unsafe tempfile handling

Bug #720112 reported by Jamie Strandboge on 2011-02-16
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Weather Indicator
Vadim Rutkovsky
indicator-weather (Ubuntu)

Bug Description

Binary package hint: indicator-weather

indicator-weather does not create temp files securely and has a TOCTOU vulnerability (time of check, time of use). Essentially it does:

pidPath = "/tmp/weather-indicator.pid"
if os.path.exists(pidPath):
    ... do stuff

if not self.lasterror:
    fp=open(pidPath, 'w')

This is unsafe as someone could perform tmp file race attacks and overwrite arbitrary files under the uid that indicator-weather runs as. Now, in maverick and later, this is actually not a problem because of kernel protections, but this issue should be fixed regardless. I suggest the use of tempfile.mkstemp() followed by an os.rename() to the pidPath, and exit with error if os.rename() fails.

description: updated
security vulnerability: no → yes
description: updated
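
The suggestion in the report (tempfile.mkstemp() followed by os.rename()), as an added Python 3 example that is not indicator-weather's own code or its actual fix. The function names, the 4242 pid and the file names are assumptions; demo() runs both patterns in a private directory where a symlink already occupies the pid path.

```python
import os
import tempfile


def write_pidfile_unsafe(pid_path, pid):
    # Pattern from the report: check by name, then open() by name,
    # which follows a symlink that appears at pid_path.
    if os.path.exists(pid_path):
        pass  # "... do stuff" in the report
    with open(pid_path, "w") as fp:
        fp.write("%d\n" % pid)


def write_pidfile_safe(pid_path, pid):
    # mkstemp() opens with O_CREAT|O_EXCL, mode 0600: it never reuses an
    # existing file or symlink. Same directory keeps rename() atomic.
    directory = os.path.dirname(pid_path) or "."
    fd, tmp_path = tempfile.mkstemp(prefix=".pid-", dir=directory)
    try:
        with os.fdopen(fd, "w") as fp:
            fp.write("%d\n" % pid)
        # rename() replaces the entry at pid_path; a symlink there is
        # replaced, not followed.
        os.rename(tmp_path, pid_path)
        return True
    except OSError:
        # e.g. sticky /tmp and pid_path owned by another user
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)
        return False


def demo():
    # Constructed scenario in a private directory: a symlink already sits
    # at the pid path and points at a file that must stay unchanged.
    results = {}
    with tempfile.TemporaryDirectory() as d:
        other, pid_path = os.path.join(d, "other"), os.path.join(d, "app.pid")
        for name, writer in (("unsafe", write_pidfile_unsafe),
                             ("safe", write_pidfile_safe)):
            with open(other, "w") as fp:
                fp.write("keep me\n")
            if os.path.lexists(pid_path):
                os.unlink(pid_path)
            os.symlink(other, pid_path)
            writer(pid_path, 4242)
            with open(other) as fp:
                results[name] = (fp.read(), os.path.islink(pid_path))
    return results
```

demo() returns, for each writer, the content of the linked-to file afterwards and whether the pid path is still a symlink. A caller of write_pidfile_safe() should exit with an error when it returns False, as the report proposes.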
Vadim Rutkovsky (roignac) wrote :

Good idea, we'll use that

Changed in indicator-weather (Ubuntu):
status: New → Confirmed
Changed in weather-indicator:
assignee: nobody → Vadim Rutkovsky (roignac)
importance: Undecided → Low
milestone: none → 11.02.27
status: New → Confirmed
Changed in weather-indicator:
status: Confirmed → Fix Committed
Changed in weather-indicator:
status: Fix Committed → Fix Released
Changed in indicator-weather (Ubuntu):
status: Confirmed → Triaged
importance: Undecided → Low
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package indicator-weather - 11.03.20+repack-0ubuntu1

indicator-weather (11.03.20+repack-0ubuntu1) natty; urgency=low

  * New upstream release.
   - Fix unsafe tempfile handling (LP: #720112).
   - Fix gconf related crashers (LP: #723557).
   - Fix TypeError in getHumidex() (LP: #730287).
   - Allow two userid's to run indicator-weather
     simultaneously (LP: #730378).
   - Fix night icon showing during daytime (LP: #715657).
   - Fix indicator invisible on first run (LP: #720030).
   - Fix AttributeError in __find_city_by_code() (LP: #733681).
   - Fix AttributeError when clicking "Forecast" if there is
     no network connection (LP: # 730193).
  * debian/control:
   - Drop depends on python-simplejson, python-gconf,
     python-pymetar, and python-gweather.
   - Add depends on python-desktopcouch-records and
  * Drop all old patches, applied upstream.
  * 01_lp_738804.patch: Fix crash on city names with spaces.
  * debian/rules:
   - Tweak get-orig-source target for new upstream
     directory naming.
   - Don't compress AUTHORS and COPYING. Needed for
     about dialog.
  * debian/indicator-weather.install: Install AUTHORS
    and COPYING files to /usr/share/doc/indicator-weather
    to fix crash in about dialog.
  * debian/indicator-weather.lintian-overrides: Override
    lintian warning about extra copyright file.
 -- Andrew Starr-Bochicchio <email address hidden> Sun, 20 Mar 2011 22:16:35 -0400

Changed in indicator-weather (Ubuntu):
status: Triaged → Fix Released
This report contains Public Security information
Everyone can see this security related information.