Bug 58152 (CVE-2004-0494)

Summary: VUL-0: CVE-2004-0494: gnome-vfs: vulnerabilities in gnome-vfs
Product: [Novell Products] SUSE Security Incidents
Reporter: Thomas Biege <thomas>
Component: Incidents
Assignee: Thomas Biege <thomas>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: louie, patch-request, security-team
Version: unspecified
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: CVE-2004-0494: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: mcvfs-gnomevfs.txt, tar.diff, cpio.diff

Description Thomas Biege 2004-07-20 20:01:12 UTC
Hi, 
the following reached us through vendor-sec. 
 
CAN-2004-0494 
CRD: 04.08.2004
Comment 1 Thomas Biege 2004-07-20 20:01:12 UTC
Comment 2 Thomas Biege 2004-07-20 20:01:37 UTC
Created attachment 22302
mcvfs-gnomevfs.txt

private vendor-sec discussion
Comment 3 Stanislav Brabec 2004-07-20 21:37:33 UTC
In SuSE Linux, the following URIs are provided by extfs: a:// ar:// arj:// cpio://
deb:// hp48:// lha:// mailfs:// patchfs:// rar:// rpm:// rpms:// trpm:// zip://
zoo://

I guess that no application uses it; we default to file-roller.

Probably the best and simplest solution will be commenting out one line in
/etc/opt/gnome/gnome-vfs-2.0/modules/default-modules.conf with a security warning
in a comment.
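
The mitigation proposed in comment 3, sketched as an added example that is not part of the bug report or of gnome-vfs: list the URI schemes a modules file maps to extfs, then emit a copy with that mapping commented out under a security warning. The `schemes: module` line format, `#` as the comment marker, and the sample file contents are assumptions constructed for illustration; the function names are hypothetical.

```sh
#!/bin/sh
# Added example. Assumed format: "<scheme> [<scheme> ...]: <module>", "#" = comment.

# Write a constructed sample config (not the shipped SUSE file) to $1.
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample for illustration
file: file
ftp: ftp
a ar arj cpio deb hp48 lha mailfs patchfs rar rpm rpms trpm zip zoo: extfs
EOF
}

# Print every URI scheme that config file $1 maps to the extfs module.
extfs_schemes() {
    awk '
        /^[ \t]*#/ { next }                      # ignore commented-out lines
        {
            n = index($0, ":")
            if (n == 0) next
            k = split(substr($0, n + 1), mod, " ")
            if (k == 0 || mod[k] != "extfs") next
            m = split(substr($0, 1, n - 1), s, " ")
            for (i = 1; i <= m; i++) print s[i]
        }' "$1"
}

# Print config $1 with each extfs mapping commented out and a warning added.
disable_extfs() {
    awk '
        /^[ \t]*#/ { print; next }
        {
            n = index($0, ":")
            k = (n > 0) ? split(substr($0, n + 1), mod, " ") : 0
            if (k > 0 && mod[k] == "extfs") {
                print "# SECURITY: extfs disabled, see CVE-2004-0494"
                print "#" $0
            } else print
        }' "$1"
}

conf=$(mktemp)
write_sample_conf "$conf"
echo "schemes handled by extfs:"; extfs_schemes "$conf"
disable_extfs "$conf" > "$conf.new"
echo "remaining after edit: $(extfs_schemes "$conf.new" | wc -l)"
rm -f "$conf" "$conf.new"
```

Running `extfs_schemes` against the installed file before and after the change gives a quick check that no scheme is still routed to the extfs scripts.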
Comment 4 Thomas Biege 2004-07-20 21:54:38 UTC
Commenting it out sounds good. 
 
How can we be sure no application uses it? 
Comment 5 Stanislav Brabec 2004-07-20 22:30:35 UTC
gnomevfs-ls 'zip:///home/sbrabec/XMMS-Green.zip#uzip'
Error opening: Unsupported operation

Does it work at all? Other gnome maintainers - any idea?

Any GNOME application can use this type of URI, with something like
"zip:///home/me/file.zip#uzip".

But actually:
- Extfs is not the default for any type of archive (and it seems that it cannot be).
- I am not even able to do anything with extfs. It seems to be broken or
misconfigured.
Comment 6 Luis Villa 2004-07-21 00:22:53 UTC
I don't think that any app uses zip:// that I know of. Looks to me like we could
just safely nuke this.
Comment 7 Stanislav Brabec 2004-07-21 00:48:33 UTC
And are you able to check whether it works at all? Even after reading the README, I
was not able to list an archive (see above).
Comment 8 Thomas Biege 2004-07-21 01:29:59 UTC
Even if it turns out to be a non-issue for our distribution, please fix it in 
STABLE to make it secure. It may get activated in the future when we have all 
forgotten about this bug. :) 
Comment 9 Jody Goldberg 2004-07-22 01:23:50 UTC
I do not know of any apps that depend on extfs.
Comment 10 Stanislav Brabec 2004-07-22 16:10:10 UTC
Me too. But gnome-vfs is configured to use it for some URIs. And I can imagine
an exploit on the web which will use something like
zip://http://hacked.server/exploit.zip#uzip (or ask the user for a download and then
try to open it), if such notation is possible. But I am not able to figure out whether
extfs is totally out of function or is able to work and be exploited.
Comment 11 Thomas Biege 2004-08-31 23:08:54 UTC
Is there any news? Did you try to verify whether extfs works or not? 
Comment 12 Stanislav Brabec 2004-08-31 23:18:12 UTC
Tried and failed. Is anybody able to test whether extfs works at all?
Comment 13 Thomas Biege 2004-09-22 16:39:36 UTC
We made an update of mc which includes fixes for the extfs scripts used. 
Maybe it's worth having a look at them and adopt the patches for future 
versions. 
Comment 14 Thomas Biege 2004-10-08 19:47:40 UTC
Can someone please respond? 
Comment 15 Stanislav Brabec 2004-10-08 19:57:05 UTC
For me, extfs in gnome-vfs does not work. Or at least it does not work as documented.

Maybe it worked in GNOME 1.4, which was last in 8.1, but I am not sure.

But even if it worked, AFAIK it was never used as default by any application.

It means that the user had to explicitly type a
zip:///home/me/hackmeplease.zip#something hack URL to be exploited. Correct me if I
am wrong.
Comment 16 Thomas Biege 2004-10-08 20:42:10 UTC
Thanks for the summary. 
 
Nevertheless, can it be fixed in stable, please? 
See comment #8. 
Comment 17 Thomas Biege 2004-10-15 15:45:32 UTC
Ping! 
Comment 18 Stanislav Brabec 2004-10-15 16:35:29 UTC
For STABLE, we will do an update to branch 2.8.x. So I think that a fix of 2.6.x,
which will disappear soon, is counterproductive.

Please keep the bug open. After the update to 2.8, it will be checked again, and if
it is not yet in mainstream code, the patch will be applied.
Comment 19 Thomas Biege 2004-10-15 17:39:00 UTC
Ok! :) 
Comment 20 Stanislav Brabec 2004-10-22 20:22:58 UTC
Hmm. It works:

gnomevfs-ls file:///usr/share/xmms/kjofol/default.zip#zip:/

But I guess nearly nobody uses it, because nearly nobody knows how to use it.
Comment 21 Thomas Biege 2004-10-22 20:27:13 UTC
Unfortunately that doesn't matter: :-\ 
Comment 22 Stanislav Brabec 2004-10-27 21:57:49 UTC
I have just looked at the code. Gnome-vfs uses a very old version (4-5 years),
which has even more security problems than mc.

See zoo:
This filesystem is _dangerous_. It used to create symlinks in filesystem
with zoo file, it used to happily delete file from your filesystem.
Now it is 'only' very ugly (it creates temporary files in ~/.mc/

I guess the best solution will be the use of fixed file systems from mc, if
possible, for YOU. For STABLE, removing them and direct use of mc extfs should be
better (and optional Requires: mc).
Comment 23 Thomas Biege 2004-10-29 16:53:40 UTC
Can you point me to the scripts, please? I'll have a look then. 
Comment 24 Stanislav Brabec 2004-10-29 17:07:29 UTC
/opt/gnome/lib/vfs/2.0/extfs for gnome-vfs2
/opt/gnome/lib/vfs/extfs for gnome-vfs

/usr/share/mc/extfs for mc

My suggestion is to copy and rename the mc ones for gnome-vfs and gnome-vfs2.
Comment 25 Thomas Biege 2004-10-29 19:38:59 UTC
Ok, copying the mc scripts might be the best solution. :) 
Comment 26 Stanislav Brabec 2004-10-29 21:04:19 UTC
Please verify the security of the cpio and tar modules. Those are not present in the mc
package. All other modules can be updated.
Comment 27 Stanislav Brabec 2004-11-13 01:17:35 UTC
To security-team:

Please verify the following scripts:

/opt/gnome/lib/vfs/2.0/extfs/cpio and /opt/gnome/lib/vfs/2.0/extfs/tar

These files are not present in mc, so I have to use these instances.
Comment 28 Thomas Biege 2004-11-15 18:38:32 UTC
Sorry. I was on vacation. I'll have a look this week. 
Comment 29 Thomas Biege 2004-11-15 20:25:44 UTC
Created attachment 26091
tar.diff
Comment 30 Thomas Biege 2004-11-15 20:26:02 UTC
Created attachment 26092
cpio.diff
Comment 31 Thomas Biege 2004-11-15 20:28:03 UTC
The cpio diff also solves a possible tmp race condition. 
Comment 32 Stanislav Brabec 2004-11-16 21:14:22 UTC
Patch submitted for:

gnome-vfs: 8.1, 8.2, 9.0, SLES9, 9.2, STABLE

gnome-vfs2: 8.1, 8.2, 9.0, SLEC, SLES9, SLES9-SLD, 9.2, STABLE, PLUS
Comment 33 Thomas Biege 2004-11-16 23:49:19 UTC
I'll submit patchinfo files later. Thanks! 
Comment 34 Thomas Biege 2004-11-17 18:53:18 UTC
/work/src/done/PATCHINFO/gnome-vfs.patch.box 
/work/src/done/PATCHINFO/gnome-vfs.patch.maintained 
/work/src/done/PATCHINFO/gnome-vfs2.patch.box 
/work/src/done/PATCHINFO/gnome-vfs2.patch.maintained 
 
Comment 35 Thomas Biege 2004-11-26 01:06:04 UTC
Packages approved. 
Comment 36 Thomas Biege 2009-10-13 20:30:01 UTC
CVE-2004-0494: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)