Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 190697

Summary: dev-util/qgit < 1.5.7: Insecure temp file creation and/or "qprocess" USE-flag feature request (CVE-2007-4631)
Product: Gentoo Security Reporter: Raphael Marichez (Falco) (RETIRED) <falco>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: ferdy, jokey
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://secunia.com/advisories/26745/
Whiteboard: B2? [glsa] Falco
Package list:
Runtime testing required: ---

Description Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-08-29 20:41:44 UTC 
Hi,

on systems with e.g. noexec on /tmp, qgit can't run without telling it to use QProcess. This relies in src/dataloader.c. The README file says:

 In case of portability issues it is possible to fallback
 on a standard QProcess based interface. To do this uncomment USE_QPROCESS
 define in 'src/dataloader.h' before to compile.

BTW i would say it is the expected behaviour in a Qt app.

Furthermore, the way /tmp is handled is insecure since qgit open() a /tmp file (pattern: /tmp/qgit_135422384.txt and /tmp/qgit_135422384.sh) and follows symlinks without checking for prior existence. Eventually, it unlink() the symlinks.

I am separately emailing qgit upstream (Macro Costalba).
Comment 1 Markus Ullmann (RETIRED) gentoo-dev 2007-08-29 20:44:12 UTC 
Did you check 2.0_rc versions as well? Maybe it's fixed there already...
Comment 2 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-08-29 21:07:10 UTC 
(In reply to comment #1)
> Did you check 2.0_rc versions as well? Maybe it's fixed there already...
> 

I only checked the source code. I was just checking it out and compiling it.
Comment 3 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-08-29 22:03:45 UTC 
(In reply to comment #1)
> Did you check 2.0_rc versions as well? Maybe it's fixed there already...
> 

git4 (which is not in portage). It has been fixed on 2007-04-22 13:21:28 between the 2pre1 and 2pre2 versions:
http://git.kernel.org/?p=qgit/qgit4.git;a=commitdiff;h=64749feedb5ece1b3ea9cc462ab61b0dc7051975

The upstream qgit git repository is still affected:
http://git.kernel.org/?p=qgit/qgit.git;a=blob_plain;f=src/dataloader.cpp;hb=HEAD
Comment 4 Fernando J. Pereda (RETIRED) gentoo-dev 2007-08-29 22:43:24 UTC 
This is about qgit instead of git
Comment 5 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-08-31 00:35:38 UTC 
(In reply to comment #4)
> This is about qgit instead of git
> 

of course, one letter seems to have vanished :)
Comment 6 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-08-31 12:51:28 UTC 
Dan Horák of Fedora has noticed a further impact: QGit then executes
/tmp/qgit_XXXXXXX.sh, which could have been changed by the attacker (I
haven't tested this second issue). Thanks to him.

This rises the bug severity. Marco (upstream) has acknowledged the issue and he will provide a patch very soon.
Comment 7 Tobias Heinlein (RETIRED) gentoo-dev 2007-09-10 16:24:08 UTC 
Upstream fixed this issue in version 1.5.7 which has been released a few days ago.
Comment 8 Markus Ullmann (RETIRED) gentoo-dev 2007-09-17 11:15:26 UTC 
ebuild in CVS
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2007-09-17 11:50:55 UTC 
Thanks Jokey. Arches, please test and stabilize qgit-1.5.7.
Targets are: "amd64 ppc ppc64 x86"
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2007-09-17 15:32:48 UTC 
x86 stable
Comment 11 Tobias Scherbaum (RETIRED) gentoo-dev 2007-09-17 17:30:10 UTC 
ppc stable
Comment 12 Tiago Cunha (RETIRED) gentoo-dev 2007-09-19 05:13:09 UTC 
1. Emerges on AMD64.
2. No collisions.
3. Test phase ok.
4. Works.

Portage 2.1.3.9 (default-linux/amd64/2007.0/desktop, gcc-4.1.2, glibc-2.5-r4, 2.6.22-gentoo-r5 x86_64)
=================================================================
System uname: 2.6.22-gentoo-r5 x86_64 Intel(R) Pentium(R) D CPU 3.00GHz
Timestamp of tree: Tue, 18 Sep 2007 20:50:01 +0000
ccache version 2.4 [enabled]
app-shells/bash:     3.2_p17
dev-java/java-config: 1.3.7, 2.0.33-r1
dev-lang/python:     2.4.4-r4
dev-python/pycrypto: 2.0.1-r6
dev-util/ccache:     2.4-r7
sys-apps/baselayout: 1.12.9-r2
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.17-r1
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.24
virtual/os-headers:  2.6.21
ACCEPT_KEYWORDS="amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -march=nocona -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/init.d /etc/pam.d /etc/revdep-rebuild /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-O2 -march=nocona -pipe"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="-k"
FEATURES="ccache collision-protect distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test unmerge-orphans userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://thor ftp://mirrors1.netvisao.pt/gentoo http://darkstar.ist.utl.pt/pub/gentoo http://distfiles.gentoo.org http://www.ibiblio.org/pub/Linux/distributions/gentoo"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://thor/gentoo-portage"
USE="X acl acpi alsa amd64 arts bash-completion bitmap-fonts branding cairo cdr cli cracklib crypt dbus dri dts dvd dvdr dvdread eds emboss encode evo fam firefox flac gdbm gif gpm hal iconv ipv6 isdnlog jpeg kde kdeenablefinal kdehiddenvisibility mad midi mikmod mmx mp3 mpeg mudflap musepack musicbrainz ncurses nptl nptlonly offensive ogg opengl openmp pam pcre pdf perl png postgres pppd python qt3 qt3support qt4 quicktime readline reflection sdl session spell spl sse sse2 ssl svg tcpd test tiff truetype truetype-fonts type1-fonts unicode vorbis xcomposite xinerama xml xorg xscreensaver xv zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="i810"
Unset:  CTARGET, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Comment 13 Christoph Mende (RETIRED) gentoo-dev 2007-09-19 12:10:11 UTC 
amd64 stable
Comment 14 Brent Baude (RETIRED) gentoo-dev 2007-09-20 21:00:08 UTC 
ppc64 stable
Comment 15 Robert Buchholz (RETIRED) gentoo-dev 2007-09-20 21:27:57 UTC 
last arch, ready for glsa.
Comment 16 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-09-24 08:56:09 UTC 
glsa request filed.
Comment 17 Robert Buchholz (RETIRED) gentoo-dev 2007-10-07 21:33:54 UTC 
GLSA 200710-05, thanks everyone.