Bug 217229 - sys-devel/m4 <1.4.11 mkstemp quoting and "-F" format string issue (CVE-2008-{1687,1688})
Bug#: 217229 (CVE-2008-1687) Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: minor Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: rbu@gentoo.org
Component: Vulnerabilities
URL: 
Summary: sys-devel/m4 <1.4.11 mkstemp quoting and "-F" format string issue (CVE-2008-{1687,1688})
Keywords:  
Status Whiteboard: A4 [noglsa]
Opened: 2008-04-10 22:52 0000
Description:
CVE-2008-1687 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1687):
  The (1) maketemp and (2) mkstemp builtin functions in GNU m4 before 1.4.11 do
  not quote their output when a file is created, which might allow
  context-dependent attackers to trigger a macro expansion, leading to
  unspecified use of an incorrect filename.

CVE-2008-1688 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1688):
  Unspecified vulnerability in GNU m4 before 1.4.11 might allow
  context-dependent attackers to execute arbitrary code, related to improper
  handling of filenames specified with the -F option.  NOTE: it is not clear
  when this issue crosses privilege boundaries.

------- Comment #1 From Robert Buchholz 2008-04-10 23:02:36 0000 -------
CVE-2008-1687
http://git.sv.gnu.org/gitweb/?p=m4.git;a=commit;h=5345bb49077bfda9fabd048e563f9e7077fe335d

CVE-2008-1688
http://git.sv.gnu.org/gitweb/?p=m4.git;a=commit;h=035998112737e52cb229e342913ef404e5a51040

There have been concerns whether these would qualify for security
vulnerabilities:
* For CVE-2008-1687, it requires that mkstemp will create a filename that
matches a macro. An attacker could not influence that name, so it would lead to
unspecified behaviour, which might lead to a vulnerability.
* For CVE-2008-1688, see the note on the CVE description.

We might want to go stable with 1.4.11 anyway, but I would consider this a low
priority.
base-system, what do you think? Also, is 1.4.11 good to go?
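
Added example (not from this bug, the NVD text, or the m4 sources): a small Python model of the behaviour behind CVE-2008-1687. GNU m4 rescans whatever a macro expands to, so a builtin that returns its result unquoted hands the generated path back to the tokenizer, where any name token (a letter or underscore followed by letters, digits or underscores; `/` is not part of a name) that matches a defined macro gets expanded. The fixed directory part of a mkstemp template is tokenized like anything else, so `/tmp/...` contains the name token `tmp`. Quoting the result, as 1.4.11 does, makes the scanner strip the quotes and emit the contents without expanding them. The macro table, the generated path and the `rescan` function are constructed for illustration and simplify m4 (argument-less macros only); `real_m4_check` feeds the same scenario, with ordinary user macros standing in for mkstemp, to an installed GNU m4 if one is on PATH, so it runs on any version.

```python
import re
import shutil
import subprocess

# m4 name token: a letter or underscore followed by letters, digits or underscores.
NAME = re.compile(r"[A-Za-z_][A-Za-z_0-9]*")

# Constructed macro table standing in for whatever the input file has defined.
MACROS = {"tmp": "pwned"}

# Constructed result of mkstemp(/tmp/fooXXXXXX): the directory part is fixed by
# the template, only the suffix is random.
GENERATED_PATH = "/tmp/fooAb3k9Q"


def rescan(text, macros, limit=100):
    """Simplified model of m4 rescanning: every name token that is a defined
    macro is replaced by its body (argument-less macros only), and the result
    is scanned again until nothing changes."""
    for _ in range(limit):
        new = NAME.sub(lambda m: macros.get(m.group(0), m.group(0)), text)
        if new == text:
            return new
        text = new
    raise RecursionError("macro expansion did not reach a fixed point")


def builtin_result(path, macros, quoted):
    """What the caller of the mkstemp builtin ends up with.

    quoted=False models m4 < 1.4.11: the bare path goes back into the input
    stream and is rescanned, so a path component naming a macro is expanded.
    quoted=True models 1.4.11+: the builtin returns `path', the scanner strips
    the quotes and the contents are output without expansion."""
    if quoted:
        return path
    return rescan(path, macros)


def real_m4_check():
    """Run the same scenario through an installed GNU m4, using user macros in
    place of mkstemp so any version shows the rescan/quoting difference.
    Returns (unquoted_line, quoted_line), or None if no m4 binary is on PATH."""
    if shutil.which("m4") is None:
        return None
    script = (
        "define(`tmp', `pwned')dnl\n"
        "define(`unquoted', `/tmp/fooAb3k9Q')dnl\n"   # body is rescanned on use
        "define(`quoted', ``/tmp/fooAb3k9Q'')dnl\n"   # body stays quoted on use
        "unquoted\n"
        "quoted\n"
    )
    out = subprocess.run(["m4"], input=script, capture_output=True,
                         text=True, check=True)
    lines = out.stdout.splitlines()
    return lines[0], lines[1]


if __name__ == "__main__":
    print("unquoted (m4 < 1.4.11): ", builtin_result(GENERATED_PATH, MACROS, quoted=False))
    print("quoted   (m4 >= 1.4.11):", builtin_result(GENERATED_PATH, MACROS, quoted=True))
    print("real m4:                 ", real_m4_check())
```

Run it as a script to print both results; with GNU m4 installed, the third line shows the same pair of strings coming out of the real scanner.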

------- Comment #2 From SpanKY 2008-04-11 01:16:25 0000 -------
stabilizing m4-1.4.11 should be fine

------- Comment #3 From Robert Buchholz 2008-04-11 01:21:57 0000 -------
Arches, please test and mark stable:
=sys-devel/m4-1.4.11
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 release s390 sh
sparc x86"

------- Comment #4 From Raúl Porcel 2008-04-11 09:50:46 0000 -------
alpha/ia64/sparc/x86 stable

------- Comment #5 From Santiago M. Mola 2008-04-11 10:02:13 0000 -------
amd64 stable

------- Comment #6 From Markus Rothe 2008-04-11 15:25:15 0000 -------
ppc64 stable

------- Comment #7 From Jeroen Roovers 2008-04-12 15:13:58 0000 -------
test-strtod.c:667: assertion failed
test-strtod.c:668: assertion failed
test-strtod.c:688: assertion failed
test-strtod.c:717: assertion failed
test-strtod.c:718: assertion failed
FAIL: test-strtod

Lines 667 and 668:
# if 0
    /* Sign bits of NaN is a portability sticking point, not worth
       worrying about.  */
    ASSERT (!!signbit (result1) != !!signbit (result2)); /* glibc-2.3.6, IRIX 6.5, OSF/1 5.1, mingw */
# endif
    ASSERT (ptr1 == input + 6);         /* glibc-2.3.6, MacOS X 10.3, FreeBSD 6.2, OpenBSD 4.0, AIX 5.1, HP-UX 11.11, IRIX 6.5, OSF/1 5.1, mingw */
    ASSERT (ptr2 == input + 6);         /* glibc-2.3.6, MacOS X 10.3, FreeBSD 6.2, OpenBSD 4.0, AIX 5.1, HP-UX 11.11, IRIX 6.5, OSF/1 5.1, mingw */

Line 688:
    ASSERT (ptr == input + 6);          /* glibc-2.3.6, MacOS X 10.3, FreeBSD 6.2, OpenBSD 4.0, AIX 5.1, HP-UX 11.11, IRIX 6.5, OSF/1 5.1, mingw */

Lines 717 and 718:
# if 0
    /* Sign bits of NaN is a portability sticking point, not worth
       worrying about.  */
    ASSERT (!!signbit (result1) != !!signbit (result2)); /* glibc-2.3.6, IRIX 6.5, OSF/1 5.1, mingw */
# endif
    ASSERT (ptr1 == input + 7);         /* glibc-2.3.6, OpenBSD 4.0, AIX 5.1, HP-UX 11.11, IRIX 6.5, OSF/1 5.1, mingw */
    ASSERT (ptr2 == input + 7);         /* glibc-2.3.6, OpenBSD 4.0, AIX 5.1, HP-UX 11.11, IRIX 6.5, OSF/1 5.1, mingw */

It says not to worry, but then you find yourself doing it anyway. Any comments
from base-system?

Sat Apr 12 17:09:05 CEST 2008
Portage 2.1.5_rc2 (default-linux/hppa/2007.0, gcc-4.1.2, glibc-2.7-r2,
2.6.24-gentoo-r3-JeR parisc)
=================================================================
System uname: 2.6.24-gentoo-r3-JeR parisc PA8700 (PCX-W2)
Timestamp of tree: Sat, 12 Apr 2008 04:22:01 +0000
distcc 2.18.3 hppa2.0-unknown-linux-gnu (protocols 1 and 2) (default port 3632)
[disabled]
ccache version 2.4 [disabled]
app-shells/bash:     3.2_p17-r1
dev-lang/python:     2.4.4-r9
dev-python/pycrypto: 2.0.1-r6
dev-util/ccache:     2.4-r7
sys-apps/baselayout: 2.0.0
sys-apps/sandbox:    1.2.18.1-r2
sys-devel/autoconf:  2.13, 2.61-r1
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.18-r1
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.23-r3
ACCEPT_KEYWORDS="hppa"
CBUILD="hppa2.0-unknown-linux-gnu"
CFLAGS="-O2 -pipe -mschedule=8000 -march=2.0 -g -ggdb -Wall"
CHOST="hppa2.0-unknown-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config
/usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /var/bind
/var/spool/torque /var/www/localhost/htdocs/wordpress/wp-config.php"
CONFIG_PROTECT_MASK="/etc/env.d /etc/fonts/fonts.conf /etc/gconf
/etc/gentoo-release /etc/php/apache2-php5/ext-active/
/etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild
/etc/terminfo /etc/texmf/web2c /etc/udev/rules.d"
CXXFLAGS="-O2 -pipe -mschedule=8000 -march=2.0 -g -ggdb -Wall"
DISTDIR="/keeps/gentoo/distfiles"
FEATURES="autoaddcvs buildpkg cvs distlocks fixpackages notitles parallel-fetch
sandbox sfperms splitdebug strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://ftp.snt.utwente.nl/pub/os/linux/gentoo
http://mirror.muntinternet.net/pub/gentoo/ http://gentoo.tiscali.nl/"
LC_ALL="en_US.UTF-8"
LDFLAGS=""
LINGUAS="en nl he"
MAKEOPTS="-j4"
PKGDIR="/keeps/gentoo/packages/elmer"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --stats --timeout=180 --exclude=/distfiles
--exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/mnt/alt/portage-tmp"
PORTDIR="/keeps/gentoo/portage"
PORTDIR_OVERLAY="/keeps/gentoo/local"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="7zip X Xaw3d a52 aac aalib accessibility ads alsa amr amrnb amrwb ao aoss
apache2 ares arts asf async asyncns audiofile audit automount avfs
bash-completion berkdb bidi bittorrent bl bluetooth bzip2 c++ cairo caps
catalogs cblas cdb cddb cdparanoia cdr chardet cjk cli cpudetection cracklib
crypt cups curl custom-cflags dbtool dbus device-mapper dga dia directfb djbfft
domainkeys dts dv dvd dvdr dvdread dxr3 edl elf emacs enca encode esd examples
exif expat fam fame fastbuild fastcgi fbcon ffmpeg filter flac fontconfig
foomaticdb fortran ftp gadu galago gd gdbm geoip ggi gif gimp gimpprint glep
glib glut gmp gnome gnutls gphoto2 gpm gs gsl gtk gtk2 gtkhtml hal hesiod hppa
ical icecast iconv idea idn imagemagick imlib immqt-bc inquisitio ipv6 isdnlog
jack javascript jingle jpeg jpeg2k kde kerberos lapack lcms ldap leim libcaca
libnotify libsamplerate libwww live logrotate logwatch lua lzo mad matroska
memcache mhash midi mikmod mmap mng modplug motif mozbranding mp3 mpi mssql
mudflap musepack mysql nas ncurses netpbm network-cron nfconntrack nfs nls nntp
nptl nptlonly nsplugin offensive ogg openexr opengl openmp oss ots overlays pam
pango pbs pch pcre pdf pdo-external perl php pic plotutils plugins png portage
portaudio postgres povray ppds pppd pulseaudio python pyzord qdbm qt3
qt3support quotas raw readline recode reflection rpc rrdtool rtc ruby samba
sasl scanner scim sdl seamonkey server session sid slang slp sms sndfile snmp
soundex speex spell spl sqlite ssl startup-notification suhosin svg swat sysfs
syslog talkfilters tcl tcpd test tga theora threads thunar-vfs tidy tiff
timidity tk tools truetype twolame udev unicode unzip urandom usb userlocales
utempter utf v4l v4l2 vanim vcd vidix vim-syntax vorbis wavpack webdav
webinstall winbind wlan wma wmf xanim xattr xchattext xcomposite xface xml xml2
xmpi xorg xpm xrandr xscreensaver xsettings xulrunner xv xvid xvmc zip
zip-external zlib" ALSA_CARDS="ad1889 usb-audio" ALSA_PCM_PLUGINS="adpcm alaw
asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa
lfloat linear meter mulaw multi null plug rate route share shm softvol"
APACHE2_MODULES="actions alias auth_basic auth_digest authn_anon authn_dbd
authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile
authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock dbd
deflate dir disk_cache env expires ext_filter file_cache filter headers ident
imagemap include info log_config logio mem_cache mime mime_magic negotiation
proxy proxy_ajp proxy_balancer proxy_connect proxy_http rewrite setenvif so
speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc"
INPUT_DEVICES="keyboard mouse evdev joystick" KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses
text" LINGUAS="en nl he" USERLAND="GNU" VIDEO_CARDS="stifb fbdev matrox"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG,
PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

------- Comment #8 From Tobias Scherbaum 2008-04-12 17:59:37 0000 -------
ppc stable

------- Comment #9 From SpanKY 2008-04-12 18:30:24 0000 -------
that isn't a bug in m4, so it should be fine to stabilize

------- Comment #10 From Jeroen Roovers 2008-04-13 05:09:15 0000 -------
(In reply to comment #9)
> that isn't a bug in m4, so it should be fine to stabilize

OK. Want a new bug for that? Oh, and after tests, it of course wouldn't ever do
make check through src_test() this way...

Stable for HPPA.

------- Comment #11 From Robert Buchholz 2008-04-14 01:05:17 0000 -------
GLSA vote: I vote NO based on the fact that the vulnerabilities are probably
not exploitable, see comment 2.

------- Comment #12 From Pierre-Yves Rofes 2008-04-14 08:51:48 0000 -------
no too, and closing.

------- Comment #13 From Peter Volkov 2008-04-21 08:03:02 0000 -------
Fixed in release snapshot.