Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 190697 - dev-util/qgit < 1.5.7: Insecure temp file creation and/or "qprocess" USE-flag feature request (CVE-2007-4631)
Summary: dev-util/qgit < 1.5.7: Insecure temp file creation and/or "qprocess" USE-fla...
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: B2? [glsa] Falco
Depends on:
Reported: 2007-08-29 20:41 UTC by Raphael Marichez (Falco) (RETIRED)
Modified: 2007-10-07 21:33 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-08-29 20:41:44 UTC

on systems with e.g. noexec on /tmp, qgit can't run without telling it to use QProcess. This relies in src/dataloader.c. The README file says:

 In case of portability issues it is possible to fallback
 on a standard QProcess based interface. To do this uncomment USE_QPROCESS
 define in 'src/dataloader.h' before to compile.

BTW i would say it is the expected behaviour in a Qt app.

Furthermore, the way /tmp is handled is insecure since qgit open() a /tmp file (pattern: /tmp/qgit_135422384.txt and /tmp/ and follows symlinks without checking for prior existence. Eventually, it unlink() the symlinks.

I am separately emailing qgit upstream (Macro Costalba).
Comment 1 Markus Ullmann (RETIRED) gentoo-dev 2007-08-29 20:44:12 UTC
Did you check 2.0_rc versions as well? Maybe it's fixed there already...
Comment 2 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-08-29 21:07:10 UTC
(In reply to comment #1)
> Did you check 2.0_rc versions as well? Maybe it's fixed there already...

I only checked the source code. I was just checking it out and compiling it.
Comment 3 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-08-29 22:03:45 UTC
(In reply to comment #1)
> Did you check 2.0_rc versions as well? Maybe it's fixed there already...

git4 (which is not in portage). It has been fixed on 2007-04-22 13:21:28 between the 2pre1 and 2pre2 versions:;a=commitdiff;h=64749feedb5ece1b3ea9cc462ab61b0dc7051975

The upstream qgit git repository is still affected:;a=blob_plain;f=src/dataloader.cpp;hb=HEAD
Comment 4 Fernando J. Pereda (RETIRED) gentoo-dev 2007-08-29 22:43:24 UTC
This is about qgit instead of git
Comment 5 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-08-31 00:35:38 UTC
(In reply to comment #4)
> This is about qgit instead of git

of course, one letter seems to have vanished :)
Comment 6 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-08-31 12:51:28 UTC
Dan Horák of Fedora has noticed a further impact: QGit then executes
/tmp/, which could have been changed by the attacker (I
haven't tested this second issue). Thanks to him.

This rises the bug severity. Marco (upstream) has acknowledged the issue and he will provide a patch very soon.
Comment 7 Tobias Heinlein (RETIRED) gentoo-dev 2007-09-10 16:24:08 UTC
Upstream fixed this issue in version 1.5.7 which has been released a few days ago.
Comment 8 Markus Ullmann (RETIRED) gentoo-dev 2007-09-17 11:15:26 UTC
ebuild in CVS
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2007-09-17 11:50:55 UTC
Thanks Jokey. Arches, please test and stabilize qgit-1.5.7.
Targets are: "amd64 ppc ppc64 x86"
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2007-09-17 15:32:48 UTC
x86 stable
Comment 11 Tobias Scherbaum (RETIRED) gentoo-dev 2007-09-17 17:30:10 UTC
ppc stable
Comment 12 Tiago Cunha (RETIRED) gentoo-dev 2007-09-19 05:13:09 UTC
1. Emerges on AMD64.
2. No collisions.
3. Test phase ok.
4. Works.

Portage (default-linux/amd64/2007.0/desktop, gcc-4.1.2, glibc-2.5-r4, 2.6.22-gentoo-r5 x86_64)
System uname: 2.6.22-gentoo-r5 x86_64 Intel(R) Pentium(R) D CPU 3.00GHz
Timestamp of tree: Tue, 18 Sep 2007 20:50:01 +0000
ccache version 2.4 [enabled]
app-shells/bash:     3.2_p17
dev-java/java-config: 1.3.7, 2.0.33-r1
dev-lang/python:     2.4.4-r4
dev-python/pycrypto: 2.0.1-r6
dev-util/ccache:     2.4-r7
sys-apps/baselayout: 1.12.9-r2
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.17-r1
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.24
virtual/os-headers:  2.6.21
CFLAGS="-O2 -march=nocona -pipe"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/init.d /etc/pam.d /etc/revdep-rebuild /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-O2 -march=nocona -pipe"
FEATURES="ccache collision-protect distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test unmerge-orphans userfetch userpriv usersandbox"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
USE="X acl acpi alsa amd64 arts bash-completion bitmap-fonts branding cairo cdr cli cracklib crypt dbus dri dts dvd dvdr dvdread eds emboss encode evo fam firefox flac gdbm gif gpm hal iconv ipv6 isdnlog jpeg kde kdeenablefinal kdehiddenvisibility mad midi mikmod mmx mp3 mpeg mudflap musepack musicbrainz ncurses nptl nptlonly offensive ogg opengl openmp pam pcre pdf perl png postgres pppd python qt3 qt3support qt4 quicktime readline reflection sdl session spell spl sse sse2 ssl svg tcpd test tiff truetype truetype-fonts type1-fonts unicode vorbis xcomposite xinerama xml xorg xscreensaver xv zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="i810"
Comment 13 Christoph Mende (RETIRED) gentoo-dev 2007-09-19 12:10:11 UTC
amd64 stable
Comment 14 Brent Baude (RETIRED) gentoo-dev 2007-09-20 21:00:08 UTC
ppc64 stable
Comment 15 Robert Buchholz (RETIRED) gentoo-dev 2007-09-20 21:27:57 UTC
last arch, ready for glsa.
Comment 16 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-09-24 08:56:09 UTC
glsa request filed.
Comment 17 Robert Buchholz (RETIRED) gentoo-dev 2007-10-07 21:33:54 UTC
GLSA 200710-05, thanks everyone.