Not sure whether we're affected. Javier Fernández-Sanguino Peña discovered insecure temporary file creation.
Can't tell where the patch is in the Debian diff. Maybe better to ask Ulf about it.
I asked Javier about this bug.
I checked, current stable (1.16) is affected (probably latest ~ also is). graphics herd: please bump with supplied patch...
Created attachment 70362: patch.CAN-2005-2965.graphviz
Patch from Javier.
I don't recognise that language, but that seems like a fairly poor fix. Creating ten thousand symbolic links is not out of the question, and there's no race condition I need to win.
This may be the best they can do in that language ?
Yeah, I suppose they could do system("mktemp.."), but if this is the best that's possible I guess I will have to live with it :)
sekretarz should have a look at it later today
sekretarz any progress on this one?
Patch committed; amd64 should stabilize at least 1.16. I assume that 2.6 is safe, isn't it?
Yes, 2.6 is already fixed. Luca: we'll need a revbump to 1.16-r1 so that it can be picked up in upgrades, and you'll be done.
I'd just call for having 2.6 stable, removing all versions but 2.6, and adding 1.16-r1 (if it is still needed).
Hm. Too many arches don't even have it as ~ so I think it's much quicker to bump to 1.16-r1 and ask arches to mark 1.16-r1 stable and 2.6 ~.
revbump committed, please notice amd64 that the older versions will be removed soon.
amd64: please test and mark 1.16-r1 stable.
alpha hppa ia64 mips ppc-macos: please add ~ keyword to 2.6.
KillerFox added ~hppa, thanks to him.
Tested media-gfx/graphviz-1.16-r1 for amd64. Builds and loads. Able to render several sample .dot files. No extensive regression testing, but as this is a security bump, tests stable for amd64.

Portage 2.0.53_rc6 (default-linux/amd64/2005.1, gcc-3.4.4, glibc-2.3.5-r3, 2.6.13-gentoo-r4 x86_64)
=================================================================
System uname: 2.6.13-gentoo-r4 x86_64 AMD Athlon(tm) 64 Processor 3500+
Gentoo Base System version 1.12.0_pre9
ccache version 2.4 [enabled]
dev-lang/python:     2.3.5, 2.4.2
sys-apps/sandbox:    1.2.13
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils:  2.16.1
sys-devel/libtool:   1.5.20
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="amd64 ~amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=k8 -O2 -pipe -fweb -ftracer"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3.3/env /usr/kde/3.3/share/config /usr/kde/3.3/shutdown /usr/kde/3.4/env /usr/kde/3.4/share/config /usr/kde/3.4/shutdown /usr/kde/3/share/config /usr/lib/X11/xkb /usr/lib64/mozilla/defaults/pref /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/texmf/web2c /etc/env.d"
CXXFLAGS="-march=k8 -O2 -pipe -fweb -ftracer"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache distlocks multilib-strict sandbox sfperms strict testing"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/etc/portage/overlay"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="amd64 X alsa apache2 avi berkdb bitmap-fonts cddb cdr cli crypt cups curl dba directfb dts dv dvd dvdr dvdread eds emacs emboss encode esd fam fame fbcon ffmpeg firefox foomaticdb gcj gd gdbm gif gpm gstreamer gtk gtk2 ieee1394 imagemagick imlib ipv6 java jikes jpeg junit ldap libwww lirc live lzw lzw-tiff mad mjpeg mozilla mp3 mpeg mysql ncurses nls nptl nptlonly nsplugin nvidia ogg oggvorbis opengl pam pcre pdflib perl png python qt quicktime readline real rtc ruby sdl spell ssl tcpd tetex theora tiff truetype-fonts type1-fonts udev unicode usb userlocales v4l v4l2 vorbis xine xml2 xmms xpm xv xvid zlib userland_GNU kernel_linux elibc_glibc"
Unset:  ASFLAGS, CTARGET, LANG, LC_ALL, LDFLAGS, LINGUAS
amd64 would be happy, but:

RepoMan scours the neighborhood...
  DEPEND.bad               1
   media-gfx/graphviz/graphviz-2.6.ebuild: ~hppa(default-linux/hppa/2004.3) ['>=x11-libs/libsvg-cairo-0.1.3']
  RDEPEND.bad              1
   media-gfx/graphviz/graphviz-2.6.ebuild: ~hppa(default-linux/hppa/2004.3) ['>=x11-libs/libsvg-cairo-0.1.3']
  digest.assumed           11
   digest-graphviz-1.10::graphviz-1.10.tar.gz
   digest-graphviz-1.12::graphviz-1.12.tar.gz
   digest-graphviz-1.12-r1::graphviz-1.12.tar.gz
   digest-graphviz-1.12-r1::graphviz-1.12-configure.ac.bz2
   digest-graphviz-1.16::graphviz-1.16-panic.patch.tar.bz2
   digest-graphviz-2.2::graphviz-2.2.tar.gz
   digest-graphviz-2.2.1::graphviz-2.2.1.tar.gz
   digest-graphviz-2.2.1-r1::graphviz-2.2.1.tar.gz
   digest-graphviz-2.4::graphviz-2.4.tar.gz
   digest-graphviz-2.6::graphviz-2.6.tar.gz
   digest-graphviz-1.16-r1::graphviz-1.16-panic.patch.tar.bz2

Please fix these important QA issues first.
RepoMan sez: "Make your QA payment on time and you'll never see the likes of me."

If I've botched something, please smack me with it, but I don't see how anyone could have committed with those errors.
(In reply to comment #18)
> amd64 would be happy, but:
>
> RepoMan scours the neighborhood...
>
>   DEPEND.bad               1
>    media-gfx/graphviz/graphviz-2.6.ebuild: ~hppa(default-linux/hppa/2004.3)
>    ['>=x11-libs/libsvg-cairo-0.1.3']

How about a "cvs up" in x11-libs/libsvg-cairo? repoman scan doesn't complain here, and libsvg-cairo-0.1.6 is ~hppa.
repoman doesn't bitch here either, so amd64 is happy. sorry for the delay
Still waiting on alpha, ia64, mips and ppc-macos to add the ~ keyword to graphviz-2.6
FYI: there is a compilation issue that first needs to be resolved on ppc-macos before it can be marked ~ppc-macos.
Kloeri did alpha and ia64
Ready for GLSA vote
If the main script is affected I vote YES.
Testing ppc-macos. Sorry for the long wait -- we had undefined symbol problems.
Looking at the patch again, I don't think this is an acceptable fix. Making 10000 symlinks is not a serious obstacle to explanation, and even if for some reason that is infeasible, just creating 1000 gives you a 1:10 chance of getting it. As there is no race condition, you can create 1000 of them and just wait; sooner or later it will be hit. I think we will have to use system('mktemp') or similar.
s/explanation/exploitation/
It's not easy to securely create tmpfiles in that "lefty" language (you just have "system" and apparently no way of getting stdout of commands). For those who want to try: http://www.graphviz.org/Documentation/leftyguide.pdf If you reduce the thing to a race condition, we'll take it.
Tavis: I guess the only way out is to limit files in HOME or current directory... or expand the random to a few million possibilities. Would that be better ?
using $HOME sounds fine to me
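Tavis's objection above (a name drawn from a small fixed space, opened in a shared directory, needs no race to be won) and the $HOME/mktemp direction, shown as an added example in C rather than in dotty's lefty code, not taken from the committed patch: the "before" open follows a link planted at the predictable name, while an O_CREAT|O_EXCL|O_NOFOLLOW create refuses it. The directory, file names and flag choice are this example's own assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* "Before": the pattern the first patch still has. A predictable name opened
 * without O_EXCL; open() follows whatever symlink already sits at that name,
 * so an attacker who pre-creates names never has to win a race. */
int open_weak(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* "After": exclusive, no-follow create. Any pre-existing entry at the name
 * makes the call fail (EEXIST, or ELOOP for a link) instead of redirecting
 * the write. mkstemp() does the same with a random name in a chosen dir. */
int open_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Self-contained regression check a maintainer can keep beside the fix:
 * plant a symlink at a predictable name inside a fresh private directory
 * (constructed here, mode 0700), then compare both opens. Returns 1 when
 * the weak open wrote through the link and the exclusive open refused. */
int exclusive_open_defeats_planted_link(void) {
    char dir[] = "/tmp/tmpfile-demo-XXXXXX";        /* constructed test dir */
    if (mkdtemp(dir) == NULL) return 0;
    char link[256], victim[256];
    snprintf(link, sizeof link, "%s/dotty1234", dir);   /* predictable name */
    snprintf(victim, sizeof victim, "%s/victim", dir);  /* where the link points */
    if (symlink(victim, link) != 0) { rmdir(dir); return 0; }

    int weak = open_weak(link);                      /* follows the link */
    int weak_redirected = (weak >= 0) && (access(victim, F_OK) == 0);
    if (weak >= 0) close(weak);

    int ex = open_exclusive(link);                   /* must refuse */
    int exclusive_refused = (ex < 0) && (errno == EEXIST || errno == ELOOP);
    if (ex >= 0) close(ex);

    unlink(victim); unlink(link); rmdir(dir);        /* clean up */
    return weak_redirected && exclusive_refused;
}
```

A private 0700 directory under $HOME (as proposed above) removes the shared-directory precondition entirely; the exclusive flags are what make the create safe even if the directory is shared.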
Created attachment 72582: graphviz-1.16-tempdir.patch
Taviso: like this?
Luca: care to update the graphviz patch with the attached one?
Patch updated
This one seems ready for GLSA decision. I tend to vote YES.
This patch breaks my compilation.

>>> Unpacking graphviz-1.16.tar.gz to /var/tmp/portage/graphviz-1.16-r1/work
 * Applying graphviz-1.16-build.patch ...                                 [ ok ]
 * Applying graphviz-1.16-tempdir.patch ...
 * Failed Patch: graphviz-1.16-tempdir.patch !
 *  ( /usr/portage/media-gfx/graphviz/files/graphviz-1.16-tempdir.patch )
 *
 * Include in your bugreport the contents of:
 *
 *   /var/tmp/portage/graphviz-1.16-r1/temp/graphviz-1.16-tempdir.patch-21313.out

cn400 ~ # cat /var/tmp/portage/graphviz-1.16-r1/temp/graphviz-1.16-tempdir.patch-21313.out
***** graphviz-1.16-tempdir.patch *****

=======================================
PATCH COMMAND:  patch -p0 -g0 --no-backup-if-mismatch < /usr/portage/media-gfx/graphviz/files/graphviz-1.16-tempdir.patch
=======================================
can't find file to patch at input line 3
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|--- graphviz-2.2.1.orig/dotty/dotty.lefty
|+++ graphviz-2.2.1/dotty/dotty.lefty
--------------------------
No file to patch.  Skipping patch.
patch: **** malformed patch at line 12: @@ -768,5 +771,5 @@

=======================================
PATCH COMMAND:  patch -p1 -g0 --no-backup-if-mismatch < /usr/portage/media-gfx/graphviz/files/graphviz-1.16-tempdir.patch
=======================================
patching file dotty/dotty.lefty
patch: **** malformed patch at line 12: @@ -768,5 +771,5 @@

=======================================
PATCH COMMAND:  patch -p2 -g0 --no-backup-if-mismatch < /usr/portage/media-gfx/graphviz/files/graphviz-1.16-tempdir.patch
=======================================
can't find file to patch at input line 3
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|--- graphviz-2.2.1.orig/dotty/dotty.lefty
|+++ graphviz-2.2.1/dotty/dotty.lefty
--------------------------
No file to patch.  Skipping patch.
patch: **** malformed patch at line 12: @@ -768,5 +771,5 @@

=======================================
PATCH COMMAND:  patch -p3 -g0 --no-backup-if-mismatch < /usr/portage/media-gfx/graphviz/files/graphviz-1.16-tempdir.patch
=======================================
missing header for unified diff at line 3 of patch
can't find file to patch at input line 3
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|--- graphviz-2.2.1.orig/dotty/dotty.lefty
|+++ graphviz-2.2.1/dotty/dotty.lefty
--------------------------
No file to patch.  Skipping patch.
patch: **** malformed patch at line 12: @@ -768,5 +771,5 @@

=======================================
PATCH COMMAND:  patch -p4 -g0 --no-backup-if-mismatch < /usr/portage/media-gfx/graphviz/files/graphviz-1.16-tempdir.patch
=======================================
missing header for unified diff at line 3 of patch
can't find file to patch at input line 3
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|--- graphviz-2.2.1.orig/dotty/dotty.lefty
|+++ graphviz-2.2.1/dotty/dotty.lefty
--------------------------
No file to patch.  Skipping patch.
patch: **** malformed patch at line 12: @@ -768,5 +771,5 @@
Note to self: never check a patch by reading it.
Note to self: try to find the time to test patches I submit.
I tend to vote no, as dotty is not the main program and this is typically run as user... but feel free to disagree.
Mhhh, tend to say no
Since this affects only dotty I revert my vote to a full NO and closing. Feel free to reopen if you disagree.