eqn2graph: Vulnerable to symlink attack through temporary file

Bug #11320 reported by Debian Bug Importer
Affects          Status        Importance  Assigned to   Milestone
groff (Debian)   Fix Released  Unknown
groff (Ubuntu)   Fix Released  High        Martin Pitt

Bug Description

Automatically imported from Debian bug report #286372 http://bugs.debian.org/286372

Colin Watson (cjwatson) wrote on Mon, 20 Dec 2004 15:17:00 +0000: symlink attack -> grave

severity 286371 grave
severity 286372 grave
thanks

--
Colin Watson [<email address hidden>]

Colin Watson (cjwatson) wrote on Mon, 20 Dec 2004 15:20:40 +0000: Re: Bug#286371: pic2graph: Vulnerable to symlink attack through temporary file

On Sun, Dec 19, 2004 at 11:18:13PM +0100, Javier Fernández-Sanguino Peña wrote:
> Package: groff
> Version: 1.18.1.1-3
> Priority: important
> Tags: security
>
> The pic2graph script does not protect itself from temporary filename
> attacks since it creates files in an insecure manner (the process PID
> is not sufficient to avoid an attack) and does not check
> if the temporary files it uses exist before using them.
>
> The attached patch fixes this behaviour.

Thanks. This and #286372 were both fixed upstream a while back in a
somewhat more elaborate way, so I'm taking their patch.

> PS: I initially reported this to the security team back in June,
> but have not found time to follow up on this issue until today.
> Security team, please check
> Resent-Message-ID: <email address hidden>

groff in stable didn't have either pic2graph or eqn2graph; they were new
features in 1.18. The security team (as opposed to the nascent
secure-testing team) is therefore unlikely to be interested.

Cheers,

--
Colin Watson [<email address hidden>]

Colin Watson (cjwatson) wrote on Mon, 20 Dec 2004 10:32:47 -0500: Bug#286372: fixed in groff 1.18.1.1-5

Source: groff
Source-Version: 1.18.1.1-5

We believe that the bug you reported is fixed in the latest version of
groff, which is due to be installed in the Debian FTP archive:

groff-base_1.18.1.1-5_powerpc.deb
  to pool/main/g/groff/groff-base_1.18.1.1-5_powerpc.deb
groff_1.18.1.1-5.diff.gz
  to pool/main/g/groff/groff_1.18.1.1-5.diff.gz
groff_1.18.1.1-5.dsc
  to pool/main/g/groff/groff_1.18.1.1-5.dsc
groff_1.18.1.1-5_powerpc.deb
  to pool/main/g/groff/groff_1.18.1.1-5_powerpc.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <email address hidden> (supplier of updated groff package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 20 Dec 2004 14:26:25 +0000
Source: groff
Binary: groff-base groff
Architecture: source powerpc
Version: 1.18.1.1-5
Distribution: unstable
Urgency: high
Maintainer: Colin Watson <email address hidden>
Changed-By: Colin Watson <email address hidden>
Description:
 groff - GNU troff text-formatting system
 groff-base - GNU troff text-formatting system (base system components)
Closes: 286371 286372
Changes:
 groff (1.18.1.1-5) unstable; urgency=high
 .
   * Upstream fix for temporary file handling vulnerability in pic2graph
     (closes: #286371).
   * Upstream fix for temporary file handling vulnerability in eqn2graph
     (closes: #286372).
Files:
 41ffe57c38bcc172195021b3900a4d38 761 text important groff_1.18.1.1-5.dsc
 60e74aa726e7f84b544bb901ab6985ac 126657 text important groff_1.18.1.1-5.diff.gz
 e19a659582671c3bb1ee22b693231c31 867968 text important groff-base_1.18.1.1-5_powerpc.deb
 67ca52267606bca4d4a31b2ae0796a4c 1885614 text optional groff_1.18.1.1-5_powerpc.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Colin Watson <email address hidden> -- Debian developer

iD8DBQFBxur19t0zAhD6TNERAnheAJwLzyQZtJnMWgUee44fB/afjrH4ngCcC+f2
LZVzkn+0gYduSq4tFGpOQA0=
=XSoM
-----END PGP SIGNATURE-----

Debian Bug Importer (debzilla) wrote:

Message-ID: <20041219221953.GB9687@silicio>
Date: Sun, 19 Dec 2004 23:19:53 +0100
From: Javier Fernández-Sanguino Peña <email address hidden>
To: <email address hidden>
Subject: eqn2graph: Vulnerable to symlink attack through temporary file


Package: groff
Version: 1.18.1.1-3
Priority: important
Tags: security

The eqn2graph script does not protect itself from temporary filename
attacks since it creates files in an insecure manner (the process PID
is not sufficient to avoid an attack) and does not check
if the temporary files it uses exist before using them.

The attached patch fixes this behaviour.

Regards

Javier

PS: I initially reported this to the security team back in June,
but have not found time to follow up on this issue until today.
Security team, please check
Resent-Message-ID: <email address hidden>

Attachment: eqn2graph.diff

--- eqn2graph.orig 2004-12-19 23:18:38.000000000 +0100
+++ eqn2graph 2004-12-19 23:19:09.000000000 +0100
@@ -63,7 +63,7 @@
 # 2. Process through eqn(1) to emit troff markup.
 # 3. Process through groff(1) to emit Postscript.
 # 4. Use convert(1) to crop the Postscript and turn it into a bitmap.
-tmp=/tmp/eqn2graph-$$
+tmp=`mktemp -t eqn2graph.XXXXXX` || {echo "$0: Cannot create temporary file" >&2; exit 1 }
 trap "rm ${tmp}.*" 0 2 15
 read equation
 (echo ".EQ"; echo 'delim $$'; echo ".EN"; echo '$'"${equation}"'$') | \
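Review bot: the `||` fallback on the `+tmp=` line is not valid shell syntax. `{` is only recognised as a group opener when it is followed by whitespace, and the group has to be closed with `; }` (or a newline before `}`); as written, the shell looks for a command named `{echo`, and `exit 1 }` receives `}` as a stray argument, so a failed mktemp neither reports cleanly nor stops the script. The intended form is `|| { echo "$0: Cannot create temporary file" >&2; exit 1; }`. That matters because of the unchanged `trap "rm ${tmp}.*" 0 2 15` line right below: with `tmp` left empty after a failed mktemp, the trap expands to `rm .*` in the current directory. Two further points on the same hunk: the trap only removes the `${tmp}.*` siblings, so the file that mktemp itself created is left behind on every run (add `"${tmp}"` to the rm and quote the expansions), and those siblings are still created by plain redirection next to a name that is visible in the shared /tmp, so their creation is not atomic; creating a private directory with `mktemp -d` and keeping every intermediate file inside it closes that window.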


Javier Fernández-Sanguino (jfs) wrote on Mon, 20 Dec 2004 19:48:26 +0100: Re: Bug#286371: pic2graph: Vulnerable to symlink attack through temporary file

On Mon, Dec 20, 2004 at 03:20:40PM +0000, Colin Watson wrote:
> > The attached patch fixes this behaviour.
>
> Thanks. This and #286372 were both fixed upstream a while back in a
> somewhat more elaborate way, so I'm taking their patch.

No problem. I just wanted to get those out of my "PENDING" queue. I believe
I checked the latest sources in Debian but my system might not have been
fully up to date, sorry.

> > PS: I initially reported this to the security team back in June,
> > but have not found time to follow up on this issue until today.
> > Security team, please check
> > Resent-Message-ID: <email address hidden>
>
> groff in stable didn't have either pic2graph or eqn2graph; they were new
> features in 1.18. The security team (as opposed to the nascent
> secure-testing team) is therefore unlikely to be interested.

Actually, some of the scripts with insecure temporary handling were present
in stable but the fact is that these vulnerabilities were not deemed
sufficient for a DSA, and the Security Team asked me to follow up on the
BTS since there was no need to coordinate with other security teams or
produce a DSA. I actually haven't made an effort to review whether some
of the bugs I've opened are present in stable. <shrug>

Regards

Javier

Martin Pitt (pitti) wrote:

Fixed in Warty:
 groff (1.18.1.1-1ubuntu0.2) warty-security; urgency=low
 .
   * SECURITY UPDATE: fix insecure temporary file creation
   * contrib/eqn2graph/eqn2graph.sh, contrib/pic2graph/pic2graph.sh:
     replaced insecure $$-based temporary file creation with mktemp call
   * Thanks to Javier Fernández-Sanguino Peña for spotting this
   * References:
     http://bugs.debian.org/286371
     http://bugs.debian.org/286372

Fixed in Hoary using the same patch.
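Added example, not code from the bug report, the attached patch or the groff, Debian or Ubuntu packages: the pattern the report describes (a temporary name built from `$$` under the shared /tmp, used without checking whether the path already exists) beside the mktemp-based replacement that the Ubuntu changelog entry above refers to, written as a POSIX sh script. It goes slightly beyond the page in using `mktemp -d` for a private directory rather than `mktemp` for a single file, so that the intermediate files are covered as well; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the groff bug report, the attached patch or
# the Debian/Ubuntu packages. It contrasts the PID-based temporary name the
# report describes with a private directory created by mktemp(1). The
# function names (insecure_tmp_name, refuse_if_exists, make_tmpdir,
# check_tmpdir, run_in_tmpdir, stage_files) are illustrative choices.

# Vulnerable pattern: the name depends only on the PID, which any local user
# can read from ps, so a path under the shared /tmp can already exist (for
# example as a symlink) when this script opens it, and the script then
# writes through whatever is there.
insecure_tmp_name() {
    printf '/tmp/eqn2graph-%s\n' "$$"
}

# The check the report says the script lacked: refuse a path that already
# exists. -e is false for a dangling symlink, hence the extra -L test.
# This is still a check-then-use race: it detects a planted path but cannot
# by itself prevent one appearing between the test and the open.
refuse_if_exists() {
    [ ! -e "$1" ] && [ ! -L "$1" ]
}

# Hardened pattern: mktemp -d picks an unpredictable name and creates the
# directory atomically with mode 0700, failing instead of reusing an existing
# path. Every intermediate file (.eqn, .ps, ...) then lives inside it, so
# sibling names cannot be planted either. TMPDIR is honoured if set.
make_tmpdir() {
    d=$(umask 077 && mktemp -d "${TMPDIR:-/tmp}/eqn2graph-XXXXXXXX") || {
        echo "$0: cannot create temporary directory" >&2
        return 1
    }
    printf '%s\n' "$d"
}

# What to verify before trusting a temporary directory: a real directory
# (not a symlink), writable by us, and mode 0700 so nobody else can enter it.
check_tmpdir() {
    [ -d "$1" ] && [ ! -L "$1" ] && [ -w "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c1-10)
    [ "$perms" = "drwx------" ]
}

# Run one command inside a fresh private directory (passed as its last
# argument) and remove the directory on normal exit, SIGINT and SIGTERM,
# mirroring the patched script's trap. Returns the command's exit status.
run_in_tmpdir() {
    tmp=$(make_tmpdir) || return 1
    check_tmpdir "$tmp" || { rm -rf "$tmp"; return 1; }
    trap 'rm -rf "$tmp"' 0 2 15
    "$@" "$tmp"
    status=$?
    rm -rf "$tmp"
    trap - 0 2 15
    return "$status"
}

# Constructed stand-in for the eqn -> groff -> convert pipeline: writes the
# intermediates side by side inside the private directory and reports how
# many files it left there.
stage_files() {
    printf '.EQ\nx sup 2\n.EN\n' > "$1/in.eqn" || return 1
    printf '%%!PS-Adobe-3.0\n' > "$1/out.ps" || return 1
    ls "$1" | wc -l | tr -d ' '
}

# Stand-alone run: the predictable name versus work done in a private directory.
echo "predictable (vulnerable) name: $(insecure_tmp_name)"
echo "files staged in private directory: $(run_in_tmpdir stage_files)"
```

The design point is that `refuse_if_exists` alone is not a fix: a test followed by an open is the same race the report describes, only narrower. `mktemp -d` moves the existence check into the kernel (the directory is created with O_EXCL-style semantics and a private mode), and keeping every intermediate file inside that directory means no sibling name is ever created under a predictable path in a shared directory.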

Martin Schulze (joey-infodrom) wrote on Wed, 22 Dec 2004 12:23:41 +0100: Use CAN-2004-1296

Please use CAN-2004-1296 when you refer to this vulnerability, i.e. in
the changelog of fixed packages.

Regards,

 Joey

--
All language designers are arrogant. Goes with the territory...
 -- Larry Wall

Please always Cc to me when replying to me on the lists.

Adrian Bunk (bunk) wrote on Sat, 1 Jan 2005 01:38:15 +0100: still present in sarge

reopen 286371
tags 286371 +sarge
reopen 286372
tags 286372 +sarge
thanks

Steve Langasek (vorlon) wrote on Mon, 3 Jan 2005 21:36:38 -0800: groff update has reached testing

tags 286371 -sarge
tags 286372 -sarge
thanks

The version of groff that is purported to fix these bugs has reached
testing, therefore I believe they can be closed.

Thanks,
--
Steve Langasek
postmodern programmer

Changed in groff:
status: Unknown → Fix Released