autokey: insecure use of temporary files (Data Corruption, Local Denial of Service)

Bug #538471 reported by Luke Faraone on 2010-03-13
This bug affects 1 person
Affects Status Importance Assigned to Milestone
autokey (Debian)
Fix Released
Undecided
Luke Faraone
autokey (Ubuntu)
Medium
Unassigned
Karmic
Medium
Unassigned

Bug Description

Binary package hint: autokey

jwilk reported to the Debian Security Team:

'''
I discovered that the autokey (0.61.3-1 and possibly earlier versions) init script is prone to symlink attacks, which allow a local attacker to create or overwrite arbitrary files.

How to reproduce:
1. as root: /etc/init.d/autokey stop
2. as a normal user: ln -sf /file/you/want/to/overwrite /tmp/autokey-daemon.pid
3. as root: /etc/init.d/autokey start

Please tell me if/when I can disclose this vulnerability.
'''

This affects the version of Autokey in Lucid, and probably Karmic as well.
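
The following is an added example, not part of the bug report or of autokey's code. It shows why a root-owned daemon writing a pidfile with a plain `open()` in a shared directory clobbers whatever a pre-planted symlink points to, next to a creation call that refuses the link. The function names, file names and PID 4242 are assumptions, and a private temporary directory stands in for `/tmp`.

```python
import os
import tempfile


def write_pidfile_unsafe(path, pid):
    # Plain open(..., "w") follows a symlink at `path` and truncates its target.
    with open(path, "w") as f:
        f.write("%d\n" % pid)


def write_pidfile_safe(path, pid):
    # O_EXCL: fail if anything, including a dangling symlink, already exists.
    # O_NOFOLLOW: never follow a symlink in the final path component.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o644)
    with os.fdopen(fd, "w") as f:
        f.write("%d\n" % pid)


def demo():
    """Run both writers against a pre-planted symlink (constructed sample files).

    Returns {name: (write_refused, contents_of_link_target_afterwards)}.
    """
    results = {}
    with tempfile.TemporaryDirectory() as shared:  # stands in for /tmp
        target = os.path.join(shared, "important.conf")  # hypothetical file
        pidfile = os.path.join(shared, "demo-daemon.pid")  # hypothetical pidfile
        writers = (("unsafe", write_pidfile_unsafe), ("safe", write_pidfile_safe))
        for name, writer in writers:
            with open(target, "w") as f:
                f.write("original contents\n")
            if os.path.lexists(pidfile):
                os.unlink(pidfile)
            os.symlink(target, pidfile)  # link placed before the daemon starts
            try:
                writer(pidfile, 4242)
                refused = False
            except OSError:  # EEXIST (or ELOOP) from the exclusive create
                refused = True
            with open(target) as f:
                results[name] = (refused, f.read())
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The fix recorded in this bug takes the complementary route of moving the pidfile and socket to `/var/run`, where unprivileged users cannot create entries at all.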

Luke Faraone (lfaraone) wrote :

Debian has decided to embargo this until March 20, 2010.

Luke Faraone (lfaraone) wrote :
Luke Faraone (lfaraone) on 2010-03-20
Changed in autokey (Debian):
status: New → Fix Released
assignee: nobody → Luke Faraone (lfaraone)
Luke Faraone (lfaraone) on 2010-03-21
visibility: private → public
tags: added: patch
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package autokey - 0.61.5-1ubuntu1

---------------
autokey (0.61.5-1ubuntu1) lucid; urgency=low

  * Make "autokey" a transitional package for autokey-gtk rather than -qt.

autokey (0.61.5-1) unstable; urgency=low

  * New upstream version:
     - Combine GTK and QT versions into single source tree
  * Provide "autokey" as a transitional package to autokey-common and autokey-qt
  * debian/autokey-common.postinst: call `update-python-modules -p` so that
    starting the daemon does not fail if qt4 was not fully configured.
    (LP: #543654)

autokey (0.61.3-2) unstable; urgency=high

  * SECURITY UPDATE: arbitrary file overwriting via symlinks (LP: #538471)
    - Store files for the EvDev daemon in FHS-specified locations
    - debian/autokey.init: Set pidfile path to '/var/run/autokey-daemon.pid'
    - src/lib/interface.py: Set DOMAIN_SOCKET_PATH to "/var/run/autokey-daemon"
    - CVE-2010-0398

autokey (0.61.3-1) unstable; urgency=low

  * debian/rules: call dh_installinit with --error-handler so that install
    doesn't fail if Autokey cannot be restarted during configure (LP: #479131)
  * New upstream version:
    - Merge changes to interface.py from GTK branch that were missed

autokey (0.61.2-2) unstable; urgency=low

  * Set DM-Upload-Allowed to Yes in control
  * Patch src/lib/daemon.py to handle empty or invalid PIDs (closes: #568070)
  * Fix typo in Vcs-Browser
  * Bump standards version
 -- Luke Faraone <email address hidden> Wed, 24 Mar 2010 22:06:35 -0400

Changed in autokey (Ubuntu):
status: New → Fix Released
Luke Faraone (lfaraone) on 2010-05-12
Changed in autokey (Ubuntu Karmic):
importance: Undecided → Medium
status: New → Confirmed
Kees Cook (kees) wrote :

ACK, thanks for the debdiff. (I've subscribed ubuntu-security-sponsors now.) I've uploaded this to the build queue now; it should be published shortly.

Changed in autokey (Ubuntu Karmic):
status: Confirmed → Fix Released
Kees Cook (kees) on 2010-05-13
Changed in autokey (Ubuntu Karmic):
status: Fix Released → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package autokey - 0.54.5-1ubuntu0.3

---------------
autokey (0.54.5-1ubuntu0.3) karmic-security; urgency=low

  * SECURITY UPDATE: arbitrary file overwriting via symlinks (LP: #538471)
    - Store files for the EvDev daemon in FHS-specified locations
    - debian/autokey.init: Set pidfile path to '/var/run/autokey-daemon.pid'
    - src/lib/interface.py: Set DOMAIN_SOCKET_PATH to "/var/run/autokey-daemon"
    - CVE-2010-0398
 -- Luke Faraone <email address hidden> Sat, 13 Mar 2010 17:14:24 -0500

Changed in autokey (Ubuntu Karmic):
status: Fix Committed → Fix Released