66355 2004-10-04 15:00 0000 sys-devel/gettext: Insecure tempfile handling 2004-10-16 22:16:51 0000 1 1 1 Unclassified Gentoo Linux Security unspecified All All RESOLVED FIXED http://www.securityfocus.com/advisories/7263 A3 [glsa] lewk P2 minor --- 1 lewk@gentoo.org security@gentoo.org gentoo@geb.ep.wisc.edu lewk@gentoo.org 2004-10-04 15:00:47 0000 Problem description: Trustix Security Engineers identified that all these packages had one or more script(s) that handled temporary files in an insecure manner. While it is not believed that any of these holes could lead to privilege escalation, it would be possible to trick the scripts to overwrite data writable by the user that invokes the script. These problems can only be exploited by local users, and they would have to wait for someone else, preferably root, to run the vulnerable scripts. lewk@gentoo.org 2004-10-04 15:01:52 0000 Created an attachment (id=41095) gettext-0.14.1-tempfile.patch Patch from Trustix to fix tempfile insecurities. lewk@gentoo.org 2004-10-04 15:04:34 0000 base-system guys, please verify and apply patch if necessary. The stable version of gettext, 0.12.1, seems to be vulnerable to this as well. solar@gentoo.org 2004-10-04 21:36:23 0000 The newest revision we have in portage right now is gettext-0.12.1-r1 looks like we might want to consider a newer version all together. testing.. solar@gentoo.org 2004-10-04 21:41:07 0000 Oh even better Mike Frysinger just told me he is already working on this one. vapier@gentoo.org 2004-10-05 05:43:07 0000 version bumped in cvs; everyone needs loving on this one lewk@gentoo.org 2004-10-05 06:11:46 0000 archs, please mark gettext-0.14.1 stable. lv@gentoo.org 2004-10-05 08:04:17 0000 stable on amd64... kloeri@gentoo.org 2004-10-05 08:39:40 0000 Stable on alpha. vapier@gentoo.org 2004-10-05 15:50:22 0000 arm/hppa/ia64/s390 == OUTTA SIGHT gustavoz@gentoo.org 2004-10-05 18:51:55 0000 I'm getting failed tests: format-java-1 and format-java-2 with bus errors. This passed on gettext-0.12.1 so it's somewhat suspicious, did anyone test this on != sparc? sejo@gentoo.org 2004-10-06 01:40:29 0000 stable on ppc sejo@gentoo.org 2004-10-06 04:52:17 0000 Since i installed gettext 0.14.1 i get this error, can someone see to this? /usr/bin/xgettext: error while loading shared libraries: libgettextlib-0.12.1.so: cannot open shared object file: No such file or directory putted back to ~ppc untill the problem is solved vapier@gentoo.org 2004-10-06 05:53:33 0000 /usr/bin/xgettext: error while loading shared libraries: libgettextlib-0.12.1.so: cannot open shared object file: No such file or directory the fix is to run revdep-rebuild :P gustavoz@gentoo.org 2004-10-06 06:10:33 0000 sparc stable, with conjured patch for the java tests. tester@gentoo.org 2004-10-06 07:08:21 0000 well, xgettext is part of gettext.. So revdep-rebuild doesnt help much here.. Is it being built against the system installed gettext instead of the version in its own directory? Btw, it seems to have built correctly here. I think 66485 is a dupe... and this one is on x86.. I'm holding it off on stabilizing on x86 until this is sorted out.. tester@gentoo.org 2004-10-06 16:48:12 0000 *** Bug 66485 has been marked as a duplicate of this bug. *** vapier@gentoo.org 2004-10-06 22:08:16 0000 masked 0.14.1 ... i'll release a new 0.12.1-r# with the patch koon@gentoo.org 2004-10-07 01:40:04 0000 Back to ebuild status, current ebuild breaks things. NB to sec team: tempfile attacks are "3" not "4". vapier@gentoo.org 2004-10-07 16:59:33 0000 ok, i've added gettext-0.12.1-r2 to portage with the patch posted here ... one of the hunks is not relevant to 0.12.1 since it removes code that was added to gettext after this release lets try stablizing again shall we lewk@gentoo.org 2004-10-07 18:06:52 0000 archs, please mark gettext-0.12.1-r2 stable. eradicator@gentoo.org 2004-10-07 22:02:07 0000 stable x86 and amd64 eradicator@gentoo.org 2004-10-07 23:08:46 0000 stable on sparc sejo@gentoo.org 2004-10-08 02:07:56 0000 stable on ppc but QA isn't ok: The patch is bigger then 20K!!! gmsoft@gentoo.org 2004-10-08 07:34:03 0000 done on hppa. kloeri@gentoo.org 2004-10-09 02:37:17 0000 Stable on alpha. vapier@gentoo.org 2004-10-09 18:01:57 0000 arm/ia64/s390 done tgall@gentoo.org 2004-10-09 19:41:58 0000 stable on ppc64, thanks! lewk@gentoo.org 2004-10-10 15:32:37 0000 GLSA 200410-10 mips, please mark stable to benefit from GLSA. hardave@gentoo.org 2004-10-16 22:16:51 0000 Stable on mips. 41095 2004-10-04 15:01 0000 gettext-0.14.1-tempfile.patch gettext-0.14.1-tempfile.patch text/plain ZGlmZiAtdXIgZ2V0dGV4dC0wLjE0LjEub3JpZy9nZXR0ZXh0LXRvb2xzL21pc2MvYXV0b3BvaW50 LmluIGdldHRleHQtMC4xNC4xL2dldHRleHQtdG9vbHMvbWlzYy9hdXRvcG9pbnQuaW4KLS0tIGdl dHRleHQtMC4xNC4xLm9yaWcvZ2V0dGV4dC10b29scy9taXNjL2F1dG9wb2ludC5pbgkyMDA0LTAx LTI5IDIwOjE3OjI3LjAwMDAwMDAwMCArMDEwMAorKysgZ2V0dGV4dC0wLjE0LjEvZ2V0dGV4dC10 b29scy9taXNjL2F1dG9wb2ludC5pbgkyMDA0LTA5LTIwIDEwOjI2OjE0LjAwMDAwMDAwMCArMDIw MApAQCAtMzksMTQgKzM5LDcgQEAKICAgICAqLyogfCAqXFwqKSA7OwogICAgICopICMgTmVlZCB0 byBsb29rIGluIHRoZSBQQVRILgogICAgICAgaWYgdGVzdCAiJHtQQVRIX1NFUEFSQVRPUitzZXR9 IiAhPSBzZXQ7IHRoZW4KLSAgICAgICAgeyBlY2hvICIjISAvYmluL3NoIjsgZWNobyAiZXhpdCAw IjsgfSA+IC90bXAvY29uZiQkLnNoCi0gICAgICAgIGNobW9kICt4IC90bXAvY29uZiQkLnNoCi0g ICAgICAgIGlmIChQQVRIPSIvbm9uZXhpc3RlbnQ7L3RtcCI7IGNvbmYkJC5zaCkgPi9kZXYvbnVs bCAyPiYxOyB0aGVuCi0gICAgICAgICAgUEFUSF9TRVBBUkFUT1I9JzsnCi0gICAgICAgIGVsc2UK LSAgICAgICAgICBQQVRIX1NFUEFSQVRPUj06Ci0gICAgICAgIGZpCi0gICAgICAgIHJtIC1mIC90 bXAvY29uZiQkLnNoCisgICAgICAgIFBBVEhfU0VQQVJBVE9SPToKICAgICAgIGZpCiAgICAgICBz YXZlX0lGUz0iJElGUyI7IElGUz0iJFBBVEhfU0VQQVJBVE9SIgogICAgICAgZm9yIGRpciBpbiAk UEFUSDsgZG8KQEAgLTMxOCw3ICszMTEsMTUgQEAKIGN2c19kaXI9dG1wY3ZzJCQKIHdvcmtfZGly PXRtcHdyayQkCiBta2RpciAiJGN2c19kaXIiCitpZiBbICQ/IC1uZSAwIF07IHRoZW4KKyAgZWNo byAiRVJST1IgbWFraW5nICRjdnNfZGlyIgorICBleGl0IDEKK2ZpCiBta2RpciAiJHdvcmtfZGly IgoraWYgWyAkPyAtbmUgMCBdOyB0aGVuCisgIGVjaG8gIkVSUk9SIG1ha2luZyAkd29ya19kaXIi CisgIGV4aXQgMQorZmkKIENWU1JPT1Q9IiRzcmNkaXIvJGN2c19kaXIiCiBleHBvcnQgQ1ZTUk9P VAogdW5zZXQgQ1ZTX0NMSUVOVF9MT0cKQEAgLTM4NCw4ICszODUsNyBAQAogIyBvcmlnaW5hbCAt IHRvbyBncmVhdCByaXNrIG9mIHZlcnNpb24gbWlzbWF0Y2guCiBpZiB0ZXN0IC16ICIkZm9yY2Ui OyB0aGVuCiAgIG1pc21hdGNoPQotICBtaXNtYXRjaGZpbGU9IiR7VE1QRElSLS90bXB9Ii9hdXRv cG9pbnQkJC5kaWZmCi0gIHJtIC1mICIkbWlzbWF0Y2hmaWxlIgorICBtaXNtYXRjaGZpbGU9ImBt a3RlbXAgLXQgYXV0b3BvaW50LmRpZmYuWFhYWFhYYCIKICAgZm9yIGZpbGUgaW4gYGZpbmQgIiR3 b3JrX2Rpci9hcmNoaXZlIiAtdHlwZSBmIC1wcmludCB8IHNlZCAtZSAicyxeJHdvcmtfZGlyL2Fy Y2hpdmUvLCwiIHwgTENfQUxMPUMgc29ydGA7IGRvCiAgICAgZnVuY19kZXN0ZmlsZSAiJGZpbGUi CiAgICAgaWYgdGVzdCAtbiAiJGRlc3RmaWxlIjsgdGhlbgpAQCAtNDE3LDYgKzQxNywxMCBAQAog ICAgICMgUmVjb21wdXRlIGJhc2UuIEl0IHdhcyBjbG9iYmVyZWQgYnkgdGhlIHJlY3Vyc2l2ZSBj YWxsLgogICAgIGJhc2U9YGVjaG8gIiQxIiB8IHNlZCAtZSAncywvW14vXSokLCwnYAogICAgIHRl c3QgLWQgIiRiYXNlIiB8fCB7IGVjaG8gIkNyZWF0aW5nIGRpcmVjdG9yeSAkYmFzZSI7IG1rZGly ICIkYmFzZSI7IH0KKyAgICBpZiBbICQ/IC1uZSAwIF07IHRoZW4KKyAgICAgIGVjaG8gIkVSUk9S IG1ha2luZyBkaXJlY3RvcnkgJGJhc2UiCisgICAgICBleGl0IDEKKyAgICBmaQogICBmaQogfQog CmRpZmYgLXVyIGdldHRleHQtMC4xNC4xLm9yaWcvZ2V0dGV4dC10b29scy9taXNjL2dldHRleHRp emUuaW4gZ2V0dGV4dC0wLjE0LjEvZ2V0dGV4dC10b29scy9taXNjL2dldHRleHRpemUuaW4KLS0t IGdldHRleHQtMC4xNC4xLm9yaWcvZ2V0dGV4dC10b29scy9taXNjL2dldHRleHRpemUuaW4JMjAw NC0wMS0yMCAxMjozMDowNi4wMDAwMDAwMDAgKzAxMDAKKysrIGdldHRleHQtMC4xNC4xL2dldHRl eHQtdG9vbHMvbWlzYy9nZXR0ZXh0aXplLmluCTIwMDQtMDktMjAgMTA6MjI6MzkuMDAwMDAwMDAw ICswMjAwCkBAIC0zOSwxNCArMzksNyBAQAogICAgICovKiB8ICpcXCopIDs7CiAgICAgKikgIyBO ZWVkIHRvIGxvb2sgaW4gdGhlIFBBVEguCiAgICAgICBpZiB0ZXN0ICIke1BBVEhfU0VQQVJBVE9S K3NldH0iICE9IHNldDsgdGhlbgotICAgICAgICB7IGVjaG8gIiMhIC9iaW4vc2giOyBlY2hvICJl eGl0IDAiOyB9ID4gL3RtcC9jb25mJCQuc2gKLSAgICAgICAgY2htb2QgK3ggL3RtcC9jb25mJCQu c2gKLSAgICAgICAgaWYgKFBBVEg9Ii9ub25leGlzdGVudDsvdG1wIjsgY29uZiQkLnNoKSA+L2Rl di9udWxsIDI+JjE7IHRoZW4KLSAgICAgICAgICBQQVRIX1NFUEFSQVRPUj0nOycKLSAgICAgICAg ZWxzZQotICAgICAgICAgIFBBVEhfU0VQQVJBVE9SPToKLSAgICAgICAgZmkKLSAgICAgICAgcm0g LWYgL3RtcC9jb25mJCQuc2gKKyAgICAgICAgUEFUSF9TRVBBUkFUT1I9OgogICAgICAgZmkKICAg ICAgIHNhdmVfSUZTPSIkSUZTIjsgSUZTPSIkUEFUSF9TRVBBUkFUT1IiCiAgICAgICBmb3IgZGly IGluICRQQVRIOyBkbwo=