multiple insecure temporary file vulnerabilities

Automatically imported from Debian bug report #278282 http://bugs.debian.org/278282

Message-ID: <email address hidden>
Date: Mon, 25 Oct 2004 17:03:59 -0400
From: Joey Hess <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: multiple insecure temporary file vulnerabilities

--x+6KMIRAuhnl3hBn
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Package: gs-common
Version: 0.3.6
Severity: serious
Tags: security

CAN-2004-0967 describes multiple insecure uses of temporary files in
programs ghostscript:

  The (1) pj-gs.sh, ps2epsi(2) , (3) pv.sh, and (4) sysvlp.sh scripts in th=
e ESP
  Ghostscript (espgs) package in Trustix Secure Linux 1.5 through 2.1, and
  possibly other operating systems, allow local users to overwrite files vi=
a a
  symlink attack on temporary files.

Of these, ps2epsi and pv.sh were all I could find in Debian, in the
gs-common package.=20

ps2epsi is clearly vulnerable:

tmpfile=3D/tmp/ps2epsi$$

I think this part of pv.sh is vulnerable, if it happens to be run in /tmp or
another world-writable directory.

dvips -p $PAGE -n 1 $FILE $* -o $FILE.$$.pv

There's a patch here:
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=3D136321

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.27
Locale: LANG=3Den_US, LC_CTYPE=3Den_US (charmap=3DISO-8859-1)

Versions of packages gs-common depends on:
ii debconf 1.4.39 Debian configuration managemen=
t sy
ii debianutils 2.10.3 Miscellaneous utilities specif=
ic t
ii defoma 0.11.8-0.1 Debian Font Manager -- automat=
ic f
ii gs 8.01-5 Transitional package
ii gs-gpl [gs] 8.01-5 The GPL Ghostscript PostScript=
 int
ii gsfonts 8.14+v8.11-0.1 Fonts for the Ghostscript inte=
rpre

-- no debconf information

--=20
see shy jo

--x+6KMIRAuhnl3hBn
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBfWo+d8HHehbQuO8RAk1iAJ9lr/8SUNT6TxMnjhfZ2tStZjHjSgCfV8JN
s8z9PQImVhYSlU93E+TyhnQ=
=49nA
-----END PGP SIGNATURE-----

--x+6KMIRAuhnl3hBn--

Created an attachment (id=603)
dpatch to fix all insecure temporary file creations

Since the patch already existed (but was insecure as well), I replaced it with
the above one, so an interdiff looks strange. Apart from this dpatch, only the
changelog was modified:

 gs-common (0.3.6ubuntu1.1) warty-security; urgency=low
 .
   * SECURITY UPDATE: fix multiple insecure temporary file vulnerabilities
   * completely replaced original patch 01_fix_insecure_tmpfile, which changed
     an insecure temporary file by a less insecure temporary directory (still
     vulnerable to DOS attack)
   * new patch 01_fix_insecure_tmpfile: use mktemp to properly generate
     temporary files in scripts/ps2epsi and scripts/pv.sh (Warty bug #9447)
   * References:
     - CAN-2004-0967
     - http://bugs.debian.org/278282

Waiting for upload approval

Got approval from Jeff, uploaded.

Message-ID: <email address hidden>
Date: Tue, 26 Oct 2004 10:04:03 +0200
From: Martin Pitt <email address hidden>
To: <email address hidden>
Cc: <email address hidden>
Subject: Patch

--0F1p//8PRICkK4MW
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

tag 278282 patch
thanks

Hi!

I just prepared and uploaded an updated Ubuntu package. I checked all
scripts for tempfile vulnerabilities. I completely replaced the broken
01_fix_insecure_tmpfile (which only dealt with ps2epsi) with better
patches for ps2epsi and pv.sh.

The updated dpatch and changelog entry are in our bug tracking system:
https://bugzilla.ubuntulinux.org/show_bug.cgi?id=3D2744

Have a nice day,

Martin
--=20
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntulinux.org
Debian GNU/Linux Developer http://www.debian.org

--0F1p//8PRICkK4MW
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBfgTzDecnbV4Fd/IRArGsAKCXEpmbmYr9u72+zQ3S9AS+8OSIBACgvcaM
OUlmHd6feFYDDL9pkPQI4a4=
=hPg0
-----END PGP SIGNATURE-----

--0F1p//8PRICkK4MW--

It is fixed in Warty, but must still be fixed in Hoary. Reopening and adjusting
as appropriate.

Uploaded the same fix to Hoary. We have diverted the package anyway.

Message-Id: <email address hidden>
Date: Sun, 31 Oct 2004 17:47:05 -0500
From: Frank Lichtenheld <email address hidden>
To: <email address hidden>
Cc: Frank Lichtenheld <email address hidden>, Masayuki Hatta (mhatta) <email address hidden>
Subject: Fixed in NMU of gs-common 0.3.6-0.1

tag 278282 + fixed

quit

This message was generated automatically in response to a
non-maintainer upload. The .changes file follows.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 29 Oct 2004 00:35:34 +0200
Source: gs-common
Binary: gs-common
Architecture: source all
Version: 0.3.6-0.1
Distribution: unstable
Urgency: high
Maintainer: Masayuki Hatta (mhatta) <email address hidden>
Changed-By: Frank Lichtenheld <email address hidden>
Description:
 gs-common - Common files for different Ghostscript releases
Closes: 278282
Changes:
 gs-common (0.3.6-0.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Include new 01_fix_insecure_tmpfile.dpatch from
     Martin Pitt <email address hidden> which fixes some more issues
     (Closes: #278282)
Files:
 fab6683275f089a44353204dfef8f691 647 text optional gs-common_0.3.6-0.1.dsc
 00b335b1afce42df495475d67ee699c1 30607 text optional gs-common_0.3.6.orig.tar.gz
 466b84851b4ede54ff8eeac025892a9e 1694 text optional gs-common_0.3.6-0.1.diff.gz
 adb5ac5e51fd5e0018288d2a99179a3f 45228 text optional gs-common_0.3.6-0.1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBgsg8Qbn06FtxPfARAlL8AJ90TPUin8laXCRtIkiBmJQ1uY6q7wCfeDKc
+IH53LyuJL4nnoLS0oZtb5E=
=u+hd
-----END PGP SIGNATURE-----

Message-ID: <email address hidden>
Date: Mon, 1 Nov 2004 00:11:32 +0100
From: Frank Lichtenheld <email address hidden>
To: Martin Pitt <email address hidden>, <email address hidden>
Subject: Re: Bug#278282: Patch

On Tue, Oct 26, 2004 at 10:04:03AM +0200, Martin Pitt wrote:
> I just prepared and uploaded an updated Ubuntu package. I checked all
> scripts for tempfile vulnerabilities. I completely replaced the broken
> 01_fix_insecure_tmpfile (which only dealt with ps2epsi) with better
> patches for ps2epsi and pv.sh.
>
> The updated dpatch and changelog entry are in our bug tracking system:
> https://bugzilla.ubuntulinux.org/show_bug.cgi?id=2744

I've uploaded a NMU for this:

diff -Naur gs-common-0.3.6.bak/debian/changelog gs-common-0.3.6/debian/changelog
--- gs-common-0.3.6.bak/debian/changelog 2004-10-29 00:29:56.000000000 +0200
+++ gs-common-0.3.6/debian/changelog 2004-10-29 00:37:35.000000000 +0200
@@ -1,3 +1,12 @@
+gs-common (0.3.6-0.1) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * Include new 01_fix_insecure_tmpfile.dpatch from
+ Martin Pitt <email address hidden> which fixes some more issues
+ (Closes: #278282)
+
+ -- Frank Lichtenheld <email address hidden> Fri, 29 Oct 2004 00:35:34 +0200
+
 gs-common (0.3.6) unstable; urgency=low

   * Build-Depends -> Build-Depends-Indep
diff -Naur gs-common-0.3.6.bak/debian/patches/01_fix_insecure_tmpfile.dpatch gs-common-0.3.6/debian/patches/01_fix_insecure_tmpfile.dpatch
--- gs-common-0.3.6.bak/debian/patches/01_fix_insecure_tmpfile.dpatch 2004-05-05 08:16:39.000000000 +0200
+++ gs-common-0.3.6/debian/patches/01_fix_insecure_tmpfile.dpatch 2004-10-29 00:42:51.000000000 +0200
@@ -1,44 +1,61 @@
 #! /bin/sh -e
-## 01_fix_insecure_tmpfile.dpatch by Masayuki Hatta <email address hidden>
+## 01_fix_insecure_tmpfile.dpatch by Martin Pitt <email address hidden>
 ##
-## All lines beginning with \`## DP:' are a description of the patch.
-## DP: Fixes insecure /tmp usage (See Bug#173237)
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: fix insecure temporary file creations
+## DP: CAN-2004-0967
+## DP: Debian bug #278282
+## DP: Ubuntu Warty bug #9447

-if [ $# -ne 1 ]; then
- echo >&2 "`basename $0`: script expects -patch|-unpatch as argument"
+if [ $# -lt 1 ]; then
+ echo "`basename $0`: script expects -patch|-unpatch as argument" >&2
     exit 1
 fi
+
+[ -f debian/patches/00patch-opts ] && . debian/patches/00patch-opts
+patch_opts="${patch_opts:--f --no-backup-if-mismatch} ${2:+-d $2}"
+
 case "$1" in
- -patch) patch -f --no-backup-if-mismatch --dry-run -p1 < $0 && patch -f --no-backup-if-mismatch -p1 < $0
-;;
- -unpatch) patch -f --no-backup-if-mismatch -R -p1 < $0;;
- *)
- echo >&2 "`basename $0`: script expects -patch|-unpatch as argument"
- exit 1;;
+ -patch) patch -p1 ${patch_opts} < $0;;
+ -unpatch) patch -R -p1 ${patch_opts} < $0;;
+ *)
+ echo "`basename $0`: script expects -patch|-unpatch as argument" >&2
+ exit 1;;
 esac

 exit 0

-diff -urN gs-common-0.3.3.2.orig/scripts/ps2epsi gs-common-0.3.3.2/scripts/ps2epsi
---- gs-common-0.3.3.2.orig/scripts/ps2epsi 2004-03-24 12:12:48...

Message-Id: <email address hidden>
Date: Sun, 13 Mar 2005 13:02:57 -0500
From: Masayuki Hatta (mhatta) <email address hidden>
To: <email address hidden>
Subject: Bug#278282: fixed in gs-common 0.3.7

Source: gs-common
Source-Version: 0.3.7

We believe that the bug you reported is fixed in the latest version of
gs-common, which is due to be installed in the Debian FTP archive:

gs-common_0.3.7.dsc
  to pool/main/g/gs-common/gs-common_0.3.7.dsc
gs-common_0.3.7.tar.gz
  to pool/main/g/gs-common/gs-common_0.3.7.tar.gz
gs-common_0.3.7_all.deb
  to pool/main/g/gs-common/gs-common_0.3.7_all.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Masayuki Hatta (mhatta) <email address hidden> (supplier of updated gs-common package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 13 Mar 2005 15:53:43 +0900
Source: gs-common
Binary: gs-common
Architecture: source all
Version: 0.3.7
Distribution: unstable
Urgency: low
Maintainer: Masayuki Hatta (mhatta) <email address hidden>
Changed-By: Masayuki Hatta (mhatta) <email address hidden>
Description:
 gs-common - Common files for different Ghostscript releases
Closes: 278282 290169
Changes:
 gs-common (0.3.7) unstable; urgency=low
 .
   * New upstream release, based on GPL gs 8.15.
   * Acknowledged NMU, thanks guys - closes:#278282
   * Fixed copyright information - closes: #290169
Files:
 b6aa4e543f800accb45613300258e92f 571 text optional gs-common_0.3.7.dsc
 aac1335bef22c1923126d511bc616680 33138 text optional gs-common_0.3.7.tar.gz
 1adc90bba3dabc5f91eec5be7f292a39 47918 text optional gs-common_0.3.7_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCNHyhy2+jQOcHWlQRAvf+AJ9Lu52e/PDGQCfdfZFo889SZ+/JYwCgnvMC
VG0g0YkwAaWUMbabnS8KKx4=
=6wg4
-----END PGP SIGNATURE-----