108690 2005-10-10 00:05 0000 media-gfx/graphviz insecure temp file issue 2005-11-15 02:20:48 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://www.debian.org/security/2005/dsa-857 B3 [noglsa] P2 minor --- 1 jaervosz@gentoo.org security@gentoo.org graphics@gentoo.org jaervosz@gentoo.org 2005-10-10 00:05:21 0000 Not sure wether we're affected. Javier Fern jaervosz@gentoo.org 2005-10-10 00:05:21 0000 Not sure wether we're affected. Javier Fernández-Sanguino Peña discovered insecure tmporary file creation. koon@gentoo.org 2005-10-10 01:46:34 0000 Can't tell where the patch is in the Debian diff. Maybe better to ask Ulf about it. koon@gentoo.org 2005-10-11 05:25:42 0000 I asked Javier about this bug. koon@gentoo.org 2005-10-11 07:15:58 0000 I checked, current stable (1.16) is affected (probably latest ~ also is). graphics herd: please bump with supplied patch... koon@gentoo.org 2005-10-11 07:17:17 0000 Created an attachment (id=70362) patch.CAN-2005-2965.graphviz Patch from Javier. taviso@gentoo.org 2005-10-11 11:41:24 0000 I dont recognise that language, but that seems like a fairly poor fix. creating ten thousand symbolic links is not out of the question, and theres no race condition i need to win. koon@gentoo.org 2005-10-12 02:29:10 0000 This may be the best they can do in that language ? taviso@gentoo.org 2005-10-12 08:27:17 0000 yeah, i suppose they could do system("mktemp.."), but if this is the best that's possible i guess i will have to live with it :) koon@gentoo.org 2005-10-18 06:17:18 0000 sekretarz should have a look at it later today jaervosz@gentoo.org 2005-10-21 23:50:35 0000 sekretarz any progress on this one? lu_zero@gentoo.org 2005-10-24 06:37:03 0000 patch committed, amd64 should stabilize at least to the 1.16 I assume that the 2.6 is safe, isn't it? koon@gentoo.org 2005-10-24 07:02:11 0000 Yes, 2.6 is already fixed. Luca: we'll need a revbump to 1.16-r1 so that it can be picked up in upgrades, and you'll be done. lu_zero@gentoo.org 2005-10-24 08:20:06 0000 I'd just call for having 2.6 stable and remove all versions but 2.6 and add 1.16-r1 (if is still needed) koon@gentoo.org 2005-10-24 08:26:15 0000 Hm. Too many arches don't even have it as ~ so I think it's much quicker to bump to 1.16-r1 and ask arches to mark 1.16-r1 stable and 2.6 ~. lu_zero@gentoo.org 2005-10-24 08:40:33 0000 revbump committed, please notice amd64 that the older versions will be removed soon. koon@gentoo.org 2005-10-24 08:51:44 0000 amd64: please test and mark 1.16-r1 stable alpha hppa ia64 mips ppc-macos: please add ~ keyword to 2.6 hansmi@gentoo.org 2005-10-26 10:50:23 0000 KillerFox added ~hppa, thanks to him. aja@clanarmstrong.com 2005-10-27 19:52:23 0000 Tested media-gfx/graphviz-1.16-r1 for amd64. Builds and loads. Able to render several sample .dot files. No extensive regression testing, but as this is a security bump, tests stable for amd64. Portage 2.0.53_rc6 (default-linux/amd64/2005.1, gcc-3.4.4, glibc-2.3.5-r3, 2.6.1 3-gentoo-r4 x86_64) ================================================================= System uname: 2.6.13-gentoo-r4 x86_64 AMD Athlon(tm) 64 Processor 3500+ Gentoo Base System version 1.12.0_pre9 ccache version 2.4 [enabled] dev-lang/python: 2.3.5, 2.4.2 sys-apps/sandbox: 1.2.13 sys-devel/autoconf: 2.13, 2.59-r7 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1 sys-devel/binutils: 2.16.1 sys-devel/libtool: 1.5.20 virtual/os-headers: 2.6.11-r2 ACCEPT_KEYWORDS="amd64 ~amd64" AUTOCLEAN="yes" CBUILD="x86_64-pc-linux-gnu" CFLAGS="-march=k8 -O2 -pipe -fweb -ftracer" CHOST="x86_64-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3.3/env /usr/kde/3.3/share /config /usr/kde/3.3/shutdown /usr/kde/3.4/env /usr/kde/3.4/share/config /usr/kd e/3.4/shutdown /usr/kde/3/share/config /usr/lib/X11/xkb /usr/lib64/mozilla/defau lts/pref /usr/share/config /var/qmail/control" CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/texmf/web2c /etc/env.d" CXXFLAGS="-march=k8 -O2 -pipe -fweb -ftracer" DISTDIR="/usr/portage/distfiles" FEATURES="autoconfig ccache distlocks multilib-strict sandbox sfperms strict tes ting" GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/ distributions/gentoo" MAKEOPTS="-j2" PKGDIR="/usr/portage/packages" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/etc/portage/overlay" SYNC="rsync://rsync.gentoo.org/gentoo-portage" USE="amd64 X alsa apache2 avi berkdb bitmap-fonts cddb cdr cli crypt cups curl d ba directfb dts dv dvd dvdr dvdread eds emacs emboss encode esd fam fame fbcon f fmpeg firefox foomaticdb gcj gd gdbm gif gpm gstreamer gtk gtk2 ieee1394 imagema gick imlib ipv6 java jikes jpeg junit ldap libwww lirc live lzw lzw-tiff mad mjp eg mozilla mp3 mpeg mysql ncurses nls nptl nptlonly nsplugin nvidia ogg oggvorbi s opengl pam pcre pdflib perl png python qt quicktime readline real rtc ruby sdl spell ssl tcpd tetex theora tiff truetype-fonts type1-fonts udev unicode usb us erlocales v4l v4l2 vorbis xine xml2 xmms xpm xv xvid zlib userland_GNU kernel_li nux elibc_glibc" Unset: ASFLAGS, CTARGET, LANG, LC_ALL, LDFLAGS, LINGUAS hparker@gentoo.org 2005-10-27 22:06:22 0000 amd64 would be happy, but: RepoMan scours the neighborhood... DEPEND.bad 1 media-gfx/graphviz/graphviz-2.6.ebuild: ~hppa(default-linux/hppa/2004.3) ['>=x11-libs/libsvg-cairo-0.1.3'] RDEPEND.bad 1 media-gfx/graphviz/graphviz-2.6.ebuild: ~hppa(default-linux/hppa/2004.3) ['>=x11-libs/libsvg-cairo-0.1.3'] digest.assumed 11 digest-graphviz-1.10::graphviz-1.10.tar.gz digest-graphviz-1.12::graphviz-1.12.tar.gz digest-graphviz-1.12-r1::graphviz-1.12.tar.gz digest-graphviz-1.12-r1::graphviz-1.12-configure.ac.bz2 digest-graphviz-1.16::graphviz-1.16-panic.patch.tar.bz2 digest-graphviz-2.2::graphviz-2.2.tar.gz digest-graphviz-2.2.1::graphviz-2.2.1.tar.gz digest-graphviz-2.2.1-r1::graphviz-2.2.1.tar.gz digest-graphviz-2.4::graphviz-2.4.tar.gz digest-graphviz-2.6::graphviz-2.6.tar.gz digest-graphviz-1.16-r1::graphviz-1.16-panic.patch.tar.bz2 Please fix these important QA issues first. RepoMan sez: "Make your QA payment on time and you'll never see the likes of me." If I've botched something, please smack me with it, but I don't see how anyone could of commited with those errors. hansmi@gentoo.org 2005-10-27 23:52:19 0000 (In reply to comment #18) > amd64 would be happy, but: > > RepoMan scours the neighborhood... > > DEPEND.bad 1 > media-gfx/graphviz/graphviz-2.6.ebuild: ~hppa(default-linux/hppa/2004.3) > ['>=x11-libs/libsvg-cairo-0.1.3'] How about a "cvs up" in x11-libs/libsvg-cairo? repoman scan doesn't complain here, and libsvg-cairo-0.1.6 is ~hppa. blubb@gentoo.org 2005-10-28 08:02:58 0000 repoman doesn't bitch here either, so amd64 is happy. sorry for the delay koon@gentoo.org 2005-10-28 11:38:41 0000 Still waiting on alpha, ia64, mips and ppc-macos to add the ~ keyword to graphviz-2.6 grobian@gentoo.org 2005-10-28 12:27:34 0000 FYI: there is a compilation issue that first needs to be resolved on ppc-macos before it can be marked ~ppc-macos. ferdy@gentoo.org 2005-10-28 13:56:04 0000 Kloeri did alpha and ia64 koon@gentoo.org 2005-10-29 02:20:45 0000 Ready for GLSA vote jaervosz@gentoo.org 2005-10-30 00:35:56 0000 If the main script is affected I vote YES. j4rg0n@gentoo.org 2005-10-30 21:08:38 0000 Testing ppc-macos. Sorry for the long wait -- we had undefined symbol problems. taviso@gentoo.org 2005-11-03 08:47:14 0000 looking at the patch again, i dont think this is an acceptable fix. making 10000 symlinks is not a serious obstacle to explanation, and even if for some reason that is infeasible, just creating 1000 gives you a 1:10 chance of getting it. As s there is no race conditon, you can create 1000 of them, and just wait, sooner or later it will be hit. I think we will have to use system('mktemp') or similar. taviso@gentoo.org 2005-11-03 08:47:39 0000 s/explanation/exploitation/ koon@gentoo.org 2005-11-03 09:14:34 0000 It's not easy to securely create tmpfiles in that "lefty" language (you just have "system" and apparently no way of getting stdout of commands). For those who want to try : http://www.graphviz.org/Documentation/leftyguide.pdf If you reduce the thing to a race condition, we'll take it. koon@gentoo.org 2005-11-10 07:11:45 0000 Tavis: I guess the only way out is to limit files in HOME or current directory... or expand the random to a few million possibilities. Would that be better ? taviso@gentoo.org 2005-11-10 07:20:57 0000 using $HOME sounds fine to me koon@gentoo.org 2005-11-10 07:32:54 0000 Created an attachment (id=72582) graphviz-1.16-tempdir.patch Taviso: like this ? koon@gentoo.org 2005-11-10 08:03:18 0000 Luca: care to update the graphviz patch withe the attached one ? lu_zero@gentoo.org 2005-11-10 12:31:01 0000 Patch updated jaervosz@gentoo.org 2005-11-10 22:20:44 0000 This one seems ready for GLSA decision. I tend to vote YES. cedric@berger.to 2005-11-11 02:06:30 0000 This patch breaks my compilation. >>> Unpacking graphviz-1.16.tar.gz to /var/tmp/portage/graphviz-1.16-r1/work * Applying graphviz-1.16-build.patch ... [ ok ] * Applying graphviz-1.16-tempdir.patch ... * Failed Patch: graphviz-1.16-tempdir.patch ! * ( /usr/portage/media-gfx/graphviz/files/graphviz-1.16-tempdir.patch ) * * Include in your bugreport the contents of: * * /var/tmp/portage/graphviz-1.16-r1/temp/graphviz-1.16-tempdir.patch-21313.ou cn400 ~ # cat /var/tmp/portage/graphviz-1.16-r1/temp/graphviz-1.16-tempdir.patch-21313.out ***** graphviz-1.16-tempdir.patch ***** ======================================= PATCH COMMAND: patch -p0 -g0 --no-backup-if-mismatch < /usr/portage/media-gfx/graphviz/files/graphviz-1.16-tempdir.patch ======================================= can't find file to patch at input line 3 Perhaps you used the wrong -p or --strip option? The text leading up to this was: -------------------------- |--- graphviz-2.2.1.orig/dotty/dotty.lefty |+++ graphviz-2.2.1/dotty/dotty.lefty -------------------------- No file to patch. Skipping patch. patch: **** malformed patch at line 12: @@ -768,5 +771,5 @@ ======================================= PATCH COMMAND: patch -p1 -g0 --no-backup-if-mismatch < /usr/portage/media-gfx/graphviz/files/graphviz-1.16-tempdir.patch ======================================= patching file dotty/dotty.lefty patch: **** malformed patch at line 12: @@ -768,5 +771,5 @@ ======================================= PATCH COMMAND: patch -p2 -g0 --no-backup-if-mismatch < /usr/portage/media-gfx/graphviz/files/graphviz-1.16-tempdir.patch ======================================= can't find file to patch at input line 3 Perhaps you used the wrong -p or --strip option? The text leading up to this was: -------------------------- |--- graphviz-2.2.1.orig/dotty/dotty.lefty |+++ graphviz-2.2.1/dotty/dotty.lefty -------------------------- No file to patch. Skipping patch. patch: **** malformed patch at line 12: @@ -768,5 +771,5 @@ ======================================= PATCH COMMAND: patch -p3 -g0 --no-backup-if-mismatch < /usr/portage/media-gfx/graphviz/files/graphviz-1.16-tempdir.patch ======================================= missing header for unified diff at line 3 of patch can't find file to patch at input line 3 Perhaps you used the wrong -p or --strip option? The text leading up to this was: -------------------------- |--- graphviz-2.2.1.orig/dotty/dotty.lefty |+++ graphviz-2.2.1/dotty/dotty.lefty -------------------------- No file to patch. Skipping patch. patch: **** malformed patch at line 12: @@ -768,5 +771,5 @@ ======================================= PATCH COMMAND: patch -p4 -g0 --no-backup-if-mismatch < /usr/portage/media-gfx/graphviz/files/graphviz-1.16-tempdir.patch ======================================= missing header for unified diff at line 3 of patch can't find file to patch at input line 3 Perhaps you used the wrong -p or --strip option? The text leading up to this was: -------------------------- |--- graphviz-2.2.1.orig/dotty/dotty.lefty |+++ graphviz-2.2.1/dotty/dotty.lefty -------------------------- No file to patch. Skipping patch. patch: **** malformed patch at line 12: @@ -768,5 +771,5 @@ lu_zero@gentoo.org 2005-11-11 02:19:35 0000 Note to self: newer check a patch by reading it. koon@gentoo.org 2005-11-11 02:49:55 0000 Note to self : Try to find the time to test patches I submit. koon@gentoo.org 2005-11-15 00:38:20 0000 I tend to vote no, as dotty is not the main program and this is typically run as user... but feel free to disagree. dercorny@gentoo.org 2005-11-15 02:17:16 0000 Mhhh, tend to say no jaervosz@gentoo.org 2005-11-15 02:20:48 0000 Since this affects only dotty I revert my vote to a full NO and closing. Feel free to reopen if you disagree. 70362 2005-10-11 07:17 0000 patch.CAN-2005-2965.graphviz patch.CAN-2005-2965.graphviz text/plain LS0tIGdyYXBodml6LTIuMi4xLm9yaWcvZG90dHkvZG90dHkubGVmdHkKKysrIGdyYXBodml6LTIu Mi4xL2RvdHR5L2RvdHR5LmxlZnR5CkBAIC02NjgsNyArNjY4LDEwIEBACiAgICAgICAgIGlmICh+ KG90eXBlID0gYXNrICgncHJpbnQgdG8nLCAnY2hvaWNlJywgJ2ZpbGV8cHJpbnRlcicpKSkKICAg ICAgICAgICAgIHJldHVybjsKICAgICBpZiAob3R5cGUgPT0gJ3ByaW50ZXInKSB7Ci0gICAgICAg IG5hbWUgPSAnL3RtcC9kb3R0eW91dC5wcyc7CisgICAgICAgIGlmICh+Z2V0ZW52ICgnVE1QRElS JykpCisgICAgICAgICAgICBuYW1lID0gY29uY2F0IChnZXRlbnYgKCdIT01FJyksICcvLmRvdHR5 b3V0LnBzJyk7CisgICAgICAgIGVsc2UKKyAgICAgICAgICAgIG5hbWUgPSBjb25jYXQgKGdldGVu diAoJ1RNUERJUicpLCAnLy5kb3R0eW91dC5wcycsIHJhbmRvbSAoMTAwMDApKTsKICAgICAgICAg aWYgKGdldGVudiAoJ0xFRlRZV0lOU1lTJykgfj0gJ21zd2luJyAmIH5wcikKICAgICAgICAgICAg IGlmICh+KHByID0gYXNrICgncHJpbnRlciBjb21tYW5kJywgJ3N0cmluZycsICdscHInKSkpCiAg ICAgICAgICAgICAgICAgcmV0dXJuOwpAQCAtNzY4LDUgKzc3MSw1IEBACiAgICAgdnQuY2FudmFz ID0gY2FudmFzOwogICAgIGRlc3Ryb3l3aWRnZXQgKHBzY2FudmFzKTsKICAgICBpZiAob3R5cGUg PT0gJ3ByaW50ZXInICYgZ2V0ZW52ICgnTEVGVFlXSU5TWVMnKSB+PSAnbXN3aW4nKQotICAgICAg ICBzeXN0ZW0gKGNvbmNhdCAocHIsICcgL3RtcC9kb3R0eW91dC5wczsgcm0gL3RtcC9kb3R0eW91 dC5wcycpKTsKKyAgICAgICAgc3lzdGVtIChjb25jYXQgKHByLCAnICcsIG5hbWUsICc7IHJtICcs bmFtZSkpOwogfTsK 72582 2005-11-10 07:32 0000 graphviz-1.16-tempdir.patch graphviz-1.16-tempdir.patch text/plain LS0tIGdyYXBodml6LTIuMi4xLm9yaWcvZG90dHkvZG90dHkubGVmdHkKKysrIGdyYXBodml6LTIu Mi4xL2RvdHR5L2RvdHR5LmxlZnR5CkBAIC02NjgsNyArNjY4LDEwIEBACiAgICAgICAgIGlmICh+ KG90eXBlID0gYXNrICgncHJpbnQgdG8nLCAnY2hvaWNlJywgJ2ZpbGV8cHJpbnRlcicpKSkKICAg ICAgICAgICAgIHJldHVybjsKICAgICBpZiAob3R5cGUgPT0gJ3ByaW50ZXInKSB7Ci0gICAgICAg IG5hbWUgPSAnL3RtcC9kb3R0eW91dC5wcyc7CisgICAgICAgIG5hbWUgPSBjb25jYXQgKGdldGVu diAoJ0hPTUUnKSwgJy8uZG90dHlvdXQucHMnKTsKICAgICAgICAgaWYgKGdldGVudiAoJ0xFRlRZ V0lOU1lTJykgfj0gJ21zd2luJyAmIH5wcikKICAgICAgICAgICAgIGlmICh+KHByID0gYXNrICgn cHJpbnRlciBjb21tYW5kJywgJ3N0cmluZycsICdscHInKSkpCiAgICAgICAgICAgICAgICAgcmV0 dXJuOwpAQCAtNzY4LDUgKzc3MSw1IEBACiAgICAgdnQuY2FudmFzID0gY2FudmFzOwogICAgIGRl c3Ryb3l3aWRnZXQgKHBzY2FudmFzKTsKICAgICBpZiAob3R5cGUgPT0gJ3ByaW50ZXInICYgZ2V0 ZW52ICgnTEVGVFlXSU5TWVMnKSB+PSAnbXN3aW4nKQotICAgICAgICBzeXN0ZW0gKGNvbmNhdCAo cHIsICcgL3RtcC9kb3R0eW91dC5wczsgcm0gL3RtcC9kb3R0eW91dC5wcycpKTsKKyAgICAgICAg c3lzdGVtIChjb25jYXQgKHByLCAnICcsIG5hbWUsICc7IHJtICcsbmFtZSkpOwogfTsK