Bug 94475 - net-im/kpopper <= 1.0 insecure temporary file creation
Summary: net-im/kpopper <= 1.0 insecure temporary file creation
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
: High enhancement
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa masked] jaervosz
Keywords:
Depends on:
Blocks:
 
Reported: 2005-05-30 01:26 UTC by Romang
Modified: 2006-03-26 13:16 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Description Romang 2005-05-30 01:26:28 UTC
Hello,

popper/popper-send.sh

#!/bin/sh
echo "$2" > /tmp/.popper-new
echo `date +"%a %l:%m %p"` >> /tmp/.popper-new
cat "$1" >> /tmp/.popper-new
mv -f /tmp/.popper-new /tmp/.popper

The .popper is also used in:

popper/popper.cpp

Possible to overwrite or create arbitrary files with the rights of the user using kpopper.

Regards.
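
A hardened form of the write sequence reported above, as an added example that is not part of the bug report and not kpopper or Gentoo code. The function name popper_store, the default state directory and the assumption that the reader side (popper.cpp) is changed to read from that same private directory are all hypothetical.

```shell
#!/bin/sh
# Added example: the popper-send.sh logic without fixed names in /tmp.
# popper_store MESSAGE_FILE SENDER [STATE_DIR]
# The body runs in a subshell so umask and variables do not leak to the caller.
popper_store() (
    msg_file=$1
    sender=$2
    # Hypothetical default; any directory that only this user can write to works.
    state_dir=${3:-"${XDG_RUNTIME_DIR:-$HOME}/.kpopper"}

    umask 077
    mkdir -p -- "$state_dir" || exit 1
    # Refuse a state directory that is itself a symlink.
    [ -d "$state_dir" ] && [ ! -L "$state_dir" ] || exit 1
    chmod 700 -- "$state_dir" || exit 1

    # mktemp creates the file exclusively under an unpredictable name, so a
    # file or symlink planted in advance is never opened in its place.
    tmp=$(mktemp "$state_dir/.popper-new.XXXXXX") || exit 1

    {
        printf '%s\n' "$sender"
        # %M is minutes; the quoted script uses %m, which is the month.
        date +"%a %l:%M %p"
        cat -- "$msg_file"
    } > "$tmp" || { rm -f -- "$tmp"; exit 1; }

    # rename within one directory is atomic and replaces the destination
    # entry itself; it does not write through a symlink at that name.
    mv -f -- "$tmp" "$state_dir/.popper"
)

# Same calling convention as the quoted script: $1 = message file, $2 = sender.
if [ "$#" -ge 2 ]; then
    popper_store "$1" "$2"
fi
```
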
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-05-30 08:29:07 UTC
Auditors please verify. 
Comment 2 Tavis Ormandy (RETIRED) gentoo-dev 2005-06-11 09:26:15 UTC
yep, clear cut.
Comment 3 Romang 2005-06-13 07:36:43 UTC
Hello,

I contact upstream

Regards.
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-06-24 06:03:45 UTC
Pulling in carlo from KDE for advice on that kde-herd package.
We'll probably have to patch it ourselves if upstream doesn't react.
Comment 5 Carsten Lohrke (RETIRED) gentoo-dev 2005-06-26 17:25:25 UTC
Unmaintained for three years and there's net-im/kpopup as alternative. Why not
just bury this package?

btw. Maybe someone from the security herd would be so nice and have a look at
kpopup as well. There was a problem once, solved by the author via a world wide
writeable directory for messages. I don't think smb messaging is safe at all,
but you may think about other attack vectors in conjunction with possible holes
in samba's message handling. Maybe I'm just too suspicious.

Please excuse, that I do not like to make my fingers dirty with instant
messaging sh*t... ;)
Comment 6 Romang 2005-06-27 00:44:16 UTC
Hello,

Published on vendor-sec@lst.de

Regards.
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2005-06-27 00:54:49 UTC
carlo, feel free to mask it, prior to complete removal
Comment 8 Carsten Lohrke (RETIRED) gentoo-dev 2005-06-27 04:45:29 UTC
Konn: Masked

Romang: Thanks for your report.
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2005-06-27 07:28:10 UTC
Masked, going public on 20050604.
Comment 10 Carsten Lohrke (RETIRED) gentoo-dev 2005-07-10 13:40:05 UTC
>  going public on 20050604

I'm not sure, if we passed the date by month or year given the date you wrote
this. ;) Just would like to ask, if it's when I remove the package from the
repository before this issue will be public!?
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2005-07-11 04:49:10 UTC
Hmm forgot that one :)
Comment 12 Carsten Lohrke (RETIRED) gentoo-dev 2005-10-07 10:48:52 UTC
(In reply to comment #11)
> Hmm forgot that one :)

Yes, I think so. ;)
Comment 13 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-12-18 12:22:49 UTC
A few months more have passed on this one...
Comment 14 Carsten Lohrke (RETIRED) gentoo-dev 2006-02-21 11:02:03 UTC
Thierry, since you're active today, could you revisit this bug please? It's a minor one, but more than half a year, now.
Comment 15 Thierry Carrez (RETIRED) gentoo-dev 2006-02-22 10:05:32 UTC
The idea would be to remove it after a last rites email. Can't do it right now, but anybody else can do it...
Comment 16 Stefan Cornelius (RETIRED) gentoo-dev 2006-02-23 07:29:14 UTC
I sent a last-rites mail to gentoo-dev.
Comment 17 Carsten Lohrke (RETIRED) gentoo-dev 2006-02-23 08:14:55 UTC
(In reply to comment #15)
> The idea would be to remove it after a last rites email. Can't do it right now,
> but anybody else can do it...
> 

The point is that you said something about "going public" so I'm still waiting for the GLSA. Otherwise I'd have purged the package months ago.
Comment 18 Stefan Cornelius (RETIRED) gentoo-dev 2006-02-23 08:26:45 UTC
Well, I think sending a GLSA half a year later is pretty embarrassing and probably useless, so I'd say that we just let this package die in peace ...
Comment 19 Carsten Lohrke (RETIRED) gentoo-dev 2006-02-23 08:51:32 UTC
(In reply to comment #18)
> Well, I think sending a GLSA half a year later is pretty embarrassing and
> probably useless, so I'd say that we just let this package die in peace ...
> 

In short: You want to be as dishonest as lots of vendors of proprietary products...
Comment 20 Thierry Carrez (RETIRED) gentoo-dev 2006-02-23 10:05:01 UTC
It's not really that. Our security policy states that security masks for level B3 (minor) do not generate maskGLSAs, that's why we didn't issue one back then. It's like a GLSA vote that automatically says "no"...

About the "going public" it was about opening this bug (which was restricted in the first place). It's already been done, see Bug activity, what happened 2005-07-11. This bug stayed open just so that sometime in the future we remember to remove it completely.
Comment 21 Carsten Lohrke (RETIRED) gentoo-dev 2006-02-26 13:07:08 UTC
Thierry, that's a different statement than "Uh, the bug is quite old, so let's drop it behind the curtain." and I won't disagree that this isn't a big issue, it's just that comment #9 sounds otherwise. Also looking at the previous GLSAs, this sort of bug usually was announced.
Comment 22 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-03-22 12:39:43 UTC
KDE any news on this one?
Comment 23 Carsten Lohrke (RETIRED) gentoo-dev 2006-03-26 07:57:12 UTC
The package is masked since June last year and can be removed any day. It's only up to the security herd how to deal with it. Close or GLSA.
Comment 24 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-03-26 12:54:57 UTC
Carlo please remove kpopper from the tree and I'll close this bug.
Comment 25 Carsten Lohrke (RETIRED) gentoo-dev 2006-03-26 13:04:49 UTC
buried
Comment 26 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-03-26 13:16:57 UTC
Thx, package removed, now it's time to close this one.