Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 155613

Summary: app-editors/kile: permissions on backups not copied from original (CVE-2005-1920)
Product: Gentoo Security Reporter: Tavis Ormandy (RETIRED) <taviso>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: minor CC: flameeyes
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B4 [glsa] jaervosz
Package list:
Runtime testing required: ---

Description Tavis Ormandy (RETIRED) gentoo-dev 2006-11-18 13:04:53 UTC
- Don't use default permissions for backup file (CVE CAN-2005-1920 also applies to kile)

Flameeyes is going to check if a backport of the fix is feasible.
Comment 2 Diego Elio Pettenò (RETIRED) gentoo-dev 2006-11-18 13:29:51 UTC
1.9.2-r1 in tree, backporting the fix.
Comment 3 Sune Kloppenborg Jeppesen gentoo-dev 2006-11-20 00:09:35 UTC
Thx Tavis/Diego.

Arches please test and mark stable. Target keywords are:

kile-1.9.2-r1.ebuild:KEYWORDS="amd64 hppa ppc ppc64 sparc x86"
Comment 4 Christian Faulhammer (RETIRED) gentoo-dev 2006-11-20 00:51:37 UTC
Most secure and best editing experience for people who aren't smart enough for Emacs on x86.
Comment 5 Michael Weyershäuser 2006-11-20 01:19:34 UTC
Emerges and works fine on amd64.

Portage 2.1.1-r2 (default-linux/amd64/2006.1/desktop, gcc-4.1.1, glibc-2.4-r4, 2.6.18-suspend2-Dudebox-Edition x86_64)
System uname: 2.6.18-suspend2-Dudebox-Edition x86_64 AMD Athlon(tm) 64 Processor 3200+
Gentoo Base System version 1.12.6
Last Sync: Mon, 20 Nov 2006 05:00:02 +0000
distcc 2.18.3 x86_64-pc-linux-gnu (protocols 1 and 2) (default port 3632) [enabled]
ccache version 2.3 [enabled]
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: [Not Present]
dev-lang/python:     2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.3
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.60
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r4
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
CFLAGS="-march=k8 -msse3 -Os -pipe"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /var/qmail/alias /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-march=k8 -msse3 -Os -pipe"
FEATURES="autoconfig ccache collision-protect distcc distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
USE="amd64 X alsa apache2 berkdb bitmap-fonts cairo cdr cli cracklib crypt cups dbus dlloader dri dvd dvdr eds elibc_glibc emboss encode esd fam firefox fortran gcj gdbm gif gpm gstreamer gtk gtk2 hal iconv imap input_devices_keyboard input_devices_mouse isdnlog jpeg kde kdeenablefinal kdehiddenvisibility kernel_linux libg++ mad mikmod mp3 mpeg mysql ncurses nls nptl nptlonly objc objc++ ogg oss pam pcre perl png ppds pppd python qt3 quicktime readline reflection sdl session spell spl sqlite ssl tcpd test truetype truetype-fonts type1-fonts udev unicode userland_GNU video_cards_radeon vorbis xml xorg xv zlib"
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2006-11-20 05:47:51 UTC
Stable for HPPA.
Comment 7 Gustavo Zacarias (RETIRED) gentoo-dev 2006-11-20 05:53:23 UTC
sparc stable.
Comment 8 Brent Baude (RETIRED) gentoo-dev 2006-11-20 07:19:06 UTC
ppc64 stable
Comment 9 Danny van Dyk (RETIRED) gentoo-dev 2006-11-20 14:55:19 UTC
amd64 done.
Comment 10 Tobias Scherbaum (RETIRED) gentoo-dev 2006-11-23 09:35:21 UTC
ppc stable, this one is ready for GLSA voting.
Comment 11 Wolf Giesen (RETIRED) gentoo-dev 2006-11-23 14:22:57 UTC
Hm ... anybody got more flesh on this?

Sure, the apps are "network transparent" in the sense of using kio_slaves; but those usually can't set permissions directy (like fish://, which has to use whatever it gets on the remote side). I'm probably not recognizing the true impact here, though. This is basically in information leakage problem, right? In that case it only applies to configurations where the backups are stored in some non-private area. Meaning, if I edit my /var/lib/samba/private/supercredentials with k*, I'm fucked since my users will know my credentials.


When in doubt, shove it out :P

glsa++ (catch-all rule)
Comment 12 Tavis Ormandy (RETIRED) gentoo-dev 2006-11-23 15:34:20 UTC
Wolf for example (the output here is just made up, I dont have kde here :)

$ ls -l .fetchmailrc 
-rw------- 1 taviso users 716 2006-11-23 20:09 .fetchmailrc
$ kile .fetchmailrc &
[1] 1234
$ ls -l .fetchmailrc~
-rw-r--r-- 1 taviso users 716 2006-11-23 20:09 .fetchmailrc~

# ie, my fetchmail login credentials are now exposed.

I would vote yes.
Comment 13 Sune Kloppenborg Jeppesen gentoo-dev 2006-11-24 02:25:39 UTC
Let's have a GLSA then.

Security, please review the draft.
Comment 14 Sune Kloppenborg Jeppesen gentoo-dev 2006-11-27 01:12:46 UTC
GLSA 200611-21