Seems like there might be problems with the patch on bug #106105.

It looks like the fix for CAN-2005-3011 (texinfo predictable temporary files issue) being used by Ubuntu and others is incorrect (see below). Does anyone have a better and/or officially blessed (does texinfo have a maintainer?) patch for this?

Colin Percival

-------- Original Message --------
Subject: [csjp@FreeBSD.org: Re: Ubuntu patch for texinfo (CAN-2005-3011)]
Date: Sat, 3 Dec 2005 19:11:12 +0000
From: Christian S.J. Peron <csjp@freebsd.org>
To: secteam@freebsd.org

Colin / team

I sent this message to Martin Pitt a while ago, but I have not received any response. Who owns texinfo? I am sure we can roll our own fix but I would rather whoever maintains this program provide a security fix.

Any ideas?

----- Forwarded message from "Christian S.J. Peron" <csjp@FreeBSD.org> -----

From: "Christian S.J. Peron" <csjp@FreeBSD.org>
To: martin.pitt@canonical.com
Date: Sun, 13 Nov 2005 05:43:34 +0000
Subject: Re: Ubuntu patch for texinfo (CAN-2005-3011)

On Don, 06 Okt 2005, Martin Pitt wrote:
> Since the previously proposed patch is very intrusive and not really
> appropriate for a security update, I created my own minimal patch:
>
> http://patches.ubuntu.com/patches/texinfo.CAN-2005-3011.diff

After discussing this fix with some of my colleagues, it appears that your fix makes it impossible to unlink the temporary files.

    void
    flush_tempfiles (int to_count)
    {
      if (keep_tempfiles)
        return;
      while (last_deleted_tempcount < to_count)
        unlink (maketempname (++last_deleted_tempcount));
    }

flush_tempfiles would result in texindex exiting via EEXIST, because now maketempname actually creates the files with the O_EXCL flag. Although this fixes the race condition, it changes the behavior of the program.

Was this intentional or am I missing something here?

--
Christian S.J. Peron
csjp@FreeBSD.ORG
FreeBSD Committer
FreeBSD Security Team

----- End forwarded message -----

--
Christian S.J. Peron
csjp@FreeBSD.ORG
FreeBSD Committer
FreeBSD Security Team
_______________________________________________________
Please think twice when forwarding, cc:ing, or bcc:ing security-team messages. Ask if you are unsure.
http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/texinfo/

texinfo-4.8-owl-texindex-tmp.diff is our current patch. Older versions of it (for older versions of texinfo) may be found in the Attic.

Originally, this was a part of texinfo-4.0-owl-tmp.diff, which I entered with this comment:

* Wed Jan 03 2001 Solar Designer <solar-at-owl.openwall.com>
- Patch to create temporary files safely.
- Give offline sorting in texindex a chance to work (fixed a bug in there; did anyone ever test that code, it certainly looks like not).

This patch has the disadvantage of producing a spurious link-time warning about mktemp() (although the surrounding code makes this call safe). This is because we still had glibc 2.1.3 at the time. This should be updated to use mkdtemp() now (the change is trivial).

--
/sd
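An added C example (not code from texinfo, the Ubuntu patch or the Owl patch) of the two points in the messages above: a second O_EXCL create of an already handed-out name fails with EEXIST, while a mkdtemp() private directory lets the name generator stay side-effect free so the flush loop can still unlink. All function names and the /tmp/txidx prefix are hypothetical.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

char tempdir[64];   /* private 0700 directory; the /tmp prefix is an assumption */

/* mkdtemp() creates the directory atomically with an unpredictable name. */
int init_tempdir(void)
{
    snprintf(tempdir, sizeof tempdir, "/tmp/txidx.XXXXXX");
    return mkdtemp(tempdir) ? 0 : -1;
}

/* Pure namer: builds a path and touches nothing on disk, so a flush loop
   can call it again later to find the files it has to unlink. */
const char *tempname_in_dir(int count)
{
    static char buf[96];
    snprintf(buf, sizeof buf, "%s/%d", tempdir, count);
    return buf;
}

/* Creation is a separate step and still refuses a pre-existing path. */
int create_tempfile(int count)
{
    return open(tempname_in_dir(count), O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* The failure mode from the thread: asking a creating namer for a name it
   already handed out fails, and errno is EEXIST. Returns 0 or errno. */
int recreate_errno(int count)
{
    int fd = create_tempfile(count);
    if (fd < 0) return errno;
    close(fd);
    return 0;
}

/* Unlink files 1..to_count, then the directory; returns files removed. */
int flush_tempfiles_in_dir(int to_count)
{
    int removed = 0;
    for (int i = 1; i <= to_count; i++)
        if (unlink(tempname_in_dir(i)) == 0) removed++;
    return rmdir(tempdir) == 0 ? removed : -1;
}
```

Keeping name generation separate from creation is what lets the cleanup path reuse the namer; the security property comes from the 0700 directory plus O_EXCL at creation time.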
CCing vapier so that he double-checks Gentoo's status on this.
vapier: any hint on our vulnerability status here?
We use a patch based on Martin Pitt's one. Apparently it would be better to use the patch from Openwall, which I'll attach here. Note that this is not a security issue, since Martin Pitt's patch solves the security problem; it just changes the way texindex is supposed to work, so it would be a bug.
Created attachment 75188: texinfo-4.8-owl-texindex-tmp.diff

New patch, from Owl
4.8-r3 uses the patch here