Bug 150264 - dev-lang/mono - insecure temp file usage (CVE-2006-5072)
Bug#: 150264 Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: minor Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: carlo@gentoo.org
Component: Vulnerabilities
URL:  http://www.ubuntu.com/usn/usn-357-1
Summary: dev-lang/mono - insecure temp file usage (CVE-2006-5072)
Keywords:  
Status Whiteboard: B3 [glsa]
Opened: 2006-10-06 06:17 0000
Description:   Opened: 2006-10-06 06:17 0000 
from USN-357-1:

Sebastian Krahmer of the SuSE security team discovered that the
System.CodeDom.Compiler classes used temporary files in an insecure
way. This could allow a symbolic link attack to create or overwrite
arbitrary files with the privileges of the user invoking the program.
Under some circumstances, a local attacker could also exploit this to
inject arbitrary code into running Mono processes.


http://www.ubuntu.com/usn/usn-357-1

------- Comment #1 From Matthias Geerdsen 2006-10-11 05:39:18 0000 ------- 
dotnet, pls patch/bump

------- Comment #2 From Peter Johanson (RETIRED) 2006-10-11 09:15:01 0000 ------- 
Wonderful of ubuntu/CVE to actually link to an open ximian bugzilla bug, or a
SVN revision that fixes, it, etc. I will dig into SVN to try to find the fix
for us.

------- Comment #3 From Peter Johanson (RETIRED) 2006-10-15 17:05:37 0000 ------- 
Ok, added both 1.1.13.8.1 and 1.1.18. I suggest 1.1.13.8.1 for stabalisation,
1.1.17 and newer have some breakages that aren't properly handed in stable arch
yet. Should I CC arches now?

------- Comment #4 From Matthias Geerdsen 2006-10-17 04:24:34 0000 ------- 
thanks Peter

arches, pls test dev-lang/mono-1.1.13.8.1 and mark stable if possible

------- Comment #5 From Christian Faulhammer 2006-10-17 05:21:16 0000 ------- 
1) emerges fine, apart from bug #131569
2) passes collision test
3) works (media-sound/last-exit emerges fine and works)

Portage 2.1.1 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r3,
2.6.17-gentoo-r8 i686)
=================================================================
System uname: 2.6.17-gentoo-r8 i686 AMD Athlon(tm) XP 2500+
Gentoo Base System version 1.12.5
Last Sync: Tue, 17 Oct 2006 04:20:01 +0000
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: 1.3.7, 2.0.30
dev-lang/python:     2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     [Not Present]
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r4
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r1
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config
/usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config
/usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/
/usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/
/usr/share/texmf/xdvi/"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf
/etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-O2"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache collision-protect distlocks metadata-transfer
parallel-fetch sandbox sfperms strict test"
GENTOO_MIRRORS="ftp://sunsite.informatik.rwth-aachen.de/pub/Linux/gentoo/"
LANG="de_DE@euro"
LC_ALL="de_DE@euro"
LINGUAS="de"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.informatik.rwth-aachen.de/gentoo-portage"
USE="x86 3dnow 3dnowext X Xaw3d a52 aiglx alsa artworkextra asf audiofile
bash-completion beagle berkdb bidi bitmap-fonts bootsplash branding bzip2 cairo
cdda cddb cdparanoia cdr cli cracklib crypt css cups curl custom-cflags dbus
dga directfb divx4linux dlloader dri dts dvd dvdr dvdread dvi eds elibc_glibc
emacs emboss encode esd evo exif expat fam fat fbcon ffmpeg firefox fortran ftp
gb gcj gdbm gif gnome gpm gstreamer gtk gtk2 gtkhtml hal icq idn imagemagick
imap input_devices_keyboard input_devices_mouse ipv6 isdnlog java javascript
jikes jpeg jpeg2k kde kernel_linux ldap leim libg++ linguas_de lm_sensors mad
maildir matroska mbox mhash mikmod mime mmx mmxext mng mono mp3 mpeg mpeg2 mule
mysql nautilus ncurses nforce2 nls nocardbus nptl nptlonly nsplugin nvidia objc
ogg opengl pam pcre pdf perl plotutils pmu png ppds pppd preview-latex print
python qt3 qt4 quicktime readline reflection reiserfs samba sdk session slang
spell spl sse ssl svg svga t1lib tcltk tcpd tetex theora thunderbird tiff
truetype truetype-fonts type1-fonts udev usb userland_GNU vcd video_cards_fbdev
video_cards_radeon video_cards_vesa videos vorbis win32codecs wmf wxwindows
xine xml xorg xosd xv xvid zlib"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS,
PORTAGE_RSYNC_EXTRA_OPTS

------- Comment #6 From Markus Meier 2006-10-17 11:38:03 0000 ------- 
1. emerges fine on x86
2. passes collision test
3. works as all mono-dependent packages rebuilt (and worked) fine. (some
gnome/evolution stuff)

emerge --info
Portage 2.1.1 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r3,
2.6.18.1 i686)
=================================================================
System uname: 2.6.18.1 i686 Genuine Intel(R) CPU           T2300  @ 1.66GHz
Gentoo Base System version 1.12.5
Last Sync: Tue, 17 Oct 2006 16:50:01 +0000
ccache version 2.3 [disabled]
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: 1.3.7, 2.0.30
dev-lang/python:     2.3.5-r3, 2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.3
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r4
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r1
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config
/usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config
/usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/
/usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/
/usr/share/texmf/xdvi/"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf
/etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--nospinner"
FEATURES="autoconfig collision-protect distlocks metadata-transfer
parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://distfiles.gentoo.org
http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LINGUAS="en de en_GB de_CH"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="x86 X a52 aac acpi alsa apache2 asf berkdb bitmap-fonts cairo cdr cdrom
cli cracklib crypt cups dbus divx dlloader dri dts dvd dvdr dvdread eds
elibc_glibc emboss encode fam ffmpeg firefox flac fortran gdbm gif gnome gpm
gstreamer gtk hal input_devices_keyboard input_devices_mouse ipv6 isdnlog java
jpeg kde kernel_linux ldap libg++ linguas_de linguas_de_CH linguas_en
linguas_en_GB mad mikmod mmx mono mp3 mpeg ncurses nls nptl nptlonly ogg opengl
oss pam pcre perl png ppds pppd python qt3 qt4 quicktime readline reflection
rtsp samba sdl session smp spell spl sse sse2 sse3 ssl svg tcpd test tetex
theora threads truetype truetype-fonts type1-fonts udev unicode userland_GNU
vcd video_cards_fbdev video_cards_i810 video_cards_vesa vorbis win32codecs
wxwindows x264 xine xml xorg xprint xv xvid zlib"
Unset:  CTARGET, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS,
PORTDIR_OVERLAY

------- Comment #7 From Tobias Scherbaum 2006-10-21 15:43:37 0000 ------- 
Fails on ppc,

make[8]: Entering directory
`/var/tmp/portage/mono-1.1.13.8.1/work/mono-1.1.13.8.1/mcs/class/Mono.Security'
MONO_PATH="../../class/lib/net_2_0_bootstrap:$MONO_PATH"
/var/tmp/portage/mono-1.1.13.8.1/work/mono-1.1.13.8.1/runtime/mono-wrapper 
../../class/lib/net_2_0_bootstrap/mcs.exe /codepage:28591   -d:NET_1_1
-d:BOOTSTRAP_NET_2_0 -debug /noconfig -r:System.dll -unsafe -target:library
-out:Mono.Security.dll  @Mono.Security.dll.sources

** (../../class/lib/net_2_0_bootstrap/mcs.exe:2495): WARNING **: The class
System.Text.EncoderFallbackBuffer could not be loaded, used in mscorlib,
Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089

=================================================================
Got a SIGSEGV while executing native code. This usually indicates
a fatal error in the mono runtime or one of the native libraries
used by your application.
=================================================================

------- Comment #8 From Christian Faulhammer 2006-10-21 23:16:59 0000 ------- 
(In reply to comment #7)
> Fails on ppc,

 Unmerge and then emerge.

------- Comment #9 From Tobias Scherbaum 2006-10-22 07:03:52 0000 ------- 
Ok, works then ... *sigh* .... Shouldn't that info be put in an einfo|ewarn in
src_unpack?

------- Comment #10 From Christian Faulhammer 2006-10-27 09:23:16 0000 ------- 
x86 stable, though a notice about the unmerge->emerge cycle would be nice.

------- Comment #11 From Tobias Scherbaum 2006-10-27 10:37:46 0000 ------- 
(In reply to comment #9)
> Ok, works then ... *sigh* .... Shouldn't that info be put in an einfo|ewarn in
> src_unpack?
> 

ping?

------- Comment #12 From Michael Weyershäuser 2006-10-31 11:26:09 0000 ------- 
emerges fine on amd64, passes tests, good to go...

emerge --info
Portage 2.1.1-r1 (default-linux/amd64/2006.1/desktop, gcc-4.1.1, glibc-2.4-r3,
2.6.18-suspend2-Dudebox-Edition x86_64)
=================================================================
System uname: 2.6.18-suspend2-Dudebox-Edition x86_64 AMD Athlon(tm) 64
Processor 3200+
Gentoo Base System version 1.12.5
Last Sync: Tue, 31 Oct 2006 04:50:01 +0000
distcc 2.18.3 x86_64-pc-linux-gnu (protocols 1 and 2) (default port 3632)
[enabled]
ccache version 2.3 [enabled]
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: [Not Present]
dev-lang/python:     2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.3
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r3
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=k8 -msse3 -Os -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config
/usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-march=k8 -msse3 -Os -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig buildpkg ccache collision-protect distcc distlocks
metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test"
GENTOO_MIRRORS="ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror/
ftp:///ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/"
LDFLAGS="-Wl,-O1"
MAKEOPTS="-j4"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage_overlay"
SYNC="rsync://server/gentoo-portage"
USE="amd64 X alsa apache2 berkdb bitmap-fonts cairo cdr cli cracklib crypt cups
dbus dlloader dri dvd dvdr eds elibc_glibc emboss encode esd fam firefox
fortran gcj gdbm gif gpm gstreamer gtk gtk2 hal iconv imap
input_devices_keyboard input_devices_mouse isdnlog jpeg kde kdeenablefinal
kdehiddenvisibility kernel_linux libg++ mad mikmod mp3 mpeg mysql ncurses nls
nptl nptlonly objc objc++ ogg oss pam pcre perl png ppds pppd python qt3 qt4
quicktime readline reflection sdl session spell spl sqlite ssl tcpd test
truetype truetype-fonts type1-fonts udev unicode userland_GNU
video_cards_radeon vorbis xml xorg xv zlib"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LINGUAS,
PORTAGE_RSYNC_EXTRA_OPTS

------- Comment #13 From Malcolm Lashley (RETIRED) 2006-11-01 16:31:29 0000 ------- 
Stable on amd64... though Kugelfang beat me to the commit...

------- Comment #14 From Raphael Marichez 2006-11-03 05:36:18 0000 ------- 
Usually we treat the insecure file creation vulnerabilities as *3   -->
rerating


"This could allow a symbolic link attack to create or overwrite
arbitrary files with the privileges of the user invoking the program."

normally this is not run as root



"Under some circumstances, a local attacker could also exploit this to
inject arbitrary code into running Mono processes."

"local attacker" --> i would vote for no glsa.

------- Comment #15 From Tobias Scherbaum 2006-11-03 05:44:20 0000 ------- 
Err, shall we ignore that "just updating" won't work? If it's that way I'm ok
with stabling the package, but i would've expect to get at least an answer to
my question.

------- Comment #16 From Tobias Scherbaum 2006-11-04 07:03:57 0000 ------- 
As noone else seems to be interested in that ... ppc stable.

------- Comment #17 From Raphael Marichez 2006-11-06 01:37:24 0000 ------- 
i vote for noglsa because the impact is weak: a *local* attacker could perform
a symlink attack, possibly leading to the execution of arbitrary code with the
rights of the user running mono.

------- Comment #18 From Raphael Marichez 2006-11-20 07:49:25 0000 ------- 
sec team please make a sign of life

------- Comment #19 From Sune Kloppenborg Jeppesen 2006-11-20 08:21:15 0000 ------- 
I vote YES.

------- Comment #20 From Matthias Geerdsen 2006-11-23 13:38:30 0000 ------- 
voting yes too

------- Comment #21 From Sune Kloppenborg Jeppesen 2006-11-24 01:48:59 0000 ------- 
Let's have a GLSA then.

------- Comment #22 From Raphael Marichez 2006-11-28 12:32:16 0000 ------- 
GLSA 200611-23