#########################################################
cdrx config insecure temporary file creation

Vendor: http://cdrx.sourceforge.net/
Advisory: http://www.zataz.net/adviso/cdrx-10042005.txt
Vendor informed: yes
Exploit available: yes
Impact : low
Exploitation : low
#########################################################

The vulnerabilities are due to insecure temporary file creation. They allow symlink attacks to create arbitrary files with the privileges of the user running the affected script, sensitive information disclosure, and possibly local or remote arbitrary command execution.

##########
Versions:
##########

cdrx <= 0.3.1-r1

##########
Solution:
##########

* Using File::Temp to create secure temporary files

    use File::Temp qw/ :mktemp /;

    my (%Config);
    # mkdtemp() creates the directory with mode 0700; an absolute template keeps
    # it under /tmp regardless of the current working directory
    my $TempDir = mkdtemp('/tmp/cdrx.XXXXXXXX');

    $Config{'pathtocdrecord'} = "/usr/bin/cdrecord";
    $Config{'pathtomkisofs'}  = "/usr/bin/mkisofs";
    $Config{'pathtomount'}    = "/bin/mount";
    $Config{'burnerrorfile'}  = "cdrx.burn.err";
    $Config{'cdrxerrorfile'}  = "cdrx.error";
    $Config{'mounterrorfile'} = "cdrx.mount.err";

- For the first error : line 442

    # the error file must live inside the private directory, hence the "/"
    my $DestFile  = "$TempDir/$Config{'burnerrorfile'}";
    my $arguments = "dev=$cdrw_def blank=$option 2> $DestFile";
    system("$Config{'pathtocdrecord'} $arguments");

  Also need to change : line 443 and 450 (don't know if it's possible)

    $no_media = `cat $DestFile | grep cdrecord | grep 'output error'`;

- For the second error : line 608

    my $DestFile  = "$TempDir/$Config{'cdrxerrorfile'}";
    my $arguments = "-r -o $write_dir_def/$iso_name $burn_string 2> $DestFile";
    system("$Config{'pathtomkisofs'} $arguments");

- For the third error : line 773

    my $DestFile  = "$TempDir/$Config{'mounterrorfile'}";
    my $arguments = "-tiso9660 $read_cdrom_dev /mnt 2> $DestFile";
    system("$Config{'pathtomount'} $arguments");

etc etc etc

#########
Timeline:
#########

Discovered : 2005-10-04
Vendor notified :
Vendor response :
Vendor fix :
Vendor Sec report (vendor-sec@lst.de) :
Disclosure :

#####################
Technical details :
#####################

Vulnerable code :
-----------------

* In cdrx.pl :

    442 system"cdrecord dev=$cdrw_def blank=$option 2>/tmp/cdrx.burn.err";
    443 $no_media = `cat /tmp/cdrx.burn.err | grep cdrecord | grep 'output error'`;
    450 $no_media = `cat /tmp/cdrx.burn.err | grep cdrecord | grep 'output error'`;
    608 system"mkisofs -r -o $write_dir_def/$iso_name $burn_string 2>/tmp/cdrx.error";
    767 system"mount -tiso9660 $read_cdrom_dev /mnt 2>/tmp/cdrx.mount.err";
    773 system"mount -tiso9660 $read_cdrom_dev /mnt 2>/tmp/cdrx.mount.err";
    791 system"cdrecord -v -eject dev=$cdrw_def speed=$write_speed -data $write_dir_def/$iso_name 2>/tmp/cdrx.burn.err";
    860 system"cdrecord -v -eject dev=$cdrw_def speed=$write_speed -data $iso_list{$iso_image_choice - 1} 2>/tmp/cdrx.burn.err";
    877 system"cdrecord -v -eject dev=$cdrw_def speed=$write_speed -data $write_dir_def/$iso_name 2>/tmp/cdrx.burn.err";
    892 system"cdrecord -v -eject dev=$cdrw_def speed=$write_speed -data $write_dir_def/$iso_name 2>/tmp/cdrx.burn.err";
    916 system"cdrecord -v -eject dev=$cdrw_def speed=$write_speed -data $write_dir_def/$iso_name 2>/tmp/cdrx.burn.err";

#########
Related :
#########

Bug report : http://bugs.gentoo.org/show_bug.cgi?id=
CVE :

#####################
Credits :
#####################

Eric Romang (eromang@zataz.net - ZATAZ Audit) - Gentoo Security Scout
Thanks to Gentoo Security Team.
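The hardened pattern the advisory's solution sketches, written out as an added example (not part of the advisory or of cdrx): a per-run private directory from File::Temp, the burner command started without a shell, and the error file read in Perl instead of through a `cat | grep` pipeline. The helper names `run_capturing_stderr` and `stderr_mentions` are hypothetical, and the demo uses perl itself in place of cdrecord.

```perl
# Added example, not cdrx's own code: capture a burner command's stderr in a
# private temporary directory instead of the fixed, world-writable /tmp path.
use strict;
use warnings;
use File::Temp qw(tempdir);

# One unpredictable directory per run (mode 0700), under $TMPDIR or /tmp,
# removed automatically when the script exits.
my $TempDir = tempdir('cdrx.XXXXXXXX', TMPDIR => 1, CLEANUP => 1);

# Hypothetical helper: run @cmd without a shell, with its stderr written to
# $errfile inside $TempDir. Returns the command's exit status.
sub run_capturing_stderr {
    my ($errfile, @cmd) = @_;
    my $path = "$TempDir/$errfile";   # inside our 0700 directory, not /tmp
    my $pid = fork();
    die "fork failed: $!" unless defined $pid;
    if ($pid == 0) {
        # Child: the file is created in a directory only this user can write
        # to, so there is no attacker-placed symlink to follow.
        open(STDERR, '>', $path) or exit 127;
        exec { $cmd[0] } @cmd or exit 127;   # list form: no shell parsing
    }
    waitpid($pid, 0);
    return $? >> 8;
}

# Replacement for the shell pipeline
#   cat /tmp/cdrx.burn.err | grep cdrecord | grep 'output error'
# read the file in Perl instead. Returns 1 when a matching line exists.
sub stderr_mentions {
    my ($errfile, $needle) = @_;
    open(my $fh, '<', "$TempDir/$errfile") or return 0;
    while (my $line = <$fh>) {
        return 1 if $line =~ /cdrecord/ && index($line, $needle) >= 0;
    }
    return 0;
}

# Constructed demo: perl itself stands in for cdrecord and emits the message
# cdrx looks for. The real call would be e.g.
#   run_capturing_stderr('cdrx.burn.err', $Config{'pathtocdrecord'}, "dev=$cdrw_def", "blank=$option");
my $status = run_capturing_stderr('cdrx.burn.err',
    $^X, '-e', 'print STDERR "cdrecord: output error\n"; exit 1');
my $no_media = stderr_mentions('cdrx.burn.err', 'output error');
print "exit status $status, no media: $no_media\n";
```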
Been missing it because it was mis-categorized. Auditors, please double-check
confirmed.
Has upstream been informed?
Hello, No, I have waited for your auditing first. One thing that is important before sending this to upstream: is the solution good? Regards.
We could ask the maintainer to test if only there was a maintainer to this.
Eric: fix looks ok to me... did you contact upstream yet?
Hello, Notified today and vendor-sec also. Regards.
Upstream is dead, probably better to release this, then fix it. Eric, whenever you want.
Hello, Go ;) Regards and happy new year to all gentoo security staff !
Opening. I vote for masking/removal, this is unmaintained both upstream and downstream.
If it's dumped upstream (which it seems to be) I vote removal, should be plenty of alternatives for something like this.
+1 for removal.
Last rites warning sent to -dev, to mask in 48 hours.
media-optical has no interest in taking this package since upstream is dead; go ahead and remove the package :)
Masked, prior to complete removal.
This has been masked long enough. Solar / Vapier / Tigger / Taviso please do the magic.
Hi treecleaners, Matt has just told me that this bug is old and the package has been masked for a while... "Last rites" already sent. Who will remove it from the tree?
Guess Alec really needs to follow his own guidelines ...
punted