Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 155613 - app-editors/kile: permissions on backups not copied from original (CVE-2005-1920)
Summary: app-editors/kile: permissions on backups not copied from original (CVE-2005-1...
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
Whiteboard: B4 [glsa] jaervosz
Depends on:
Reported: 2006-11-18 13:04 UTC by Tavis Ormandy (RETIRED)
Modified: 2006-11-27 01:12 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Tavis Ormandy (RETIRED) gentoo-dev 2006-11-18 13:04:53 UTC
- Don't use default permissions for backup file (CVE CAN-2005-1920 also applies to kile)

Flameeyes is going to check if a backport of the fix is feasible.
Comment 2 Diego Elio Pettenò (RETIRED) gentoo-dev 2006-11-18 13:29:51 UTC
1.9.2-r1 in tree, backporting the fix.
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-11-20 00:09:35 UTC
Thx Tavis/Diego.

Arches please test and mark stable. Target keywords are:

kile-1.9.2-r1.ebuild:KEYWORDS="amd64 hppa ppc ppc64 sparc x86"
Comment 4 Christian Faulhammer (RETIRED) gentoo-dev 2006-11-20 00:51:37 UTC
Most secure and best editing experience for people who aren't smart enough for Emacs on x86.
Comment 5 Michael Weyershäuser 2006-11-20 01:19:34 UTC
Emerges and works fine on amd64.

Portage 2.1.1-r2 (default-linux/amd64/2006.1/desktop, gcc-4.1.1, glibc-2.4-r4, 2.6.18-suspend2-Dudebox-Edition x86_64)
System uname: 2.6.18-suspend2-Dudebox-Edition x86_64 AMD Athlon(tm) 64 Processor 3200+
Gentoo Base System version 1.12.6
Last Sync: Mon, 20 Nov 2006 05:00:02 +0000
distcc 2.18.3 x86_64-pc-linux-gnu (protocols 1 and 2) (default port 3632) [enabled]
ccache version 2.3 [enabled]
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: [Not Present]
dev-lang/python:     2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.3
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.60
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r4
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
CFLAGS="-march=k8 -msse3 -Os -pipe"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /var/qmail/alias /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-march=k8 -msse3 -Os -pipe"
FEATURES="autoconfig ccache collision-protect distcc distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
USE="amd64 X alsa apache2 berkdb bitmap-fonts cairo cdr cli cracklib crypt cups dbus dlloader dri dvd dvdr eds elibc_glibc emboss encode esd fam firefox fortran gcj gdbm gif gpm gstreamer gtk gtk2 hal iconv imap input_devices_keyboard input_devices_mouse isdnlog jpeg kde kdeenablefinal kdehiddenvisibility kernel_linux libg++ mad mikmod mp3 mpeg mysql ncurses nls nptl nptlonly objc objc++ ogg oss pam pcre perl png ppds pppd python qt3 quicktime readline reflection sdl session spell spl sqlite ssl tcpd test truetype truetype-fonts type1-fonts udev unicode userland_GNU video_cards_radeon vorbis xml xorg xv zlib"
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2006-11-20 05:47:51 UTC
Stable for HPPA.
Comment 7 Gustavo Zacarias (RETIRED) gentoo-dev 2006-11-20 05:53:23 UTC
sparc stable.
Comment 8 Brent Baude (RETIRED) gentoo-dev 2006-11-20 07:19:06 UTC
ppc64 stable
Comment 9 Danny van Dyk (RETIRED) gentoo-dev 2006-11-20 14:55:19 UTC
amd64 done.
Comment 10 Tobias Scherbaum (RETIRED) gentoo-dev 2006-11-23 09:35:21 UTC
ppc stable, this one is ready for GLSA voting.
Comment 11 Wolf Giesen (RETIRED) gentoo-dev 2006-11-23 14:22:57 UTC
Hm ... anybody got more flesh on this?

Sure, the apps are "network transparent" in the sense of using kio_slaves; but those usually can't set permissions directy (like fish://, which has to use whatever it gets on the remote side). I'm probably not recognizing the true impact here, though. This is basically in information leakage problem, right? In that case it only applies to configurations where the backups are stored in some non-private area. Meaning, if I edit my /var/lib/samba/private/supercredentials with k*, I'm fucked since my users will know my credentials.


When in doubt, shove it out :P

glsa++ (catch-all rule)
Comment 12 Tavis Ormandy (RETIRED) gentoo-dev 2006-11-23 15:34:20 UTC
Wolf for example (the output here is just made up, I dont have kde here :)

$ ls -l .fetchmailrc 
-rw------- 1 taviso users 716 2006-11-23 20:09 .fetchmailrc
$ kile .fetchmailrc &
[1] 1234
$ ls -l .fetchmailrc~
-rw-r--r-- 1 taviso users 716 2006-11-23 20:09 .fetchmailrc~

# ie, my fetchmail login credentials are now exposed.

I would vote yes.
Comment 13 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-11-24 02:25:39 UTC
Let's have a GLSA then.

Security, please review the draft.
Comment 14 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-11-27 01:12:46 UTC
GLSA 200611-21