Bug 97184 - sys-cluster/xpvm <= 1.2.5-r2 insecure tmp file creation
Bug#: 97184 Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: All Status: RESOLVED Severity: minor Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: zataz@zataz.net
Component: Vulnerabilities
URL:  http://secunia.com/advisories/16040/
Summary: sys-cluster/xpvm <= 1.2.5-r2 insecure tmp file creation
Keywords:  
Status Whiteboard: B3 [noglsa] jaervosz
Opened: 2005-06-27 03:52 0000
Description:   Opened: 2005-06-27 03:52 0000 
Hello,

Take a look at

src/xpvm.tcl :

158 #
159 # Get User Name
160 #
161 
162 set user [ get_user_name ]

832 if { $tfck == 0 } { set trace_file "/tmp/xpvm.trace.$user" }

834 $CTRL.file_entry insert 0 $trace_file

Regards.

------- Comment #1 From rob holland (RETIRED) 2005-07-05 06:26:00 0000 ------- 
confirmed vulnerable.

------- Comment #2 From Romang 2005-07-12 00:37:07 0000 ------- 
Hello,

Vendor notified.

Regards.

------- Comment #3 From Tavis Ormandy (RETIRED) 2005-07-12 01:47:05 0000 ------- 
confirmed by rob, moving to vulnerabilities.

------- Comment #4 From Thierry Carrez (RETIRED) 2005-07-13 12:56:29 0000 ------- 
Leaked by Secunia, SA16040

------- Comment #5 From Thierry Carrez (RETIRED) 2005-07-18 05:25:52 0000 ------- 
Pulling in maintainer :

The project looks quite dead (upstream mail failed), should we patch it ? remove
it ?

------- Comment #6 From Sune Kloppenborg Jeppesen 2005-07-23 04:55:35 0000 ------- 
Tantive seems to be MIA, pulling in the rest of cluster.

------- Comment #7 From Michael Imhof 2005-07-28 14:50:34 0000 ------- 
If someone is able to fix it, then let's fix it, otherwise we have to remove or
mask it.
Personally i'd love to see a fix so it can stay in portage.

------- Comment #8 From Yuri Vasilevski 2005-07-29 00:02:46 0000 ------- 
It should be changes to use ns_tmpnam [1], something like may work:
832 if { $tfck == 0 } { set trace_file ns_tmpnam }

Yuri.

[1] http://www.panoptic.com/wiki/aolserver/686

------- Comment #9 From solar 2005-07-29 15:23:59 0000 ------- 
Yuri are you sure about that? I don't use wish much or xpvm at all but 
I've done a fair bit of tcl in my day and I've never seen ns_tmpnam. 
Perhaps it's an aolserver only function?

solar@simple xpvm $ wish
% ns_tmpnam
invalid command name "ns_tmpnam"
solar@simple xpvm $ tclsh
Loading module ptrace
8.4.6> ns_tmpnam
invalid command name "ns_tmpnam"
solar@simple xpvm $ tcl
tcl>ns_tmpnam
Error: invalid command name "ns_tmpnam"

------- Comment #10 From Yuri Vasilevski 2005-07-29 17:09:55 0000 ------- 
Created an attachment (id=64689) [details]
xpvmm-1.2.5-secure-temp.patch

a patch that should do fine until file tempfile ?template? ?namevar? [1] is
available in tcl 8.5

[1] http://www.tcl.tk/cgi-bin/tct/tip/210.html

------- Comment #11 From Yuri Vasilevski 2005-07-29 17:32:59 0000 ------- 
There is another way to solve this problem but it'll require
>=dev-tcltk/tcllib-1.7 to be added as dependency so "::fileutil::tempfile  ?
prefix ?" can be used, but I think it's not worth adding another dependency
considerings the before mentioned support for file tempfile subcommand is
expected to be added in tcl 8.5.

Also, in case the patch gets accepted, please credit solar@gentoo.org for it's
authorship as I my just cleaned it.

------- Comment #12 From Thierry Carrez (RETIRED) 2005-07-30 07:27:19 0000 ------- 
solar, you're the TCL expert, could you review the patch ? If you're OK with
it,
tantive can plug it in.

------- Comment #13 From solar 2005-08-01 22:02:14 0000 ------- 
The code is fine.
shell$ qfile /bin/tempfile
sys-apps/debianutils (/bin/tempfile) 

A dep would have to be added either way.

------- Comment #14 From Sune Kloppenborg Jeppesen 2005-08-01 22:03:44 0000 ------- 
Micheal please provide an updated ebuild.

------- Comment #15 From Michael Imhof 2005-08-09 13:59:28 0000 ------- 
I added a patched xpvm-1.2.5-r4 to the tree and removed the old ebuilds.
Thanks for your help.

------- Comment #16 From Sune Kloppenborg Jeppesen 2005-08-09 14:04:29 0000 ------- 
Thx Micheal. 
 
This one is ready for GLSA decision. I tend to vote NO.

------- Comment #17 From Thierry Carrez (RETIRED) 2005-08-10 00:46:57 0000 ------- 
Looks like a tool that would typically run as root, which would make me vote
yes, but I really don't know.

Michael, could you provide some insight on how the software is typically run,
and if it always uses the temporary file (vs. it only uses it if option
--verbosity=high is set)...

------- Comment #18 From Sune Kloppenborg Jeppesen 2005-08-15 09:50:14 0000 ------- 
Micheal/Cluster please advise.

------- Comment #19 From Thierry Carrez (RETIRED) 2005-08-21 08:36:30 0000 ------- 
OK; looks like we won't get input about this from the cluster herd, so security
members, make up your mind. In doubt I vote YES.

------- Comment #20 From Tavis Ormandy (RETIRED) 2005-08-23 02:07:09 0000 ------- 
i would vote NO

------- Comment #21 From Sune Kloppenborg Jeppesen 2005-08-23 22:06:17 0000 ------- 
Reverting my vote to full NO -> Closing without GLSA. Feel free to reopen if 
you disagree.