Insecure temporary file use in OCAL code

Bug #191847 reported by Lubomir Rintel
Affects: Inkscape; Status: Fix Released; Importance: Medium; Assigned to: Kees Cook
Affects: inkscape (Fedora); Status: Fix Released; Importance: Low

Bug Description

Here are the patches:

This one is ugly. Pardon me, I never wrote C++ code longer than three lines before.
If someone uses "Mentor someone fixing this bug" I'd be very happy.
http://cvs.fedora.redhat.com/viewcvs/*checkout*/rpms/inkscape/devel/inkscape-0.46pre1-ocal1.patch

This one is not as ugly as the first. It also contains a workaround for bug #179326
http://cvs.fedora.redhat.com/viewcvs/*checkout*/rpms/inkscape/devel/inkscape-0.46pre1-ocal2.patch

In , Lubomir (lubomir-redhat-bugs) wrote :

Description of problem:

Inkscape uses predictable names for OCAL feed's and thumbnails' temporary files,
which makes it possible for a local attacker to overwrite files via a symlink attack.

In , Lubomir (lubomir-redhat-bugs) wrote :

Fixed in inkscape-0.45.1+0.46pre1-4

In , Lubomir (lubomir-redhat-bugs) wrote :

CVE name was requested.

Lubomir Rintel (lkundrak) wrote :

Note -ocal1.patch also fixes a functionality bug. If two cliparts, possibly in different directories, had the same file name, only the thumbnail of the first one would be visible.

Ted Gould (ted)
Changed in inkscape:
milestone: none → 0.46
Lubomir Rintel (lkundrak) wrote :

Actually -ocal1.patch is broken. Choosing a random file name such as /tmp/mHpvUM loses the file extension, and in case it's not SVG, inkscape won't be able to open it as it won't be able to determine the file type. A possible solution would be to use a temporary directory so that it will be possible for file names to be chosen arbitrarily instead of randomly.

Changed in inkscape:
status: Unknown → Confirmed
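
The temporary-directory approach suggested in the comment above, sketched in C as an added example (it is not Inkscape's code and not either of the patches linked on this page). The function names and the `ocal-example-` prefix are hypothetical.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L  /* exposes mkdtemp() and O_NOFOLLOW */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a private directory (mode 0700) whose name is unpredictable.
 * Only the directory name is random, so files inside it can keep their
 * real names and extensions. Returns 0 on success, -1 on error. */
int make_private_tmpdir(char *out, size_t outlen)
{
    const char *base = getenv("TMPDIR");
    if (base == NULL || *base == '\0')
        base = "/tmp";
    int n = snprintf(out, outlen, "%s/ocal-example-XXXXXX", base);
    if (n < 0 || (size_t)n >= outlen) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return mkdtemp(out) ? 0 : -1;
}

/* Create dir/name for writing and return its descriptor, or -1.
 * O_EXCL fails with EEXIST if anything, a symlink included, is already
 * at that path, so an existing file is never opened or truncated.
 * O_NOFOLLOW additionally refuses a symlink as the final component. */
int create_in_tmpdir(const char *dir, const char *name)
{
    char path[4096];
    /* The name may come from a remote feed: accept a plain file name only. */
    if (*name == '\0' || strchr(name, '/') != NULL ||
        strcmp(name, ".") == 0 || strcmp(name, "..") == 0) {
        errno = EINVAL;
        return -1;
    }
    int n = snprintf(path, sizeof path, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= sizeof path) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}
```

The caller is expected to unlink the files and remove the directory when it is done with them.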
Kees Cook (kees) wrote :

I've applied ocal2.patch to SVN now. Thanks for these fixes!

I'm investigating other solutions for the ocal1.patch issues.

Changed in inkscape:
assignee: nobody → keescook
importance: Undecided → Medium
status: New → Confirmed
Kees Cook (kees) wrote :

Based on Lubomir's patch, I've fixed up the temp file handling. While it might be possible to DoS-race the target, it is no longer vulnerable to overwrite attacks.

Changed in inkscape:
status: Confirmed → Fix Released
Changed in inkscape (Fedora):
importance: Unknown → Low
This report contains Public Security information  
Everyone can see this security related information.