Bug 77570 - dev-lang/f2c CAN-2005-001{7,8}: Insecure files
Summary: dev-lang/f2c CAN-2005-001{7,8}: Insecure files
Status: RESOLVED DUPLICATE of bug 79725
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [prestable] jaervosz CLASSIFIED
Keywords:
Depends on:
Blocks:
 
Reported: 2005-01-11 11:25 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2008-04-19 22:43 UTC
CC: 2 users

See Also:
Package list:
Runtime testing required: ---


Attachments
CAN-2005-0017.patch (CAN-2005-0017.patch, 1.55 KB, patch)
  2005-01-11 11:32 UTC, Sune Kloppenborg Jeppesen (RETIRED)
CAN-2005-0018.patch (CAN-2005-0018.patch, 827 bytes, patch)
  2005-01-11 11:33 UTC, Sune Kloppenborg Jeppesen (RETIRED)
CAN-2005-0017.patch modified for sane build process (patch.CAN-2005-0017.f2c, 1.89 KB, patch)
  2005-01-26 17:34 UTC, Danny van Dyk (RETIRED)

Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-11 11:25:33 UTC
Javier Fernández-Sanguino Peña of the Debian Security Audit project
discovered that f2c and fc, which are both part of the f2c package, a
fortran 77 to C/C++ translator, open temporary files insecurely and
are hence vulnerable to a symlink attack.  The Common
Vulnerabilities and Exposures project identifies the following
vulnerabilities:

CAN-2005-0017  Multiple insecure temporary files in the f2c translator.
CAN-2005-0018  Two insecure temporary files in the f2 shell script.

Javier wrote:

1.- f2c (the C program) defines a set of temporary files in src/sysdep.c's
set_tmp_names (called from main) like this:

        long pid = getpid();
        sprintf(c_functions, "%s/f2c%ld_func", tmpdir, pid);
        sprintf(initfname, "%s/f2c%ld_rd", tmpdir, pid);
        sprintf(blkdfname, "%s/f2c%ld_blkd", tmpdir, pid);
        sprintf(p1_file, "%s/f2c%ld_p1f", tmpdir, pid);
        sprintf(p1_bakfile, "%s/f2c%ld_p1fb", tmpdir, pid);
        sprintf(sortfname, "%s/f2c%ld_sort", tmpdir, pid);

(tmpdir is defined as /tmp and cannot be overwritten through $TMPDIR)
All of these files are fopen'ed at different moments without
further checks (do they exist? do they link somewhere?). An attacker could
just monitor /tmp usage (I believe c_functions is first) and then make
symlinks to the other files (they share the pid) or look for pids of f2c
starting up and symlink the files.

2.- the fc script uses the pid to create temporary files which is thought of
as unsafe (can be DoSed) and introduces a race condition (from when the
value is used to when the file is created)

These two bugs are present both in woody and in sarge/sid versions of f2c.

The attached patch (untested) tries to introduce fixes to these bugs:

1.- use tempnam() instead of the pid to derive the filenames, this is not
as safe as using mkstemp, but makes it more difficult to derive the value
of the temporary files in f2c. This is a quick & dirty hack; however, the
best way to fix this would be to change the code and have it use file
descriptors (and not char names) in the set_tmp_names script. Also note
that the code in charge of opening files (the opf() function in main.c)
should probably be fixed to avoid following symlinks (using O_NOFOLLOW),
there are other fopen calls that should be reviewed too.

2.- Use tempfile in the shell script and check its output


I'm pretty sure that other vendors also ship f2c so we should probably
work on a coordinated disclosure.  Please let me know if so and take a
look at the attached patches.
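The following is an added example, not f2c's code and not the attached patches. It puts the predictable naming scheme from set_tmp_names() next to the two hardening options the advisory mentions (O_EXCL|O_NOFOLLOW on the open, and mkstemp() instead of pid-derived names) and runs a small harness that plants a symlink at the predictable name, then opens that name the way the translator would. Assumptions: a scratch directory created here stands in for /tmp, the "victim" file and its contents are constructed for the demonstration, and the race is taken as already lost (the link is in place before the open). POSIX/Linux only.

```c
/* Added example (not f2c's code): predictable /tmp names vs. O_EXCL|O_NOFOLLOW
 * vs. mkstemp(). The scratch directory stands in for /tmp and the victim file
 * is constructed here; the attacker is assumed to have planted the symlink
 * before the open, i.e. the race is already lost. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

static const char *tmp_base(void)
{
    const char *d = getenv("TMPDIR");
    return (d && *d) ? d : "/tmp";
}

/* f2c's scheme, "<dir>/f2c<pid>_<suffix>": the pid is visible to every local
 * user (ps, /proc), so the name can be computed and squatted in advance. */
static void insecure_tmp_name(char *buf, size_t n, const char *dir,
                              long pid, const char *suffix)
{
    snprintf(buf, n, "%s/f2c%ld_%s", dir, pid, suffix);
}

/* What fopen(name, "w") amounts to: O_CREAT without O_EXCL, so an existing
 * symlink is followed and whatever it points to is truncated. */
static int open_tmp_insecure(const char *name)
{
    return open(name, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* The O_NOFOLLOW fix suggested for opf(): never follow a link, never reuse a
 * pre-existing file. The name is still predictable, so squatting it is still
 * a denial of service, but the write can no longer be redirected. */
static int open_tmp_nofollow(const char *name)
{
    return open(name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* The proper fix: mkstemp() picks an unpredictable name and creates it
 * atomically (O_CREAT|O_EXCL, mode 0600), honouring $TMPDIR. Keep the
 * descriptor rather than reopening the file by name later. */
static int secure_tmp_open(char *path, size_t n)
{
    if (snprintf(path, n, "%s/f2cXXXXXX", tmp_base()) >= (int)n)
        return -1;
    return mkstemp(path);
}

/* Returns 1 if opening the planted name through `opener` truncated the victim
 * file (attack succeeded), 0 if the opener refused, -1 on setup failure. */
static int run_symlink_demo(int (*opener)(const char *))
{
    char dir[256], victim[512], planted[512];
    struct stat st;
    int fd, result = -1;
    FILE *f;

    snprintf(dir, sizeof dir, "%s/f2cdemoXXXXXX", tmp_base());
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    insecure_tmp_name(planted, sizeof planted, dir, (long)getpid(), "func");

    if ((f = fopen(victim, "w")) != NULL) {
        fputs("data the attacker wants clobbered\n", f);  /* constructed */
        fclose(f);
        if (symlink(victim, planted) == 0) {             /* attacker's move */
            fd = opener(planted);                        /* translator's open */
            if (fd >= 0)
                close(fd);
            if (stat(victim, &st) == 0)
                result = (st.st_size == 0);
        }
    }
    unlink(planted);
    unlink(victim);
    rmdir(dir);
    return result;
}

/* Returns 1 if secure_tmp_open() yields an owner-only regular file under the
 * expected prefix, else 0. */
static int secure_tmp_open_check(void)
{
    char path[512];
    struct stat st;
    int fd = secure_tmp_open(path, sizeof path), ok = 0;

    if (fd >= 0) {
        ok = fstat(fd, &st) == 0 && S_ISREG(st.st_mode)
             && (st.st_mode & 0777) == 0600 && strstr(path, "/f2c") != NULL;
        close(fd);
        unlink(path);
    }
    return ok;
}

int main(void)
{
    printf("fopen-style open: attack=%d\n", run_symlink_demo(open_tmp_insecure));
    printf("O_EXCL|O_NOFOLLOW: attack=%d\n", run_symlink_demo(open_tmp_nofollow));
    printf("mkstemp ok=%d\n", secure_tmp_open_check());
    return 0;
}
```

Run as-is, the fopen-style opener reports attack=1 (the victim file is emptied through the link), the O_EXCL|O_NOFOLLOW opener reports attack=0 (open fails with EEXIST/ELOOP and the victim is untouched), and the mkstemp() check reports ok=1. The second opener only closes the redirection; because the name is still derived from the pid, an attacker can still pre-create it and make the translator fail, which is why the advisory calls tempnam() a stop-gap and descriptor-based mkstemp() the real fix.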
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-11 11:32:40 UTC
Created attachment 48230 [details, diff]
CAN-2005-0017.patch
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-11 11:33:08 UTC
Created attachment 48231 [details, diff]
CAN-2005-0018.patch
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-01-16 11:31:04 UTC
Apparently we don't have the "fc" script (one of the patches fails).
This is B3 so better wait and handle it in the open.
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-26 11:47:16 UTC
Danny please advise and attach an updated ebuild to this bug if needed.
Comment 6 Danny van Dyk (RETIRED) gentoo-dev 2005-01-26 17:34:33 UTC
Created attachment 49624 [details, diff]
CAN-2005-0017.patch modified for sane build process

I modified the official CAN-Patch some time ago. Solar forwarded it to me.
The problem is that f2c checks its sources for sanity during build process
by comparing md5sums of the sources against stored md5sums. Attached patch
updates the md5sums for modified file(s).

I also mailed my changes to solar and "joey@infodrom.org". The latter hasn't
answered yet :-/

As you are right, we don't ship the f2c wrapper script "fc", so there is no
need for the patch in attachment 48231 [details, diff].

-

KEYWORDS="x86 amd64 ppc ppc64 sparc"

This patch works fine on amd64, x86 and ppc; these archs can go stable.
I can't test other archs myself. I suggest asking fmccor for testing on sparc
and tchiwam for testing on ppc64. That will cover all arches.
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-26 21:54:22 UTC
Thx Danny (please also attach the complete ebuild to avoid any confusion).

Calling individual arch testers:

sparc -> fmccor
ppc64 -> tchiwam

Please test and report back on this bug.
Comment 8 Ferris McCormick (RETIRED) gentoo-dev 2005-01-27 05:30:06 UTC
On sparc, the patch applies after adding 'inherit eutils' and an appropriate 'epatch' to
the ebuild for f2c.

Simple tests indicate that f2c as patched works.

Of course, once the ebuild is modified to apply the patch itself, a retest is necessary.

As to 'fc', I don't know what that is, and the ebuild for f2c doesn't make any such thing.
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2005-01-27 07:23:27 UTC
Now public...
Danny, please commit the ebuild to CVS.
Followups to bug 79725

*** This bug has been marked as a duplicate of 79725 ***
Comment 10 Ferris McCormick (RETIRED) gentoo-dev 2005-01-27 08:42:51 UTC
Stable for sparc with ebuild for -r1 as committed.