Bug 104565 - app-admin/gtkdiskfree <= 1.9.3 unsecure tmp file creation
Bug#: 104565 Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: minor Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: zataz@zataz.net
Component: Vulnerabilities
URL: 
Summary: app-admin/gtkdiskfree <= 1.9.3 unsecure tmp file creation
Keywords:  
Status Whiteboard: B3 [glsa]
Opened: 2005-09-02 02:16 0000
Description:   Opened: 2005-09-02 02:16 0000 
Hello,

Take a look at : src/mount.h

23 #define TUBE_NAME                "/tmp/gtkdiskfree"

Then to : src/mount.c

32 open_cmd_tube (const gchar *cmd, const gchar *mount_point)
33 {
34         gint status;
35         gchar error[MAXLINE], *line;
36         FILE *sh, *tmp;
37 
38         setbuf(stdout, error);
39         line = g_strconcat(cmd, " ", mount_point, " &> ", TUBE_NAME, NULL);
40         sh = popen(line, "r");
41         g_free(line);
42         
43         status = pclose(sh);
44         
45         if (status == 0) {
46                 remove(TUBE_NAME);
47                 gui_list_main_update(GTK_TREE_VIEW(list_treeview));
48                 
49                 return;
50         } else {
51                 if ((tmp = fopen(TUBE_NAME, "r")) == NULL) {
52                         gui_list_main_update(GTK_TREE_VIEW(list_treeview));
53                         
54                         return;
55                 }          
56                 if (fgets(error, MAXLINE-1, tmp) == NULL) {
57                         fclose(tmp);
58                         remove(TUBE_NAME);
59                         gui_list_main_update(GTK_TREE_VIEW(list_treeview));
60                            
61                         return;
62                 }
63                 fclose(tmp);
64                 remove(TUBE_NAME);
65                 error_window(error);
66         }
67         gui_list_main_update(GTK_TREE_VIEW(list_treeview));
68 
69         return;
70 }

Regards

------- Comment #1 From Tavis Ormandy (RETIRED) 2005-09-02 05:12:37 0000 ------- 
Yes, obvious bug.

He doesnt need a temp file to do that, popen returns a stream anyway, suggested 
quick fix attached.

------- Comment #2 From Tavis Ormandy (RETIRED) 2005-09-02 05:12:58 0000 ------- 
Created an attachment (id=67471) [details]
temp file fix

------- Comment #3 From Thierry Carrez (RETIRED) 2005-09-03 02:43:18 0000 ------- 
Let us know when upstream is aware.

------- Comment #4 From Romang 2005-09-05 00:50:12 0000 ------- 
Hello,

Upstream seems to be down.

http://gtkdiskfree.tuxfamily.org/
or
http://gtkdiskfree.sourceforge.net/

Regards.

------- Comment #5 From Romang 2005-09-05 00:53:22 0000 ------- 
Hello,

Email sends to vendor-sec@lst.de

Regards.

------- Comment #6 From Thierry Carrez (RETIRED) 2005-09-07 07:36:14 0000 ------- 
Pulling in maintainer:
Daniel, this is still non-public. Since upstream is dead, would you be in favor
of patching or removing ?

------- Comment #7 From Romang 2005-09-15 00:22:49 0000 ------- 
Hello,

Released the 15/09/2005

You can open the bug.

Thxs for your time and help.

Regards.

------- Comment #8 From Sune Kloppenborg Jeppesen 2005-09-15 00:27:15 0000 ------- 
Opening

------- Comment #9 From Thierry Carrez (RETIRED) 2005-09-15 06:56:50 0000 ------- 
morfic, your opinion ?

------- Comment #10 From SpanKY 2005-09-15 15:23:53 0000 ------- 
at a glance the patch looks good to me

------- Comment #11 From Thierry Carrez (RETIRED) 2005-09-17 05:50:12 0000 ------- 
Not worth masking the package... Let's patch it, if we can find someone to do
it... vapier: feel like it ?

------- Comment #12 From SpanKY 2005-09-28 17:27:00 0000 ------- 
1.9.3-r1 now in portage

------- Comment #13 From Thierry Carrez (RETIRED) 2005-09-29 00:41:39 0000 ------- 
Archs, please test and mark stable...

------- Comment #14 From Michael Hanselmann (hansmi) (RETIRED) 2005-09-29 08:43:07 0000 ------- 
Stable on ppc.

------- Comment #15 From Thierry Carrez (RETIRED) 2005-09-30 01:01:05 0000 ------- 
This is CAN-2005-2918

------- Comment #16 From Markus Rothe 2005-09-30 11:17:21 0000 ------- 
stable on ppc64

------- Comment #17 From Paul Varner 2005-09-30 12:56:56 0000 ------- 
stable on x86

------- Comment #18 From Simon Stelling (RETIRED) 2005-09-30 12:59:16 0000 ------- 
stable on amd64

------- Comment #19 From Thierry Carrez (RETIRED) 2005-09-30 13:45:08 0000 ------- 
Ready for GLSA vote

------- Comment #20 From Thierry Carrez (RETIRED) 2005-10-01 03:38:35 0000 ------- 
I tend to vote yes.

------- Comment #21 From Sune Kloppenborg Jeppesen 2005-10-02 10:09:00 0000 ------- 
I tend to vote NO.

------- Comment #22 From Tavis Ormandy (RETIRED) 2005-10-02 10:44:54 0000 ------- 
I would vote YES, as it's so easy to exploit.

------- Comment #23 From Thierry Carrez (RETIRED) 2005-10-02 11:06:46 0000 ------- 
Let there be a GLSA.

------- Comment #24 From Thierry Carrez (RETIRED) 2005-10-03 09:02:51 0000 ------- 
GLSA 200510-01