Bug 119316 - media-gfx/tuxpaint - insecure temporary file creation
Summary: media-gfx/tuxpaint - insecure temporary file creation
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa] jaervosz
Keywords:
Depends on:
Blocks:
 
Reported: 2006-01-17 10:47 UTC by Carsten Lohrke (RETIRED)
Modified: 2006-01-30 13:53 UTC

See Also:
Package list:
Runtime testing required: ---
Description Carsten Lohrke (RETIRED) gentoo-dev 2006-01-17 10:47:41 UTC
from USN-243-1:

Javier Fernández-Sanguino Peña discovered that the tuxpaint-import.sh
script created a temporary file in an insecure way. This could allow a
symlink attack to create or overwrite arbitrary files with the
privileges of the user running tuxpaint.


http://security.ubuntu.com/ubuntu/pool/main/t/tuxpaint/tuxpaint_0.9.14-2ubuntu0.1.diff.gz
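The advisory above describes the classic insecure temporary file pattern: a predictable name in a shared, world-writable directory that another local user can pre-plant as a symlink. The following is an added example (not code from tuxpaint, the USN, or the Ubuntu patch) of the discipline a script such as tuxpaint-import.sh needs: a per-user 0700 directory that is verified before use, and mktemp(1) for the file itself. The function names and the throwaway demo tree are assumptions of this example.

```bash
#!/bin/bash
# Added example, not code from tuxpaint or from the Ubuntu patch: the
# temp-file discipline tuxpaint-import.sh needed instead of a predictable
# name under world-writable /tmp. Function names are assumed for the demo.
set -u

# Succeed only if $1 is a directory we may create temp files in: it
# exists, is not a symlink, is owned by us, and is not group/other
# writable. A shared /tmp fails this even with the sticky bit set.
tmpdir_is_private() {
    local dir=$1 perms
    [ -d "$dir" ] && [ ! -L "$dir" ] && [ -O "$dir" ] || return 1
    # ls -l columns 6 and 9 are the group and other write bits (POSIX).
    perms=$(ls -ld -- "$dir" | cut -c6,9)
    case $perms in *w*) return 1 ;; esac
}

# Print the path of a fresh, exclusively created temp file under $1.
make_private_tmpfile() {
    local dir=$1
    # mkdir -p succeeds silently if someone pre-planted a symlink at
    # $dir, so the check *after* it is what actually protects us.
    mkdir -p -m 0700 -- "$dir" 2>/dev/null || true
    tmpdir_is_private "$dir" || { echo "unsafe temp dir: $dir" >&2; return 1; }
    # mktemp uses O_CREAT|O_EXCL with mode 0600 and a random suffix, so a
    # pre-created file or symlink is neither followed nor reused.
    mktemp -- "$dir/import.XXXXXX"
}

# Stand-alone demo in a throwaway tree (constructed; nothing under $HOME
# is touched). Prints "ok" when the private dir is accepted and a path
# that is really a symlink to a shared directory is refused.
demo() {
    local base good link file
    base=$(mktemp -d) || return 1
    good="$base/.tuxpaint/saved"          # mirrors the fix's TMPDIR=$SAVEDIR
    link="$base/evil-saved"; mkdir -m 1777 -- "$base/shared"
    ln -s "$base/shared" "$link"          # stands in for a shared /tmp
    file=$(make_private_tmpfile "$good") || return 1
    [ -f "$file" ] && [ ! -L "$file" ] || return 1
    if make_private_tmpfile "$link" 2>/dev/null; then return 1; fi
    rm -rf -- "$base"
    echo ok
}

demo
```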
Comment 2 Marcelo Goes (RETIRED) gentoo-dev 2006-01-17 11:08:07 UTC
I took a look at this patch and it has a lot of stuff we don't need/want. We obviously don't care for stuff in the debian/ folder, but we should be aware of the way they are hardcoding defines in tuxpaint.c ("Debian's build dependencies guarantee all headers have been included"). The changes to the Makefile are simply cosmetic, too.

My two cents: apply only what is relevant to this bug.

--- tuxpaint-0.9.14.orig/src/tuxpaint-import.sh
+++ tuxpaint-0.9.14/src/tuxpaint-import.sh
@@ -12,8 +12,8 @@
 # September 21, 2002 - June 17, 2003


-TMPDIR=/tmp
-SAVEDIR=$HOME/.tuxpaint/saved
+SAVEDIR="$HOME/.tuxpaint/saved"
+TMPDIR="$SAVEDIR"
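Review bot: pointing TMPDIR at $SAVEDIR only removes the symlink race if $HOME/.tuxpaint/saved already exists, is owned by the invoking user and is not writable by others at the moment the script first writes there; this hunk does not show the directory being created or checked, so the script should mkdir it with mode 0700 (and refuse a path that is a symlink) before use. The temporary file name itself is also outside the hunk; if it stays predictable, mktemp(1) inside $SAVEDIR would be the more robust fix. Quoting both assignments (`SAVEDIR="$HOME/.tuxpaint/saved"`) is a good incidental change, since a $HOME containing spaces would otherwise break the assignment.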
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-01-17 11:53:55 UTC
Graphics, please provide an updated ebuild.
Comment 4 Marcelo Goes (RETIRED) gentoo-dev 2006-01-17 12:03:41 UTC
This patch is already in 0.9.15b's sources (first thing I should have checked, doh). It is just a matter of keywording.
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-01-17 12:33:44 UTC
Arches, please test and mark stable.
Comment 6 Andrej Kacian (RETIRED) gentoo-dev 2006-01-17 16:40:49 UTC
x86 done - and I have drawn a nice picture full of wonderful graphical effects :)

The tuxpaint-import script doesn't work here at all, though, but it didn't work here in 0.9.14 either, so it doesn't stop .15b from going stable.
Comment 7 Andrej Kacian (RETIRED) gentoo-dev 2006-01-17 17:07:59 UTC
(In reply to comment #5)
> The tuxpaint-import script doesn't work here at all, though, but it didn't work
> here in 0.9.14 either, so it doesn't stop .15b from going stable.
> 

I found out that it works nicely with media-libs/netpbm-10.31-r1, which is currently unstable for all arches (except m68k, ppc-macos and s390). I have opened bug #119357 for this.
Comment 8 Tobias Scherbaum (RETIRED) gentoo-dev 2006-01-18 08:44:57 UTC
ppc stable
Comment 9 Simon Stelling (RETIRED) gentoo-dev 2006-01-18 12:05:15 UTC
amd64 stable
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-01-18 14:26:17 UTC
Not sure this is worth a GLSA but otoh I never use tuxpaint.
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2006-01-23 01:01:56 UTC
Using malicious symbolic links against children using tuxpaint is evil. It's not the kind of software you use on multiuser systems, so I tend to vote no.
Comment 12 rob holland (RETIRED) gentoo-dev 2006-01-25 13:24:09 UTC
No from me.
Comment 13 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-01-30 13:53:20 UTC
I tend to say NO as well, so closing without GLSA.