<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<!DOCTYPE bugzilla SYSTEM "http://bugs.gentoo.org/bugzilla.dtd">

<bugzilla version="2.22.7"
          urlbase="http://bugs.gentoo.org/"
          maintainer="bugzilla@gentoo.org"
>

    <bug>
          <bug_id>114499</bug_id>
          
          <creation_ts>2005-12-04 22:06 0000</creation_ts>
          <short_desc>sys-apps/texinfo: patch for insecure temporary file creation changes texindex behavior</short_desc>
          <delta_ts>2006-02-07 22:30:54 0000</delta_ts>
          
          
          <classification_id>1</classification_id>
          <classification>Unclassified</classification>
          <product>Gentoo Linux</product>
          <component>Core system</component>
          <version>unspecified</version>
          <rep_platform>All</rep_platform>
          <op_sys>Linux</op_sys>
          <bug_status>RESOLVED</bug_status>
          <resolution>FIXED</resolution>
          
          
          
          <priority>P2</priority>
          <bug_severity>normal</bug_severity>
          <target_milestone>---</target_milestone>
          
          
          
          <everconfirmed>1</everconfirmed>
          <reporter>jaervosz@gentoo.org</reporter>
          <assigned_to>base-system@gentoo.org</assigned_to>
          <cc>security@gentoo.org</cc>

      

      
          <long_desc isprivate="0">
            <who>jaervosz@gentoo.org</who>
            <bug_when>2005-12-04 22:06:37 0000</bug_when>
            <thetext>Seems like there might be problems with the patch on bug #106105 
 
It looks like the fix for CAN-2005-3011 (texinfo predictable temporary  
files issue) being used by ubuntu and others is incorrect (see below).  
  
Does anyone have a better and/or officially blessed (does texinfo have  
a maintainer?) patch for this?  
  
Colin Percival  
  
-------- Original Message --------  
Subject: [csjp@FreeBSD.org: Re: Ubuntu patch for texinfo (CAN-2005-3011)]  
Date: Sat, 3 Dec 2005 19:11:12 +0000  
From: Christian S.J. Peron &lt;csjp@freebsd.org&gt;  
To: secteam@freebsd.org  
  
Colin / team  
  
I sent this message to Martin Pitt a while ago, but I have not received  
any response. Who owns texinfo?  
  
I am sure we can roll our own fix but I would rather whoever maintains this  
program provide a security fix.  
  
  
Any ideas?  
  
----- Forwarded message from &quot;Christian S.J. Peron&quot; &lt;csjp@FreeBSD.org&gt; -----  
  
From: &quot;Christian S.J. Peron&quot; &lt;csjp@FreeBSD.org&gt;  
To: martin.pitt@canonical.com  
Date: Sun, 13 Nov 2005 05:43:34 +0000  
Subject: Re: Ubuntu patch for texinfo (CAN-2005-3011)  
  
On Thu, 06 Oct 2005, Martin Pitt wrote:  
&gt; Since the previously proposed patch is very intrusive and not really  
&gt; appropriate for a security update, I created my own minimal patch:  
&gt;   
&gt;   http://patches.ubuntu.com/patches/texinfo.CAN-2005-3011.diff  
  
After discussing this fix with some of my colleagues, it appears that  
your fix makes it impossible to unlink the temporary files.  
  
void  
flush_tempfiles (int to_count)  
{  
  if (keep_tempfiles)  
    return;  
  while (last_deleted_tempcount &lt; to_count)  
    unlink (maketempname (++last_deleted_tempcount));  
}  
  
flush_tempfiles would result in texindex exiting via EEXIST, because now  
maketempname actually creates the files with the O_EXCL flag. Although  
this fixes the race condition, it changes the behavior of the program.  
  
Was this intentional or am I missing something here?  
  
--   
Christian S.J. Peron  
csjp@FreeBSD.ORG  
FreeBSD Committer  
FreeBSD Security Team  
  
----- End forwarded message -----  
  
--   
Christian S.J. Peron  
csjp@FreeBSD.ORG  
FreeBSD Committer  
FreeBSD Security Team  
_______________________________________________________  
Please think twice when forwarding, cc:ing, or bcc:ing  
security-team messages.  Ask if you are unsure.</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>jaervosz@gentoo.org</who>
            <bug_when>2005-12-05 00:34:04 0000</bug_when>
            <thetext>http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/texinfo/ 
 
texinfo-4.8-owl-texindex-tmp.diff is our current patch.  Older versions 
of it (for older versions of texinfo) may be found in the Attic. 
Originally, this was a part of texinfo-4.0-owl-tmp.diff, which I entered 
with this comment: 
 
* Wed Jan 03 2001 Solar Designer &lt;solar-at-owl.openwall.com&gt; 
- Patch to create temporary files safely. 
- Give offline sorting in texindex a chance to work (fixed a bug in there; 
did anyone ever test that code, it certainly looks like not). 
 
This patch has the disadvantage of producing a spurious link-time warning 
about mktemp() (although the surrounding code makes this call safe). 
This is because we still had glibc 2.1.3 at the time.  This should be 
updated to use mkdtemp() now (the change is trivial). 
 
--  
/sd </thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>koon@gentoo.org</who>
            <bug_when>2005-12-09 06:56:41 0000</bug_when>
            <thetext>Ccing vapier so that he double-checks Gentoo&apos;s status on this.</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>koon@gentoo.org</who>
            <bug_when>2005-12-13 10:18:01 0000</bug_when>
            <thetext>vapier: any hint on our vulnerability status here?</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>koon@gentoo.org</who>
            <bug_when>2005-12-20 04:06:19 0000</bug_when>
            <thetext>We use a patch based on Martin Pitt&apos;s one.
Apparently it would be better to use the patch from Openwall, which I&apos;ll attach here.

Note that this is not a security issue, since Martin Pitt&apos;s patch solves the security problem; it just changes the way texindex is supposed to work, so it would be a bug.</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>koon@gentoo.org</who>
            <bug_when>2005-12-20 04:07:41 0000</bug_when>
            <thetext>Created an attachment (id=75188)
texinfo-4.8-owl-texindex-tmp.diff

New patch, from Owl</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>vapier@gentoo.org</who>
            <bug_when>2006-02-07 22:30:54 0000</bug_when>
            <thetext>4.8-r3 uses the patch here</thetext>
          </long_desc>
      
          <attachment
              isobsolete="0"
              ispatch="1"
              isprivate="0"
          >
            <attachid>75188</attachid>
            <date>2005-12-20 04:07 0000</date>
            <desc>texinfo-4.8-owl-texindex-tmp.diff</desc>
            <filename>texinfo-4.8-owl-texindex-tmp.diff</filename>
            <type>text/plain</type>
            <data encoding="base64"></data>

          </attachment>
    </bug>

</bugzilla>