/usr/bin/getweb is vulnerable to "Insecure temporary file creation" weaknesses

Bug #805370 reported by David
This bug affects 1 person
Affects Status Importance Assigned to Milestone
foo2zjs (Ubuntu)
Fix Released

Bug Description

/usr/bin/getweb is vulnerable to "Insecure temporary file creation". [0]
While I don't know if anyone uses the getweb command. The script makes a temporary directory in /tmp called foo2zjs it then may download (depending on user input) one or more gzip and extract them in /tmp/foo2zjs.
However, the script does not check if the folder already exists / the return code of mkdir - so the script could possibly result in the over-writing of files or simply extra junk placed in $random places on the file-system.

[0] - http://cwe.mitre.org/data/definitions/377.html

[1] line 488
mkdir -p /tmp/foo2zjs
cd /tmp/foo2zjs

Related branches

CVE References

David (d--)
summary: - /usr/bin/getweb is rather hillarious -- and is vulnerable to "Insecure
- temporary file creation" weaknesses
+ /usr/bin/getweb is vulnerable to "Insecure temporary file creation"
+ weaknesses
description: updated
visibility: private → public
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :
Changed in foo2zjs (Ubuntu):
status: New → Confirmed
importance: Undecided → Low
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

This is CVE-2011-2684

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package foo2zjs - 20110722dfsg-3ubuntu1

foo2zjs (20110722dfsg-3ubuntu1) oneiric; urgency=low

  * Merge from debian unstable. Remaining changes:
    - Depends on the mscompress package.
    - Depends on cup and cups-client and does not only recommend them. Ubuntu
      supports only CUPS as printing system (more investigation needed).

foo2zjs (20110722dfsg-3) unstable; urgency=low

  * Update 60-getweb.in.patch to add set -e (Closes: #633870 again).

foo2zjs (20110722dfsg-2) unstable; urgency=low

  * Install usb_printerid and its manpage only in Linux (Closes: #635397).

foo2zjs (20110722dfsg-1) unstable; urgency=low

  New 20110722 upstream release.

  [ Didier Raboud ]
  * DFSG repack
    - remove binary file c5200mono.prn
    - remove crd/qpdl/CLP* , because copyright is unclear
  * Uploaders:
    - Add myself.
    - Drop Steffen Joeris, with thanks for his past work.
  * Package relationships:
    - Demote cups and cups-client from Depends to Recommends (Closes: #622125).
      This allows one to use foo2zjs with lprng.
    - Add a Recommends on mscompress.
  * Patches:
    - Refresh all.
    - Update 30-udev-rules patch to cope with cups' usblp blacklisting.
    - Add 40-desktop-direct-launch.patch to remove the superfluous "wish"
      launch (avoids a lintian warning).
    - Update debian/patches/60-getweb.in.patch:
      Fix CVE-2011-2684 "Insecure Temporary File" (CWE-277) in
      /usr/bin/getweb by creating a safe temporary directory with mktemp.
      (Closes: #633870, LP: #805370)
    - Enhance 60-getweb.in.patch to forbid live update of /usr/bin/getweb as it
      is packaged. Also correct the typo in getweb. (Closes: #632680)
    - Update 60-hplj1000.patch to use the correct paths in kFreeBSD too.
    - Update 90-manpages.patch to fix more hyphen-used-as-minus mistakes.
    - Add 91-spelling-fixes.patch to fix 'precission' spelling mistake.
  * Convert to source format 3.0 (quilt)
  * Convert packaging to "tiny" dh7 style.
  * Migrate packaging to Git from Subversion, update Vcs-* fields.
  * Bump Standards-Version to 3.9.2 without changes needed.

  [ Till Kamppeter ]
  * debian/rules: Added "-dNOINTERPOLATE" to the Ghostscript command lines to
    make Ghostscript rendering the pages significantly faster.
  * debian/patches/96-udev-firmware-script-cups-libusb-support.patch:
    Added support for uploading firmwae into printers using the USB backend of
    CUPS. This way the firmware upload also works without the usblp kernel
    module. (Closes: #630227, #630228)
  * debian/patches/95-udev-firmware-script-no-hplip-rules-removal.patch:
    Removed the lines in the UDEV script for the automatic firmware upload
    into the printer which remove the UDEV rules files for HPLIP's automatic
    firmware upload. (LP: #783389)
 -- Till Kamppeter <email address hidden> Thu, 28 Jul 2011 00:35:00 +0200

Changed in foo2zjs (Ubuntu):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.