Bugzilla – Bug 58152
VUL-0: CVE-2004-0494: gnome-vfs: vulnerabilities in gnome-vfs
Last modified: 2021-10-02 09:46:34 UTC
Hi, the following reached us through vendor-sec. CAN-2004-0494 CRD: 04.08.2004
Created attachment 22302 mcvfs-gnomevfs.txt private vendor-sec discussion
In SuSE Linux, the following URIs are provided by extfs: a:// ar:// arj:// cpio:// deb:// hp48:// lha:// mailfs:// patchfs:// rar:// rpm:// rpms:// trpm:// zip:// zoo:// I guess that no application uses it; we default to file-roller. Probably the best and simplest solution will be commenting out one line in /etc/opt/gnome/gnome-vfs-2.0/modules/default-modules.conf with a security warning in a comment.
Commenting it out sounds good. How can we be sure no application uses it?
gnomevfs-ls 'zip:///home/sbrabec/XMMS-Green.zip#uzip'
Error opening: Unsupported operation
Does it work at all? Other gnome maintainers - any idea? Any GNOME application can use this type of URI, using something like "zip:///home/me/file.zip#uzip". But actually: - Extfs is not the default for any type of archive (and it seems that it cannot be). - I am not even able to do anything with extfs. It seems to be broken or misconfigured.
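A check for the mitigation proposed in the comment above, as an added example that is not part of the original bug report or of gnome-vfs: it lists the URI schemes a modules file still routes to extfs. The `module: scheme ...` line format, the function names and both sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumed config format: "<module>: <scheme> ..." per line,
# with "#" starting a comment. Both sample files below are constructed.

# Print each URI scheme that the given config still routes to extfs.
extfs_schemes() {
    awk '$1 == "extfs:" {
             for (i = 2; i <= NF; i++) {
                 if ($i ~ /^#/) break      # trailing comment ends the list
                 print $i
             }
         }' "$1"
}

# Return 0 when extfs is disabled, 1 (and list the schemes) when it is not.
audit_extfs() {
    schemes=$(extfs_schemes "$1" | tr '\n' ' ')
    if [ -n "$schemes" ]; then
        echo "$1: extfs still handles: $schemes"
        return 1
    fi
    echo "$1: extfs disabled"
}

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Constructed "before" file: extfs line active.
cat > "$SAMPLE_DIR/before.conf" <<'EOF'
file: file
extfs: a ar arj cpio deb hp48 lha mailfs patchfs rar rpm rpms trpm zip zoo
gzip: gzip
EOF

# Constructed "after" file: line commented out with a security note.
cat > "$SAMPLE_DIR/after.conf" <<'EOF'
file: file
# SECURITY: extfs disabled, see CVE-2004-0494
#extfs: a ar arj cpio deb hp48 lha mailfs patchfs rar rpm rpms trpm zip zoo
gzip: gzip
EOF

audit_extfs "$SAMPLE_DIR/before.conf" || true
audit_extfs "$SAMPLE_DIR/after.conf"
```
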
I don't think that any app uses zip:// that I know of. Looks to me like we could just safely nuke this.
And are you able to check whether it works at all? Even after reading the README, I was not able to list an archive (see above).
Even if it turns out to be a non-issue for our distribution, please fix it in STABLE to make it secure. It may get activated in the future when we have all forgotten about this bug. :)
I do not know of any apps that depend on extfs.
Me too. But gnome-vfs is configured to use it for some URIs. And I can imagine an exploit on the web, which will use something like zip://http://hacked.server/exploit.zip#uzip (or ask the user to download and then try to open), if such notation is possible. But I am not able to figure out whether extfs is totally out of function or is able to work and be exploited.
Is there any news? Did you try to verify whether extfs works or not?
Tried and failed. Is anybody able to test, whether extfs works at all?
We made an update of mc which includes fixes for the extfs scripts used. Maybe it's worth having a look at them and adopting the patches for future versions.
Can someone please respond?
For me extfs in gnome-vfs does not work. Or at least it does not work as documented. Maybe it worked in GNOME 1.4, which was last in 8.1, but I am not sure. But even if it worked, AFAIK it was never used as default by any application. It means that the user had to explicitly type a zip:///home/me/hackmeplease.zip#something hack URL to be exploited. Correct me if I am wrong.
Thanks for the summary. Nevertheless, can it be fixed in stable, please? See comment #8.
ping!
For STABLE, we will do an update to branch 2.8.x. So I think that a fix of 2.6.x, which will disappear soon, is counterproductive. Please keep the bug open. After the update to 2.8, it will be checked again, and if it is not yet in mainstream code, the patch will be applied.
Ok! :)
Hmm. It works:
gnomevfs-ls file:///usr/share/xmms/kjofol/default.zip#zip:/
But I guess nearly nobody uses it, because nearly nobody knows how to use it.
Unfortunately that doesn't matter: :-\
I have just looked at the code. Gnome-vfs uses a very old version (4-5 years), which has even more security problems than mc. See zoo: This filesystem is _dangerous_. It used to create symlinks in filesystem with zoo file, it used to happily delete file from your filesystem. Now it is 'only' very ugly (it creates temporary files in ~/.mc/). I guess the best solution will be use of the fixed file systems from mc, if possible, for YOU. For STABLE, removing them and direct use of mc extfs should be better (and optional Requires: mc).
Can you point me to the scripts, please. I'll have a look then.
/opt/gnome/lib/vfs/2.0/extfs for gnome-vfs2
/opt/gnome/lib/vfs/extfs for gnome-vfs
/usr/share/mc/extfs for mc
My suggestion is to copy and rename the mc ones for gnome-vfs and gnome-vfs2.
Ok, copying the mc scripts might be the best solution. :)
Please verify security of cpio and tar modules. Those are not present in mc package. All other modules can be updated.
To security-team: Please verify the following scripts: /opt/gnome/lib/vfs/2.0/extfs/cpio and /opt/gnome/lib/vfs/2.0/extfs/tar. These files are not present in mc, so I have to use these instances.
Sorry. I was on vacation. I'll have a look this week.
Created attachment 26091 tar.diff
Created attachment 26092 cpio.diff
The cpio diff also solves a possible tmp race condition.
Patch submitted for:
gnome-vfs: 8.1, 8.2, 9.0, SLES9, 9.2, STABLE
gnome-vfs2: 8.1, 8.2, 9.0, SLEC, SLES9, SLES9-SLD, 9.2, STABLE, PLUS
I'll submit patchinfo files later. Thanks!
/work/src/done/PATCHINFO/gnome-vfs.patch.box
/work/src/done/PATCHINFO/gnome-vfs.patch.maintained
/work/src/done/PATCHINFO/gnome-vfs2.patch.box
/work/src/done/PATCHINFO/gnome-vfs2.patch.maintained
Packages approved.
CVE-2004-0494: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)