Bug 160130 - sci-astronomy/predict: Insecure /tmp file usage in files/predict-update
|
Bug#:
160130
|
Product: Gentoo Security
|
Version: unspecified
|
Platform: All
|
|
OS/Version: Linux
|
Status: RESOLVED
|
Severity: normal
|
Priority: P2
|
|
Resolution: FIXED
|
Assigned To: security@gentoo.org
|
Reported By: shellsage@gentoo.org
|
|
Component: Vulnerabilities
|
|
|
URL:
|
|
Summary: sci-astronomy/predict: Insecure /tmp file usage in files/predict-update
|
|
Keywords:
|
|
Status Whiteboard: B3? [noglsa]
|
|
Opened: 2007-01-04 15:51 0000
|
The file files/predict-update that is distributed with the
sci-astronomy/predict ebuild insecurely writes to files in /tmp. If the files
were to exist, or be created by a local attacker in a race condition with wget,
as symlinks, arbitrary files could possibly be overwritten upon the
installation of sci-astronomy/predict. wget should not be used to write to
files in /tmp, and even otherwise, the existence of files in wget should be
checked for existence before data is written to them.
Hi Vic,
Thanks for pointing this out! Unfortunately, I am not familiar with this
package, but it seems that the predict-update script is provided
by gentoo rather than being part of the upstream package. It was committed
by phosphan, so maybe he can advise on what to do.
There are two options I can think of right now to resolve this issue:
(1) We add "-nc" to wget to prevent it from overwriting already existing files.
(2) We remove the script altogether and provide the user with a brief set of
instructions on how to update his database "by hand".
If (1) would be fine and sufficient with the security folks I could do that
right away.
Thanks,
Markus
Hi Markus, an easy way to use /tmp securely from a shellscript is like so:
mkdir /tmp/predict-$$ || exit 1
cd /tmp/predict-$$
now you can use wget safely, then just rm -rf the directory when finished...the
imnportant part is you _must_ abort if mkdir returns error. If you dont mind
making this minor change, that would be fine from a security perspective!
Created an attachment (id=105965) [details]
proposed patch to remove insecure file handling
Hi Tavis,
Thanks for the tip and this should work perfectly!
I've attached a proposed patch for predict-update.
If this looks fine to the security team I'll apply it asap and
revision bump the ebuild.
Thanks,
Markus
@security folks:
I've just bumped predict to version 2.2.3 which will pull in
the updated predict-update script (see the posted patch).
This should fix the insecure /tmp file handling, unless there
are additional concerns with the updated version.
The bumped ebuild is currently in ~amd64 and ~x86
and needs to be stabled on both arches to get the insecure
version of predict-update off of user's systems.
Please let me know if there's anything else you would like
me to do.
Thanks,
Markus
thanks Markus
amd64/x86, pls test predict-2.2.3 and mark stable if possible
security please vote on glsa publication
I vote yes; there were a bunch of these packages we found, we should probably
do GLSAs for all of them.
Well if we can bundle a lot of similar issues it would be fine. Otherwise I
tend to vote NO.
(In reply to comment #11)
> Well if we can bundle a lot of similar issues it would be fine. Otherwise I
> tend to vote NO.
>
IMHO it should depend on the package, the severity and if the exploitation if
easy. Here it's only during emerge, so i vote NO, and i close the bug. Feel
free to reopen if you disagree
