150264 2006-10-06 06:17 0000 dev-lang/mono - insecure temp file usage (CVE-2006-5072) 2006-11-28 12:32:16 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://www.ubuntu.com/usn/usn-357-1 B3 [glsa] P2 minor --- 1 carlo@gentoo.org security@gentoo.org dotnet@gentoo.org carlo@gentoo.org 2006-10-06 06:17:39 0000 from USN-357-1: Sebastian Krahmer of the SuSE security team discovered that the System.CodeDom.Compiler classes used temporary files in an insecure way. This could allow a symbolic link attack to create or overwrite arbitrary files with the privileges of the user invoking the program. Under some circumstances, a local attacker could also exploit this to inject arbitrary code into running Mono processes. http://www.ubuntu.com/usn/usn-357-1 vorlon@gentoo.org 2006-10-11 05:39:18 0000 dotnet, pls patch/bump latexer@gentoo.org 2006-10-11 09:15:01 0000 Wonderful of ubuntu/CVE to actually link to an open ximian bugzilla bug, or a SVN revision that fixes, it, etc. I will dig into SVN to try to find the fix for us. latexer@gentoo.org 2006-10-15 17:05:37 0000 Ok, added both 1.1.13.8.1 and 1.1.18. I suggest 1.1.13.8.1 for stabalisation, 1.1.17 and newer have some breakages that aren't properly handed in stable arch yet. Should I CC arches now? vorlon@gentoo.org 2006-10-17 04:24:34 0000 thanks Peter arches, pls test dev-lang/mono-1.1.13.8.1 and mark stable if possible fauli@gentoo.org 2006-10-17 05:21:16 0000 1) emerges fine, apart from bug #131569 2) passes collision test 3) works (media-sound/last-exit emerges fine and works) Portage 2.1.1 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r3, 2.6.17-gentoo-r8 i686) ================================================================= System uname: 2.6.17-gentoo-r8 i686 AMD Athlon(tm) XP 2500+ Gentoo Base System version 1.12.5 Last Sync: Tue, 17 Oct 2006 04:20:01 +0000 app-admin/eselect-compiler: [Not Present] dev-java/java-config: 1.3.7, 2.0.30 dev-lang/python: 2.4.3-r4 dev-python/pycrypto: 2.0.1-r5 dev-util/ccache: [Not Present] dev-util/confcache: [Not Present] sys-apps/sandbox: 1.2.17 sys-devel/autoconf: 2.13, 2.59-r7 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2 sys-devel/binutils: 2.16.1-r3 sys-devel/gcc-config: 1.3.13-r4 sys-devel/libtool: 1.5.22 virtual/os-headers: 2.6.17-r1 ACCEPT_KEYWORDS="x86" AUTOCLEAN="yes" CBUILD="i686-pc-linux-gnu" CFLAGS="-O2" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/" CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo" CXXFLAGS="-O2" DISTDIR="/usr/portage/distfiles" FEATURES="autoconfig ccache collision-protect distlocks metadata-transfer parallel-fetch sandbox sfperms strict test" GENTOO_MIRRORS="ftp://sunsite.informatik.rwth-aachen.de/pub/Linux/gentoo/" LANG="de_DE@euro" LC_ALL="de_DE@euro" LINGUAS="de" MAKEOPTS="-j2" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/local/portage" SYNC="rsync://rsync.informatik.rwth-aachen.de/gentoo-portage" USE="x86 3dnow 3dnowext X Xaw3d a52 aiglx alsa artworkextra asf audiofile bash-completion beagle berkdb bidi bitmap-fonts bootsplash branding bzip2 cairo cdda cddb cdparanoia cdr cli cracklib crypt css cups curl custom-cflags dbus dga directfb divx4linux dlloader dri dts dvd dvdr dvdread dvi eds elibc_glibc emacs emboss encode esd evo exif expat fam fat fbcon ffmpeg firefox fortran ftp gb gcj gdbm gif gnome gpm gstreamer gtk gtk2 gtkhtml hal icq idn imagemagick imap input_devices_keyboard input_devices_mouse ipv6 isdnlog java javascript jikes jpeg jpeg2k kde kernel_linux ldap leim libg++ linguas_de lm_sensors mad maildir matroska mbox mhash mikmod mime mmx mmxext mng mono mp3 mpeg mpeg2 mule mysql nautilus ncurses nforce2 nls nocardbus nptl nptlonly nsplugin nvidia objc ogg opengl pam pcre pdf perl plotutils pmu png ppds pppd preview-latex print python qt3 qt4 quicktime readline reflection reiserfs samba sdk session slang spell spl sse ssl svg svga t1lib tcltk tcpd tetex theora thunderbird tiff truetype truetype-fonts type1-fonts udev usb userland_GNU vcd video_cards_fbdev video_cards_radeon video_cards_vesa videos vorbis win32codecs wmf wxwindows xine xml xorg xosd xv xvid zlib" Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS maekke@gentoo.org 2006-10-17 11:38:03 0000 1. emerges fine on x86 2. passes collision test 3. works as all mono-dependent packages rebuilt (and worked) fine. (some gnome/evolution stuff) emerge --info Portage 2.1.1 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r3, 2.6.18.1 i686) ================================================================= System uname: 2.6.18.1 i686 Genuine Intel(R) CPU T2300 @ 1.66GHz Gentoo Base System version 1.12.5 Last Sync: Tue, 17 Oct 2006 16:50:01 +0000 ccache version 2.3 [disabled] app-admin/eselect-compiler: [Not Present] dev-java/java-config: 1.3.7, 2.0.30 dev-lang/python: 2.3.5-r3, 2.4.3-r4 dev-python/pycrypto: 2.0.1-r5 dev-util/ccache: 2.3 dev-util/confcache: [Not Present] sys-apps/sandbox: 1.2.17 sys-devel/autoconf: 2.13, 2.59-r7 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2 sys-devel/binutils: 2.16.1-r3 sys-devel/gcc-config: 1.3.13-r4 sys-devel/libtool: 1.5.22 virtual/os-headers: 2.6.17-r1 ACCEPT_KEYWORDS="x86" AUTOCLEAN="yes" CBUILD="i686-pc-linux-gnu" CFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/" CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo" CXXFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer" DISTDIR="/usr/portage/distfiles" EMERGE_DEFAULT_OPTS="--nospinner" FEATURES="autoconfig collision-protect distlocks metadata-transfer parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox" GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo" LINGUAS="en de en_GB de_CH" MAKEOPTS="-j3" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage" USE="x86 X a52 aac acpi alsa apache2 asf berkdb bitmap-fonts cairo cdr cdrom cli cracklib crypt cups dbus divx dlloader dri dts dvd dvdr dvdread eds elibc_glibc emboss encode fam ffmpeg firefox flac fortran gdbm gif gnome gpm gstreamer gtk hal input_devices_keyboard input_devices_mouse ipv6 isdnlog java jpeg kde kernel_linux ldap libg++ linguas_de linguas_de_CH linguas_en linguas_en_GB mad mikmod mmx mono mp3 mpeg ncurses nls nptl nptlonly ogg opengl oss pam pcre perl png ppds pppd python qt3 qt4 quicktime readline reflection rtsp samba sdl session smp spell spl sse sse2 sse3 ssl svg tcpd test tetex theora threads truetype truetype-fonts type1-fonts udev unicode userland_GNU vcd video_cards_fbdev video_cards_i810 video_cards_vesa vorbis win32codecs wxwindows x264 xine xml xorg xprint xv xvid zlib" Unset: CTARGET, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY dertobi123@gentoo.org 2006-10-21 15:43:37 0000 Fails on ppc, make[8]: Entering directory `/var/tmp/portage/mono-1.1.13.8.1/work/mono-1.1.13.8.1/mcs/class/Mono.Security' MONO_PATH="../../class/lib/net_2_0_bootstrap:$MONO_PATH" /var/tmp/portage/mono-1.1.13.8.1/work/mono-1.1.13.8.1/runtime/mono-wrapper ../../class/lib/net_2_0_bootstrap/mcs.exe /codepage:28591 -d:NET_1_1 -d:BOOTSTRAP_NET_2_0 -debug /noconfig -r:System.dll -unsafe -target:library -out:Mono.Security.dll @Mono.Security.dll.sources ** (../../class/lib/net_2_0_bootstrap/mcs.exe:2495): WARNING **: The class System.Text.EncoderFallbackBuffer could not be loaded, used in mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 ================================================================= Got a SIGSEGV while executing native code. This usually indicates a fatal error in the mono runtime or one of the native libraries used by your application. ================================================================= fauli@gentoo.org 2006-10-21 23:16:59 0000 (In reply to comment #7) > Fails on ppc, Unmerge and then emerge. dertobi123@gentoo.org 2006-10-22 07:03:52 0000 Ok, works then ... *sigh* .... Shouldn't that info be put in an einfo|ewarn in src_unpack? fauli@gentoo.org 2006-10-27 09:23:16 0000 x86 stable, though a notice about the unmerge->emerge cycle would be nice. dertobi123@gentoo.org 2006-10-27 10:37:46 0000 (In reply to comment #9) > Ok, works then ... *sigh* .... Shouldn't that info be put in an einfo|ewarn in > src_unpack? > ping? thedude0001@gmx.de 2006-10-31 11:26:09 0000 emerges fine on amd64, passes tests, good to go... emerge --info Portage 2.1.1-r1 (default-linux/amd64/2006.1/desktop, gcc-4.1.1, glibc-2.4-r3, 2.6.18-suspend2-Dudebox-Edition x86_64) ================================================================= System uname: 2.6.18-suspend2-Dudebox-Edition x86_64 AMD Athlon(tm) 64 Processor 3200+ Gentoo Base System version 1.12.5 Last Sync: Tue, 31 Oct 2006 04:50:01 +0000 distcc 2.18.3 x86_64-pc-linux-gnu (protocols 1 and 2) (default port 3632) [enabled] ccache version 2.3 [enabled] app-admin/eselect-compiler: [Not Present] dev-java/java-config: [Not Present] dev-lang/python: 2.4.3-r4 dev-python/pycrypto: 2.0.1-r5 dev-util/ccache: 2.3 dev-util/confcache: [Not Present] sys-apps/sandbox: 1.2.17 sys-devel/autoconf: 2.13, 2.59-r7 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2 sys-devel/binutils: 2.16.1-r3 sys-devel/gcc-config: 1.3.13-r3 sys-devel/libtool: 1.5.22 virtual/os-headers: 2.6.11-r2 ACCEPT_KEYWORDS="amd64" AUTOCLEAN="yes" CBUILD="x86_64-pc-linux-gnu" CFLAGS="-march=k8 -msse3 -Os -pipe" CHOST="x86_64-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /var/qmail/control" CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo" CXXFLAGS="-march=k8 -msse3 -Os -pipe" DISTDIR="/usr/portage/distfiles" FEATURES="autoconfig buildpkg ccache collision-protect distcc distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test" GENTOO_MIRRORS="ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror/ ftp:///ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/" LDFLAGS="-Wl,-O1" MAKEOPTS="-j4" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/local/portage_overlay" SYNC="rsync://server/gentoo-portage" USE="amd64 X alsa apache2 berkdb bitmap-fonts cairo cdr cli cracklib crypt cups dbus dlloader dri dvd dvdr eds elibc_glibc emboss encode esd fam firefox fortran gcj gdbm gif gpm gstreamer gtk gtk2 hal iconv imap input_devices_keyboard input_devices_mouse isdnlog jpeg kde kdeenablefinal kdehiddenvisibility kernel_linux libg++ mad mikmod mp3 mpeg mysql ncurses nls nptl nptlonly objc objc++ ogg oss pam pcre perl png ppds pppd python qt3 qt4 quicktime readline reflection sdl session spell spl sqlite ssl tcpd test truetype truetype-fonts type1-fonts udev unicode userland_GNU video_cards_radeon vorbis xml xorg xv zlib" Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LINGUAS, PORTAGE_RSYNC_EXTRA_OPTS malc@gentoo.org 2006-11-01 16:31:29 0000 Stable on amd64... though Kugelfang beat me to the commit... falco@gentoo.org 2006-11-03 05:36:18 0000 Usually we treat the insecure file creation vulnerabilities as *3 --> rerating "This could allow a symbolic link attack to create or overwrite arbitrary files with the privileges of the user invoking the program." normally this is not run as root "Under some circumstances, a local attacker could also exploit this to inject arbitrary code into running Mono processes." "local attacker" --> i would vote for no glsa. dertobi123@gentoo.org 2006-11-03 05:44:20 0000 Err, shall we ignore that "just updating" won't work? If it's that way I'm ok with stabling the package, but i would've expect to get at least an answer to my question. dertobi123@gentoo.org 2006-11-04 07:03:57 0000 As noone else seems to be interested in that ... ppc stable. falco@gentoo.org 2006-11-06 01:37:24 0000 i vote for noglsa because the impact is weak: a *local* attacker could perform a symlink attack, possibly leading to the execution of arbitrary code with the rights of the user running mono. falco@gentoo.org 2006-11-20 07:49:25 0000 sec team please make a sign of life jaervosz@gentoo.org 2006-11-20 08:21:15 0000 I vote YES. vorlon@gentoo.org 2006-11-23 13:38:30 0000 voting yes too jaervosz@gentoo.org 2006-11-24 01:48:59 0000 Let's have a GLSA then. falco@gentoo.org 2006-11-28 12:32:16 0000 GLSA 200611-23