/usr/bin/getweb is vulnerable to "Insecure temporary file creation" weaknesses

Bug #805370 reported by David on 2011-07-04
Affects: foo2zjs (Ubuntu)
Importance: Low
Assigned to: Unassigned

Bug Description

/usr/bin/getweb is vulnerable to "Insecure temporary file creation". [0]
While I don't know if anyone uses the getweb command, the script makes a temporary directory in /tmp called foo2zjs; it then may download (depending on user input) one or more gzip archives and extract them in /tmp/foo2zjs.
However, the script does not check if the folder already exists, nor the return code of mkdir, so the script could possibly result in the overwriting of files or simply extra junk placed in $random places on the file-system.

[0] - http://cwe.mitre.org/data/definitions/377.html

[1] line 488
"
mkdir -p /tmp/foo2zjs
cd /tmp/foo2zjs
"

David (d--) on 2011-07-04
summary: - /usr/bin/getweb is rather hillarious -- and is vulnerable to "Insecure
- temporary file creation" weaknesses
+ /usr/bin/getweb is vulnerable to "Insecure temporary file creation"
+ weaknesses
description: updated
visibility: private → public
Marc Deslauriers (mdeslaur) wrote :
Changed in foo2zjs (Ubuntu):
status: New → Confirmed
importance: Undecided → Low
Marc Deslauriers (mdeslaur) wrote :

This is CVE-2011-2684

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package foo2zjs - 20110722dfsg-3ubuntu1

---------------
foo2zjs (20110722dfsg-3ubuntu1) oneiric; urgency=low

  * Merge from debian unstable. Remaining changes:
    - Depends on the mscompress package.
    - Depends on cups and cups-client and does not only recommend them. Ubuntu
      supports only CUPS as printing system (more investigation needed).

foo2zjs (20110722dfsg-3) unstable; urgency=low

  * Update 60-getweb.in.patch to add set -e (Closes: #633870 again).

foo2zjs (20110722dfsg-2) unstable; urgency=low

  * Install usb_printerid and its manpage only in Linux (Closes: #635397).

foo2zjs (20110722dfsg-1) unstable; urgency=low

  New 20110722 upstream release.

  [ Didier Raboud ]
  * DFSG repack
    - remove binary file c5200mono.prn
    - remove crd/qpdl/CLP* , because copyright is unclear
  * Uploaders:
    - Add myself.
    - Drop Steffen Joeris, with thanks for his past work.
  * Package relationships:
    - Demote cups and cups-client from Depends to Recommends (Closes: #622125).
      This allows one to use foo2zjs with lprng.
    - Add a Recommends on mscompress.
  * Patches:
    - Refresh all.
    - Update 30-udev-rules patch to cope with cups' usblp blacklisting.
    - Add 40-desktop-direct-launch.patch to remove the superfluous "wish"
      launch (avoids a lintian warning).
    - Update debian/patches/60-getweb.in.patch:
      Fix CVE-2011-2684 "Insecure Temporary File" (CWE-277) in
      /usr/bin/getweb by creating a safe temporary directory with mktemp.
      (Closes: #633870, LP: #805370)
    - Enhance 60-getweb.in.patch to forbid live update of /usr/bin/getweb as it
      is packaged. Also correct the typo in getweb. (Closes: #632680)
    - Update 60-hplj1000.patch to use the correct paths in kFreeBSD too.
    - Update 90-manpages.patch to fix more hyphen-used-as-minus mistakes.
    - Add 91-spelling-fixes.patch to fix 'precission' spelling mistake.
  * Convert to source format 3.0 (quilt)
  * Convert packaging to "tiny" dh7 style.
  * Migrate packaging to Git from Subversion, update Vcs-* fields.
  * Bump Standards-Version to 3.9.2 without changes needed.

  [ Till Kamppeter ]
  * debian/rules: Added "-dNOINTERPOLATE" to the Ghostscript command lines to
    make Ghostscript rendering the pages significantly faster.
  * debian/patches/96-udev-firmware-script-cups-libusb-support.patch:
    Added support for uploading firmware into printers using the USB backend of
    CUPS. This way the firmware upload also works without the usblp kernel
    module. (Closes: #630227, #630228)
  * debian/patches/95-udev-firmware-script-no-hplip-rules-removal.patch:
    Removed the lines in the UDEV script for the automatic firmware upload
    into the printer which remove the UDEV rules files for HPLIP's automatic
    firmware upload. (LP: #783389)
 -- Till Kamppeter <email address hidden> Thu, 28 Jul 2011 00:35:00 +0200

Changed in foo2zjs (Ubuntu):
status: Confirmed → Fix Released