Bug 111990

Summary: media-sound/gnump3d more issues (CVE-2005-33{49|55})
Product: Gentoo Security
Reporter: Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: eradicator
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B3 [glsa] jaervosz
Package list:
Runtime testing required: ---
Attachments (description, flags):
  index.lok.diff            none
  tmpfile.diff              none
  gnump3d-traversal.diff    none
  gnump3d-index.lok.diff    none
  gnump3d-tmpfile.diff      none
  gnump3d-traversal.diff    none
  gnump3d-2.9.7-r1.ebuild   none

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-11-09 11:47:26 UTC
Reported by Ludwig Nussel from SUSE: 
 
There is still another directory traversal bug that allows to escape 
the theme directory. Our package installs to /usr/share/gnump3d so 
you can access the whole /usr tree: 
http://localhost:8888/include/zlib.h?theme=../.. 
 
cu 
Ludwig 
 
--- 
And while we are already at it ... 
 
$ grepr -w /tmp 
./bin/gnump3d-index:  $lockfile = &getConfig( "lockfile",  "/tmp/index.lok" ); 
./bin/gnump3d-index:  $cache    = &getConfig( "tag_cache", "/tmp/tags.cache" ); 
./bin/gnump3d2:  $tag_cache   = getConfig( "tag_cache", "/tmp/tags.cache" ); 
./lib/gnump3d/plugins/search.pm:    my $tagCache = &getConfig( "tag_cache", "/tmp/tags.cache" ); 
./lib/gnump3d/tagcache.pm:    $tagCache->setCacheFile( '/tmp/tags.cache' ); 
 
cu 
Ludwig
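Added example (not gnump3d's code and not taken from the attached patches) showing the two defensive checks the report calls for: resolve the ?theme= path and verify it stays inside the theme root, and never fall back to a fixed, predictable file under /tmp. THEME_ROOT, resolve_theme_file, open_private_cache and cache_is_private are assumed names; the install prefix is the one named in the report.

```python
import os
import stat
import tempfile
from pathlib import Path
from typing import Optional

# Install prefix taken from the report; an assumption, not gnump3d's real config.
THEME_ROOT = Path("/usr/share/gnump3d")


class TraversalError(ValueError):
    """Raised when a request would resolve outside the theme root."""


def resolve_theme_file(theme: str, requested: str, root: Path = THEME_ROOT) -> Path:
    """Map ?theme=<name> plus a requested file to a path that must stay under root."""
    if not theme or "\0" in theme or "\0" in requested:
        raise TraversalError("empty theme or NUL byte in request")
    root = root.resolve(strict=False)
    # resolve() collapses ".." and symlinks, so the containment test runs on the
    # canonical path rather than on the client-controlled string.
    candidate = (root / theme / requested.lstrip("/")).resolve(strict=False)
    try:
        # Component-wise check: /usr/share/gnump3d-x is NOT under root, which a
        # plain str.startswith() prefix test would get wrong.
        candidate.relative_to(root)
    except ValueError:
        raise TraversalError(f"theme={theme!r} file={requested!r} escapes {root}") from None
    return candidate


def is_blocked(theme: str, requested: str) -> bool:
    try:
        resolve_theme_file(theme, requested)
    except TraversalError:
        return True
    return False


def open_private_cache(configured: Optional[str]):
    """Open the tag cache for writing. Without a configured path, create a private
    temp file instead of falling back to a fixed name such as /tmp/tags.cache."""
    if configured:
        # O_NOFOLLOW refuses a symlink pre-planted at the configured name.
        fd = os.open(configured, os.O_WRONLY | os.O_CREAT | os.O_NOFOLLOW, 0o600)
        return os.fdopen(fd, "w"), configured
    fd, path = tempfile.mkstemp(prefix="tags.cache.")  # unique name, mode 0600
    return os.fdopen(fd, "w"), path


def cache_is_private(path: str) -> bool:
    """Regular file (not a symlink) with mode 0600: what a safe cache should look like."""
    st = os.lstat(path)
    return stat.S_ISREG(st.st_mode) and (st.st_mode & 0o777) == 0o600
```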
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-11-13 22:45:52 UTC
Fixes for the /tmp issues attached. 
 
tmpfile.diff - Change fallback default for tag cache to "". 
index.lok.diff - Remove unsafe /tmp lockfile usage. 
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-11-13 22:46:31 UTC
Created attachment 72860 [details, diff]
index.lok.diff
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-11-13 22:47:07 UTC
Created attachment 72861 [details, diff]
tmpfile.diff
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-11-13 22:48:16 UTC
CVE-2005-3349 for the insecure files 
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-11-14 02:02:32 UTC
CVE-2005-3355 for the directory traversal  
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-11-14 14:16:29 UTC
Jeremy we're still waiting for the directory traversal issue but the patch 
should probably be available by tomorrow. CC'ing you already so you can be 
ready for disclosure on the 17th.  
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-11-14 22:44:30 UTC
Created attachment 72928 [details, diff]
gnump3d-traversal.diff

Patch for the directory traversal.
Comment 8 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-11-14 22:45:17 UTC
Jeremy please attach an updated ebuild to this bug. Do NOT commit anything to 
Portage at this time. 
Comment 9 Jeremy Huddleston (RETIRED) gentoo-dev 2005-11-16 09:24:59 UTC
Created attachment 73012 [details, diff]
gnump3d-index.lok.diff
Comment 10 Jeremy Huddleston (RETIRED) gentoo-dev 2005-11-16 09:25:19 UTC
Created attachment 73013 [details, diff]
gnump3d-tmpfile.diff
Comment 11 Jeremy Huddleston (RETIRED) gentoo-dev 2005-11-16 09:25:35 UTC
Created attachment 73014 [details, diff]
gnump3d-traversal.diff
Comment 12 Jeremy Huddleston (RETIRED) gentoo-dev 2005-11-16 09:25:52 UTC
Created attachment 73015 [details]
gnump3d-2.9.7-r1.ebuild
Comment 13 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-11-16 12:01:30 UTC
Arch security liaisons please test and report back on this bug. 
Comment 14 Olivier Crete (RETIRED) gentoo-dev 2005-11-16 12:34:01 UTC
Adding halcy0n for x86 because I don't have my x86 box close.
Comment 15 Markus Rothe (RETIRED) gentoo-dev 2005-11-16 12:45:12 UTC
this looks on ppc64? 
 
Error 
The requested file /include/zlib.h couldn't be found. Please try returning to 
the index. 
Comment 16 Gustavo Zacarias (RETIRED) gentoo-dev 2005-11-16 13:08:09 UTC
sparc looks ok.
Comment 17 Thierry Carrez (RETIRED) gentoo-dev 2005-11-17 01:57:53 UTC
Now public with the release of upstream 2.9.8
http://www.gnu.org/software/gnump3d/

Jeremy: please commit the 2.9.7-r1 with already-tested keywords (or if you
prefer push 2.9.8 as ~ and we'll have arch retest this one)
Comment 18 Simon Stelling (RETIRED) gentoo-dev 2005-11-17 11:40:21 UTC
with 2.9.7-r1, when starting it, I get the following:

 * Caching service dependencies ...                                       [ ok ]
* Starting gnump3d ...
 * Updating index of music files (may take a while for the first time) ...
Undefined subroutine &main::removeLock called at /usr/bin/gnump3d-index line 194.   [ ok ]

other than that, it seems to work fine on amd64
Comment 19 Jeremy Huddleston (RETIRED) gentoo-dev 2005-11-17 17:35:30 UTC
2.9.7-r1 and 2.9.8 are both in portage now
Comment 20 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-11-17 22:10:11 UTC
CC'ing remaining arches to mark stable (alpha and ppc64) and unCC'ing arch 
security liaisons. 
Comment 21 Markus Rothe (RETIRED) gentoo-dev 2005-11-18 00:54:56 UTC
stable on ppc64
Comment 22 Fernando J. Pereda (RETIRED) gentoo-dev 2005-11-18 02:09:34 UTC
alpha done
Comment 23 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-11-18 02:41:26 UTC
Time for GLSA decision. We did a similar one in the past so I vote YES. 
Comment 24 Thierry Carrez (RETIRED) gentoo-dev 2005-11-18 04:35:00 UTC
Yes, we need one. And it's more than just an update since the issues changed
(tmpfile vulns in).
Comment 25 Thierry Carrez (RETIRED) gentoo-dev 2005-11-21 05:12:49 UTC
GLSA 200511-16