DistUpgrade/DistUpgradeViewKDE.py uses mktemp -- which is insecure

Bug #881541 reported by David
This bug affects 1 person
Affects: update-manager (Ubuntu)
Status: Fix Released
Assigned to: Michael Vogt

Bug Description

The DistUpgradeViewKDE class performs a copy of "the xauthority file before it removes it when Adept is killed".
However, when it does this it uses the tempfile.mktemp function (which is insecure) when it (IMHO) should be using the tempfile.mkstemp function (secure).

The vulnerable code is the following:

        #kdesu requires us to copy the xauthority file before it removes it when Adept is killed
        copyXauth = tempfile.mktemp("", "adept")
        if 'XAUTHORITY' in os.environ and os.environ['XAUTHORITY'] != copyXauth:
            shutil.copy(os.environ['XAUTHORITY'], copyXauth)
            os.environ["XAUTHORITY"] = copyXauth

<--- so if an attacker can win the race between the mktemp call (which only produces a ~random file name) and the shutil.copy call (if XAUTHORITY is in the user's environment and the tempfile isn't the same as the current XAUTHORITY file), they can obtain the contents of the user's XAUTHORITY file. (shutil.copy ends up writing to the destination file before copying over the permissions on the file; if this order were reversed then it probably wouldn't be vulnerable :-) ).

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Michael, could you please take a look at this? Thanks

Marc Deslauriers (mdeslaur) wrote :

This is CVE-2011-3154.

Changed in update-manager (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
assignee: nobody → Michael Vogt (mvo)
Marc Deslauriers (mdeslaur) wrote :

Michael, I gather simply replacing it with tempfile.mkstemp should be enough?
I'll add this to the update-manager upload when we fix #881548.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package update-manager - 1:

update-manager (1: oneiric-security; urgency=low

  * SECURITY UPDATE: arbitrary code execution via directory traversal
    (LP: #881548)
    - UpdateManager/Core/DistUpgradeFetcherCore.py: verify signature before
      unpacking the tarball.
    - CVE-2011-3152
  * SECURITY UPDATE: information leak via insecure temp file (LP: #881541)
    - DistUpgrade/DistUpgradeViewKDE.py: use mkstemp instead of mktemp.
    - CVE-2011-3154
 -- Marc Deslauriers <email address hidden> Wed, 23 Nov 2011 08:52:19 -0500

Changed in update-manager (Ubuntu):
status: Confirmed → Fix Released
visibility: private → public
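The race from the bug description, and the mkstemp fix from the changelog above, as an added example that is not code from update-manager. vulnerable_copy_xauth mirrors the reported pattern (mktemp returns a name, shutil.copy creates the file later); hardened_copy_xauth does what the fix does (mkstemp creates the file atomically, mode 0600, and returns an fd to write through). Since a real attacker has to guess the mktemp name, the race is simulated here with an attacker_hook that is handed the name and plants a symlink to an attacker-owned file in the window; the function names, the hook, and the cookie value are constructed for this example.

```python
"""Insecure mktemp() vs. mkstemp() for the XAUTHORITY copy (added example)."""
import os
import shutil
import tempfile


def vulnerable_copy_xauth(src, attacker_hook=None):
    """The pattern from the bug report: mktemp() only returns a name; the
    file is created later by shutil.copy(). attacker_hook simulates an
    attacker who has won the race and acts between those two steps."""
    copy_xauth = tempfile.mktemp("", "adept")   # name only, nothing created yet
    if attacker_hook is not None:
        attacker_hook(copy_xauth)               # the race window
    # copyfile() opens the destination for writing (following a planted
    # symlink) and copymode() only fixes permissions afterwards.
    shutil.copy(src, copy_xauth)
    return copy_xauth


def hardened_copy_xauth(src):
    """What the shipped fix does: mkstemp() creates the file with
    O_CREAT|O_EXCL and mode 0600 and returns an fd, so nobody else can
    supply the destination and the data is never world-readable."""
    fd, copy_xauth = tempfile.mkstemp(prefix="adept")
    try:
        with os.fdopen(fd, "wb") as dst, open(src, "rb") as s:
            shutil.copyfileobj(s, dst)
    except BaseException:
        os.unlink(copy_xauth)
        raise
    return copy_xauth


def plant_symlink(target):
    """Hook: point the predicted temp path at an attacker-owned file."""
    def hook(path):
        os.symlink(target, path)
    return hook


def demo():
    """Run both variants against a constructed cookie file and report
    whether the attacker's file received the secret and what mode the
    hardened copy has. Returns a dict so the results can be checked."""
    workdir = tempfile.mkdtemp(prefix="lp881541-")
    secret = b"MIT-MAGIC-COOKIE-1 0123456789abcdef\n"   # constructed, not a real cookie
    xauth = os.path.join(workdir, "Xauthority")
    with open(xauth, "wb") as f:
        f.write(secret)
    os.chmod(xauth, 0o600)

    attacker_file = os.path.join(workdir, "attacker_owned")
    open(attacker_file, "wb").close()

    # 1. vulnerable: the copy is written through the attacker's symlink
    vuln_path = vulnerable_copy_xauth(xauth, attacker_hook=plant_symlink(attacker_file))
    with open(attacker_file, "rb") as f:
        leaked = f.read()
    os.unlink(vuln_path)   # remove the symlink that was planted in the temp dir

    # 2. hardened: the destination exists (mode 0600) before any data is
    #    written, so planting anything at that path fails with EEXIST
    safe_path = hardened_copy_xauth(xauth)
    mode = os.stat(safe_path).st_mode & 0o777
    try:
        os.symlink(attacker_file, safe_path)
        planted = True
    except FileExistsError:
        planted = False
    with open(safe_path, "rb") as f:
        copied = f.read()
    os.unlink(safe_path)

    shutil.rmtree(workdir)
    return {
        "leaked": leaked == secret,
        "hardened_mode": mode,
        "hardened_copied": copied == secret,
        "attacker_planted": planted,
    }


if __name__ == "__main__":
    print(demo())
```

Two practical notes: mkstemp() leaves the file for the caller to delete, and, like mktemp(), it lands in the default temp directory unless dir= is given, which is where a local attacker can create names in the first place. Writing through the returned fd (rather than reopening by path) is what keeps the guarantee; calling mkstemp() and then shutil.copy(src, path) would still be safe against the symlink plant because the file already exists, but would needlessly reopen by name.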
This report contains Public Security information  
Everyone can see this security related information.
