96192 2005-06-15 10:06 0000 not so secure tmpfile handling in rpm2targz 2005-07-06 02:43:12 0000 1 1 1 Unclassified Gentoo Linux Applications 2005.0 All All RESOLVED FIXED P2 normal --- 1 solar@gentoo.org liquidx@gentoo.org security@gentoo.org solar@gentoo.org 2005-06-15 10:06:17 0000 rpm2targz uses the mcookie app for tmpdir file handling. This mcookie program is ment to be used on files vs dirs and rpm2targz is using it for dir handling without really any error checking. I think all of that can lead us to some pretty nice race condition bugs. I'm not sure if this should be classed as a security problem or not so I'm assigning it to you for now with secuirty on the CC: solar@gentoo.org 2005-06-15 10:07:42 0000 Created an attachment (id=61287) rpm2targz.diff Attached local patch I'm using now. liquidx@gentoo.org 2005-06-25 05:41:58 0000 thanks for the patch solar, i've committed it to rpm2targz-9.0-r3. security hasn't said anything about this being a major problem, so i've marked it ~x86 for now, but i'll fast track it if security thinks it is necessary. liquidx@gentoo.org 2005-07-06 02:43:12 0000 i'm marking the new version of rpm2targz stable for x86. closing for now. 61287 2005-06-15 10:07 0000 rpm2targz.diff rpm2targz.diff text/plain LS0tIHJwbTJ0YXJnei5vcmlnCTIwMDUtMDYtMTUgMTA6MTk6MTIuMDAwMDAwMDAwIC0wNDAwCisr KyBycG0ydGFyZ3oJMjAwNS0wNi0xNSAxMjo1NToxMC4wMDAwMDAwMDAgLTA0MDAKQEAgLTIsNiAr Miw3IEBACiAjIENvcHlyaWdodCAxOTk3LCAxOTk4IFBhdHJpY2sgVm9sa2VyZGluZywgTW9vcmhl YWQsIE1OIFVTQQogIyBDb3B5cmlnaHQgMjAwMiBTbGFja3dhcmUgTGludXgsIEluYy4sIENvbmNv cmQsIENBIFVTQQogIyBBbGwgcmlnaHRzIHJlc2VydmVkLgorIyAkSGVhZGVyOiAkCiAjCiAjIFJl ZGlzdHJpYnV0aW9uIGFuZCB1c2Ugb2YgdGhpcyBzY3JpcHQsIHdpdGggb3Igd2l0aG91dCBtb2Rp ZmljYXRpb24sIGlzCiAjIHBlcm1pdHRlZCBwcm92aWRlZCB0aGF0IHRoZSBmb2xsb3dpbmcgY29u ZGl0aW9ucyBhcmUgbWV0OgpAQCAtMjMsMjAgKzI0LDI0IEBACiAKICMgZGVidWcgc3dpdGNoIHRv IGFsbG93IHRvIGJ5cGFzcyB1c2Ugb2YgcnBtMmNwaW8gcHJvdmlkZWQgYnkgdGhlIHJwbSBwYWNr YWdlCiBVU0VSUE0yQ1BJTz10cnVlCi1pZiBbICIkVE1QRElSIiA9ICIiIF07IHRoZW4KLSAgVE1Q RElSPS90bXAKK1sgIiRUTVBESVIiID09ICIiIF0gJiYgVE1QRElSPS90bXAKK2lmIFsgISAtZCAi JFRNUERJUiIgXTsgdGhlbgorCWVjaG8gIlRNUERJUj0kVE1QRElSIGlzIG5vdCBhIGRpciIgPiAv ZGV2L3N0ZGVycgorCWV4aXQgMQogZmkKLSMgSWYgbWNvb2tpZSBpcyBhdmFpbGFibGUsIHVzZSBp dCBmb3IgYmV0dGVyIC90bXAgc2VjdXJpdHkuCi1pZiBbIC14IGB3aGljaCBtY29va2llYCBdOyB0 aGVuCi0gIENPT0tJRT1gbWNvb2tpZWAKLWVsc2UKLSAgQ09PS0lFPSQkCitXT1JLRElSPWBta3Rl bXAgLWQgJFRNUERJUi8kJFhYWFhYWGAKK2lmIFsgJD8gIT0gMCBdOyB0aGVuCisJZWNobyAiRmFp bGVkIHRvIG1ha2UgdG1wIHdvcmtkaXIgZm9yIGZpbGUgaS9vIGNvbnZlcnNpb24iID4gL2Rldi9z dGRlcnIKKwlleGl0IDEKIGZpCisKIGlmIFsgIiQxIiA9ICIiIF07IHRoZW4KICAgZWNobyAiJDA6 ICBDb252ZXJ0cyBSUE0gZm9ybWF0IHRvIHN0YW5kYXJkIEdOVSB0YXIgKyBHTlUgemlwIGZvcm1h dC4iCi0gIGVjaG8gIiAgICAgICAgICAgICh2aWV3IGNvbnZlcnRlZCBwYWNrYWdlcyB3aXRoIFwi bGVzc1wiLCBpbnN0YWxsIGFuZCByZW1vdmUiCi0gIGVjaG8gIiAgICAgICAgICAgIHdpdGggXCJp bnN0YWxscGtnXCIsIFwicmVtb3ZlcGtnXCIsIFwicGtndG9vbFwiLCBvciBtYW51YWxseSIKLSAg ZWNobyAiICAgICAgICAgICAgd2l0aCBcInRhclwiKSIKKyAgaWYgWyAtZSAvZXRjL3NsYWNrd2Fy ZS12ZXJzaW9uIF07IHRoZW4KKyAgICBlY2hvICIgICAgICAgICAgICAodmlldyBjb252ZXJ0ZWQg cGFja2FnZXMgd2l0aCBcImxlc3NcIiwgaW5zdGFsbCBhbmQgcmVtb3ZlIgorICAgIGVjaG8gIiAg ICAgICAgICAgIHdpdGggXCJpbnN0YWxscGtnXCIsIFwicmVtb3ZlcGtnXCIsIFwicGtndG9vbFwi LCBvciBtYW51YWxseSIKKyAgICBlY2hvICIgICAgICAgICAgICB3aXRoIFwidGFyXCIpIgorICBm aQogICBlY2hvCiAgIGVjaG8gIlVzYWdlOiAgICAgICQwIDxmaWxlLnJwbT4iCiAgIGlmIFsgImBi YXNlbmFtZSAkMGAiID0gInJwbTJ0Z3oiIF07IHRoZW4KQEAgLTUwLDEyICs1NSwxMSBAQAogICBp ZiBbICEgIiQxIiA9ICIkKiIgXTsgdGhlbgogICAgIGVjaG8gIlByb2Nlc3NpbmcgZmlsZTogJGki CiAgIGZpCi0gIHJtIC1yZiAkVE1QRElSL3JwbTJ0YXJneiRDT09LSUUgIyBjbGVhciB0aGUgd2F5 LCBqdXN0IGluIGNhc2Ugb2YgbWlzY2hpZWYKLSAgbWtkaXIgJFRNUERJUi9ycG0ydGFyZ3okQ09P S0lFCisgIHJtIC1yZiAke1dPUktESVJ9LyogfHwgZXhpdCAxIDsgIyBjbGVhciB0aGUgd2F5LCBq dXN0IGluIGNhc2Ugb2YgbWlzY2hpZWYKIAogICAjIERldGVybWluZSBpZiB0aGlzIGlzIGEgc291 cmNlIG9yIGJpbmFyeSBSUE0uCiAgICMgSWYgd2UgaGF2ZSBnZXRycG10eXBlLCB1c2UgdGhhdC4g IE90aGVyd2lzZSwgdHJ5ICJmaWxlIi4KLSAgaWYgd2hpY2ggZ2V0cnBtdHlwZSAxPiAvZGV2L251 bGwgMj4gL2Rldi9udWxsOyB0aGVuCisgIGlmIHR5cGUgLXAgZ2V0cnBtdHlwZSAxPiAvZGV2L251 bGwgMj4gL2Rldi9udWxsOyB0aGVuCiAgICAgaWYgZ2V0cnBtdHlwZSAtbiAkaSB8IGdyZXAgc291 cmNlIDE+IC9kZXYvbnVsbCAyPiAvZGV2L251bGwgOyB0aGVuCiAgICAgICBpc1NvdXJjZT0xCiAg ICAgZWxzZQpAQCAtNjksMTIgKzczLDEyIEBACiAgICAgZmkKICAgZmkKIAotICBvZm49JFRNUERJ Ui9ycG0ydGFyZ3okQ09PS0lFL2BiYXNlbmFtZSAkaSAucnBtYC5jcGlvCisgIG9mbj0ke1dPUktE SVJ9L2BiYXNlbmFtZSAkaSAucnBtYC5jcGlvCiAgIGlmICRVU0VSUE0yQ1BJTyAmJiB3aGljaCBy cG0yY3BpbyAxPiAvZGV2L251bGwgMj4gL2Rldi9udWxsIDsgdGhlbgogICAgIHJwbTJjcGlvICRp ID4gJG9mbiAyPiAvZGV2L251bGwKICAgICBpZiBbICEgJD8gPSAwIF07IHRoZW4KICAgICAgIGVj aG8gIi4uLiBycG0yY3BpbyBmYWlsZWQuICAobWF5YmUgJGkgaXMgbm90IGFuIFJQTT8pIgotICAg ICAgKCBjZCAkVE1QRElSIDsgcm0gLXJmIHJwbTJ0YXJneiRDT09LSUUgKQorICAgICAgKCBybSAt cmYgIiR7V09SS0RJUn0vKiIgKQogICAgICAgY29udGludWUKICAgICBmaQogICBlbHNlICMgbGVz cyByZWxpYWJsZSB0aGFuIHJwbTJjcGlvLi4uCkBAIC05MCw3ICs5NCw3IEBACiAJZGVjb21wPSJi emlwMiIKICAgICBlbHNlCiAgICAgICAgIGVjaG8gICIgJGkgLSBubyBtYWdpYyBjb21wcmVzc2lv biBpZGVudGlmaWVyIGZvdW5kIC0gc2tpcHBpbmcgZmlsZSIKLSAgICAgICAgKCBjZCAkVE1QRElS IDsgcm0gLXJmIHJwbTJ0YXJneiRDT09LSUUgKQorICAgICAgICAoIHJtIC1yZiAiJHtXT1JLRElS fS8qIiApCiAgICAgICAgIGNvbnRpbnVlCiAgICAgZmkKICAgICBlY2hvIC1uICIgIHRyeWluZyB0 byBkZWNvbXByZXNzIHdpdGggJHtkZWNvbXB9Li4uIgpAQCAtMTAwLDExICsxMDQsMTEgQEAKICAg ICBlbHNlCiAgICAgICBlY2hvICIgIEZBSUxFRCIKICAgICAgIGVjaG8gICIgJGkgIGZhaWxlZCB0 byBkZWNvbXByZXNzIC0gc2tpcHBpbmcgZmlsZSIKLSAgICAgICggY2QgJFRNUERJUiA7IHJtIC1y ZiBycG0ydGFyZ3okQ09PS0lFICkKKyAgICAgICggcm0gLXJmICIke1dPUktESVJ9LyoiICkKICAg ICAgIGNvbnRpbnVlCiAgICAgZmkKICAgZmkKLSAgREVTVD0kVE1QRElSL3JwbTJ0YXJneiRDT09L SUUKKyAgREVTVD0ke1dPUktESVJ9CiAgICNpZiBbICIkaXNTb3VyY2UiID0gIjEiIF07IHRoZW4K ICAgIyAgIERFU1Q9JERFU1QvJChiYXNlbmFtZSAkKGJhc2VuYW1lICRpIC5ycG0pIC5zcmMpCiAg ICNmaQpAQCAtMTEzLDExICsxMTcsMTIgQEAKICAgICBjcGlvIC0tZXh0cmFjdCAtLXByZXNlcnZl LW1vZGlmaWNhdGlvbi10aW1lIC0tbWFrZS1kaXJlY3RvcmllcyA8ICRvZm4gMT4gL2Rldi9udWxs IDI+IC9kZXYvbnVsbAogICAgIHJtIC1mICRvZm4KICAgICBmaW5kIC4gLXR5cGUgZCAtcGVybSA3 MDAgLWV4ZWMgY2htb2QgNzU1IHt9IFw7ICkKLSAgKCBjZCAkVE1QRElSL3JwbTJ0YXJneiRDT09L SUUgOyB0YXIgY2YgLSAuICkgPiBgYmFzZW5hbWUgJGkgLnJwbWAudGFyCisgICggY2QgJHtXT1JL RElSfSA7IHRhciBjZiAtIC4gKSA+IGBiYXNlbmFtZSAkaSAucnBtYC50YXIKICAgZ3ppcCAtOSBg YmFzZW5hbWUgJGkgLnJwbWAudGFyCiAgIGlmIFsgImBiYXNlbmFtZSAkMGAiID0gInJwbTJ0Z3oi IF07IHRoZW4KICAgICBtdiBgYmFzZW5hbWUgJGkgLnJwbWAudGFyLmd6IGBiYXNlbmFtZSAkaSAu cnBtYC50Z3oKICAgZmkKLSAgKCBjZCAkVE1QRElSIDsgcm0gLXJmIHJwbTJ0YXJneiRDT09LSUUg KQorICAoIHJtIC1yZiAiJHtXT1JLRElSfS8qIiApCiAgIGVjaG8KIGRvbmUKK3JtIC1yZiAke1dP UktESVJ9Cg==