Hi, on systems with e.g. noexec on /tmp, qgit can't run without telling it to use QProcess. This lives in src/dataloader.c. The README file says: "In case of portability issues it is possible to fallback on a standard QProcess based interface. To do this uncomment USE_QPROCESS define in 'src/dataloader.h' before to compile." BTW I would say it is the expected behaviour in a Qt app. Furthermore, the way /tmp is handled is insecure since qgit open()s a /tmp file (pattern: /tmp/qgit_135422384.txt and /tmp/qgit_135422384.sh) and follows symlinks without checking for prior existence. Eventually, it unlink()s the symlinks. I am separately emailing qgit upstream (Marco Costalba).
Did you check 2.0_rc versions as well? Maybe it's fixed there already...
(In reply to comment #1)
> Did you check 2.0_rc versions as well? Maybe it's fixed there already...

I only checked the source code. I was just checking it out and compiling it.
(In reply to comment #1)
> Did you check 2.0_rc versions as well? Maybe it's fixed there already...

git4 (which is not in portage). It has been fixed on 2007-04-22 13:21:28 between the 2pre1 and 2pre2 versions: http://git.kernel.org/?p=qgit/qgit4.git;a=commitdiff;h=64749feedb5ece1b3ea9cc462ab61b0dc7051975

The upstream qgit git repository is still affected: http://git.kernel.org/?p=qgit/qgit.git;a=blob_plain;f=src/dataloader.cpp;hb=HEAD
This is about qgit instead of git
(In reply to comment #4)
> This is about qgit instead of git

Of course, one letter seems to have vanished :)
Dan Horák of Fedora has noticed a further impact: QGit then executes /tmp/qgit_XXXXXXX.sh, which could have been changed by the attacker (I haven't tested this second issue). Thanks to him. This raises the bug severity. Marco (upstream) has acknowledged the issue and he will provide a patch very soon.
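The /tmp handling described in comments #0 and #6, as an added example that is neither qgit's code nor the upstream fix: a hardened open() for a caller-chosen name that refuses anything pre-staged at that path (including a symlink), the mkstemp()-based creation a fix would normally use instead of a predictable /tmp/qgit_<pid>.sh name, and a post-create sanity check. Function names and the scratch directory are my own assumptions.

```c
#define _GNU_SOURCE          /* O_NOFOLLOW, mkstemp, mkdtemp on glibc */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hardened open for a caller-chosen name. O_EXCL makes open() fail if the
 * path already exists in any form (the bug's pattern, O_CREAT|O_TRUNC
 * without O_EXCL, would follow a pre-staged symlink and truncate its
 * target), and O_NOFOLLOW refuses a symlink at the final component.
 * Returns the fd, or -1 with errno EEXIST/ELOOP when the name was taken. */
int open_tmp_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Preferred: mkstemp() picks an unpredictable name and creates the file
 * atomically with O_EXCL. The final name is written to path_out so the
 * caller can hand it to a child process and unlink() it afterwards. */
int create_private_tmp(const char *dir, const char *prefix,
                       char *path_out, size_t cap) {
    int n = snprintf(path_out, cap, "%s/%s.XXXXXX", dir, prefix);
    if (n < 0 || (size_t)n >= cap) { errno = ENAMETOOLONG; return -1; }
    int fd = mkstemp(path_out);
    if (fd < 0) return -1;
    if (fchmod(fd, 0600) != 0) {        /* older libcs created 0666 */
        close(fd); unlink(path_out); return -1;
    }
    return fd;
}

/* Post-create check on the fd (not the path, which could be swapped):
 * regular file, owned by us, mode 0600, exactly one hard link. */
int fd_is_private_regular(int fd) {
    struct stat st;
    if (fstat(fd, &st) != 0) return 0;
    return S_ISREG(st.st_mode) && st.st_uid == getuid()
        && (st.st_mode & 0777) == 0600 && st.st_nlink == 1;
}

int main(void) {
    char dir[] = "/tmp/qgit_demo.XXXXXX", path[256];   /* scratch dir */
    if (!mkdtemp(dir)) return 1;
    int fd = create_private_tmp(dir, "qgit", path, sizeof path);
    printf("%s: %s\n", path, fd >= 0 && fd_is_private_regular(fd) ? "ok" : "failed");
    if (fd >= 0) { close(fd); unlink(path); }
    return rmdir(dir) == 0 ? 0 : 1;
}
```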
Upstream fixed this issue in version 1.5.7, which was released a few days ago.
ebuild in CVS
Thanks Jokey. Arches, please test and stabilize qgit-1.5.7. Targets are: "amd64 ppc ppc64 x86"
x86 stable
ppc stable
1. Emerges on AMD64. 2. No collisions. 3. Test phase ok. 4. Works. Portage 2.1.3.9 (default-linux/amd64/2007.0/desktop, gcc-4.1.2, glibc-2.5-r4, 2.6.22-gentoo-r5 x86_64)
amd64 stable
ppc64 stable
last arch, ready for glsa.
glsa request filed.
GLSA 200710-05, thanks everyone.