
Bug 536720

Summary: <app-text/djvu-3.5.27-r2: insecure use of /tmp
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: alexander, tex
Priority: Normal Flags: nattka: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775193
See Also: https://github.com/gentoo/gentoo/pull/16210
https://github.com/gentoo/gentoo/pull/16423
Whiteboard: B4 [glsa+]
Package list:
=app-text/djvu-3.5.27-r2
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 718552    

Description Agostino Sarubbo gentoo-dev 2015-01-15 17:01:24 UTC
From ${URL} :

This is how djvudigital uses temporary files:

           djvutext="/tmp/dj$$.ps"
           trap "rm 2>/dev/null $djvutext" 0
           cat > $djvutext <<\EOF
(ps2utf8.ps) runlibfile currentglobal /setglobal load true setglobal
.ps2utf8 begin /onpage { } bind def /onfont { pop pop pop } bind def
/onmark { pop pop pop pop currentx currenty currentpoint
.djvutextmark } bind def end exec
EOF


This is insecure because the filename is predictable and, more 
importantly, the program doesn't fail atomically if the file already 
exists.

Please use mktemp(1) for creating temporary files.



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
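
The difference between the reported pattern and the mktemp(1) recommendation, as an added example (not code from the report, djvudigital or the upstream fix). The function names and the sandbox directory used in place of /tmp are assumptions made for the demo:

```sh
# Added example, not djvudigital's code or the upstream patch. The function
# names and the sandbox-directory argument are assumptions for the demo.

# Pattern from the report: the name depends only on the PID, and a plain '>'
# reuses and truncates whatever already exists at that path.
create_legacy() {
    djvutext="$1/dj$$.ps"
    : > "$djvutext"
}

# Same predictable name, but noclobber (set -C) makes '>' fail if the path
# already exists, so the script stops instead of writing into it.
create_noclobber() {
    djvutext="$1/dj$$.ps"
    ( set -C; : > "$djvutext" )
}

# mktemp(1): unpredictable suffix, exclusive creation, mode 0600.
create_safe() {
    djvutext=$(mktemp "$1/djvudigital.XXXXXXXXXX") || return 1
}

# Create the predictable path first (standing in for a file that already
# exists), run one pattern, and report: clobbered, refused, or intact.
check_pattern() {
    sandbox=$(mktemp -d) || return 1
    printf 'already here\n' > "$sandbox/dj$$.ps"
    if ! "$1" "$sandbox" 2>/dev/null; then
        result=refused
    elif [ -s "$sandbox/dj$$.ps" ]; then
        result=intact
    else
        result=clobbered
    fi
    rm -rf "$sandbox"
    printf '%s\n' "$result"
}

for p in create_legacy create_noclobber create_safe; do
    printf '%s: %s\n' "$p" "$(check_pattern "$p")"
done
```

In a script, the call to create_safe would be followed by trap 'rm -f "$djvutext"' 0 so the file is removed on exit.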
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-01 18:48:29 UTC
Upstream fix: https://sourceforge.net/p/djvu/djvulibre-git/ci/66647db87653477014b345aa5713969d4e48a071/ which was improved later via https://sourceforge.net/p/djvu/djvulibre-git/ci/4d679d4781118ea4e009eeeebb2ca0a658972d14/

$ git tag --contains 66647db87653477014b345aa5713969d4e48a071 | sort
debian/3.5.27.1-3
[...]


Hopefully the next upstream release will contain the fix.
Comment 2 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-07-11 01:20:48 UTC
From $URL:

Fixed in versions djvulibre/3.5.27.1-1, djvulibre/3.5.27.1-3
Comment 3 Alexander Tsoy 2017-09-29 08:29:55 UTC
We need to stabilize app-text/djvu-3.5.27 for gcc-6 stabilization. So can we get a revbump for this security bug asap?
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2019-04-14 02:03:05 UTC
still not bumped...
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-05-25 02:38:19 UTC
Quite a few tags upstream with 66647db at this point. At more than 5 years since last release, perhaps it would be useful to just fix this with a patch+revbump.

djvulibre-git $ git tag --contains 66647db
debian/3.5.27.1-11
debian/3.5.27.1-12
debian/3.5.27.1-13
debian/3.5.27.1-14
debian/3.5.27.1-3
debian/3.5.27.1-4
debian/3.5.27.1-5
debian/3.5.27.1-6
debian/3.5.27.1-7
debian/3.5.27.1-9
Comment 6 Larry the Git Cow gentoo-dev 2020-06-13 09:35:20 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=703e79f63d52413d37f850ca62c1cabcc1606d70

commit 703e79f63d52413d37f850ca62c1cabcc1606d70
Author:     John Helmert III <jchelmert3@posteo.net>
AuthorDate: 2020-06-13 06:56:45 +0000
Commit:     Mikle Kolyada <zlogene@gentoo.org>
CommitDate: 2020-06-13 09:35:02 +0000

    app-text/djvu: Security bump
    
    Bump to upstream tag debian/3.5.27.1-14, which includes fixes for
    numerous security issues.
    
    Bug: https://bugs.gentoo.org/536720
    Bug: https://bugs.gentoo.org/718552
    Package-Manager: Portage-2.3.100, Repoman-2.3.22
    Signed-off-by: John Helmert III <jchelmert3@posteo.net>
    Closes: https://github.com/gentoo/gentoo/pull/16210
    Signed-off-by: Mikle Kolyada <zlogene@gentoo.org>

 app-text/djvu/Manifest              |  1 +
 app-text/djvu/djvu-3.5.27-r2.ebuild | 73 +++++++++++++++++++++++++++++++++++++
 2 files changed, 74 insertions(+)
Comment 7 Agostino Sarubbo gentoo-dev 2020-06-15 15:03:48 UTC
arm stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-06-15 15:08:55 UTC
ppc64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2020-06-15 15:12:19 UTC
sparc stable
Comment 10 Agostino Sarubbo gentoo-dev 2020-06-15 15:27:50 UTC
ppc stable
Comment 11 Agostino Sarubbo gentoo-dev 2020-06-17 07:07:52 UTC
amd64 stable
Comment 12 Thomas Deutschmann (RETIRED) gentoo-dev 2020-06-20 13:49:31 UTC
x86 stable
Comment 13 Rolf Eike Beer archtester 2020-06-22 18:37:46 UTC
hppa stable
Comment 14 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-22 19:11:32 UTC
arm64 stable

----
@maintainer(s), please cleanup
Comment 15 Larry the Git Cow gentoo-dev 2020-06-28 20:54:23 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3a13ebb61d94c615ab2c68de08ab95746c1996c5

commit 3a13ebb61d94c615ab2c68de08ab95746c1996c5
Author:     John Helmert III <jchelmert3@posteo.net>
AuthorDate: 2020-06-25 22:53:18 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2020-06-28 20:54:14 +0000

    app-text/djvu: Security cleanup
    
    Bug: https://bugs.gentoo.org/536720
    Bug: https://bugs.gentoo.org/718552
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: John Helmert III <jchelmert3@posteo.net>
    Closes: https://github.com/gentoo/gentoo/pull/16423
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 app-text/djvu/Manifest              |  1 -
 app-text/djvu/djvu-3.5.27-r1.ebuild | 68 -------------------------------------
 2 files changed, 69 deletions(-)
Comment 16 Aaron Bauman (RETIRED) gentoo-dev 2020-06-28 20:55:54 UTC
glsa opened.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2020-07-27 00:36:15 UTC
This issue was resolved and addressed in
 GLSA 202007-36 at https://security.gentoo.org/glsa/202007-36
by GLSA coordinator Sam James (sam_c).