Bug 197578 (CVE-2007-5718) - media-video/vobcopy < 1.1.0 Insecure temporary file creation (CVE-2007-5718)
Status: RESOLVED FIXED
Alias: CVE-2007-5718
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://bugs.debian.org/cgi-bin/bugrep...
Whiteboard: B3 [glsa]
Reported: 2007-10-31 01:02 UTC by Robert Buchholz (RETIRED)
Modified: 2008-03-05 22:21 UTC

Attachments
Relevant parts of vobcopy_1.0.2-1.diff (vobcopy_1.0.2-1.diff,7.90 KB, patch)
2007-12-24 00:25 UTC, Robert Buchholz (RETIRED)

Description Robert Buchholz (RETIRED) gentoo-dev 2007-10-31 01:02:05 UTC
CVE-2007-5718 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5718):
  vobcopy 0.5.14 allows local users to append data to an arbitrary file, or
  create an arbitrary new file, via a symlink attack on the (1)
  /tmp/vobcopy.bla or (2) /tmp/vobcopy_0.5.14.log temporary file.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2007-10-31 01:06:49 UTC
The bug is confirmed in the 0.5 series, we have 1.0.0 stable. The code has changed there, but it still does:

./vobcopy-1.0.0/vobcopy.c:    if ( freopen( "/tmp/vobcopy.bla" , "a" , stderr ) == NULL )

I'm not a C expert, but that doesn't look right, or does freopen do some magic?
Comment 2 nion 2007-10-31 17:57:51 UTC
(In reply to comment #1)
> The bug is confirmed in the 0.5 series, we have 1.0.0 stable. The code has
> changed there, but it still does:
> 
> ./vobcopy-1.0.0/vobcopy.c:    if ( freopen( "/tmp/vobcopy.bla" , "a" , stderr )
> == NULL )
> 
> I'm not a C expert, but that doesn't look right, or does freopen do some magic?

No, freopen internally uses fopen so this is no fix for the security issue (haven't looked at the rest of the code). You can use 'x' as mode to open with O_EXCL but this is a GNU extension, so I propose doing this with open and use fdopen if you really need a FILE stream.
Cheers
nion
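
The open-then-fdopen approach proposed in comment 2, as an added example (not vobcopy's code and not the Debian patch). The helper names and the scratch directory are assumptions made for the demonstration; it compares a plain fopen in append mode with an O_CREAT|O_EXCL open when a symlink already occupies the log file's name.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: create `path` as a NEW append-only log file.
 * O_CREAT|O_EXCL makes open() fail with EEXIST if any name already exists
 * there, including a (dangling) symlink, so a planted link is not followed. */
FILE *open_log_excl(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_APPEND, 0600);
    if (fd < 0) return NULL;        /* errno says why, e.g. EEXIST */
    FILE *fp = fdopen(fd, "a");
    if (fp == NULL) {
        int saved = errno;
        close(fd);
        unlink(path);               /* do not leave a half-made file behind */
        errno = saved;
    }
    return fp;
}

/* Constructed scenario in a private scratch directory: a symlink with the
 * log's name points at "victim". Returns 1 if opening the log created or
 * wrote the victim through the link, 0 if not, -1 on setup failure. */
int victim_touched(int use_excl)
{
    char dir[] = "/tmp/excl_demo.XXXXXX", log[64], victim[64];
    struct stat st;
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(log, sizeof log, "%s/vobcopy.bla", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);
    if (symlink(victim, log) != 0)
        return -1;
    FILE *fp = use_excl ? open_log_excl(log) : fopen(log, "a");
    if (fp) { fputs("log line\n", fp); fclose(fp); }
    int touched = (stat(victim, &st) == 0);
    unlink(victim); unlink(log); rmdir(dir);
    return touched;
}

int main(void)
{
    printf("fopen \"a\": %d, O_EXCL: %d\n", victim_touched(0), victim_touched(1));
}
```

Because O_EXCL also fails with EEXIST when a log from an earlier run is still present, the caller needs a fallback such as mkstemp(3) or a log location under the user's own directory.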
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2007-12-24 00:25:20 UTC
Debian applied the attached patch to 1.0.2, not sure about upstream inclusion. A discussion with upstream can be found at $URL.

Media-video, please apply.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2007-12-24 00:25:46 UTC
Created attachment 139225
Relevant parts of vobcopy_1.0.2-1.diff
Comment 5 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-01-10 19:17:28 UTC
(In reply to comment #3)
> Debian applied the attached patch to 1.0.2, not sure about upstream inclusion.
> A discussion with upstream can be found at $URL.
> 
> Media-video, please apply.
> 

*ping*
Comment 6 Steve Dibb (RETIRED) gentoo-dev 2008-01-11 00:14:42 UTC
Okay so I'm slightly confused.  Is it fixed in 1.0.2 or not?
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2008-01-11 00:43:29 UTC
No, 1.0.2 is still affected, the attached patch was applied to the vanilla 1.0.2 tarball as shipped in Debian. Sorry if I was unclear.
Comment 8 Jon Malachowski 2008-02-13 08:53:38 UTC
vobcopy 1.1.0 is out and it looks like he fixed it.
"This release fixes the debian bug #448319 which got retitled CVE-2007-5718...."
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2008-02-13 12:03:46 UTC
media-video, if some of you can bump this, it's greatly appreciated.
Comment 10 Alexis Ballier gentoo-dev 2008-02-13 22:59:40 UTC
1.1.0 in the tree
Comment 11 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-02-14 18:59:59 UTC
Arches please test and mark stable. Target keywords are:

vobcopy-1.1.0.ebuild:KEYWORDS="amd64 ppc ppc64 sparc x86"
Comment 12 Christian Faulhammer (RETIRED) gentoo-dev 2008-02-14 20:00:33 UTC
x86 stable
Comment 13 Brent Baude (RETIRED) gentoo-dev 2008-02-15 01:50:26 UTC
ppc64 stable
Comment 14 Ferris McCormick (RETIRED) gentoo-dev 2008-02-15 16:06:35 UTC
Sparc done.
Comment 15 Tobias Scherbaum (RETIRED) gentoo-dev 2008-02-16 18:44:05 UTC
ppc stable
Comment 16 Christoph Mende (RETIRED) gentoo-dev 2008-02-17 14:02:05 UTC
amd64 stable
Comment 17 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-02-20 08:26:50 UTC
This one is ready for GLSA vote. I tend to vote YES.
Comment 18 Peter Volkov (RETIRED) gentoo-dev 2008-02-25 10:50:11 UTC
Fixed in release snapshot.
Comment 19 Robert Buchholz (RETIRED) gentoo-dev 2008-03-04 14:25:55 UTC
YES, filed.
Comment 20 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-03-05 22:21:57 UTC
GLSA 200803-11