
Bug 104473

Summary: app-admin/apachetop <= 0.12.5 insecure tmp file creation (CAN-2005-2660)
Product: Gentoo Security
Reporter: Romang <zataz>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: web-apps
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: C3 [noglsa] jaervosz
Package list:
Runtime testing required: ---
Attachments: apachetop_CAN-2005-2660.patch (flags: none)

Description Romang 2005-09-01 05:48:33 UTC
Hello,

Take a look at: src/apachetop.h

247 #define DEBUG_OUTPUT "/tmp/atop.debug"

Then in: src/apachetop.cc

85         cf.debug = true;

1103 int dprintf(const char *fmt, ...) /* {{{ */
1104 {
1105         FILE *d;
1106         va_list args;
1107 
1108         if (cf.debug && (d = fopen(DEBUG_OUTPUT, "a")))
1109         {
1110                 va_start(args, fmt);
1111                 vfprintf(d, fmt, args);
1112                 fclose(d);
1113                 va_end(args);
1114         }
1115 
1116         return 0;
1117 } /* }}} */

Regards
Comment 1 Tavis Ormandy (RETIRED) gentoo-dev 2005-09-01 11:21:59 UTC
confirmed, moving to vulnerabilities.
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-09-02 02:54:43 UTC
Eric: tell us when upstream is warned.
Comment 3 Romang 2005-09-02 04:50:02 UTC
Hello,

I have sent the advisory to upstream.

Chris Elsworth <chris@shagged.org>

Regards.
Comment 4 Romang 2005-09-13 02:35:06 UTC
Hello,

No upstream response.

Sent to: vendor-sec@lst.de

Disclosure on: 30/09/2005

Regards
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-09-13 05:17:46 UTC
Spanky/solar/tigger anybody wants to patch? 
Comment 6 Tavis Ormandy (RETIRED) gentoo-dev 2005-09-13 05:38:03 UTC
you could just redefine DEBUG_OUTPUT to "atop.debug", and perhaps turn off debug
by default.
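The fopen() call quoted in the description and the fix direction in comment 6 (keep the debug file out of /tmp, or refuse to follow whatever an attacker has already planted there), as an added C example. This is not code from apachetop, from the Debian patch attached to this bug, or from anyone in the thread. It stages the symlink attack against a copy of the vulnerable writer and against a hardened writer of my own design that opens with O_NOFOLLOW and validates the descriptor with fstat(); the scratch directory and the file names "victim" and "atop.debug" are constructed for the demonstration. Assumes Linux with glibc.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The apachetop 0.12.5 pattern reduced to one line of output: a fixed path in
 * a world-writable directory opened with fopen(..., "a"), which follows
 * symlinks and creates the file if it is missing. Anyone who can write to
 * /tmp can plant a symlink named atop.debug and have the apachetop user's
 * debug output appended to whatever the link points at. */
static int write_debug_vulnerable(const char *path, const char *line)
{
    FILE *d = fopen(path, "a");
    if (!d)
        return -1;
    fputs(line, d);
    fclose(d);
    return 0;
}

/* Hardened open (my suggestion, not the shipped patch): never follow a symlink
 * at the final component, then check on the descriptor that what we opened is
 * a regular file we own with no extra hard links. Checking the fd after open()
 * rather than stat()ing the path first closes the check-then-open race. */
static int debug_open_safe(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0)
        return -1;                       /* ELOOP when path is a symlink */

    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

static int write_debug_safe(const char *path, const char *line)
{
    ssize_t n;
    int fd = debug_open_safe(path);
    if (fd < 0)
        return -1;
    n = write(fd, line, strlen(line));
    close(fd);
    return n < 0 ? -1 : 0;
}

/* Stage the attack in a fresh scratch directory: an empty "victim" file and a
 * symlink carrying the debug file's name that points at it, then run one of
 * the writers against the symlink. Returns 1 if the victim grew (the write
 * went through the link), 0 if it did not, -1 if the setup itself failed. */
static int writes_through_symlink(int (*writer)(const char *, const char *))
{
    const char *base = getenv("TMPDIR");
    char dir[256], victim[320], link[320];
    struct stat st;
    int vfd, hit;

    snprintf(dir, sizeof dir, "%s/atopdemo.XXXXXX", base && *base ? base : "/tmp");
    if (!mkdtemp(dir))
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/atop.debug", dir);

    vfd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (vfd < 0 || symlink(victim, link) < 0) {
        if (vfd >= 0)
            close(vfd);
        return -1;
    }
    close(vfd);

    writer(link, "injected via symlink\n");   /* failure is the desired outcome */

    hit = (stat(victim, &st) == 0 && st.st_size > 0);

    unlink(link);
    unlink(victim);
    rmdir(dir);
    return hit;
}

int main(void)
{
    printf("fopen(\"a\") on fixed path:  victim written = %d\n",
           writes_through_symlink(write_debug_vulnerable));
    printf("O_NOFOLLOW + fstat checks: victim written = %d\n",
           writes_through_symlink(write_debug_safe));
    return 0;
}
```

The O_NOFOLLOW and ownership checks only protect the final path component; a symlinked parent directory is not caught, which is why the relative-path suggestion in comment 6 (a file in the current directory rather than under /tmp) is the simpler fix, and why turning debug output off by default removes the exposure entirely.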
Comment 7 Romang 2005-09-15 00:25:58 UTC
Hello,

CVE: CAN-2005-2660

Steve Kemp for Debian is currently working on a patch.
Maybe you should contact him to get the same patch.

Planned release date: 30/09/2005

Regards.
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2005-09-17 06:40:35 UTC
Waiting for a patch and to be closer to the release date
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2005-09-27 07:07:33 UTC
I asked Steve Kemp for his patch.
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2005-09-27 07:41:10 UTC
Created attachment 69342 [details, diff]
apachetop_CAN-2005-2660.patch

Patch from Steve Kemp (Debian)
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2005-09-27 07:43:10 UTC
Pulling rl03 in as web-apps security usual suspect.
We'll need to commit a patched version on 20050930 (not before), this is just a
warning so that you can prepare yourself.
Comment 12 Renat Lumpau (RETIRED) gentoo-dev 2005-09-27 09:43:31 UTC
/me prepares self
Comment 13 Thierry Carrez (RETIRED) gentoo-dev 2005-09-30 06:00:45 UTC
Now public,
rl03: feel free to bump now
Comment 14 Renat Lumpau (RETIRED) gentoo-dev 2005-09-30 10:23:31 UTC
bumped
Comment 15 Thierry Carrez (RETIRED) gentoo-dev 2005-09-30 13:44:01 UTC
Archs please test and mark 0.12.5-r1 stable
Comment 16 Mark Loeser (RETIRED) gentoo-dev 2005-09-30 18:07:11 UTC
x86 done
Comment 17 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-10-01 08:28:41 UTC
Stable on ppc.
Comment 18 Homer Parker (RETIRED) gentoo-dev 2005-10-01 13:12:23 UTC
Stable on amd64
Comment 19 Jason Wever (RETIRED) gentoo-dev 2005-10-01 15:39:49 UTC
Stable on SPARC.
Comment 20 Thierry Carrez (RETIRED) gentoo-dev 2005-10-02 01:57:35 UTC
Ready for GLSA vote
Comment 21 Thierry Carrez (RETIRED) gentoo-dev 2005-10-02 06:01:32 UTC
My vote all depends on whether this is enabled by default or not... Tavis/Eric,
could you enlighten us ?
Comment 22 Thierry Carrez (RETIRED) gentoo-dev 2005-10-03 02:15:23 UTC
src/apachetop.cc:       cf.debug = true;
src/apachetop.cc:       if (cf.debug && (d = fopen(DEBUG_OUTPUT, "a")))
src/apachetop.h:#define DEBUG_OUTPUT "/tmp/atop.debug"

Apparently this is enabled by default (?) so I vote YES.
Comment 23 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-10-06 08:05:48 UTC
Renat can you confirm that it is enabled per default? 
Comment 24 Tavis Ormandy (RETIRED) gentoo-dev 2005-10-07 10:33:24 UTC
vote YES, although it would require the adns USE flag to be set for there to be much
chance of exploiting, so not very likely.
Comment 25 Thierry Carrez (RETIRED) gentoo-dev 2005-10-07 10:52:49 UTC
If it requires USE=adns, I'm not sure it's needed...
Comment 26 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-10-07 23:47:17 UTC
Never heard about adns, I tend to vote NO. 
Comment 27 Thierry Carrez (RETIRED) gentoo-dev 2005-10-09 09:38:24 UTC
Reverting to NO and closing. USE=adns just sounds a little unlikely to me. Feel
free to reopen if you disagree though.