Bugzilla – Bug 120577
texinfo: insecure tmp file handling
Last modified: 2009-10-13 21:39:22 UTC
Hello Werner, if we are affected we need a fix for STABLE. Gentoo Linux Security Advisory GLSA 200510-04 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: Texinfo: Insecure temporary file creation Date: October 05, 2005 Bugs: #106105 ID: 200510-04 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Texinfo is vulnerable to symlink attacks, potentially allowing a local user to overwrite arbitrary files. Background ========== Texinfo is the official documentation system created by the GNU project. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 sys-apps/texinfo < 4.8-r1 >= 4.8-r1 Description =========== Frank Lichtenheld has discovered that the "sort_offline()" function in texindex insecurely creates temporary files with predictable filenames. Impact ====== A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When texindex is executed, this would result in the file being overwritten with the rights of the user running the application. Workaround ========== There is no known workaround at this time. Resolution ========== All Texinfo users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=sys-apps/texinfo-4.8-r1" References ========== [ 1 ] CAN-2005-3011 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3011 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200510-04.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org. License ======= Copyright 2005 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.0
Which stupid has written maketempname() with static char * maketempname (int count) { static char *tempbase = NULL; char tempsuffix[10]; if (!tempbase) { int fd; tempbase = concat (tempdir, "txidxXXXXXX"); fd = mkstemp (tempbase); if (fd == -1) pfatal_with_name (tempbase); } sprintf (tempsuffix, ".%d", count); return concat (tempbase, tempsuffix); } which uses mkstemp only once and returns after this only new but easy predictable file names? The correct way is to use alwaya mkstemp and return the file descriptor for an fdopen().
With a few modification we can use mkdtemp() to create a sub directory which then includes all temporary files.
Created attachment 51584 [details] Replace mkstemp with mkdtemp AFAIS this should work, any test file around here?
Comment on attachment 51584 [details] Replace mkstemp with mkdtemp >--- util/texindex.c >+++ util/texindex.c 2005-10-06 12:48:09.000000000 +0200 >@@ -20,6 +20,7 @@ > > #include "system.h" > #include <getopt.h> >+#include <stdlib.h> > > static char *program_name = "texindex"; > >@@ -37,8 +38,6 @@ > #define memset(ptr, ignore, count) bzero (ptr, count) > #endif > >-char *mktemp (char *); >- > #if !defined (SEEK_SET) > # define SEEK_SET 0 > # define SEEK_CUR 1 >@@ -99,6 +98,10 @@ > /* Directory to use for temporary files. On Unix, it ends with a slash. */ > char *tempdir; > >+/* The base directory for the temporary files located in tempdir */ >+ >+static char *tempbase = NULL; >+ > /* Number of last temporary file. */ > int tempcount; > >@@ -146,6 +149,7 @@ > void *xmalloc (), *xrealloc (); > char *concat (char *s1, char *s2); > void flush_tempfiles (int to_count); >+void flush_tempfiles_atexit (); > > #define MAX_IN_CORE_SORT 500000 > >@@ -321,6 +325,7 @@ > tempdir = concat (tempdir, "/"); > > keep_tempfiles = 0; >+ atexit(flush_tempfiles_atexit); > > /* Allocate ARGC input files, which must be enough. */ > >@@ -384,25 +389,25 @@ > usage (1); > } > >+ > /* Return a name for temporary file COUNT. */ > > static char * > maketempname (int count) > { >- static char *tempbase = NULL; >- char tempsuffix[10]; >+ char tempsuffix[20]; > > if (!tempbase) > { >- int fd; >- tempbase = concat (tempdir, "txidxXXXXXX"); >+ char *td; >+ tempbase = concat (tempdir, "txdirXXXXXX"); > >- fd = mkstemp (tempbase); >- if (fd == -1) >+ td = mkdtemp (tempbase); >+ if (td == (char*)0) > pfatal_with_name (tempbase); > } > >- sprintf (tempsuffix, ".%d", count); >+ sprintf (tempsuffix, "/txidx.%d", count); > return concat (tempbase, tempsuffix); > } > >@@ -418,6 +423,13 @@ > unlink (maketempname (++last_deleted_tempcount)); > } > >+void >+flush_tempfiles_atexit (void) >+{ >+ flush_tempfiles (tempcount); >+ if (tempbase && !keep_tempfiles) >+ (void)rmdir(tempbase); >+} > > /* Compare LINE1 and LINE2 according to the specified set of keyfields. */ >
Hmmm .... sort_offline() does not do its job even without the patch.
OK, I've submit to STABLE and have for 9.0, 9.1/SLES9, 9.2, 9.3 and 10.0 the packages ready. 8.1 is not required because the old texinfo version was already fixed by me (but the developer upstream can not read). Which SLES9 should be used: /work/src/done/SLES9 /work/src/done/SLES9-BETA /work/src/done/SLES9-SP3 ... and I need patchinfo data.
Thanks. :) I'll do the patchinfo and swamp job...
...and I do not know which sles9 should be used.
its easy. security fixes are always provided for the currently released line. Not Beta, Not SP. Directly to SLES9. Since you submitted to 9.1 already it is already there. Thanks!
Maintenance-Tracker-2541
/work/src/done/PATCHINFO/texinfo.patch.maintained /work/src/done/PATCHINFO/texinfo.patch.box
Ok and here we are: /work/src/done/10.0/texinfo /work/src/done/9.0/texinfo /work/src/done/9.1/texinfo /work/src/done/9.2/texinfo /work/src/done/9.3/texinfo /work/src/done/SLES9/texinfo
updates released.
CVE-2005-3011: CVSS v2 Base Score: 1.2 (AV:L/AC:H/Au:N/C:N/I:P/A:N)