vim: Race conditions and symlink attacks in vim (tcltags and vimspell)

Bug #12030 reported by Debian Bug Importer
Affects      | Status       | Importance | Assigned to | Milestone
vim (Debian) | Fix Released | Unknown    |             |
vim (Ubuntu) | Fix Released | High       | Martin Pitt |

Bug Description

Automatically imported from Debian bug report #289560 http://bugs.debian.org/289560

CVE References

Revision history for this message
In , Javier Fernández-Sanguino (jfs) wrote :

On Sun, Jan 09, 2005 at 10:02:35PM +0100, Bram Moolenaar wrote:
>
> Javier -
>
> > Reviewing vim as part of the security audit the Audit team [1] is
> > conducting I've found what I believe are some race conditions and symlink
> > attacks through temporary files in vim. They appear in two scripts which
> > are not installed in Debian in binary locations (they are installed under
> > /usr/share/doc/vim/tools/) but are provided with execute permissions.
>
> Thanks for looking into this and providing patches.
>
> Did you contact the original authors, Darren Hiebert and Neil
> Schemenauer?

No, I didn't. I was not sure if they were still active. Do you want me to
forward this?

> I wonder if there isn't a shorter method. The handling of the temp file
> becomes more than half the script this way.

Actually, there is, you could remove the lines that try to use a temporary
file in a temporary directory (below the comments) and just abort with a
"Cannot create temporary file" message if tmp_tagfile (or OUTFILE) are
'none'.

Regards

Javier

Revision history for this message
In , Bram Moolenaar (bram-moolenaar) wrote :

Javier -

> > Did you contact the original authors, Darren Hiebert and Neil
> > Schemenauer?
>
> No, I didn't. I was not sure if they were still active. Do you want me to
> forward this?

Yes. They are the authors, thus I hesitate to change their work without
at least trying to contact them.

> > I wonder if there isn't a shorter method. The handling of the temp file
> > becomes more than half the script this way.
>
> Actually, there is, you could remove the lines that try to use a temporary
> file in a temporary directory (below the comments) and just abort with a
> "Cannot create temporary file" message if tmp_tagfile (or OUTFILE) are
> 'none'.

So there would be a few (old?) systems where the script won't work?

--
GALAHAD: No. Look, I can tackle this lot single-handed!
GIRLS: Yes, yes, let him Tackle us single-handed!
                 "Monty Python and the Holy Grail" PYTHON (MONTY) PICTURES LTD

 /// Bram Moolenaar -- <email address hidden> -- http://www.Moolenaar.net \\\
/// Sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\ Project leader for A-A-P -- http://www.A-A-P.org ///
 \\\ Buy LOTR 3 and help AIDS victims -- http://ICCF.nl/lotr.html ///

Revision history for this message
In , Javier Fernández-Sanguino (jfs) wrote :

On Mon, Jan 10, 2005 at 10:33:00AM +0100, Bram Moolenaar wrote:
> > > Did you contact the original authors, Darren Hiebert and Neil
> > > Schemenauer?
> >
> > No, I didn't. I was not sure if they were still active. Do you want me to
> > forward this?
>
> Yes. They are the authors, thus I hesitate to change their work without
> at least trying to contact them.

Ok. Will do.

>
> > > I wonder if there isn't a shorter method. The handling of the temp file
> > > becomes more than half the script this way.
> >
> > Actually, there is, you could remove the lines that try to use a temporary
> > file in a temporary directory (below the comments) and just abort with a
> > "Cannot create temporary file" message if tmp_tagfile (or OUTFILE) are
> > 'none'.
>
> So there would be a few (old?) systems where the script won't work?

Correct. Those that don't have mktemp or tempfile. These should be
available in most Linux distributions but I'm not sure about their
availability in other UNIX systems (I believe mktemp is available in
Solaris, in HP-UX and in Tru64 but not in AIX, for example)

Regards

Javier

Revision history for this message
In , Javier Fernández-Sanguino (jfs) wrote :

On Mon, Jan 10, 2005 at 10:33:00AM +0100, Bram Moolenaar wrote:
>
> Javier -
>
> > > Did you contact the original authors, Darren Hiebert and Neil
> > > Schemenauer?
> >
> > No, I didn't. I was not sure if they were still active. Do you want me to
> > forward this?
>
> Yes. They are the authors, thus I hesitate to change their work without
> at least trying to contact them.

At least one of the mail addresses (<email address hidden>) bounces.

Regards

Javier

Revision history for this message
In , Javier Fernández-Sanguino (jfs) wrote :

On Mon, Jan 10, 2005 at 11:01:57AM +0100, Javier Fernández-Sanguino Peña wrote:
> At least one of the mail addresses (<email address hidden>) bounces.

The other author address (<email address hidden>) bounces too.

Regards

Javier

Revision history for this message
In , Mark J Cox (mjc-redhat) wrote : [coley@mitre.org: Re: CVE request] (fwd

This is CAN-2005-0069.

Revision history for this message
In , Martin Schulze (joey-infodrom) wrote : cve id

Please use CAN-2005-0069.

Regards,

 Joey

--
The MS-DOS filesystem is nice for removable media. -- H. Peter Anvin

Please always Cc to me when replying to me on the lists.

Revision history for this message
In , Norbert Tretkowski (tretkowski) wrote : tags

tags 289560 +pending
thanks

Norbert

Revision history for this message
In , Norbert Tretkowski (tretkowski) wrote : Re: Bug#291125: vim: temporary file vulnerabilities (CAN-2005-0069)

severity 289560 grave
merge 289560 291125
thanks

* Joey Hess wrote:
> As described in the Ubuntu advisory below, vim's tcltags and vimspell
> scripts use temp files insecurely.

Updated package is already building currently.

Norbert

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Sun, 9 Jan 2005 21:05:26 +0100
From: Javier Fernández-Sanguino Peña <email address hidden>
To: <email address hidden>
Cc: Bram Moolenaar <email address hidden>
Subject: vim: Race conditions and symlink attacks in vim (tcltags and vimspell)

Package: vim
Version: 1:6.3-046+1
Severity: minor
Tags: patch security sid woody sarge

Hi there,

Reviewing vim as part of the security audit the Audit team [1] is
conducting I've found what I believe are some race conditions and symlink
attacks through temporary files in vim. They appear in two scripts which
are not installed in Debian in binary locations (they are installed under
/usr/share/doc/vim/tools/) but are provided with execute permissions.

That's mainly why I'm opening this bug up in Debian's BTS and not
contacting the security team directly although the code is present in all
vim releases in Debian.

These appear in:

1.- the tcltags script (runtime/tools/tcltags):
    (...)
    tmp_tagfile=/tmp/${program_name}.$$
    (...)
    sed -e "/^!_TAG_FILE_SORTED/s/ [01] / $sorted /" \
        -e "/^!_TAG_FILE_FORMAT/s/ 1 / $format /" \
        $tagfile > $tmp_tagfile

2.- the vimspell script (runtime/tools/vimspell.sh)

    OUTFILE=/tmp/vimspell.$$
    # if you have "tempfile", use the following line
    #OUTFILE=`tempfile`
    (...)
    spell $SPELL_ARGS $INFILE | sort -u |
    awk '
    {
        printf "syntax match SpellErrors \"\\<%s\\>\"\n", $0 ;
    }

    END {
        printf "highlight link SpellErrors ErrorMsg\n\n" ;
    }
    ' > $OUTFILE
    echo "!rm $OUTFILE" >> $OUTFILE
    echo $OUTFILE

Since these are tools that are run from vim, an attacker can get a
good-enough approximation of the PIDs that will be used in these temporary
files and can conduct a symlink attack if these tools are used.

The attached patch should fix both of these issues, I've taken the
approach implemented in vimtutor, but modified it slightly for vimspell as
the temporary file cannot be removed by the script (vim removes it) when
mktemp and tempfile are not available, there will still be a race condition
in the script. Since most GNU/Linux and UNIX operating systems seem to
have either one I don't think it's a big issue, however.

Best regards

Javier

Content-Disposition: attachment; filename="vim-6.3.diff"
Content-Transfer-Encoding: quoted-printable

diff -Nru vim-6.3.old/vim63/runtime/tools/tcltags vim-6.3/vim63/runtime/too=
ls/tcltags
--- vim-6.3.old/vim63/runtime/tools/tcltags 1999-08-01 14:01:46.000000000 +=
0200
+++ vim-6.3/vim63/runtime/tools/tcltags 2005-01-09 20:41:41.000000000 +0100
@@ -8,7 +8,31 @@
 program_version=3D"0.3"
 pr...

Revision history for this message
Debian Bug Importer (debzilla) wrote :

*** Bug 12027 has been marked as a duplicate of this bug. ***

Revision history for this message
In , Norbert Tretkowski (tretkowski) wrote : Bug#289560: fixed in vim 1:6.3-058+1

Source: vim
Source-Version: 1:6.3-058+1

We believe that the bug you reported is fixed in the latest version of
vim, which is due to be installed in the Debian FTP archive:

kvim-perl_6.3-058+1_alpha.deb
  to pool/main/v/vim/kvim-perl_6.3-058+1_alpha.deb
kvim-python_6.3-058+1_alpha.deb
  to pool/main/v/vim/kvim-python_6.3-058+1_alpha.deb
kvim-ruby_6.3-058+1_alpha.deb
  to pool/main/v/vim/kvim-ruby_6.3-058+1_alpha.deb
kvim-tcl_6.3-058+1_alpha.deb
  to pool/main/v/vim/kvim-tcl_6.3-058+1_alpha.deb
kvim_6.3-058+1_alpha.deb
  to pool/main/v/vim/kvim_6.3-058+1_alpha.deb
vim-common_6.3-058+1_all.deb
  to pool/main/v/vim/vim-common_6.3-058+1_all.deb
vim-doc_6.3-058+1_all.deb
  to pool/main/v/vim/vim-doc_6.3-058+1_all.deb
vim-gnome_6.3-058+1_alpha.deb
  to pool/main/v/vim/vim-gnome_6.3-058+1_alpha.deb
vim-gtk_6.3-058+1_alpha.deb
  to pool/main/v/vim/vim-gtk_6.3-058+1_alpha.deb
vim-lesstif_6.3-058+1_alpha.deb
  to pool/main/v/vim/vim-lesstif_6.3-058+1_alpha.deb
vim-perl_6.3-058+1_alpha.deb
  to pool/main/v/vim/vim-perl_6.3-058+1_alpha.deb
vim-python_6.3-058+1_alpha.deb
  to pool/main/v/vim/vim-python_6.3-058+1_alpha.deb
vim-ruby_6.3-058+1_alpha.deb
  to pool/main/v/vim/vim-ruby_6.3-058+1_alpha.deb
vim-tcl_6.3-058+1_alpha.deb
  to pool/main/v/vim/vim-tcl_6.3-058+1_alpha.deb
vim_6.3-058+1.diff.gz
  to pool/main/v/vim/vim_6.3-058+1.diff.gz
vim_6.3-058+1.dsc
  to pool/main/v/vim/vim_6.3-058+1.dsc
vim_6.3-058+1_alpha.deb
  to pool/main/v/vim/vim_6.3-058+1_alpha.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Norbert Tretkowski <email address hidden> (supplier of updated vim package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 18 Jan 2005 20:12:25 +0100
Source: vim
Binary: vim-lesstif vim-common vim-doc vim-gnome kvim-ruby vim vim-gtk kvim-perl vim-perl kvim-tcl vim-tiny vim-ruby vim-python vim-tcl kvim-python kvim
Architecture: source alpha all
Version: 1:6.3-058+1
Distribution: unstable
Urgency: high
Maintainer: Norbert Tretkowski <email address hidden>
Changed-By: Norbert Tretkowski <email address hidden>
Description:
 kvim - Vi IMproved - KDE 3.x version
 kvim-perl - Vi IMproved - KDE 3.x version with Perl scripting support
 kvim-python - Vi IMproved - KDE 3.x version with Python scripting support
 kvim-ruby - Vi IMproved - KDE 3.x version with Ruby scripting support
 kvim-tcl - Vi IMproved - KDE 3.x version with TCL scripting support
 vim - Vi IMproved - enhanced vi editor
 vim-common - Vi IMproved - Common files
 vim-doc - Vi IMproved - Documentation files
 vim-gnome - Vi IMproved - GNOME2 Version
 vim-gtk - Vi IMproved - GTK2 Version
 vim-lesstif - Vi IMproved - LessTif Version
 vim-perl - Vi IMproved, with perl scripting support
 vim-python - Vi IMpr...

Revision history for this message
In , Javier Fernández-Sanguino (jfs) wrote : Re: Bug#289560 acknowledged by developer (Bug#289560: fixed in vim 1:6.3-058+1)

> * added a new patch (stolen from Ubuntu) which modifies vimspell.sh and
> tcltags.sh so they use mktemp instead of insecure $$ construction to
> create temporary files (CAN-2005-0069) (closes: #289560)

A few comments and questions regarding this entry:

- the scripts seem to be ancient and no longer supported by either their
authors nor vim maintainer and have been removed upstream.

- I understand that Ubuntu's patch might be simpler, but I actually wrote
the patch based on what's done in vim's tcltutor script. There were some
reasons I wrote it which have been disregarded (mostly compatibility
reasons for things that don't have mktemp/tempfile)
(I can't find it in Ubuntu's bugzilla 5633 but found it in our BTS #291125)

- no credit is given to me, which I would have appreciated

- Ubuntu's patch for tcltags will remove the temporary file *twice* (once
on exit, once after the trap is called) as the last line of the script has
not been removed (rm $tmp_tagfile) as I did in my patch.

Regards

Javier

Revision history for this message
In , Martin Pitt (pitti) wrote : Re: Bug#289560: acknowledged by developer (Bug#289560: fixed in vim 1:6.3-058+1)

Hi Javier!

Javier Fernández-Sanguino Peña [2005-01-19 9:08 +0100]:
> > * added a new patch (stolen from Ubuntu) which modifies vimspell.sh and
> > tcltags.sh so they use mktemp instead of insecure $$ construction to
> > create temporary files (CAN-2005-0069) (closes: #289560)
>
> A few comments and questions regarding this entry:
>
> - the scripts seem to be ancient and no longer supported by either their
> authors nor vim maintainer and have been removed upstream.

Maybe, but still we ship them in our stable release, so we must fix
it.

> - I understand that Ubuntu's patch might be simpler, but I actually wrote
> the patch based on what's done in vim's tcltutor script. There were some
> reasons I wrote it which have been disregarded (mostly compatibility
> reasons for things that don't have mktemp/tempfile)
> (I can't find it in Ubuntu's bugzilla 5633 but found it in our BTS #291125)

I read your patch, but I deliberately wrote my own very simple
version, because:

- I wanted to avoid the tempfile race in any case, so if mktemp is not
  available, the script should rather fail than be vulnerable. mktemp
  is shipped in a required package, so we can assume it is there.

- A security update must be as simple and unintrusive as possible. I
  do not care about the widest possible upstream portability in
  security updates, the solution only needs to work on the platforms
  we support.

> - no credit is given to me, which I would have appreciated

I credited you in the announcement [1] since you found the bug.
However, since I did not take your patch, but wrote my own, I did not
credit you for the patch (so if it's broken, it is seen as my fault
and not yours :-) ).

[1] http://www.ubuntulinux.org/support/documentation/usn/usn-61-1

> - Ubuntu's patch for tcltags will remove the temporary file *twice* (once
> on exit, once after the trap is called) as the last line of the script has
> not been removed (rm $tmp_tagfile) as I did in my patch.

Right, thanks for that hint. It would be nice to fix that in Sid and
our development release.

Have a nice day!

Martin

--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntulinux.org
Debian GNU/Linux Developer http://www.debian.org
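
The fail-closed handling argued for above (no mktemp, no temp file) with a single cleanup point, plus a scan for the `$$` construction from the original report. This is an added example, not the Ubuntu or Debian patch; the function names, the copy-back step and the sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: not taken from tcltags, vimspell.sh or either patch.
# Function names, the copy-back step and the sample files are assumptions.

# Create a private temp file or fail. mktemp chooses an unpredictable name
# and creates the file exclusively, so a file or symlink planted in advance
# under a guessed name is never opened. There is no /tmp/name.$$ fallback:
# without mktemp the caller gets an error instead of a racy file.
safe_tmpfile() {
    command -v mktemp >/dev/null 2>&1 || {
        echo "Cannot create temporary file: mktemp not available" >&2
        return 1
    }
    mktemp "${TMPDIR:-/tmp}/$1.XXXXXX" || {
        echo "Cannot create temporary file" >&2
        return 1
    }
}

# Rewrite the two tag-file header lines through a private temp file, using
# the sed expressions quoted in the report. The body runs in a subshell so
# the EXIT trap is the only place the temp file is removed; there is no
# second "rm" at the end.
rewrite_tag_header() (
    tagfile=$1 sorted=$2 format=$3
    tmp=$(safe_tmpfile tcltags) || exit 1
    trap 'rm -f "$tmp"' EXIT
    sed -e "/^!_TAG_FILE_SORTED/s/ [01] / $sorted /" \
        -e "/^!_TAG_FILE_FORMAT/s/ 1 / $format /" \
        "$tagfile" > "$tmp" || exit 1
    cat "$tmp" > "$tagfile" || exit 1   # copy-back is this example's choice
    exit 0
)

# Audit helper: list uncommented lines that build a path under /tmp or
# /var/tmp from the shell PID ($$), the construction reported in this bug.
# Output is file:line:text; exit status 0 if anything was found, 1 if not.
find_pid_tmpnames() {
    grep -nE '^[^#]*/(var/)?tmp/[^[:space:]]*\$\$' /dev/null "$@"
}

# Constructed sample input: a script holding the two assignments quoted in
# the report, and a two-line tags header (separator written as a space, as
# in the excerpt on this page).
make_samples() {
    cat > "$1/old-tool.sh" <<'EOF'
tmp_tagfile=/tmp/${program_name}.$$
OUTFILE=/tmp/vimspell.$$
#OUTFILE=`tempfile`
EOF
    cat > "$1/tags" <<'EOF'
!_TAG_FILE_FORMAT 1 /supported features/
!_TAG_FILE_SORTED 0 /0=unsorted, 1=sorted/
EOF
}

# Run both helpers on the constructed samples inside a throw-away directory.
demo() (
    box=$(mktemp -d "${TMPDIR:-/tmp}/tmpdemo.XXXXXX") || exit 1
    trap 'rm -rf "$box"' EXIT
    TMPDIR=$box; export TMPDIR
    make_samples "$box"
    echo "PID-based temp names:"
    find_pid_tmpnames "$box/old-tool.sh" || echo "(none)"
    rewrite_tag_header "$box/tags" 1 2 || exit 1
    echo "Rewritten header:"
    cat "$box/tags"
    exit 0
)

demo
```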

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Wed, 19 Jan 2005 10:24:20 +0100
From: Martin Pitt <email address hidden>
To: Javier =?iso-8859-1?Q?Fern=E1ndez-Sanguino_Pe=F1a?= <email address hidden>,
 <email address hidden>
Subject: Re: Bug#289560: acknowledged by developer (Bug#289560: fixed in vim 1:6.3-058+1)

--+g7M9IMkV8truYOl
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Hi Javier!

Javier Fernández-Sanguino Peña [2005-01-19 9:08 +0100]:
> > * added a new patch (stolen from Ubuntu) which modifies vimspell.sh and
> > tcltags.sh so they use mktemp instead of insecure $$ construction to
> > create temporary files (CAN-2005-0069) (closes: #289560)
>
> A few comments and questions regarding this entry:
>
> - the scripts seem to be ancient and no longer supported by either their
> authors nor vim maintainer and have been removed upstream.

Maybe, but still we ship them in our stable release, so we must fix
it.

> - I understand that Ubuntu's patch might be simpler, but I actually wrote
> the patch based on what's done in vim's tcltutor script. There were some
> reasons I wrote it which have been disregarded (mostly compatibility
> reasons for things that don't have mktemp/tempfile)
> (I can't find it in Ubuntu's bugzilla 5633 but found it in our BTS #291125)

I read your patch, but I deliberately wrote my own very simple
version, because:

- I wanted to avoid the tempfile race in any case, so if mktemp is not
  available, the script should rather fail than be vulnerable. mktemp
  is shipped in a required package, so we can assume it is there.

- A security update must be as simple and unintrusive as possible. I
  do not care about the widest possible upstream portability in
  security updates, the solution only needs to work on the platforms
  we support.

> - no credit is given to me, which I would have appreciated

I credited you in the announcement [1] since you found the bug.
However, since I did not take your patch, but wrote my own, I did not
credit you for the patch (so if it's broken, it is seen as my fault
and not yours :-) ).

[1] http://www.ubuntulinux.org/support/documentation/usn/usn-61-1

> - Ubuntu's patch for tcltags will remove the temporary file *twice* (once
> on exit, once after the trap is called) as the last line of the script has
> not been removed (rm $tmp_tagfile) as I did in my patch.

Right, thanks for that hint. It would be nice to fix that in Sid and
our development release.

Have a nice day!

Martin

--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntulinux.org
Debian GNU/Linux Developer http://www.debian.org

Revision history for this message
Martin Pitt (pitti) wrote :

Fixed in Warty in USN-61-1, fixed in Hoary in 1:6.3-046+1ubuntu2.

Revision history for this message
In , Javier Fernández-Sanguino (jfs) wrote :

On Wed, Jan 19, 2005 at 10:24:20AM +0100, Martin Pitt wrote:
> I read your patch, but I deliberately wrote my own very simple
> version, because:

Martin, just to get things straight, my comments are not directed
towards you, but towards the vim maintainer.

>
> - I wanted to avoid the tempfile race in any case, so if mktemp is not
> available, the script should rather fail than be vulnerable. mktemp
> is shipped in a required package, so we can assume it is there.

It would be best if instead of

tmp_tagfile=`mktemp -t tcltagXXXXXX` || exit 1

you had used

tmp_tagfile=`mktemp -t tcltagXXXXXX` || { echo "$0: error creating the temporary file" >&2; exit 1 ;}

IMHO

> - A security update must be as simple and unintrusive as possible. I
> do not care about the widest possible upstream portability in
> security updates, the solution only needs to work on the platforms
> we support.

Well, in the Debian case (not Ubuntu's) the patch was not intended to be
used as a DSA (since even if the code is in stable, it's in
/usr/share/doc). I wasn't complaining about the Ubuntu update, but about
the use of Ubuntu's patch in Debian when mine could be used instead for the
sid upload (and would've been more consistent with upstream source)

> > - no credit is given to me, which I would have appreciated
>
> I credited you in the announcement [1] since you found the bug.

I was mentioning Debian's changelog, not Ubuntu's advisory.
Actually, all my statements are with how this bug has been handled by the
Debian maintainer, which takes no action until an Ubuntu advisory is
released.

In any case, no use in arguing this when there are so many things to work on
(and so many similar security bugs to report)

Regards

Javier

Revision history for this message
In , Martin Pitt (pitti) wrote :

Hi Javier!

Javier Fernández-Sanguino Peña [2005-01-19 11:40 +0100]:
> It would be best if instead of
>
> tmp_tagfile=`mktemp -t tcltagXXXXXX` || exit 1
>
> you had used
>
> tmp_tagfile=`mktemp -t tcltagXXXXXX` || { echo "$0: error creating the
> temporary file" >&2; exit 1 ;}
>
> IMHO

There is no need for this. mktemp generates an error message on its
own, so this would only write two messages.

> In any case, no use in arguing this when there are so many things to work on
> (and so many similar security bugs to report)

Right, I just wanted to point out above mktemp behavior, since this
seems to be a common misconception.

Thanks for your great work and have a nice day!

Martin
--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntulinux.org
Debian GNU/Linux Developer http://www.debian.org

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Wed, 19 Jan 2005 11:40:47 +0100
From: Javier Fernández-Sanguino Peña <email address hidden>
To: Martin Pitt <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#289560: acknowledged by developer (Bug#289560: fixed in vim 1:6.3-058+1)

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Wed, 19 Jan 2005 12:04:06 +0100
From: Martin Pitt <email address hidden>
To: Javier Fernández-Sanguino Peña <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#289560: acknowledged by developer (Bug#289560: fixed in vim 1:6.3-058+1)

Revision history for this message
In , Javier Fernández-Sanguino (jfs) wrote :

On Wed, Jan 19, 2005 at 12:04:06PM +0100, Martin Pitt wrote:
> > IMHO
>
> There is no need for this. mktemp generates an error message on its
> own, so this would only write two messages.

Mktemp might not be available. The || test would actually check whether
mktemp fails (not common) and whether it's available. My message is
associated with the latter.

>
> > In any case, no use in arguing this when there are so many things to work on
> > (and so many similar security bugs to report)
>
> Right, I just wanted to point out above mktemp behavior, since this
> seems to be a common misconception.

Understood, but you don't cover the event of mktemp not being available.
The bash would output a message but an unknowledgeable user wouldn't know
what's amiss.

>
> Thanks for your great work and have a nice day!

Thank you for your work.

Regards

Javier
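
The two failure cases argued over in the messages above (mktemp missing versus mktemp failing) and the single-point cleanup that avoids the double removal, as an added example that is not taken from either patch or from the scripts themselves. The function names `make_tmp` and `run_job` are hypothetical, and the full-path template replaces the thread's `mktemp -t` form as an assumption for portability.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from tcltags or vimspell.sh.
#
# Pattern the fix replaced (illustrative, not run): a name built from $$,
# such as /tmp/name.$$, is predictable, so the path can already exist
# (for instance as a symlink) before the script opens it.

# make_tmp PREFIX
# Prints the path of a newly created, private temporary file.
# Returns 2 if mktemp is not installed, 1 if mktemp itself failed.
make_tmp() {
    # Fail closed: never fall back to a $$-based name.
    if ! command -v mktemp >/dev/null 2>&1; then
        echo "$0: mktemp not found; cannot create a temporary file safely" >&2
        return 2
    fi
    # mktemp prints its own diagnostic on failure, so no second message here.
    # A full template is used instead of "-t" (assumption: chosen because
    # GNU and BSD mktemp interpret "-t" differently).
    mktemp "${TMPDIR:-/tmp}/$1.XXXXXX" || return 1
}

# run_job
# Uses a temporary file and removes it in exactly one place, the EXIT trap,
# so there is no trailing "rm" left to run a second time.
# The function body is a subshell, so the trap fires when the job ends.
run_job() (
    tmp=$(make_tmp tcltag) || exit $?
    trap 'rm -f -- "$tmp"' EXIT
    trap 'exit 1' HUP INT TERM      # signals reach the EXIT trap through exit
    echo "constructed sample tag data" > "$tmp"
    wc -l < "$tmp" >/dev/null       # stand-in for the real work
    echo "$tmp"
)

path=$(run_job) && echo "used and removed: $path"
```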

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Wed, 19 Jan 2005 13:20:29 +0100
From: Javier Fernández-Sanguino Peña <email address hidden>
To: Martin Pitt <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#289560: acknowledged by developer (Bug#289560: fixed in vim 1:6.3-058+1)

Revision history for this message
In , Norbert Tretkowski (tretkowski) wrote :

Oh well... looks like I did everything wrong that can be done wrong with
this bugreport...

* Javier Fernández-Sanguino Peña wrote:
> > * added a new patch (stolen from Ubuntu) which modifies vimspell.sh and
> > tcltags.sh so they use mktemp instead of insecure $$ construction to
> > create temporary files (CAN-2005-0069) (closes: #289560)
>
> A few comments and questions regarding this entry:
>
> - the scripts seem to be ancient and no longer supported by either their
> authors nor vim maintainer and have been removed upstream.

You're right, it's better to remove those scripts.

> - no credit is given to me, which I would have appreciated

You're right again, sorry that I forgot that.

So, my plans for the next upload...

- remove vimspell.sh and tcltags.sh
- remove the Ubuntu patch
- notice in the changelog that you discovered these problems

I hope I'll find time next weekend for a new upload.

Regards, Norbert

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Wed, 19 Jan 2005 21:23:26 +0100
From: Norbert Tretkowski <email address hidden>
To: Javier Fernández-Sanguino Peña <email address hidden>,
 <email address hidden>
Subject: Re: Bug#289560: acknowledged by developer (Bug#289560: fixed in vim 1:6.3-058+1)

Revision history for this message
In , Javier Fernández-Sanguino (jfs) wrote :

> I hope I'll find time next weekend for a new upload.

There's no hurry, take your time, these scripts have been in Debian for
ages. You can even wait until the next upstream version is released, no
sense in making two uploads to fix these.

Regards

Javier

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Thu, 20 Jan 2005 01:20:07 +0100
From: Javier Fernández-Sanguino Peña <email address hidden>
To: Norbert Tretkowski <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#289560: acknowledged by developer (Bug#289560: fixed in vim 1:6.3-058+1)

Revision history for this message
In , Helge Kreutzmann (kreutzm) wrote : Woody still vulnerable (or at least no entry in non-vulns-list)

reopen 289560
thanks

At least woody is not fixed. I just checked, there is also no entry in
http://www.debian.org/security/nonvulns-woody
for this issue. Either one (the first preferably) needs to be handled.

Greetings

          Helge
--
Helge Kreutzmann, Dipl.-Phys. <email address hidden>
                       gpg signed mail preferred
    64bit GNU powered http://www.itp.uni-hannover.de/~kreutzm
       Help keep free software "libre": http://www.freepatents.org/

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Thu, 20 Jan 2005 10:24:34 +0100
From: Helge Kreutzmann <email address hidden>
To: <email address hidden>
Cc: <email address hidden>
Subject: Woody still vulnerable (or at least no entry in non-vulns-list)

Revision history for this message
In , Frank Lichtenheld (djpig) wrote : tagging 289560

# Automatically generated email from bts, devscripts version 2.8.5
tags 289560 - sid

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Thu, 20 Jan 2005 22:58:39 +0100
From: Frank Lichtenheld <email address hidden>
To: <email address hidden>
Subject: tagging 289560

Revision history for this message
In , Steve Langasek (vorlon) wrote : fixed version reaches testing

tags 289560 -sarge
thanks

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Sat, 22 Jan 2005 21:05:49 -0800
From: Steve Langasek <email address hidden>
To: <email address hidden>
Subject: fixed version reaches testing

Revision history for this message
In , Norbert Tretkowski (tretkowski) wrote : Re: Bug#289560: Woody still vulnerable (or at least no entry in non-vulns-list)

severity 289560 minor
severity 291125 minor
thanks

* Helge Kreutzmann wrote:
> At least woody is not fixed. I just checked, there is also no entry in
> http://www.debian.org/security/nonvulns-woody
> for this issue. Either one (the first preferably) needs to be handled.

No DSA, statement from security team was: "problem is not in active
code".

I'll try to prepare an update and upload it to woody-proposed-updates
so it gets into 3.0r5.

Norbert

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Sun, 20 Feb 2005 18:07:23 +0100
From: Norbert Tretkowski <email address hidden>
To: Helge Kreutzmann <email address hidden>,
 <email address hidden>, <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#289560: Woody still vulnerable (or at least no entry in non-vulns-list)

Revision history for this message
In , Debian VIM Maintainers (pkg-vim-maintainers) wrote : tagging 289560

# Automatically generated email from bts, devscripts version 2.8.11
tags 289560 + woody

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Tue, 22 Mar 2005 11:00:27 +0100
From: "Pierre Habouzit <Debian VIM Maintainers" <email address hidden>
To: <email address hidden>
Subject: tagging 289560

Revision history for this message
In , Norbert Tretkowski (tretkowski) wrote : Bug#289560: fixed in vim 6.1.018-1woody1

Source: vim
Source-Version: 6.1.018-1woody1

We believe that the bug you reported is fixed in the latest version of
vim, which is due to be installed in the Debian FTP archive:

vim-gtk_6.1.018-1woody1_i386.deb
  to pool/main/v/vim/vim-gtk_6.1.018-1woody1_i386.deb
vim-perl_6.1.018-1woody1_i386.deb
  to pool/main/v/vim/vim-perl_6.1.018-1woody1_i386.deb
vim-python_6.1.018-1woody1_i386.deb
  to pool/main/v/vim/vim-python_6.1.018-1woody1_i386.deb
vim-ruby_6.1.018-1woody1_i386.deb
  to pool/main/v/vim/vim-ruby_6.1.018-1woody1_i386.deb
vim-tcl_6.1.018-1woody1_i386.deb
  to pool/main/v/vim/vim-tcl_6.1.018-1woody1_i386.deb
vim_6.1.018-1woody1.diff.gz
  to pool/main/v/vim/vim_6.1.018-1woody1.diff.gz
vim_6.1.018-1woody1.dsc
  to pool/main/v/vim/vim_6.1.018-1woody1.dsc
vim_6.1.018-1woody1_i386.deb
  to pool/main/v/vim/vim_6.1.018-1woody1_i386.deb
vim_6.1.018.orig.tar.gz
  to pool/main/v/vim/vim_6.1.018.orig.tar.gz

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Norbert Tretkowski <email address hidden> (supplier of updated vim package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 3 Apr 2005 12:35:25 +0200
Source: vim
Binary: vim-python vim-gtk vim-ruby vim vim-tcl vim-perl
Architecture: source i386
Version: 6.1.018-1woody1
Distribution: stable
Urgency: medium
Maintainer: Debian VIM Maintainers <email address hidden>
Changed-By: Norbert Tretkowski <email address hidden>
Description:
 vim - Vi IMproved - enhanced vi editor
 vim-gtk - Vi IMproved - GTK version
 vim-perl - Vi IMproved, with perl scripting support
 vim-python - Vi IMproved, with python scripting support
 vim-ruby - Vi IMproved, with ruby scripting support
 vim-tcl - Vi IMproved, with tcl scripting support
Closes: 286223 289560 291125
Changes:
 vim (6.1.018-1woody1) stable; urgency=medium
 .
   * CAN-2004-1138: Backported and applied patch 6.3.045 which fixes several
     vulnerabilities related to the use of options in modelines.
     (closes: #286223)
   * CAN-2005-0069: Use mktemp instead of insecure $$ construction to create
     temporary files in vimspell.sh and tcltags. (closes: #289560, #291125)
   * Set maintainer address to project mailinglist on alioth and added myself to
     uploaders.
Files:
 1cfdd09715be69c8df993ad9e662b92f 804 editors optional vim_6.1.018-1woody1.dsc
 a72ece837a192262ef9daf29566fd6c1 4430373 editors optional vim_6.1.018.orig.tar.gz
 776f9a74f34ba52f9d4040323657d7df 30282 editors optional vim_6.1.018-1woody1.diff.gz
 e7e1230281e4d71f7e6c51011ea6a426 3751082 editors optional vim_6.1.018-1woody1_i386.deb
 fb8c979819a1699b50b12840d2ddb243 552054 editors optional vim-gtk_6.1.018-1woody1_i386.deb
 992e0ee6c3ad8156a35a8767b9fb354e 562010 editors optio...

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Sun, 03 Apr 2005 08:32:09 -0400
From: Norbert Tretkowski <email address hidden>
To: <email address hidden>
Subject: Bug#289560: fixed in vim 6.1.018-1woody1

Changed in vim:
status: Unknown → Fix Released