Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 111990

Summary: media-sound/gnump3d more issues (CVE-2005-33{49|55})
Product: Gentoo Security Reporter: Sune Kloppenborg Jeppesen <jaervosz>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: eradicator
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [glsa] jaervosz
Package list:
Runtime testing required: ---
Attachments:
Description Flags
index.lok.diff
none
tmpfile.diff
none
gnump3d-traversal.diff
none
gnump3d-index.lok.diff
none
gnump3d-tmpfile.diff
none
gnump3d-traversal.diff
none
gnump3d-2.9.7-r1.ebuild none

Description Sune Kloppenborg Jeppesen gentoo-dev 2005-11-09 11:47:26 UTC
Reported by Ludwig Nussel from SUSE: 
 
There is still another directory traversal bug that allows to escape 
the theme directory. Our package installs to /usr/share/gnump3d so 
you can access the whole /usr tree: 
http://localhost:8888/include/zlib.h?theme=../.. 
 
cu 
Ludwig 
 
--- 
And while we are already at it ... 
 
$ grepr -w /tmp 
./bin/gnump3d-index:  $lockfile = &getConfig( "lockfile",  "/tmp/index.lok" ); 
./bin/gnump3d-index:  $cache    = &getConfig( "tag_cache", 
"/tmp/tags.cache" ); 
./bin/gnump3d2:  $tag_cache   = getConfig( "tag_cache", "/tmp/tags.cache" ); 
./lib/gnump3d/plugins/search.pm:    my $tagCache = &getConfig( "tag_cache", 
"/tmp/tags.cache" ); 
./lib/gnump3d/tagcache.pm:    $tagCache->setCacheFile( '/tmp/tags.cache' ); 
 
cu 
Ludwig
Comment 1 Sune Kloppenborg Jeppesen gentoo-dev 2005-11-13 22:45:52 UTC
Fixes for the /tmp issues attached. 
 
tmpfile.diff - Change fallback default for tag cache to "". 
index.lok.diff - Remove unsafe /tmp lockfile usage. 
Comment 2 Sune Kloppenborg Jeppesen gentoo-dev 2005-11-13 22:46:31 UTC
Created attachment 72860 [details, diff]
index.lok.diff
Comment 3 Sune Kloppenborg Jeppesen gentoo-dev 2005-11-13 22:47:07 UTC
Created attachment 72861 [details, diff]
tmpfile.diff
Comment 4 Sune Kloppenborg Jeppesen gentoo-dev 2005-11-13 22:48:16 UTC
CVE-2005-3349 for the insecure files 
Comment 5 Sune Kloppenborg Jeppesen gentoo-dev 2005-11-14 02:02:32 UTC
CVE-2005-3355 for the directory traversal  
Comment 6 Sune Kloppenborg Jeppesen gentoo-dev 2005-11-14 14:16:29 UTC
Jeremy we're still waiting for the directory traversal issue but the patch 
should probably be available by tomorrow. CC'ing you already so you can be 
ready for disclosure on the 17th.  
Comment 7 Sune Kloppenborg Jeppesen gentoo-dev 2005-11-14 22:44:30 UTC
Created attachment 72928 [details, diff]
gnump3d-traversal.diff

Patch for the directory traversal.
Comment 8 Sune Kloppenborg Jeppesen gentoo-dev 2005-11-14 22:45:17 UTC
Jeremy please attach an updated ebuild to this bug. Do NOT commit anything to 
Portage at this time. 
Comment 9 Jeremy Huddleston (RETIRED) gentoo-dev 2005-11-16 09:24:59 UTC
Created attachment 73012 [details, diff]
gnump3d-index.lok.diff
Comment 10 Jeremy Huddleston (RETIRED) gentoo-dev 2005-11-16 09:25:19 UTC
Created attachment 73013 [details, diff]
gnump3d-tmpfile.diff
Comment 11 Jeremy Huddleston (RETIRED) gentoo-dev 2005-11-16 09:25:35 UTC
Created attachment 73014 [details, diff]
gnump3d-traversal.diff
Comment 12 Jeremy Huddleston (RETIRED) gentoo-dev 2005-11-16 09:25:52 UTC
Created attachment 73015 [details]
gnump3d-2.9.7-r1.ebuild
Comment 13 Sune Kloppenborg Jeppesen gentoo-dev 2005-11-16 12:01:30 UTC
Arch security liaisons please test and report back on this bug. 
Comment 14 Olivier Crete (RETIRED) gentoo-dev 2005-11-16 12:34:01 UTC
Adding halcy0n for x86 because I dont have my x86 box close.
Comment 15 Markus Rothe (RETIRED) gentoo-dev 2005-11-16 12:45:12 UTC
this looks on ppc64? 
 
Error 
The requested file /include/zlib.h couldn't be found. Please try returning to 
the index. 
Comment 16 Gustavo Zacarias (RETIRED) gentoo-dev 2005-11-16 13:08:09 UTC
sparc looks ok.
Comment 17 Thierry Carrez (RETIRED) gentoo-dev 2005-11-17 01:57:53 UTC
Now public with the release of upstream 2.9.8
http://www.gnu.org/software/gnump3d/

Jeremy: please commit the 2.9.7-r1 with already-tested keywords (or if you
prefer push 2.9.8 as ~ and we'll have arch retest this one)
Comment 18 Simon Stelling (RETIRED) gentoo-dev 2005-11-17 11:40:21 UTC
with 2.9.7-r1, when starting it, i get the following:

 * Caching service dependencies ...                                       [ ok ]
* Starting gnump3d ...
 * Updating index of music files (may take a while for the first time) ...
Undefined subroutine &main::removeLock called at /usr/bin/gnump3d-index line
194.                                                                         [ ok ]

other than that, it seems to work fine on amd64
Comment 19 Jeremy Huddleston (RETIRED) gentoo-dev 2005-11-17 17:35:30 UTC
2.9.7-r1 and 2.9.8 are both in portage now
Comment 20 Sune Kloppenborg Jeppesen gentoo-dev 2005-11-17 22:10:11 UTC
CC'ing remaining arches to mark stable (alpha and ppc64) and unCC'ing arch 
security liaisons. 
Comment 21 Markus Rothe (RETIRED) gentoo-dev 2005-11-18 00:54:56 UTC
stable on ppc64
Comment 22 Fernando J. Pereda (RETIRED) gentoo-dev 2005-11-18 02:09:34 UTC
alpha done
Comment 23 Sune Kloppenborg Jeppesen gentoo-dev 2005-11-18 02:41:26 UTC
Time for GLSA decision. We did a similar one in the past so I vote YES. 
Comment 24 Thierry Carrez (RETIRED) gentoo-dev 2005-11-18 04:35:00 UTC
Yes, we need one. And it's more than just an update since the issues changed
(tmpfile vulns in).
Comment 25 Thierry Carrez (RETIRED) gentoo-dev 2005-11-21 05:12:49 UTC
GLSA 200511-16