97184 2005-06-27 03:52 0000 sys-cluster/xpvm <= 1.2.5-r2 insecure tmp file creation 2005-08-23 22:06:17 0000 1 Unclassified Gentoo Security Vulnerabilities unspecified All All RESOLVED FIXED http://secunia.com/advisories/16040/ B3 [noglsa] jaervosz P2 minor --- 1 zataz@zataz.net security@gentoo.org dberkholz@gentoo.org tantive@gentoo.org voxus@gentoo.org xmerlin@gentoo.org zataz@zataz.net 2005-06-27 03:52:03 0000 Hello, Take a look at src/xpvm.tcl : 158 # 159 # Get User Name 160 # 161 162 set user [ get_user_name ] 832 if { $tfck == 0 } { set trace_file "/tmp/xpvm.trace.$user" } 834 $CTRL.file_entry insert 0 $trace_file Regards. tigger@gentoo.org 2005-07-05 06:26:00 0000 confirmed vulnerable. zataz@zataz.net 2005-07-12 00:37:07 0000 Hello, Vendor notified. Regards. taviso@gentoo.org 2005-07-12 01:47:05 0000 confirmed by rob, moving to vulnerabilities. koon@gentoo.org 2005-07-13 12:56:29 0000 Leaked by Secunia, SA16040 koon@gentoo.org 2005-07-18 05:25:52 0000 Pulling in maintainer : The project looks quite dead (upstream mail failed), should we patch it ? remove it ? jaervosz@gentoo.org 2005-07-23 04:55:35 0000 Tantive seems to be MIA, pulling in the rest of cluster. tantive@gentoo.org 2005-07-28 14:50:34 0000 If someone is able to fix it, then let's fix it, otherwise we have to remove or mask it. Personally i'd love to see a fix so it can stay in portage. yvasilev@gentoo.org 2005-07-29 00:02:46 0000 It should be changes to use ns_tmpnam [1], something like may work: 832 if { $tfck == 0 } { set trace_file ns_tmpnam } Yuri. [1] http://www.panoptic.com/wiki/aolserver/686 solar@gentoo.org 2005-07-29 15:23:59 0000 Yuri are you sure about that? I don't use wish much or xpvm at all but I've done a fair bit of tcl in my day and I've never seen ns_tmpnam. Perhaps it's an aolserver only function? solar@simple xpvm $ wish % ns_tmpnam invalid command name "ns_tmpnam" solar@simple xpvm $ tclsh Loading module ptrace 8.4.6> ns_tmpnam invalid command name "ns_tmpnam" solar@simple xpvm $ tcl tcl>ns_tmpnam Error: invalid command name "ns_tmpnam" yvasilev@gentoo.org 2005-07-29 17:09:55 0000 Created an attachment (id=64689) xpvmm-1.2.5-secure-temp.patch a patch that should do fine until file tempfile ?template? ?namevar? [1] is available in tcl 8.5 [1] http://www.tcl.tk/cgi-bin/tct/tip/210.html yvasilev@gentoo.org 2005-07-29 17:32:59 0000 There is another way to solve this problem but it'll require >=dev-tcltk/tcllib-1.7 to be added as dependency so "::fileutil::tempfile ? prefix ?" can be used, but I think it's not worth adding another dependency considerings the before mentioned support for file tempfile subcommand is expected to be added in tcl 8.5. Also, in case the patch gets accepted, please credit solar@gentoo.org for it's authorship as I my just cleaned it. koon@gentoo.org 2005-07-30 07:27:19 0000 solar, you're the TCL expert, could you review the patch ? If you're OK with it, tantive can plug it in. solar@gentoo.org 2005-08-01 22:02:14 0000 The code is fine. shell$ qfile /bin/tempfile sys-apps/debianutils (/bin/tempfile) A dep would have to be added either way. jaervosz@gentoo.org 2005-08-01 22:03:44 0000 Micheal please provide an updated ebuild. tantive@gentoo.org 2005-08-09 13:59:28 0000 I added a patched xpvm-1.2.5-r4 to the tree and removed the old ebuilds. Thanks for your help. jaervosz@gentoo.org 2005-08-09 14:04:29 0000 Thx Micheal. This one is ready for GLSA decision. I tend to vote NO. koon@gentoo.org 2005-08-10 00:46:57 0000 Looks like a tool that would typically run as root, which would make me vote yes, but I really don't know. Michael, could you provide some insight on how the software is typically run, and if it always uses the temporary file (vs. it only uses it if option --verbosity=high is set)... jaervosz@gentoo.org 2005-08-15 09:50:14 0000 Micheal/Cluster please advise. koon@gentoo.org 2005-08-21 08:36:30 0000 OK; looks like we won't get input about this from the cluster herd, so security members, make up your mind. In doubt I vote YES. taviso@gentoo.org 2005-08-23 02:07:09 0000 i would vote NO jaervosz@gentoo.org 2005-08-23 22:06:17 0000 Reverting my vote to full NO -> Closing without GLSA. Feel free to reopen if you disagree. 64689 2005-07-29 17:09 0000 xpvmm-1.2.5-secure-temp.patch xpvmm-1.2.5-secure-temp.patch text/plain ZGlmZiAtTmF1ciB4cHZtLm9yaWcvc3JjL3hwdm0udGNsIHhwdm0vc3JjL3hwdm0udGNsCi0tLSB4 cHZtLm9yaWcvc3JjL3hwdm0udGNsCTE5OTgtMDQtMDkgMTY6MTI6MzIuMDAwMDAwMDAwIC0wNTAw CisrKyB4cHZtL3NyYy94cHZtLnRjbAkyMDA1LTA3LTI5IDE5OjAyOjMzLjc3NjU4ODg2NCAtMDUw MApAQCAtODI5LDcgKzgyOSwxNyBAQAogCiBzZXQgdGZjayBbIGluZm8gZXhpc3RzIHRyYWNlX2Zp bGUgXQogCi1pZiB7ICR0ZmNrID09IDAgfSB7IHNldCB0cmFjZV9maWxlICIvdG1wL3hwdm0udHJh Y2UuJHVzZXIiIH0KK2lmIHsgJHRmY2sgPT0gMCB9IHsKKwlpZiB7JHRjbF9wbGF0Zm9ybShwbGF0 Zm9ybSkgIT0gInVuaXgifSB7CisJCXB1dHMgc3RkZXJyICJmYXRhbCBlcnJvciwgc2VjdXJlIHRl bXAgZmlsZSBjcmVhdGlvbiBub3QgYXZhaWxhYmxlIgorCQlleGl0IDEKKwl9CisJY2F0Y2gge2V4 ZWMgL2Jpbi90ZW1wZmlsZX0gdHJhY2VfZmlsZQorCWlmIHtbZmlsZSBleGlzdCAkdHJhY2VfZmls ZV0gIT0gMX0geworCQlwdXRzIHN0ZGVyciAiZmF0YWwgZXJyb3IsIHNlY3VyZSB0ZW1wIGZpbGUg Y3JlYXRpb24gbm90IGF2YWlsYWJsZSIKKwkJZXhpdCAxCisJfQorfQogCiAkQ1RSTC5maWxlX2Vu dHJ5IGluc2VydCAwICR0cmFjZV9maWxlCiAK