multiple insecure temporary file vulnerabilities
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
gs-common (Debian) | Fix Released | Unknown | | |
gs-common (Ubuntu) | Fix Released | Medium | Martin Pitt | |
Bug Description
Automatically imported from Debian bug report #278282 http://
CVE References
Debian Bug Importer (debzilla) wrote : | #1 |
Debian Bug Importer (debzilla) wrote : | #2 |
Message-ID: <email address hidden>
Date: Mon, 25 Oct 2004 17:03:59 -0400
From: Joey Hess <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: multiple insecure temporary file vulnerabilities
Package: gs-common
Version: 0.3.6
Severity: serious
Tags: security
CAN-2004-0967 describes multiple insecure uses of temporary files in
programs ghostscript:
The (1) pj-gs.sh, (2) ps2epsi, (3) pv.sh, and (4) sysvlp.sh scripts in the ESP
Ghostscript (espgs) package in Trustix Secure Linux 1.5 through 2.1, and
possibly other operating systems, allow local users to overwrite files via a
symlink attack on temporary files.
Of these, ps2epsi and pv.sh were all I could find in Debian, in the
gs-common package.
ps2epsi is clearly vulnerable:
tmpfile=
I think this part of pv.sh is vulnerable, if it happens to be run in /tmp or
another world-writable directory.
dvips -p $PAGE -n 1 $FILE $* -o $FILE.$$.pv
There's a patch here:
http://
-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.27
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=
Versions of packages gs-common depends on:
ii debconf 1.4.39 Debian configuration management sy
ii debianutils 2.10.3 Miscellaneous utilities specific t
ii defoma 0.11.8-0.1 Debian Font Manager -- automatic f
ii gs 8.01-5 Transitional package
ii gs-gpl [gs] 8.01-5 The GPL Ghostscript PostScript int
ii gsfonts 8.14+v8.11-0.1 Fonts for the Ghostscript interpre
-- no debconf information
--
see shy jo
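The pv.sh naming pattern reported above (`$FILE.$$.pv`), as an added example that is not part of the original report or of gs-common: it runs the predictable name and a `mktemp -d` alternative against the same pre-existing symlink inside a throwaway sandbox. The function names, the sandbox layout and the mktemp-based alternative are assumptions; the contents of the actual dpatch are not shown on this page.

```shell
#!/bin/sh
# Added example, not code from gs-common: the pv.sh naming pattern next to a
# mktemp-based alternative, exercised inside a throwaway sandbox directory.

# Pattern from the report: output name built from the input name and the
# shell PID ($FILE.$$.pv). The name is guessable, and `>` follows whatever
# already sits at that path, including a symlink.
write_predictable() {            # $1 = input file name, $2 = data
    out="$1.$$.pv"
    printf '%s\n' "$2" > "$out"
}

# Alternative (assumed fix style): mktemp -d atomically creates a new 0700
# directory with an unpredictable name, so nothing can pre-exist inside it.
write_private() {                # $1 = parent directory, $2 = data
    dir=$(mktemp -d "$1/pv.XXXXXX") || return 1
    printf '%s\n' "$2" > "$dir/page.pv"
    printf '%s\n' "$dir/page.pv"
}

# Constructed scenario: "victim" stands for a file the script's user can
# write; a symlink to it already exists at the predictable output name.
demo() {
    sandbox=$(mktemp -d) || return 1
    printf 'precious\n' > "$sandbox/victim"
    ln -s "$sandbox/victim" "$sandbox/doc.$$.pv"

    write_predictable "$sandbox/doc" "page data"
    unsafe=$(cat "$sandbox/victim")          # clobbered through the link

    printf 'precious\n' > "$sandbox/victim"  # reset, link still in place
    out=$(write_private "$sandbox" "page data") || return 1
    safe=$(cat "$sandbox/victim")            # untouched

    printf 'unsafe:%s safe:%s out:%s\n' "$unsafe" "$safe" "$(cat "$out")"
    rm -rf "$sandbox"
}

demo
```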
In Debian Bug tracker #278282, Martin Pitt (pitti) wrote : Patch | #3 |
tag 278282 patch
thanks
Hi!
I just prepared and uploaded an updated Ubuntu package. I checked all
scripts for tempfile vulnerabilities. I completely replaced the broken
01_fix_
patches for ps2epsi and pv.sh.
The updated dpatch and changelog entry are in our bug tracking system:
https:/
Have a nice day,
Martin
--
Martin Pitt http://
Ubuntu Developer http://
Debian GNU/Linux Developer http://
Martin Pitt (pitti) wrote : | #4 |
Created an attachment (id=603)
dpatch to fix all insecure temporary file creations
Since the patch already existed (but was insecure as well), I replaced it with
the above one, so an interdiff looks strange. Apart from this dpatch, only the
changelog was modified:
gs-common (0.3.6ubuntu1.1) warty-security; urgency=low
.
* SECURITY UPDATE: fix multiple insecure temporary file vulnerabilities
* completely replaced original patch 01_fix_
an insecure temporary file by a less insecure temporary directory (still
vulnerable to DOS attack)
* new patch 01_fix_
temporary files in scripts/ps2epsi and scripts/pv.sh (Warty bug #9447)
* References:
- CAN-2004-0967
- http://
Martin Pitt (pitti) wrote : | #5 |
Waiting for upload approval
Martin Pitt (pitti) wrote : | #6 |
Got approval from Jeff, uploaded.
Debian Bug Importer (debzilla) wrote : | #7 |
Message-ID: <email address hidden>
Date: Tue, 26 Oct 2004 10:04:03 +0200
From: Martin Pitt <email address hidden>
To: <email address hidden>
Cc: <email address hidden>
Subject: Patch
Martin Pitt (pitti) wrote : | #8 |
It is fixed in Warty, but must still be fixed in Hoary. Reopening and adjusting
as appropriate.
Martin Pitt (pitti) wrote : | #9 |
Uploaded the same fix to Hoary. We have diverted the package anyway.
In Debian Bug tracker #278282, Frank Lichtenheld (djpig) wrote : Fixed in NMU of gs-common 0.3.6-0.1 | #10 |
tag 278282 + fixed
quit
This message was generated automatically in response to a
non-maintainer upload. The .changes file follows.
Format: 1.7
Date: Fri, 29 Oct 2004 00:35:34 +0200
Source: gs-common
Binary: gs-common
Architecture: source all
Version: 0.3.6-0.1
Distribution: unstable
Urgency: high
Maintainer: Masayuki Hatta (mhatta) <email address hidden>
Changed-By: Frank Lichtenheld <email address hidden>
Description:
gs-common - Common files for different Ghostscript releases
Closes: 278282
Changes:
gs-common (0.3.6-0.1) unstable; urgency=high
.
* Non-maintainer upload.
* Include new 01_fix_
Martin Pitt <email address hidden> which fixes some more issues
(Closes: #278282)
In Debian Bug tracker #278282, Frank Lichtenheld (djpig) wrote : Re: Bug#278282: Patch | #11 |
On Tue, Oct 26, 2004 at 10:04:03AM +0200, Martin Pitt wrote:
> I just prepared and uploaded an updated Ubuntu package. I checked all
> scripts for tempfile vulnerabilities. I completely replaced the broken
> 01_fix_
> patches for ps2epsi and pv.sh.
>
> The updated dpatch and changelog entry are in our bug tracking system:
> https:/
I've uploaded a NMU for this:
diff -Naur gs-common-
--- gs-common-
+++ gs-common-
@@ -1,3 +1,12 @@
+gs-common (0.3.6-0.1) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * Include new 01_fix_
+ Martin Pitt <email address hidden> which fixes some more issues
+ (Closes: #278282)
+
+ -- Frank Lichtenheld <email address hidden> Fri, 29 Oct 2004 00:35:34 +0200
+
gs-common (0.3.6) unstable; urgency=low
* Build-Depends -> Build-Depends-Indep
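Review bot: as far as the visible lines show, the new 0.3.6-0.1 entry describes the fix only as "fixes some more issues" and never says that this is a security upload. For an urgency=high NMU that closes #278282, name CAN-2004-0967 in the entry text so the changelog alone ties the upload to the advisory.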
diff -Naur gs-common-
--- gs-common-
+++ gs-common-
@@ -1,44 +1,61 @@
#! /bin/sh -e
-## 01_fix_
+## 01_fix_
##
-## All lines beginning with \`## DP:' are a description of the patch.
-## DP: Fixes insecure /tmp usage (See Bug#173237)
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: fix insecure temporary file creations
+## DP: CAN-2004-0967
+## DP: Debian bug #278282
+## DP: Ubuntu Warty bug #2744
-if [ $# -ne 1 ]; then
- echo >&2 "`basename $0`: script expects -patch|-unpatch as argument"
+if [ $# -lt 1 ]; then
+ echo "`basename $0`: script expects -patch|-unpatch as argument" >&2
exit 1
fi
+
+[ -f debian/
+patch_
+
case "$1" in
- -patch) patch -f --no-backup-
-;;
- -unpatch) patch -f --no-backup-
- *)
- echo >&2 "`basename $0`: script expects -patch|-unpatch as argument"
- exit 1;;
+ -patch) patch -p1 ${patch_opts} < $0;;
+ -unpatch) patch -R -p1 ${patch_opts} < $0;;
+ *)
+ echo "`basename $0`: script expects -patch|-unpatch as argument" >&2
+ exit 1;;
esac
exit 0
-diff -urN gs-common-
---- gs-common-
-+++ gs-common-
-@@ -1,7 +1,9 @@
+@DPATCH@
+diff -urNad gs-common-
+--- gs...
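Review bot: in the rewritten case block, `$0` is unquoted in both redirects (`patch -p1 ${patch_opts} < $0` and `patch -R -p1 ${patch_opts} < $0`), so the dpatch cannot read itself when it is invoked through a path that contains whitespace. Write `< "$0"` in both branches, and quote it in the `basename $0` calls of the error messages as well.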
Debian Bug Importer (debzilla) wrote : | #12 |
Message-Id: <email address hidden>
Date: Sun, 31 Oct 2004 17:47:05 -0500
From: Frank Lichtenheld <email address hidden>
To: <email address hidden>
Cc: Frank Lichtenheld <email address hidden>, Masayuki Hatta (mhatta) <email address hidden>
Subject: Fixed in NMU of gs-common 0.3.6-0.1
Debian Bug Importer (debzilla) wrote : | #13 |
Message-ID: <email address hidden>
Date: Mon, 1 Nov 2004 00:11:32 +0100
From: Frank Lichtenheld <email address hidden>
To: Martin Pitt <email address hidden>, <email address hidden>
Subject: Re: Bug#278282: Patch
On Tue, Oct 26, 2004 at 10:04:03AM +0200, Martin Pitt wrote:
> I just prepared and uploaded an updated Ubuntu package. I checked all
> scripts for tempfile vulnerabilities. I completely replaced the broken
> 01_fix_
> patches for ps2epsi and pv.sh.
>
> The updated dpatch and changelog entry are in our bug tracking system:
> https:/
I've uploaded a NMU for this:
diff -Naur gs-common-
--- gs-common-
+++ gs-common-
@@ -1,3 +1,12 @@
+gs-common (0.3.6-0.1) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * Include new 01_fix_
+ Martin Pitt <email address hidden> which fixes some more issues
+ (Closes: #278282)
+
+ -- Frank Lichtenheld <email address hidden> Fri, 29 Oct 2004 00:35:34 +0200
+
gs-common (0.3.6) unstable; urgency=low
* Build-Depends -> Build-Depends-Indep
diff -Naur gs-common-
--- gs-common-
+++ gs-common-
@@ -1,44 +1,61 @@
#! /bin/sh -e
-## 01_fix_
+## 01_fix_
##
-## All lines beginning with \`## DP:' are a description of the patch.
-## DP: Fixes insecure /tmp usage (See Bug#173237)
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: fix insecure temporary file creations
+## DP: CAN-2004-0967
+## DP: Debian bug #278282
+## DP: Ubuntu Warty bug #9447
-if [ $# -ne 1 ]; then
- echo >&2 "`basename $0`: script expects -patch|-unpatch as argument"
+if [ $# -lt 1 ]; then
+ echo "`basename $0`: script expects -patch|-unpatch as argument" >&2
exit 1
fi
+
+[ -f debian/
+patch_
+
case "$1" in
- -patch) patch -f --no-backup-
-;;
- -unpatch) patch -f --no-backup-
- *)
- echo >&2 "`basename $0`: script expects -patch|-unpatch as argument"
- exit 1;;
+ -patch) patch -p1 ${patch_opts} < $0;;
+ -unpatch) patch -R -p1 ${patch_opts} < $0;;
+ *)
+ echo "`basename $0`: script expects -patch|-unpatch as argument" >&2
+ exit 1;;
esac
exit 0
-diff -urN gs-common-
---- gs-common-
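Review bot: the argument check is loosened from `[ $# -ne 1 ]` to `[ $# -lt 1 ]`, so anything passed after -patch or -unpatch is now accepted and then ignored by `case "$1"`. If a second argument is expected, say so in a comment next to the test and handle it; otherwise keep the exact-count check so that a mistyped invocation still fails.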
In Debian Bug tracker #278282, Masayuki Hatta (mhatta) wrote : Bug#278282: fixed in gs-common 0.3.7 | #14 |
Source: gs-common
Source-Version: 0.3.7
We believe that the bug you reported is fixed in the latest version of
gs-common, which is due to be installed in the Debian FTP archive:
gs-common_0.3.7.dsc
to pool/main/
gs-common_
to pool/main/
gs-common_
to pool/main/
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Masayuki Hatta (mhatta) <email address hidden> (supplier of updated gs-common package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)
Format: 1.7
Date: Sun, 13 Mar 2005 15:53:43 +0900
Source: gs-common
Binary: gs-common
Architecture: source all
Version: 0.3.7
Distribution: unstable
Urgency: low
Maintainer: Masayuki Hatta (mhatta) <email address hidden>
Changed-By: Masayuki Hatta (mhatta) <email address hidden>
Description:
gs-common - Common files for different Ghostscript releases
Closes: 278282 290169
Changes:
gs-common (0.3.7) unstable; urgency=low
.
* New upstream release, based on GPL gs 8.15.
* Acknowledged NMU, thanks guys - closes:#278282
* Fixed copyright information - closes: #290169
Debian Bug Importer (debzilla) wrote : | #15 |
Message-Id: <email address hidden>
Date: Sun, 13 Mar 2005 13:02:57 -0500
From: Masayuki Hatta (mhatta) <email address hidden>
To: <email address hidden>
Subject: Bug#278282: fixed in gs-common 0.3.7
Changed in gs-common:
status: Unknown → Fix Released
Automatically imported from Debian bug report #278282 http://bugs.debian.org/278282