Bug 108690 - media-gfx/graphviz insecure temp file issue
Bug#: 108690
Product: Gentoo Security
Version: unspecified
Platform: All
OS/Version: Linux
Status: RESOLVED
Severity: minor
Priority: P2
Resolution: FIXED
Assigned To: security@gentoo.org
Reported By: jaervosz@gentoo.org
Component: Vulnerabilities
URL: http://www.debian.org/security/2005/dsa-857
Summary: media-gfx/graphviz insecure temp file issue
Keywords:
Status Whiteboard: B3 [noglsa]
Opened: 2005-10-10 00:05 0000
Not sure whether we're affected.
Javier Fernández-Sanguino Peña discovered insecure temporary file creation.
Can't tell where the patch is in the Debian diff. Maybe better to ask Ulf about it.
I asked Javier about this bug.
I checked, current stable (1.16) is affected (probably latest ~ also is).
graphics herd: please bump with supplied patch...
I don't recognise that language, but that seems like a fairly poor fix. Creating ten thousand symbolic links is not out of the question, and there's no race condition I need to win.
This may be the best they can do in that language?
Yeah, I suppose they could do system("mktemp.."), but if this is the best that's possible I guess I will have to live with it :)
sekretarz should have a look at it later today
sekretarz any progress on this one?
patch committed, amd64 should stabilize at least to the 1.16
I assume that the 2.6 is safe, isn't it?
Yes, 2.6 is already fixed.
Luca: we'll need a revbump to 1.16-r1 so that it can be picked up in upgrades, and you'll be done.
I'd just call for having 2.6 stable and remove all versions but 2.6 and add 1.16-r1 (if it is still needed).
Hm. Too many arches don't even have it as ~ so I think it's much quicker to bump to 1.16-r1 and ask arches to mark 1.16-r1 stable and 2.6 ~.
revbump committed, please notify amd64 that the older versions will be removed soon.
amd64: please test and mark 1.16-r1 stable
alpha hppa ia64 mips ppc-macos: please add ~ keyword to 2.6
KillerFox added ~hppa, thanks to him.
Tested media-gfx/graphviz-1.16-r1 for amd64. Builds and loads. Able to render several sample .dot files.
No extensive regression testing, but as this is a security bump, tests stable for amd64.
amd64 would be happy, but:
RepoMan scours the neighborhood...
DEPEND.bad 1
media-gfx/graphviz/graphviz-2.6.ebuild: ~hppa(default-linux/hppa/2004.3)
['>=x11-libs/libsvg-cairo-0.1.3']
RDEPEND.bad 1
media-gfx/graphviz/graphviz-2.6.ebuild: ~hppa(default-linux/hppa/2004.3)
['>=x11-libs/libsvg-cairo-0.1.3']
digest.assumed 11
digest-graphviz-1.10::graphviz-1.10.tar.gz
digest-graphviz-1.12::graphviz-1.12.tar.gz
digest-graphviz-1.12-r1::graphviz-1.12.tar.gz
digest-graphviz-1.12-r1::graphviz-1.12-configure.ac.bz2
digest-graphviz-1.16::graphviz-1.16-panic.patch.tar.bz2
digest-graphviz-2.2::graphviz-2.2.tar.gz
digest-graphviz-2.2.1::graphviz-2.2.1.tar.gz
digest-graphviz-2.2.1-r1::graphviz-2.2.1.tar.gz
digest-graphviz-2.4::graphviz-2.4.tar.gz
digest-graphviz-2.6::graphviz-2.6.tar.gz
digest-graphviz-1.16-r1::graphviz-1.16-panic.patch.tar.bz2
Please fix these important QA issues first.
RepoMan sez: "Make your QA payment on time and you'll never see the likes of me."
If I've botched something, please smack me with it, but I don't see how anyone could have committed with those errors.
(In reply to comment #18)
> amd64 would be happy, but:
>
> RepoMan scours the neighborhood...
>
> DEPEND.bad 1
> media-gfx/graphviz/graphviz-2.6.ebuild: ~hppa(default-linux/hppa/2004.3)
> ['>=x11-libs/libsvg-cairo-0.1.3']
How about a "cvs up" in x11-libs/libsvg-cairo? repoman scan doesn't complain here, and libsvg-cairo-0.1.6 is ~hppa.
repoman doesn't bitch here either, so amd64 is happy. sorry for the delay
Still waiting on alpha, ia64, mips and ppc-macos to add the ~ keyword to graphviz-2.6
FYI: there is a compilation issue that first needs to be resolved on ppc-macos before it can be marked ~ppc-macos.
Kloeri did alpha and ia64
If the main script is affected I vote YES.
Testing ppc-macos. Sorry for the long wait -- we had undefined symbol problems.
Looking at the patch again, I don't think this is an acceptable fix. Making 10000 symlinks is not a serious obstacle to explanation, and even if for some reason that is infeasible, just creating 1000 gives you a 1:10 chance of getting it. As there is no race condition, you can create 1000 of them, and just wait, sooner or later it will be hit.
I think we will have to use system('mktemp') or similar.
s/explanation/exploitation/
It's not easy to securely create tmpfiles in that "lefty" language (you just have "system" and apparently no way of getting stdout of commands). For those who want to try:
http://www.graphviz.org/Documentation/leftyguide.pdf
If you reduce the thing to a race condition, we'll take it.
Tavis: I guess the only way out is to limit files in HOME or current directory... or expand the random to a few million possibilities. Would that be better?
using $HOME sounds fine to me
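Added example, not code from this bug or from graphviz: the exclusive-create behaviour that the mktemp suggestion above relies on, in C. A pre-planted name (including a symlink, the "create 10000 of them and wait" case) makes mkstemp(3)/O_EXCL fail instead of being followed, so guessing the name no longer helps; the directory choice (TMPDIR, then $HOME, then the current directory) and the dotty.* name prefix are assumptions.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed directory choice, following the thread: TMPDIR, else $HOME (not
 * world-writable like /tmp), else the current directory. */
const char *tmp_dir(void)
{
    const char *d = getenv("TMPDIR");
    if (!(d && *d && access(d, W_OK) == 0)) d = getenv("HOME");
    return (d && *d && access(d, W_OK) == 0) ? d : ".";
}

/* mkstemp(3) opens with O_CREAT|O_EXCL, so an existing name (file or planted
 * symlink) fails instead of being followed; then confirm the fd really is our
 * own fresh regular file. Returns the fd (caller closes/unlinks) or -1. */
int open_private_tmp(const char *dir, char *path, size_t len)
{
    struct stat st;
    int fd;
    if (snprintf(path, len, "%s/dotty.XXXXXX", dir) >= (int)len) return -1;
    if ((fd = mkstemp(path)) < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != getuid() || st.st_nlink != 1) {
        close(fd); unlink(path); return -1;
    }
    return fd;
}

/* Why a guessed name no longer helps: plant a (dangling) symlink at the name
 * about to be used, then open it exclusively. Returns 1 when the open is
 * refused with EEXIST (the link is not followed), 0 otherwise. */
int excl_refuses_planted_link(const char *dir)
{
    char lnk[4096], target[4096];
    int fd, refused;
    snprintf(lnk, sizeof lnk, "%s/dotty.link.%ld", dir, (long)getpid());
    snprintf(target, sizeof target, "%s/dotty.victim.%ld", dir, (long)getpid());
    unlink(lnk);
    if (symlink(target, lnk) != 0) return 0;
    fd = open(lnk, O_WRONLY | O_CREAT | O_EXCL, 0600);
    refused = (fd < 0 && errno == EEXIST);
    if (fd >= 0) close(fd);
    unlink(lnk);
    return refused;
}
```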
Luca: care to update the graphviz patch with the attached one?
This one seems ready for GLSA decision. I tend to vote YES.
This patch breaks my compilation.
>>> Unpacking graphviz-1.16.tar.gz to /var/tmp/portage/graphviz-1.16-r1/work
* Applying graphviz-1.16-build.patch ... [ ok ]
* Applying graphviz-1.16-tempdir.patch ...
* Failed Patch: graphviz-1.16-tempdir.patch !
* ( /usr/portage/media-gfx/graphviz/files/graphviz-1.16-tempdir.patch )
*
* Include in your bugreport the contents of:
*
* /var/tmp/portage/graphviz-1.16-r1/temp/graphviz-1.16-tempdir.patch-21313.ou
cn400 ~ # cat /var/tmp/portage/graphviz-1.16-r1/temp/graphviz-1.16-tempdir.patch-21313.out
***** graphviz-1.16-tempdir.patch *****
=======================================
PATCH COMMAND: patch -p0 -g0 --no-backup-if-mismatch <
/usr/portage/media-gfx/graphviz/files/graphviz-1.16-tempdir.patch
=======================================
can't find file to patch at input line 3
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|--- graphviz-2.2.1.orig/dotty/dotty.lefty
|+++ graphviz-2.2.1/dotty/dotty.lefty
--------------------------
No file to patch. Skipping patch.
patch: **** malformed patch at line 12: @@ -768,5 +771,5 @@
=======================================
PATCH COMMAND: patch -p1 -g0 --no-backup-if-mismatch <
/usr/portage/media-gfx/graphviz/files/graphviz-1.16-tempdir.patch
=======================================
patching file dotty/dotty.lefty
patch: **** malformed patch at line 12: @@ -768,5 +771,5 @@
=======================================
PATCH COMMAND: patch -p2 -g0 --no-backup-if-mismatch <
/usr/portage/media-gfx/graphviz/files/graphviz-1.16-tempdir.patch
=======================================
can't find file to patch at input line 3
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|--- graphviz-2.2.1.orig/dotty/dotty.lefty
|+++ graphviz-2.2.1/dotty/dotty.lefty
--------------------------
No file to patch. Skipping patch.
patch: **** malformed patch at line 12: @@ -768,5 +771,5 @@
=======================================
PATCH COMMAND: patch -p3 -g0 --no-backup-if-mismatch <
/usr/portage/media-gfx/graphviz/files/graphviz-1.16-tempdir.patch
=======================================
missing header for unified diff at line 3 of patch
can't find file to patch at input line 3
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|--- graphviz-2.2.1.orig/dotty/dotty.lefty
|+++ graphviz-2.2.1/dotty/dotty.lefty
--------------------------
No file to patch. Skipping patch.
patch: **** malformed patch at line 12: @@ -768,5 +771,5 @@
=======================================
PATCH COMMAND: patch -p4 -g0 --no-backup-if-mismatch <
/usr/portage/media-gfx/graphviz/files/graphviz-1.16-tempdir.patch
=======================================
missing header for unified diff at line 3 of patch
can't find file to patch at input line 3
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|--- graphviz-2.2.1.orig/dotty/dotty.lefty
|+++ graphviz-2.2.1/dotty/dotty.lefty
--------------------------
No file to patch. Skipping patch.
patch: **** malformed patch at line 12: @@ -768,5 +771,5 @@
Note to self: never check a patch by reading it.
Note to self: try to find the time to test patches I submit.
I tend to vote no, as dotty is not the main program and this is typically run as user... but feel free to disagree.
Since this affects only dotty I revert my vote to a full NO and closing. Feel free to reopen if you disagree.