Bug 104566 - app-admin/gwcc: tmpfile vulnerability
Summary: app-admin/gwcc: tmpfile vulnerability
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High enhancement
Assignee: Gentoo Security
URL:
Whiteboard: B3 [ebuild+ removed] jaervosz
Keywords:
Duplicates: 106185
Depends on:
Blocks:
Reported: 2005-09-02 02:27 UTC by Romang
Modified: 2006-03-22 12:33 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
security fix (gwcc-security.diff, 2.35 KB, patch) - 2005-09-02 06:25 UTC, Tavis Ormandy (RETIRED)

Description Romang 2005-09-02 02:27:11 UTC
Hello,

Take a look at : src/callbacks.c

1702     // Pipe print command and voila!, the doc is printed.
1703     strcat(print_command, " /tmp/gwcc_out.txt");

And also into : src/utils.c

94     else if (strcmp(operation, "temp") == 0) {
95         strcat(file_name, "/tmp/gwcc_out.txt");

Regards.
Comment 1 Tavis Ormandy (RETIRED) gentoo-dev 2005-09-02 06:24:33 UTC
yes, confirmed.
Comment 2 Tavis Ormandy (RETIRED) gentoo-dev 2005-09-02 06:25:07 UTC
Created attachment 67477 [details, diff]
security fix

suggested quick fix.
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-09-03 02:50:28 UTC
Let us know when upstream is aware.
Comment 4 Romang 2005-09-05 01:09:25 UTC
Hello,

Email sent to upstream: sfbrent@users.sourceforge.net

Regards.
Comment 5 Romang 2005-09-13 02:39:13 UTC
Hello,

No upstream response.

Disclosure on 30/09/2005

Send to vendor-sec@lst.de

Regards.
Comment 6 Tavis Ormandy (RETIRED) gentoo-dev 2005-09-16 06:50:24 UTC
opening
Comment 7 Jean-François Brunette (RETIRED) gentoo-dev 2005-09-16 06:56:50 UTC
*** Bug 106185 has been marked as a duplicate of this bug. ***
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2005-09-16 13:50:02 UTC
Gnome team: please apply patch (or make your own)

=================================================
Candidate: CAN-2005-2944
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2944
Reference: VULNWATCH:20050916 gwcc insecure temporary file creation
Reference: MISC:http://www.zataz.net/adviso/gwcc-09052005.txt
Reference: CONFIRM:http://bugs.gentoo.org/show_bug.cgi?id=104566
Reference: SECUNIA:16833
Reference: URL:http://secunia.com/advisories/16833

The perform_file_save function in GNOME Workstation Command Center
(gwcc) allows local users to create and overwrite arbitrary files via
a symlink attack on the gwcc_out.txt temporary file.
Comment 9 Daniel Gryniewicz (RETIRED) gentoo-dev 2005-09-18 17:07:50 UTC
Two possible solutions here:  Either a security bug for all arches to bump 0.9.8
to stable, or removing the package entirely.  It is unmaintained, and has not
been updated upstream for 3 years.  I see no reason to patch the 4 year old
stable version, rather than bump the 3 year old ~ version or remove the package
entirely.
Comment 10 Mike Gardiner (RETIRED) gentoo-dev 2005-09-18 18:05:10 UTC
gwcc-0.9.8 has been marked stable on x86. Could other archs please do the same,
then we'll remove the vulnerable version as suggested by Daniel.
Comment 11 Daniel Gryniewicz (RETIRED) gentoo-dev 2005-09-18 18:08:53 UTC
CCing arches with ~ keywords
Comment 12 postmodern 2005-09-18 18:15:33 UTC
app-admin/gwcc-0.9.8 works on amd64.
Comment 13 Daniel Gryniewicz (RETIRED) gentoo-dev 2005-09-18 18:23:57 UTC
stable on amd64
Comment 14 Thierry Carrez (RETIRED) gentoo-dev 2005-09-19 01:07:58 UTC
I don't think 0.9.8 is unaffected... In fact it contains the exact same
vulnerable code... We need either to patch it or remove it (or prove me wrong)

Unccing arches.
Comment 15 Mike Gardiner (RETIRED) gentoo-dev 2005-09-19 02:03:00 UTC
Then I'm in favour of removing it, mostly due to the fact that it's been
unmaintained for 3+ years. John and dang?
Comment 16 John N. Laliberte (RETIRED) gentoo-dev 2005-09-19 09:46:15 UTC
I think removing it is the best option.
Comment 17 Daniel Gryniewicz (RETIRED) gentoo-dev 2005-09-19 20:42:07 UTC
I agree, it should be removed.  I've masked it for the moment, and we can remove it.
Comment 18 Thierry Carrez (RETIRED) gentoo-dev 2005-09-20 00:29:25 UTC
Keeping the bug open to remember to remove it sometime in the future.
Comment 19 solar (RETIRED) gentoo-dev 2005-09-22 11:59:02 UTC
the attached patch has what looks like an unchecked strcpy()/strcat() after a
previous getenv() call. Correct me if I am wrong, but this looks like it fixes
one problem and indirectly adds another.
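Added illustration (not gwcc's code and not the attached patch): the CVE text in comment 8 describes the fixed-name temporary file `/tmp/gwcc_out.txt`, which any local user can pre-create as a symlink so the program's output lands wherever the link points, and comment 19 notes that building the path from getenv() with an unchecked strcat() trades that for a buffer overflow. The block below shows the hardened pattern for both: a bounds-checked template built with snprintf(), a unique file opened with mkstemp() (O_CREAT|O_EXCL, mode 0600, so a planted symlink makes the open fail and a new name is tried), an fstat() sanity check on the descriptor, and output written through the descriptor rather than by a shell command that names a path. The `gwcc_out.` prefix and the TMPDIR fallback are assumptions chosen for the example.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Build "<dir>/gwcc_out.XXXXXX" into buf. Unlike an unchecked strcat()
 * after getenv(), snprintf() reports how much it wanted to write, so an
 * oversized TMPDIR is rejected instead of overflowing the buffer.
 * Returns 0 on success, -1 (errno = ENAMETOOLONG) on truncation.
 * The "gwcc_out." prefix is an assumption mirroring the name in the bug. */
int build_tmp_template(char *buf, size_t buflen, const char *dir)
{
    int n = snprintf(buf, buflen, "%s/gwcc_out.XXXXXX", dir);
    if (n < 0 || (size_t)n >= buflen) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return 0;
}

/* Create a private temporary file and return its descriptor (or -1).
 * mkstemp() opens with O_CREAT|O_EXCL and mode 0600: if another user has
 * already planted a symlink or file at the chosen name, the open fails
 * and a fresh random name is tried, so nobody else chooses where the
 * data lands. The final path is written back into buf. */
int open_private_tempfile(char *buf, size_t buflen)
{
    const char *dir = getenv("TMPDIR");
    if (dir == NULL || *dir == '\0')
        dir = "/tmp";                       /* assumed fallback directory */
    if (build_tmp_template(buf, buflen, dir) != 0)
        return -1;
    return mkstemp(buf);
}

/* Defensive check on an already-open descriptor: a regular file, owned by
 * the calling user, with exactly one hard link. Returns 1 if so, else 0. */
int fd_is_private_regular(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return 0;
    return S_ISREG(st.st_mode) && st.st_nlink == 1 && st.st_uid == geteuid();
}

/* Write the job through the descriptor we opened, never through a path
 * name that a shell command (or another user) could reinterpret. */
int write_job(int fd, const char *text)
{
    size_t len = strlen(text);
    ssize_t w = write(fd, text, len);
    return (w >= 0 && (size_t)w == len) ? 0 : -1;
}

int main(void)
{
    char path[4096];
    int fd = open_private_tempfile(path, sizeof path);
    if (fd < 0 || !fd_is_private_regular(fd)) {
        perror("open_private_tempfile");
        return 1;
    }
    write_job(fd, "constructed sample output\n");   /* constructed input */
    printf("wrote job to %s\n", path);
    unlink(path);   /* remove the name; the descriptor stays usable until close */
    close(fd);
    return 0;
}
```

The same descriptor can be handed to the print step (for example by dup2() onto a child's stdin) so the job never has to be reopened by name; that is what closes the race the CVE describes, since a path checked at one moment can be replaced by a symlink the next.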
Comment 20 Tavis Ormandy (RETIRED) gentoo-dev 2005-09-22 12:07:17 UTC
gwcc is not suid or sgid, so it's not an issue.
Comment 21 solar (RETIRED) gentoo-dev 2005-09-22 12:11:14 UTC
Tavis, true; just QA-wise it's a little under par.
Comment 22 Daniel Gryniewicz (RETIRED) gentoo-dev 2005-09-22 13:31:22 UTC
Doesn't matter, we're going to remove it rather than apply the patch anyway.
Comment 23 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-03-22 12:33:02 UTC
This appears to have been removed at some point so I'm just closing this one.