Bug 58298 (CVE-2004-0690)

Summary: VUL-0:CVE-2004-0690: insecure tempfile: dcopserver uses tempnam due to missing configure check
Product: [Novell Products] SUSE Security Incidents
Reporter: Waldo Bastian <bastian>
Component: Incidents
Assignee: Thomas Biege <thomas>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: kde-maintainers, patch-request, security-team
Version: unspecified
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: CVE-2004-0690: CVSS v2 Base Score: 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: Patch for dcopserver (kdelibs)
patchinfo.kdelibs3-4vulns
patchinfo-box.kdelibs3-4vulns
patchinfo.kdelibs3-3vulns
patchinfo-box.kdelibs3-3vulns

Description Waldo Bastian 2004-07-26 18:16:01 UTC
In KDE 3.2.x the configure check for MKSTEMP is missing. This causes dcopserver 
to fall back to tempnam/fopen for the creation of its temporary file, which is 
insecure. 
 
See also http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=261386 
 
Affects NLD as well.
Comment 1 Waldo Bastian 2004-07-26 18:16:01 UTC
The following command shows that tempnam is used: 
nm -D /opt/kde3/lib/libkdeinit_dcopserver.so|egrep 'tempnam|mkstemp' 
 
        U tempnam
Comment 2 Waldo Bastian 2004-07-26 18:21:42 UTC
Created attachment 22386
Patch for dcopserver (kdelibs)

Attached patch fixes by using the MKSTEMPS (notice the extra S) test and by
falling back to a local copy of mkstemps instead of tempnam if the system
provided mkstemps is not found (but mkstemps should be picked up correctly,
check config.h!)

Please review patch. KDE security advisory is planned for August 11, together
with the other one(s).
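
The difference between the tempnam/fopen fallback and mkstemp described above, as an added example that is not part of the original report and is not dcopserver code. It uses mkstemp rather than the patch's mkstemps; the function names and the /tmp template are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Fallback pattern: the name is chosen first and opened later. fopen("w")
 * accepts a path that already exists, so nothing proves the file is the
 * one this process created. Returns 1 if the open succeeded. */
static int fallback_open_accepts(const char *name)
{
    FILE *f = fopen(name, "w");
    if (!f) return 0;
    fclose(f);
    return 1;
}

/* Exclusive create: an already existing path is an error (EEXIST). */
static int exclusive_create(const char *name)
{
    return open(name, O_RDWR | O_CREAT | O_EXCL, 0600);
}

/* Fixed pattern: mkstemp picks the name and creates the file in one step.
 * Returns the fd; tmpl receives the name, mode_out the permission bits. */
static int secure_tempfile(char *tmpl, mode_t *mode_out)
{
    struct stat st;
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0) { close(fd); return -1; }
    *mode_out = st.st_mode & 0777;
    return fd;
}

int main(void)
{
    char tmpl[] = "/tmp/dcop-example-XXXXXX";   /* constructed template */
    mode_t mode = 0;
    int fd = secure_tempfile(tmpl, &mode);
    if (fd < 0) { perror("mkstemp"); return 1; }
    printf("created %s, mode %o\n", tmpl, (unsigned)mode);
    printf("fopen(\"w\") on existing name: %d\n", fallback_open_accepts(tmpl));
    printf("O_EXCL on existing name: %d\n", exclusive_create(tmpl));
    close(fd);
    unlink(tmpl);
    return 0;
}
```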
Comment 3 Waldo Bastian 2004-07-26 20:08:42 UTC
The Common Vulnerabilities and Exposures project (cve.mitre.org) 
has assigned the name CAN-2004-0690 to this issue. 
 
Comment 4 Thomas Biege 2004-07-26 20:15:10 UTC
Ok so this will be fixed together with bug 58298 
Comment 5 Thomas Biege 2004-07-26 20:22:33 UTC
bug 57486 I meant... 
Comment 6 Waldo Bastian 2004-07-26 20:47:22 UTC
See also bug 58269 which is a kdelibs issue as well. 
 
And then there is bug 58271 but we still don't have a good patch for it. 
 
Comment 7 Adrian Schröter 2004-07-27 16:08:15 UTC
patch got checked into SLES9. 
 
reassign to Thomas for tracking. 
Comment 8 Thomas Biege 2004-07-27 17:03:20 UTC
regarding comment #2, patch looks ok (based on widely used glibc code) 
Comment 9 Thomas Biege 2004-08-05 17:19:11 UTC
Created attachment 22564
patchinfo.kdelibs3-4vulns
Comment 10 Thomas Biege 2004-08-05 17:19:30 UTC
Created attachment 22565
patchinfo-box.kdelibs3-4vulns
Comment 11 Thomas Biege 2004-08-05 17:55:12 UTC
Created attachment 22577
patchinfo.kdelibs3-3vulns
Comment 12 Thomas Biege 2004-08-05 17:55:34 UTC
Created attachment 22578
patchinfo-box.kdelibs3-3vulns
Comment 13 Thomas Biege 2004-08-13 21:13:30 UTC
packages approved 
Comment 14 Thomas Biege 2009-10-13 20:30:53 UTC
CVE-2004-0690: CVSS v2 Base Score: 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)