Bug#: 197578
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Robert Buchholz <rbu@gentoo.org>

Attachment: vobcopy_1.0.2-1.diff
  Description: Relevant parts of vobcopy_1.0.2-1.diff
  Type: patch
  Creator: Robert Buchholz
  Created: 2007-12-24 00:25 0000
  Size: 7.90 KB

Description:   Opened: 2007-10-31 01:02 0000
CVE-2007-5718 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5718):
  vobcopy 0.5.14 allows local users to append data to an arbitrary file, or
  create an arbitrary new file, via a symlink attack on the (1)
  /tmp/vobcopy.bla or (2) /tmp/vobcopy_0.5.14.log temporary file.

------- Comment #1 From Robert Buchholz 2007-10-31 01:06:49 0000 -------
The bug is confirmed in the 0.5 series, we have 1.0.0 stable. The code has
changed there, but it still does:

./vobcopy-1.0.0/vobcopy.c:    if ( freopen( "/tmp/vobcopy.bla" , "a" , stderr ) == NULL )

I'm not a C expert, but that doesn't look right, or does freopen do some magic?

------- Comment #2 From nion 2007-10-31 17:57:51 0000 -------
(In reply to comment #1)
> The bug is confirmed in the 0.5 series, we have 1.0.0 stable. The code has
> changed there, but it still does:
> 
> ./vobcopy-1.0.0/vobcopy.c:    if ( freopen( "/tmp/vobcopy.bla" , "a" , stderr ) == NULL )
> 
> I'm not a C expert, but that doesn't look right, or does freopen do some magic?

No, freopen internally uses fopen so this is no fix for the security issue
(haven't looked at the rest of the code). You can use 'x' as mode to open with
O_EXCL but this is a GNU extension, so I propose doing this with open and use
fdopen if you really need a FILE stream.
Cheers
nion
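
The approach suggested in comment #2 (open with O_EXCL, then fdopen), shown next to the append-mode open it replaces. This is an added example, not vobcopy's code or the Debian patch; `open_log_excl` and `symlink_followed` are hypothetical names, and the scenario is constructed in a private mkdtemp() directory under /tmp.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: create a new log file, refusing any pre-existing
 * name. With O_CREAT|O_EXCL, open() fails with EEXIST if the path exists,
 * including when it is a symlink (even a dangling one). */
FILE *open_log_excl(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_APPEND, 0600);
    if (fd < 0)
        return NULL;                 /* EEXIST when a name was planted */
    FILE *fp = fdopen(fd, "a");      /* wrap the fd only if a stream is needed */
    if (fp == NULL)
        close(fd);
    return fp;
}

/* Constructed scenario: "log" is a symlink to a not-yet-existing "victim".
 * Returns 1 if opening "log" created the victim file, 0 if it did not,
 * -1 on setup error. */
int symlink_followed(int use_excl)
{
    char dir[] = "/tmp/excl_demo_XXXXXX", log[64], victim[64];
    struct stat st;
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(log, sizeof log, "%s/log", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);
    if (symlink(victim, log) != 0)
        return -1;
    FILE *fp = use_excl ? open_log_excl(log) : fopen(log, "a");
    if (fp != NULL)
        fclose(fp);
    int created = (stat(victim, &st) == 0);
    unlink(victim); unlink(log); rmdir(dir);
    return created;
}

int main(void)
{
    printf("fopen(\"a\") followed symlink: %d\n", symlink_followed(0));
    printf("O_EXCL open followed symlink: %d\n", symlink_followed(1));
    return 0;
}
```

A caller that gets NULL back should treat it as an error and not fall back to a plain append-mode open of the same path.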

------- Comment #3 From Robert Buchholz 2007-12-24 00:25:20 0000 -------
Debian applied the attached patch to 1.0.2, not sure about upstream inclusion.
A discussion with upstream can be found at $URL.

Media-video, please apply.

------- Comment #4 From Robert Buchholz 2007-12-24 00:25:46 0000 -------
Created an attachment (id=139225) [details]
Relevant parts of vobcopy_1.0.2-1.diff

------- Comment #5 From Pierre-Yves Rofes 2008-01-10 19:17:28 0000 -------
(In reply to comment #3)
> Debian applied the attached patch to 1.0.2, not sure about upstream inclusion.
> A discussion with upstream can be found at $URL.
> 
> Media-video, please apply.
> 

*ping*

------- Comment #6 From Steve Dibb 2008-01-11 00:14:42 0000 -------
Okay so I'm slightly confused.  Is it fixed in 1.0.2 or not?

------- Comment #7 From Robert Buchholz 2008-01-11 00:43:29 0000 -------
No, 1.0.2 is still affected, the attached patch was applied to the vanilla
1.0.2 tarball as shipped in Debian. Sorry if I was unclear.

------- Comment #8 From Jon Malachowski 2008-02-13 08:53:38 0000 -------
vobcopy 1.1.0 is out and it looks like he fixed it.
"This release fixes the debian bug #448319 which got retitled
CVE-2007-5718...."

------- Comment #9 From Robert Buchholz 2008-02-13 12:03:46 0000 -------
media-video, if some of you can bump this, it's greatly appreciated.

------- Comment #10 From Alexis Ballier 2008-02-13 22:59:40 0000 -------
1.1.0 in the tree

------- Comment #11 From Sune Kloppenborg Jeppesen 2008-02-14 18:59:59 0000 -------
Arches please test and mark stable. Target keywords are:

vobcopy-1.1.0.ebuild:KEYWORDS="amd64 ppc ppc64 sparc x86"

------- Comment #12 From Christian Faulhammer 2008-02-14 20:00:33 0000 -------
x86 stable

------- Comment #13 From Brent Baude 2008-02-15 01:50:26 0000 -------
ppc64 stable

------- Comment #14 From Ferris McCormick 2008-02-15 16:06:35 0000 -------
Sparc done.

------- Comment #15 From Tobias Scherbaum 2008-02-16 18:44:05 0000 -------
ppc stable

------- Comment #16 From Christoph Mende 2008-02-17 14:02:05 0000 -------
amd64 stable

------- Comment #17 From Sune Kloppenborg Jeppesen 2008-02-20 08:26:50 0000 -------
This one is ready for GLSA vote. I tend to vote YES.

------- Comment #18 From Peter Volkov 2008-02-25 10:50:11 0000 -------
Fixed in release snapshot.

------- Comment #19 From Robert Buchholz 2008-03-04 14:25:55 0000 -------
YES, filed.

------- Comment #20 From Pierre-Yves Rofes 2008-03-05 22:21:57 0000 -------
GLSA 200803-11
