104565 2005-09-02 02:16 0000 app-admin/gtkdiskfree <= 1.9.3 unsecure tmp file creation 2005-10-03 09:02:51 0000 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED B3 [glsa] P2 minor --- 1 zataz@zataz.net security@gentoo.org zataz@zataz.net 2005-09-02 02:16:40 0000 Hello, Take a look at : src/mount.h 23 #define TUBE_NAME "/tmp/gtkdiskfree" Then to : src/mount.c 32 open_cmd_tube (const gchar *cmd, const gchar *mount_point) 33 { 34 gint status; 35 gchar error[MAXLINE], *line; 36 FILE *sh, *tmp; 37 38 setbuf(stdout, error); 39 line = g_strconcat(cmd, " ", mount_point, " &> ", TUBE_NAME, NULL); 40 sh = popen(line, "r"); 41 g_free(line); 42 43 status = pclose(sh); 44 45 if (status == 0) { 46 remove(TUBE_NAME); 47 gui_list_main_update(GTK_TREE_VIEW(list_treeview)); 48 49 return; 50 } else { 51 if ((tmp = fopen(TUBE_NAME, "r")) == NULL) { 52 gui_list_main_update(GTK_TREE_VIEW(list_treeview)); 53 54 return; 55 } 56 if (fgets(error, MAXLINE-1, tmp) == NULL) { 57 fclose(tmp); 58 remove(TUBE_NAME); 59 gui_list_main_update(GTK_TREE_VIEW(list_treeview)); 60 61 return; 62 } 63 fclose(tmp); 64 remove(TUBE_NAME); 65 error_window(error); 66 } 67 gui_list_main_update(GTK_TREE_VIEW(list_treeview)); 68 69 return; 70 } Regards taviso@gentoo.org 2005-09-02 05:12:37 0000 Yes, obvious bug. He doesnt need a temp file to do that, popen returns a stream anyway, suggested quick fix attached. taviso@gentoo.org 2005-09-02 05:12:58 0000 Created an attachment (id=67471) temp file fix koon@gentoo.org 2005-09-03 02:43:18 0000 Let us know when upstream is aware. zataz@zataz.net 2005-09-05 00:50:12 0000 Hello, Upstream seems to be down. http://gtkdiskfree.tuxfamily.org/ or http://gtkdiskfree.sourceforge.net/ Regards. zataz@zataz.net 2005-09-05 00:53:22 0000 Hello, Email sends to vendor-sec@lst.de Regards. koon@gentoo.org 2005-09-07 07:36:14 0000 Pulling in maintainer: Daniel, this is still non-public. Since upstream is dead, would you be in favor of patching or removing ? zataz@zataz.net 2005-09-15 00:22:49 0000 Hello, Released the 15/09/2005 You can open the bug. Thxs for your time and help. Regards. jaervosz@gentoo.org 2005-09-15 00:27:15 0000 Opening koon@gentoo.org 2005-09-15 06:56:50 0000 morfic, your opinion ? vapier@gentoo.org 2005-09-15 15:23:53 0000 at a glance the patch looks good to me koon@gentoo.org 2005-09-17 05:50:12 0000 Not worth masking the package... Let's patch it, if we can find someone to do it... vapier: feel like it ? vapier@gentoo.org 2005-09-28 17:27:00 0000 1.9.3-r1 now in portage koon@gentoo.org 2005-09-29 00:41:39 0000 Archs, please test and mark stable... hansmi@gentoo.org 2005-09-29 08:43:07 0000 Stable on ppc. koon@gentoo.org 2005-09-30 01:01:05 0000 This is CAN-2005-2918 corsair@gentoo.org 2005-09-30 11:17:21 0000 stable on ppc64 fuzzyray@gentoo.org 2005-09-30 12:56:56 0000 stable on x86 blubb@gentoo.org 2005-09-30 12:59:16 0000 stable on amd64 koon@gentoo.org 2005-09-30 13:45:08 0000 Ready for GLSA vote koon@gentoo.org 2005-10-01 03:38:35 0000 I tend to vote yes. jaervosz@gentoo.org 2005-10-02 10:09:00 0000 I tend to vote NO. taviso@gentoo.org 2005-10-02 10:44:54 0000 I would vote YES, as it's so easy to exploit. koon@gentoo.org 2005-10-02 11:06:46 0000 Let there be a GLSA. koon@gentoo.org 2005-10-03 09:02:51 0000 GLSA 200510-01 67471 2005-09-02 05:12 0000 temp file fix gtkdiskfree-temp-sec.diff text/plain LS0tIGd0a2Rpc2tmcmVlLTEuOS4zL3NyYy9tb3VudC5jCTIwMDItMTEtMTcgMTU6MDg6MjcuMDAw MDAwMDAwICswMDAwCisrKyBndGtkaXNrZnJlZS0xLjkuMy5uZXcvc3JjL21vdW50LmMJMjAwNS0w OS0wMiAxMzowNToyNS42MzYzNjMxMjggKzAxMDAKQEAgLTMxLDQxICszMSwyMSBAQAogdm9pZAog b3Blbl9jbWRfdHViZSAoY29uc3QgZ2NoYXIgKmNtZCwgY29uc3QgZ2NoYXIgKm1vdW50X3BvaW50 KQogewotCWdpbnQgc3RhdHVzOwotCWdjaGFyIGVycm9yW01BWExJTkVdLCAqbGluZTsKLQlGSUxF ICpzaCwgKnRtcDsKKwlnY2hhciBlcnJvcltNQVhMSU5FXSwgKmxpbmUsICpzdGF0dXM7CisJRklM RSAqc2g7CiAJCiAJc2V0YnVmKHN0ZG91dCwgZXJyb3IpOwotCWxpbmUgPSBnX3N0cmNvbmNhdChj bWQsICIgIiwgbW91bnRfcG9pbnQsICIgJj4gIiwgVFVCRV9OQU1FLCBOVUxMKTsKKwlsaW5lID0g Z19zdHJjb25jYXQoY21kLCAiICIsIG1vdW50X3BvaW50LCAiIDI+JjEiLCBOVUxMKTsKIAlzaCA9 IHBvcGVuKGxpbmUsICJyIik7CiAJZ19mcmVlKGxpbmUpOwogCQotCXN0YXR1cyA9IHBjbG9zZShz aCk7Ci0JCi0JaWYgKHN0YXR1cyA9PSAwKSB7Ci0JCXJlbW92ZShUVUJFX05BTUUpOwotCQlndWlf bGlzdF9tYWluX3VwZGF0ZShHVEtfVFJFRV9WSUVXKGxpc3RfdHJlZXZpZXcpKTsKLQkJCi0JCXJl dHVybjsKLQl9IGVsc2UgewotCQlpZiAoKHRtcCA9IGZvcGVuKFRVQkVfTkFNRSwgInIiKSkgPT0g TlVMTCkgewotCQkJZ3VpX2xpc3RfbWFpbl91cGRhdGUoR1RLX1RSRUVfVklFVyhsaXN0X3RyZWV2 aWV3KSk7IAotCQkJCi0JCQlyZXR1cm47Ci0JCX0KLQkJaWYgKGZnZXRzKGVycm9yLCBNQVhMSU5F LTEsIHRtcCkgPT0gTlVMTCkgewotCQkJZmNsb3NlKHRtcCk7Ci0JCQlyZW1vdmUoVFVCRV9OQU1F KTsKLQkJCWd1aV9saXN0X21haW5fdXBkYXRlKEdUS19UUkVFX1ZJRVcobGlzdF90cmVldmlldykp OwotCQkJCi0JCQlyZXR1cm47Ci0JCX0KLQkJZmNsb3NlKHRtcCk7Ci0JCXJlbW92ZShUVUJFX05B TUUpOworCXN0YXR1cyA9IGZnZXRzKGVycm9yLCBNQVhMSU5FLTEsIHNoKTsKKworCWlmIChzdGF0 dXMgJiYgKHBjbG9zZShzaCkgIT0gMCkpCiAJCWVycm9yX3dpbmRvdyhlcnJvcik7Ci0JfQorCiAJ Z3VpX2xpc3RfbWFpbl91cGRhdGUoR1RLX1RSRUVfVklFVyhsaXN0X3RyZWV2aWV3KSk7Ci0JCisK IAlyZXR1cm47CiB9CiAK