Bug 111990 - media-sound/gnump3d more issues (CVE-2005-33{49|55})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
Whiteboard: B3 [glsa] jaervosz
Reported: 2005-11-09 11:47 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2005-11-21 05:12 UTC

Attachments
index.lok.diff (3.17 KB, patch) - 2005-11-13 22:46 UTC, Sune Kloppenborg Jeppesen (RETIRED)
tmpfile.diff (1.16 KB, patch) - 2005-11-13 22:47 UTC, Sune Kloppenborg Jeppesen (RETIRED)
gnump3d-traversal.diff (693 bytes, patch) - 2005-11-14 22:44 UTC, Sune Kloppenborg Jeppesen (RETIRED)
gnump3d-index.lok.diff (3.17 KB, patch) - 2005-11-16 09:24 UTC, Jeremy Huddleston (RETIRED)
gnump3d-tmpfile.diff (1.17 KB, patch) - 2005-11-16 09:25 UTC, Jeremy Huddleston (RETIRED)
gnump3d-traversal.diff (702 bytes, patch) - 2005-11-16 09:25 UTC, Jeremy Huddleston (RETIRED)
gnump3d-2.9.7-r1.ebuild (2.18 KB, text/plain) - 2005-11-16 09:25 UTC, Jeremy Huddleston (RETIRED)

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-11-09 11:47:26 UTC
Reported by Ludwig Nussel from SUSE: 
 
There is still another directory traversal bug that allows escaping 
the theme directory. Our package installs to /usr/share/gnump3d, so 
you can access the whole /usr tree: 
http://localhost:8888/include/zlib.h?theme=../.. 
 
cu 
Ludwig 
 
--- 
And while we are already at it ... 
 
$ grepr -w /tmp 
./bin/gnump3d-index:  $lockfile = &getConfig( "lockfile",  "/tmp/index.lok" ); 
./bin/gnump3d-index:  $cache    = &getConfig( "tag_cache", "/tmp/tags.cache" ); 
./bin/gnump3d2:  $tag_cache   = getConfig( "tag_cache", "/tmp/tags.cache" ); 
./lib/gnump3d/plugins/search.pm:    my $tagCache = &getConfig( "tag_cache", "/tmp/tags.cache" ); 
./lib/gnump3d/tagcache.pm:    $tagCache->setCacheFile( '/tmp/tags.cache' ); 
 
cu 
Ludwig
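The traversal Ludwig describes, as an added example that is not part of this bug report, the attached patches, or gnump3d itself. The layout is an assumption taken from the report: the install directory /usr/share/gnump3d holds one subdirectory per theme, so theme=../.. backs out to /usr and the requested path include/zlib.h resolves to /usr/include/zlib.h. The vulnerable lookup splices the theme parameter straight into the path; the hardened one restricts the theme to a single directory name and then checks that the normalised result is still under the theme root, which also catches '..' smuggled in through the file part. DEFAULT_THEME and the function names are placeholders for this example.

```python
import posixpath
from urllib.parse import parse_qs, unquote

# Constructed layout, assumed for this example: the install directory
# named in the bug report holds one subdirectory per theme.
THEME_ROOT = "/usr/share/gnump3d"
DEFAULT_THEME = "default"  # assumed default theme name


def resolve_theme_file_unsafe(theme, filename):
    """Vulnerable pattern: the theme parameter is spliced into the
    filesystem path with no check that the result stays inside
    THEME_ROOT, so '..' segments escape the theme directory."""
    return posixpath.normpath(
        posixpath.join(THEME_ROOT, theme, filename.lstrip("/")))


def resolve_theme_file_safe(theme, filename):
    """Hardened lookup. A theme is exactly one directory name, so reject
    anything containing a separator or equal to '.' or '..'; then
    normalise the whole path and confirm it is still under THEME_ROOT
    (this second check also covers '..' in the file component).
    Returns the path, or None if the request must be refused."""
    if not theme or "/" in theme or theme in (".", ".."):
        return None
    candidate = posixpath.normpath(
        posixpath.join(THEME_ROOT, theme, filename.lstrip("/")))
    # Compare against THEME_ROOT + "/" rather than THEME_ROOT alone: a
    # bare prefix test would accept a sibling such as
    # /usr/share/gnump3d-evil/... as being "inside" /usr/share/gnump3d.
    if not candidate.startswith(THEME_ROOT + "/"):
        return None
    return candidate


def lookup_from_request(path, query):
    """Pull the theme out of the query string the way the server sees it,
    after URL decoding, so %2e%2e%2f is caught as '../'. Returns the
    same value as resolve_theme_file_safe."""
    params = parse_qs(query, keep_blank_values=True)
    theme = params.get("theme", [DEFAULT_THEME])[0]
    return resolve_theme_file_safe(theme, unquote(path))
```

The checks here are lexical; when the result is opened on a real filesystem, follow them with a realpath comparison as well so that a symlink inside a theme directory cannot point back outside the root.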
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-11-13 22:45:52 UTC
Fixes for the /tmp issues attached. 
 
tmpfile.diff - Change fallback default for tag cache to "". 
index.lok.diff - Remove unsafe /tmp lockfile usage. 
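Why the fixed /tmp/index.lok and /tmp/tags.cache paths matter, shown as an added example that is not code from this bug, the attached patches, or gnump3d. Any local user can pre-create a predictable name in a world-writable directory as a symlink; a later open() for writing by the indexer follows the link and clobbers whatever it points at. The demo reproduces that in a throwaway directory standing in for /tmp, then shows the two usual defences: create the file with O_CREAT|O_EXCL|O_NOFOLLOW so a pre-existing name or symlink is refused, and keep state in a directory the service owns with mode 0700 instead of /tmp. File and directory names in the demo are constructed for this example.

```python
import errno
import os
import stat
import tempfile


def naive_write(path, data):
    """The pattern flagged in the bug: write to a fixed, predictable name
    in a shared directory. open() follows symlinks, so a symlink an
    attacker planted at `path` beforehand redirects the write."""
    with open(path, "w") as fh:
        fh.write(data)


def safe_create(path, data, mode=0o600):
    """Hardened creation for a lock or cache file. O_CREAT|O_EXCL fails if
    anything (file or symlink, even a dangling one) already occupies the
    name, O_NOFOLLOW refuses a symlink at the last component, and the
    data is written through the returned fd rather than a second open by
    name. Returns True if the file was created, False if the name was
    already taken."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(path, flags, mode)
    except FileExistsError:
        return False
    except OSError as exc:
        if exc.errno == errno.ELOOP:  # O_NOFOLLOW tripped on a symlink
            return False
        raise
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return True


def private_state_dir(path):
    """Instead of /tmp, keep state under a directory the service user owns
    and nobody else can write to. Verifies it is a real directory (lstat,
    so a symlink is rejected), owned by us, and not group/world writable."""
    os.makedirs(path, mode=0o700, exist_ok=True)
    st = os.lstat(path)
    if not stat.S_ISDIR(st.st_mode):
        raise RuntimeError("%s is not a directory (symlink?)" % path)
    if st.st_uid != os.getuid():
        raise RuntimeError("%s is not owned by the service user" % path)
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise RuntimeError("%s is writable by other users" % path)
    return path


def demo():
    """Reproduce the attack in a throwaway directory standing in for /tmp.
    Returns (victim file contents after the naive write,
             whether safe_create refused the planted name,
             whether safe_create succeeded in the private directory)."""
    with tempfile.TemporaryDirectory() as shared:
        victim = os.path.join(shared, "victim.txt")  # constructed target
        with open(victim, "w") as fh:
            fh.write("original contents\n")
        # Attacker: pre-create the predictable lock name as a symlink.
        lockfile = os.path.join(shared, "index.lok")
        os.symlink(victim, lockfile)
        # Indexer, naive: the "lock" write lands on victim.txt.
        naive_write(lockfile, "clobbered\n")
        with open(victim) as fh:
            victim_after = fh.read()
        # Indexer, hardened: the planted name is refused ...
        refused = not safe_create(lockfile, "lock\n")
        # ... and the same file is created normally in a private directory.
        state = private_state_dir(os.path.join(shared, "gnump3d-state"))
        created = safe_create(os.path.join(state, "index.lok"), "lock\n")
        return victim_after, refused, created


if __name__ == "__main__":
    print(demo())
```

On current Linux kernels fs.protected_symlinks=1 stops the naive write only when the symlink sits in a sticky, world-writable directory owned by someone else; the demo directory is owned by the caller and not sticky, so the clobber reproduces there, which is also why the fix in the attached patches is to stop using /tmp rather than to rely on that sysctl.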
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-11-13 22:46:31 UTC
Created attachment 72860: index.lok.diff
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-11-13 22:47:07 UTC
Created attachment 72861: tmpfile.diff
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-11-13 22:48:16 UTC
CVE-2005-3349 for the insecure files 
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-11-14 02:02:32 UTC
CVE-2005-3355 for the directory traversal  
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-11-14 14:16:29 UTC
Jeremy, we're still waiting for the directory traversal issue but the patch 
should probably be available by tomorrow. CC'ing you already so you can be 
ready for disclosure on the 17th.  
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-11-14 22:44:30 UTC
Created attachment 72928: gnump3d-traversal.diff

Patch for the directory traversal.
Comment 8 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-11-14 22:45:17 UTC
Jeremy, please attach an updated ebuild to this bug. Do NOT commit anything to 
Portage at this time. 
Comment 9 Jeremy Huddleston (RETIRED) gentoo-dev 2005-11-16 09:24:59 UTC
Created attachment 73012: gnump3d-index.lok.diff
Comment 10 Jeremy Huddleston (RETIRED) gentoo-dev 2005-11-16 09:25:19 UTC
Created attachment 73013: gnump3d-tmpfile.diff
Comment 11 Jeremy Huddleston (RETIRED) gentoo-dev 2005-11-16 09:25:35 UTC
Created attachment 73014: gnump3d-traversal.diff
Comment 12 Jeremy Huddleston (RETIRED) gentoo-dev 2005-11-16 09:25:52 UTC
Created attachment 73015: gnump3d-2.9.7-r1.ebuild
Comment 13 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-11-16 12:01:30 UTC
Arch security liaisons please test and report back on this bug. 
Comment 14 Olivier Crete (RETIRED) gentoo-dev 2005-11-16 12:34:01 UTC
Adding halcy0n for x86 because I don't have my x86 box close.
Comment 15 Markus Rothe (RETIRED) gentoo-dev 2005-11-16 12:45:12 UTC
this looks on ppc64? 
 
Error 
The requested file /include/zlib.h couldn't be found. Please try returning to the index. 
Comment 16 Gustavo Zacarias (RETIRED) gentoo-dev 2005-11-16 13:08:09 UTC
sparc looks ok.
Comment 17 Thierry Carrez (RETIRED) gentoo-dev 2005-11-17 01:57:53 UTC
Now public with the release of upstream 2.9.8
http://www.gnu.org/software/gnump3d/

Jeremy: please commit the 2.9.7-r1 with already-tested keywords (or if you
prefer push 2.9.8 as ~ and we'll have arch retest this one)
Comment 18 Simon Stelling (RETIRED) gentoo-dev 2005-11-17 11:40:21 UTC
with 2.9.7-r1, when starting it, I get the following:

 * Caching service dependencies ...                                       [ ok ]
 * Starting gnump3d ...
 * Updating index of music files (may take a while for the first time) ...
Undefined subroutine &main::removeLock called at /usr/bin/gnump3d-index line 194.                                                                         [ ok ]

Other than that, it seems to work fine on amd64
Comment 19 Jeremy Huddleston (RETIRED) gentoo-dev 2005-11-17 17:35:30 UTC
2.9.7-r1 and 2.9.8 are both in portage now
Comment 20 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-11-17 22:10:11 UTC
CC'ing remaining arches to mark stable (alpha and ppc64) and unCC'ing arch security liaisons. 
Comment 21 Markus Rothe (RETIRED) gentoo-dev 2005-11-18 00:54:56 UTC
stable on ppc64
Comment 22 Fernando J. Pereda (RETIRED) gentoo-dev 2005-11-18 02:09:34 UTC
alpha done
Comment 23 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-11-18 02:41:26 UTC
Time for GLSA decision. We did a similar one in the past so I vote YES. 
Comment 24 Thierry Carrez (RETIRED) gentoo-dev 2005-11-18 04:35:00 UTC
Yes, we need one. And it's more than just an update since the issues changed
(tmpfile vulns in).
Comment 25 Thierry Carrez (RETIRED) gentoo-dev 2005-11-21 05:12:49 UTC
GLSA 200511-16