eqn2graph: Vulnerable to symlink attack through temporary file
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
groff (Debian) | Fix Released | Unknown | |
groff (Ubuntu) | Fix Released | High | Martin Pitt |
Bug Description
Automatically imported from Debian bug report #286372 http://
Debian Bug Importer (debzilla) wrote (#5):
Message-ID: <20041219221953
Date: Sun, 19 Dec 2004 23:19:53 +0100
From: Javier Fernández-Sanguino Peña <email address hidden>
To: <email address hidden>
Subject: eqn2graph: Vulnerable to symlink attack through temporary file
Package: groff
Version: 1.18.1.1-3
Priority: important
Tags: security
The eqn2graph script does not protect itself from temporary filename
attacks since it creates files in an insecure manner (the process PID
is not sufficient to avoid an attack) and does not check
if the temporary files it uses exist before using them.
The attached patch fixes this behaviour.
Regards
Javier
PS: I initially reported this to the security team back in June,
but have not found time to follow up on this issue until today.
Security team, please check
Resent-Message-ID: <email address hidden>
--- eqn2graph.orig 2004-12-19 23:18:38.000000000 +0100
+++ eqn2graph 2004-12-19 23:19:09.000000000 +0100
@@ -63,7 +63,7 @@
# 2. Process through eqn(1) to emit troff markup.
# 3. Process through groff(1) to emit Postscript.
# 4. Use convert(1) to crop the Postscript and turn it into a bitmap.
-tmp=/tmp/
+tmp=`mktemp -t eqn2graph.XXXXXX` || {echo "$0: Cannot create temporary file" >&2; exit 1 }
trap "rm ${tmp}.*" 0 2 15
read equation
(echo ".EQ"; echo 'delim $$'; echo ".EN"; echo '$'"${equation}
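Review bot: the brace group on the `+tmp=` line is not valid sh: `{echo` needs a space after `{`, and the group has to end with `; }` rather than ` }`, so a failed mktemp yields a parse error instead of the intended "Cannot create temporary file" message and exit. Beyond syntax, mktemp creates and returns the file `$tmp` itself, but the trap only removes `${tmp}.*`, so that file is leaked on every run; and the derived `${tmp}.*` files the script goes on to write are still created with plain redirects rather than by mktemp. Using `mktemp -d` and writing every working file inside that private directory, with `trap 'rm -rf "$tmp"' 0 2 15`, addresses both points at once.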
Debian Bug Importer (debzilla) wrote (#6):
Message-ID: <email address hidden>
Date: Mon, 20 Dec 2004 15:20:40 +0000
From: Colin Watson <email address hidden>
To: Javier Fernández-Sanguino Peña <email address hidden>, <email address hidden>
Subject: Re: Bug#286371: pic2graph: Vulnerable to symlink attack through temporary file
On Sun, Dec 19, 2004 at 11:18:13PM +0100, Javier Fernández-Sanguino Peña wrote:
> Package: groff
> Version: 1.18.1.1-3
> Priority: important
> Tags: security
>
> The pic2graph script does not protect itself from temporary filename
> attacks since it creates files in an insecure manner (the process PID
> is not sufficient to avoid an attack) and does not check
> if the temporary files it uses exist before using them.
>
> The attached patch fixes this behaviour.
Thanks. This and #286372 were both fixed upstream a while back in a
somewhat more elaborate way, so I'm taking their patch.
> PS: I initially reported this to the security team back in June,
> but have not found time to follow up on this issue until today.
> Security team, please check
> Resent-Message-ID: <email address hidden>
groff in stable didn't have either pic2graph or eqn2graph; they were new
features in 1.18. The security team (as opposed to the nascent
secure-testing team) is therefore unlikely to be interested.
Cheers,
--
Colin Watson [<email address hidden>]
Debian Bug Importer (debzilla) wrote (#7):
Message-ID: <email address hidden>
Date: Mon, 20 Dec 2004 15:17:00 +0000
From: Colin Watson <email address hidden>
To: <email address hidden>
Subject: symlink attack -> grave
severity 286371 grave
severity 286372 grave
thanks
--
Colin Watson [<email address hidden>]
Debian Bug Importer (debzilla) wrote (#8):
Message-Id: <email address hidden>
Date: Mon, 20 Dec 2004 10:32:47 -0500
From: Colin Watson <email address hidden>
To: <email address hidden>
Subject: Bug#286372: fixed in groff 1.18.1.1-5
Source: groff
Source-Version: 1.18.1.1-5
We believe that the bug you reported is fixed in the latest version of
groff, which is due to be installed in the Debian FTP archive:
groff-base_
to pool/main/
groff_1.
to pool/main/
groff_1.
to pool/main/
groff_1.
to pool/main/
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Colin Watson <email address hidden> (supplier of updated groff package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)
Format: 1.7
Date: Mon, 20 Dec 2004 14:26:25 +0000
Source: groff
Binary: groff-base groff
Architecture: source powerpc
Version: 1.18.1.1-5
Distribution: unstable
Urgency: high
Maintainer: Colin Watson <email address hidden>
Changed-By: Colin Watson <email address hidden>
Description:
groff - GNU troff text-formatting system
groff-base - GNU troff text-formatting system (base system components)
Closes: 286371 286372
Changes:
groff (1.18.1.1-5) unstable; urgency=high
.
* Upstream fix for temporary file handling vulnerability in pic2graph
(closes: #286371).
* Upstream fix for temporary file handling vulnerability in eqn2graph
(closes: #286372).
Martin Pitt (pitti) wrote (#10):
Fixed in Warty:
groff (1.18.1.
.
* SECURITY UPDATE: fix insecure temporary file creation
* contrib/
replaced insecure $$-based temporary file creation with mktemp call
* Thanks to Javier Fernández-Sanguino Peña for spotting this
* References:
http://
http://
Fixed in Hoary using the same patch.
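The `$$`-based pattern the changelog replaces, next to the mktemp-based alternative, as an added example that is not groff's or the package maintainers' code; the `eqn2graph.XXXXXX` template, the helper names and the sandbox scenario are constructed for this illustration.

```shell
#!/bin/sh
# Added example, not groff's own code: the PID-based temporary-file pattern
# the bug report describes, next to a hardened replacement. The sandbox
# scenario below is constructed for the demonstration.

# Insecure: the name depends only on the PID, so another local user can
# predict it and pre-create it (e.g. as a symlink) before the script runs,
# and a plain redirect then follows whatever already sits at that path.
insecure_tmp_path() {
    printf '%s\n' "/tmp/eqn2graph$$"
}

# Hardened: mktemp -d creates a fresh directory atomically with mode 0700;
# every derived file (.tr, .ps, .png ...) is then written inside it and the
# caller removes the whole directory on exit, e.g. trap 'rm -rf "$work"' 0 2 15.
make_workdir() {
    mktemp -d "${TMPDIR:-/tmp}/eqn2graph.XXXXXX"
}

# Defensive check before writing a derived file at a fixed name: refuse any
# pre-existing path, including a dangling symlink, which the original
# script never did.
safe_to_create() {
    [ ! -e "$1" ] && [ ! -L "$1" ]
}

# Returns 0 if the directory made by make_workdir is private to its owner.
workdir_is_private() {
    d=$(make_workdir) || return 1
    mode=$(ls -ld "$d" | cut -c1-10)
    rm -rf "$d"
    [ "$mode" = "drwx------" ]
}

# Constructed scenario inside a private sandbox: a symlink already sits at
# the predictable name. The old plain redirect writes through it, while the
# check refuses the path. Returns 0 when both observations hold.
demo_symlink_check() {
    sandbox=$(mktemp -d "${TMPDIR:-/tmp}/sandbox.XXXXXX") || return 1
    : > "$sandbox/victim"
    ln -s "$sandbox/victim" "$sandbox/eqn2graph$$"
    echo overwritten > "$sandbox/eqn2graph$$"   # old behaviour follows the link
    followed=$(cat "$sandbox/victim")
    if safe_to_create "$sandbox/eqn2graph$$"; then refused=no; else refused=yes; fi
    rm -rf "$sandbox"
    [ "$followed" = overwritten ] && [ "$refused" = yes ]
}
```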
Debian Bug Importer (debzilla) wrote (#11):
Message-ID: <email address hidden>
Date: Mon, 20 Dec 2004 19:48:26 +0100
From: Javier Fernández-Sanguino Peña <email address hidden>
To: Colin Watson <email address hidden>
Cc: <email address hidden>, <email address hidden>
Subject: Re: Bug#286371: pic2graph: Vulnerable to symlink attack through temporary file
On Mon, Dec 20, 2004 at 03:20:40PM +0000, Colin Watson wrote:
> > The attached patch fixes this behaviour.
>
> Thanks. This and #286372 were both fixed upstream a while back in a
> somewhat more elaborate way, so I'm taking their patch.
No problem. I just wanted to get those out of my "PENDING" queue. I believe
I checked the latest sources in Debian but my system might not have been
fully up to date, sorry.
> > PS: I initially reported this to the security team back in June,
> > but have not found time to follow up on this issue until today.
> > Security team, please check
> > Resent-Message-ID: <email address hidden>
>
> groff in stable didn't have either pic2graph or eqn2graph; they were new
> features in 1.18. The security team (as opposed to the nascent
> secure-testing team) is therefore unlikely to be interested.
Actually, some of the scripts with insecure temporary handling were present
in stable but the fact is that these vulnerabilities were not deemed
sufficient for a DSA, and the Security Team asked me to follow up on the
BTS since there was no need to coordinate with other security teams or
produce a DSA. I actually haven't made an effort to review whether some
of the bugs I've opened are present in stable. <shrug>
Regards
Javier
Debian Bug Importer (debzilla) wrote (#13):
Message-ID: <email address hidden>
Date: Wed, 22 Dec 2004 12:23:41 +0100
From: Martin Schulze <email address hidden>
To: <email address hidden>, <email address hidden>
Subject: Use CAN-2004-1296
Please use CAN-2004-1296 when you refer to this vulnerability, i.e. in
the changelog of fixed packages.
Regards,
Joey
--
All language designers are arrogant. Goes with the territory...
-- Larry Wall
Please always Cc to me when replying to me on the lists.
Debian Bug Importer (debzilla) wrote (#15):
Message-ID: <email address hidden>
Date: Sat, 1 Jan 2005 01:38:15 +0100
From: Adrian Bunk <email address hidden>
To: <email address hidden>
Subject: still present in sarge
reopen 286371
tags 286371 +sarge
reopen 286372
tags 286372 +sarge
thanks
Debian Bug Importer (debzilla) wrote (#17):
Message-ID: <email address hidden>
Date: Mon, 3 Jan 2005 21:36:38 -0800
From: Steve Langasek <email address hidden>
To: <email address hidden>, <email address hidden>
Subject: groff update has reached testing
tags 286371 -sarge
tags 286372 -sarge
thanks
The version of groff that is purported to fix these bugs has reached
testing, therefore I believe they can be closed.
Thanks,
--
Steve Langasek
postmodern programmer
Changed in groff: status: Unknown → Fix Released