempbase = concat (tempdir, "txidxXXXXXX");
>+      char *td;
>+      tempbase = concat (tempdir, "txdirXXXXXX");
> 
>-      fd = mkstemp (tempbase);
>-      if (fd == -1)
>+      td = mkdtemp (tempbase);
>+      if (td == (char*)0)
>         pfatal_with_name (tempbase);
>     }
> 
>-  sprintf (tempsuffix, ".%d", count);
>+  sprintf (tempsuffix, "/txidx.%d", count);
>   return concat (tempbase, tempsuffix);
> }
> 
>@@ -418,6 +423,13 @@
>     unlink (maketempname (++last_deleted_tempcount));
> }
> 
>+void
>+flush_tempfiles_atexit (void)
>+{
>+  flush_tempfiles (tempcount);
>+  if (tempbase && !keep_tempfiles)
>+    (void)rmdir(tempbase);
>+}
> 
> /* Compare LINE1 and LINE2 according to the specified set of keyfields. */
>

Comment 5 Dr. Werner Fink 2005-10-06 14:11:31 UTC

Hmmm .... sort_offline() does not do its job even without the patch.

Comment 6 Dr. Werner Fink 2005-10-06 15:45:45 UTC

OK, I've submit to STABLE and have for

     9.0, 9.1/SLES9, 9.2, 9.3 and 10.0

the packages ready. 8.1 is not required
because the old texinfo version was already
fixed by me (but the developer upstream can
not read).

Which SLES9 should be used:

    /work/src/done/SLES9
    /work/src/done/SLES9-BETA
    /work/src/done/SLES9-SP3

... and I need patchinfo data.

Comment 7 Thomas Biege 2005-10-07 07:46:39 UTC

Thanks. :)

I'll do the patchinfo and swamp job...

Comment 8 Thomas Biege 2005-10-07 07:47:24 UTC

...and I do not know which sles9 should be used.

Comment 9 Marcus Meissner 2005-10-07 08:08:16 UTC

its easy. 
 
security fixes are always provided for the currently released line. 
Not Beta, Not SP. 
 
Directly to SLES9. Since you submitted to 9.1 already it is already there. 
 
Thanks!

Comment 10 Thomas Biege 2005-10-07 09:01:09 UTC

Maintenance-Tracker-2541

Comment 11 Thomas Biege 2005-10-07 09:07:56 UTC

/work/src/done/PATCHINFO/texinfo.patch.maintained
/work/src/done/PATCHINFO/texinfo.patch.box

Comment 12 Dr. Werner Fink 2005-10-07 09:23:47 UTC

Ok and here we are:

  /work/src/done/10.0/texinfo
  /work/src/done/9.0/texinfo
  /work/src/done/9.1/texinfo
  /work/src/done/9.2/texinfo
  /work/src/done/9.3/texinfo
  /work/src/done/SLES9/texinfo

Comment 13 Marcus Meissner 2005-10-24 09:14:34 UTC

updates released.

Comment 14 Thomas Biege 2009-10-13 21:39:22 UTC

CVE-2005-3011: CVSS v2 Base Score: 1.2 (AV:L/AC:H/Au:N/C:N/I:P/A:N)