Bug 129470 - media-gfx/fbida: insecure temp. file creation (CVE-2006-1695)
Bug#: 129470 Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: minor Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: falco@gentoo.org
Component: Vulnerabilities
URL:  http://secunia.com/advisories/19559/
Summary: media-gfx/fbida: insecure temp. file creation (CVE-2006-1695)
Keywords:  
Status Whiteboard: B3 [glsa] Falco
Opened: 2006-04-10 05:34 0000
Description:
Jan Braun has reported a vulnerability in fbida, which can be exploited by
malicious, local users to perform certain actions on a vulnerable system with
escalated privileges.

The "fbgs" script creates temporary files insecurely in the "/var/tmp"
directory when the "TMPDIR" environment variable isn't defined. This can be
exploited to create or overwrite arbitrary files via symlink attacks with the
privileges of a user running the vulnerable script.

The vulnerability has been reported in versions 2.01 and 2.03. Other versions
may also be affected.


see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=361370
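
The predictable-name pattern described above next to a `mktemp -d` replacement, as an added example that is not part of the original report or of the fbgs script. The function names, the sandbox directory and the stand-in PID 4242 are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration; function names are hypothetical, not taken from fbgs.

# Pre-fix pattern: predictable name under a shared directory. "mkdir -p"
# succeeds even if the path already exists, so a directory (or symlink to
# one) planted in advance by another local user is silently reused.
legacy_tmpdir() {
    dir="${TMPDIR-/var/tmp}/fbps-$1"   # $1 stands in for the PID ($$)
    mkdir -p "$dir" || return 1
    printf '%s\n' "$dir"
}

# Hardened pattern: mktemp -d chooses an unpredictable name and creates the
# directory itself (mode 0700), failing instead of reusing an existing path.
safe_tmpdir() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/fbgs-XXXXXX") || return 1
    [ -n "$dir" ] && [ -d "$dir" ] && [ ! -L "$dir" ] || return 1
    printf '%s\n' "$dir"
}

# Succeeds only for a real directory we own with no group/other access.
is_private_dir() {
    [ -d "$1" ] && [ ! -L "$1" ] && [ -O "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

demo() {
    sandbox=$(mktemp -d) || return 1
    # Constructed scenario: the predictable path already exists, world-writable.
    mkdir -m 0777 "$sandbox/fbps-4242"
    old=$(TMPDIR="$sandbox" legacy_tmpdir 4242)
    new=$(TMPDIR="$sandbox" safe_tmpdir)
    for d in "$old" "$new"; do
        if is_private_dir "$d"; then echo "private:     $d"
        else echo "NOT private: $d"; fi
    done
    rm -rf "$sandbox"
}
demo
```

The legacy function reports success while handing back a directory it did not create, which is why a check such as `is_private_dir` is worth running on any temporary directory a script did not obtain from `mktemp -d`.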

------- Comment #1 From Raphael Marichez 2006-04-10 05:43:25 0000 -------
patch proposed from debian
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=361370

>  # tmp dir
> -DIR="${TMPDIR-/var/tmp}/fbps-$$"
> -mkdir -p $DIR	|| exit 1
> +DIR=`mktemp -dtp /tmp fbgs-XXXXXX`
> +[ -d $DIR ]  || exit 1
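
Review bot: the guard on the last added line, `[ -d $DIR ]  || exit 1`, does not catch a failed mktemp. If mktemp fails and prints nothing, DIR is empty and the unquoted test collapses to `[ -d ]`, which is true because a one-argument test only checks that the string "-d" is non-empty, so the script continues with an empty $DIR. Check the exit status of mktemp itself by appending `|| exit 1` to the DIR= assignment, and quote the expansion as `[ -d "$DIR" ]`.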

------- Comment #2 From Thierry Carrez (RETIRED) 2006-04-15 05:26:54 0000 -------
spock, please bump with provided patch

------- Comment #3 From Michal Januszewski 2006-04-15 14:43:24 0000 -------
Done, the patch is included in -r3.

------- Comment #4 From Sune Kloppenborg Jeppesen 2006-04-15 21:32:20 0000 -------
x86 please test and mark stable.

------- Comment #5 From Raphael Marichez 2006-04-16 03:47:45 0000 -------
I might be wrong, but fbida-2.03-r2 is marked stable for ppc64, and -r2 is
vulnerable.

So ppc64 has to test fbida-2.03-r3 and mark it stable too, thank you in
advance.

------- Comment #6 From Markus Rothe 2006-04-16 12:31:52 0000 -------
it was committed straight to stable on ppc64...

anyway.. seems to build and run just fine.

------- Comment #7 From Raphael Marichez 2006-04-17 08:51:17 0000 -------
np, thank you corsair

------- Comment #8 From Joshua Jackson 2006-04-17 20:42:10 0000 -------
x86 is done \(^.^)/

------- Comment #9 From Raphael Marichez 2006-04-18 12:07:38 0000 -------
OK; glsa?

I tend to vote "yes" (we have already provided several glsas concerning such
symlink attacks and B3)

------- Comment #10 From Sune Kloppenborg Jeppesen 2006-04-18 21:09:42 0000 -------
I tend to vote YES.

------- Comment #11 From Thierry Carrez (RETIRED) 2006-04-19 10:44:33 0000 -------
Half yes here too. One more look please

------- Comment #12 From Stefan Cornelius (RETIRED) 2006-04-21 08:52:13 0000 -------
another half yes

------- Comment #13 From Raphael Marichez 2006-04-23 02:20:01 0000 -------
thanks to jaervosz for the CVE reference

------- Comment #14 From Sune Kloppenborg Jeppesen 2006-04-23 12:59:46 0000 -------
Thx Falco. GLSA 200604-13 is out.