160130 2007-01-04 15:51 0000 sci-astronomy/predict: Insecure /tmp file usage in files/predict-update 2009-01-11 19:04:16 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED B3? [noglsa] P2 normal --- 1 shellsage@gentoo.org security@gentoo.org sci@gentoo.org shellsage@gentoo.org 2007-01-04 15:51:56 0000 The file files/predict-update that is distributed with the sci-astronomy/predict ebuild insecurely writes to files in /tmp. If the files were to exist, or be created by a local attacker in a race condition with wget, as symlinks, arbitrary files could possibly be overwritten upon the installation of sci-astronomy/predict. wget should not be used to write to files in /tmp, and even otherwise, the existence of files in wget should be checked for existence before data is written to them. jaervosz@gentoo.org 2007-01-06 12:57:48 0000 sci please advise. markusle@gentoo.org 2007-01-07 18:06:12 0000 Hi Vic, Thanks for pointing this out! Unfortunately, I am not familiar with this package, but it seems that the predict-update script is provided by gentoo rather than being part of the upstream package. It was committed by phosphan, so maybe he can advise on what to do. There are two options I can think of right now to resolve this issue: (1) We add "-nc" to wget to prevent it from overwriting already existing files. (2) We remove the script altogether and provide the user with a brief set of instructions on how to update his database "by hand". If (1) would be fine and sufficient with the security folks I could do that right away. Thanks, Markus taviso@gentoo.org 2007-01-07 18:10:03 0000 Hi Markus, an easy way to use /tmp securely from a shellscript is like so: mkdir /tmp/predict-$$ || exit 1 cd /tmp/predict-$$ now you can use wget safely, then just rm -rf the directory when finished...the imnportant part is you _must_ abort if mkdir returns error. If you dont mind making this minor change, that would be fine from a security perspective! markusle@gentoo.org 2007-01-07 23:49:44 0000 Created an attachment (id=105965) proposed patch to remove insecure file handling Hi Tavis, Thanks for the tip and this should work perfectly! I've attached a proposed patch for predict-update. If this looks fine to the security team I'll apply it asap and revision bump the ebuild. Thanks, Markus markusle@gentoo.org 2007-01-12 02:41:10 0000 @security folks: I've just bumped predict to version 2.2.3 which will pull in the updated predict-update script (see the posted patch). This should fix the insecure /tmp file handling, unless there are additional concerns with the updated version. The bumped ebuild is currently in ~amd64 and ~x86 and needs to be stabled on both arches to get the insecure version of predict-update off of user's systems. Please let me know if there's anything else you would like me to do. Thanks, Markus vorlon@gentoo.org 2007-01-26 11:28:42 0000 thanks Markus amd64/x86, pls test predict-2.2.3 and mark stable if possible armin76@gentoo.org 2007-01-26 11:43:18 0000 x86 stable beandog@gentoo.org 2007-01-26 14:43:59 0000 amd64 stable vorlon@gentoo.org 2007-01-26 14:45:16 0000 security please vote on glsa publication shellsage@gentoo.org 2007-01-27 21:36:03 0000 I vote yes; there were a bunch of these packages we found, we should probably do GLSAs for all of them. jaervosz@gentoo.org 2007-01-27 22:52:05 0000 Well if we can bundle a lot of similar issues it would be fine. Otherwise I tend to vote NO. falco@gentoo.org 2007-02-10 19:03:54 0000 (In reply to comment #11) > Well if we can bundle a lot of similar issues it would be fine. Otherwise I > tend to vote NO. > IMHO it should depend on the package, the severity and if the exploitation if easy. Here it's only during emerge, so i vote NO, and i close the bug. Feel free to reopen if you disagree 105965 2007-01-07 23:49 0000 proposed patch to remove insecure file handling predict-update.patch text/plain LS0tIHByZWRpY3QtdXBkYXRlLm9sZAkyMDA3LTAxLTA3IDE4OjQyOjE5LjAwMDAwMDAwMCAtMDUw MAorKysgcHJlZGljdC11cGRhdGUJMjAwNy0wMS0wNyAxODozOToyNi4wMDAwMDAwMDAgLTA1MDAK QEAgLTEsOCArMSw3IEBACiAjIS9iaW4vc2gKLVBWPQorb2xkcHdkPSRQV0QKIAogaWYgWyAhIC1m IH4vLnByZWRpY3QvcHJlZGljdC50bGUgXTsgdGhlbgotCW9sZHB3ZD0kUFdECiAJbWtkaXIgLXAg fi8ucHJlZGljdAogCWNkIH4vLnByZWRpY3QKIAljYXQgPiBwcmVkaWN0LnRsZSA8PCBFT0YKQEAg LTc5LDEwICs3OCwxNSBAQAogMSAyNjkyOVUgICAgICAgICAgMDIyMTYuNjc1NDg4NDMgIC4wMDA0 MjE2OSAgMDAwMDAtMCAgMDAwMDAtMCAwICAgICA5CiAyIDI2OTI5ICA2Ny4wNDI2IDI0Ni41NTQ0 IDAwMTEzMjYgMjM3LjkxMjkgMTIyLjA5ODEgMTUuNTczNjc1NjcgNDc2MzYKIEVPRgotCWNkICRv bGRwd2QKIGZpCi13Z2V0IC1xYyB3d3cuY2VsZXN0cmFrLmNvbS9OT1JBRC9lbGVtZW50cy9hbWF0 ZXVyLnR4dCAtTyAvdG1wL2FtYXRldXIudHh0Ci13Z2V0IC1xYyB3d3cuY2VsZXN0cmFrLmNvbS9O T1JBRC9lbGVtZW50cy92aXN1YWwudHh0IC1PIC90bXAvdmlzdWFsLnR4dAotd2dldCAtcWMgd3d3 LmNlbGVzdHJhay5jb20vTk9SQUQvZWxlbWVudHMvd2VhdGhlci50eHQgLU8gL3RtcC93ZWF0aGVy LnR4dAotcHJlZGljdCAtdSAvdG1wL2FtYXRldXIudHh0IC90bXAvdmlzdWFsLnR4dCAvdG1wL3dl YXRoZXIudHh0Ci1ybSAvdG1wL2FtYXRldXIudHh0IC90bXAvdmlzdWFsLnR4dCAvdG1wL3dlYXRo ZXIudHh0CisKK21rZGlyIC90bXAvcHJlZGljdC0kJCB8fCBleGl0IDEKK2NkIC90bXAvcHJlZGlj dC0kJAorCit3Z2V0IC1xYyB3d3cuY2VsZXN0cmFrLmNvbS9OT1JBRC9lbGVtZW50cy9hbWF0ZXVy LnR4dCAtTyAuL2FtYXRldXIudHh0Cit3Z2V0IC1xYyB3d3cuY2VsZXN0cmFrLmNvbS9OT1JBRC9l bGVtZW50cy92aXN1YWwudHh0IC1PIC4vdmlzdWFsLnR4dAord2dldCAtcWMgd3d3LmNlbGVzdHJh ay5jb20vTk9SQUQvZWxlbWVudHMvd2VhdGhlci50eHQgLU8gLi93ZWF0aGVyLnR4dAorcHJlZGlj dCAtdSAuL2FtYXRldXIudHh0IC4vdmlzdWFsLnR4dCAuL3dlYXRoZXIudHh0CisKK2NkICR7b2xk cHdkfQorcm0gLWZyIC90bXAvcHJlZGljdC0kJAo=