Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 245765 (CVE-2008-4957) - <dev-cpp/gccxml-0.9.0_pre20090516 symlink attack (CVE-2008-4957)
Summary: <dev-cpp/gccxml-0.9.0_pre20090516 symlink attack (CVE-2008-4957)
Status: RESOLVED FIXED
Alias: CVE-2008-4957
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL: http://bugs.debian.org/496391
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks: debian-tempfile
  Show dependency tree
 
Reported: 2008-11-05 22:14 UTC by Stefan Behte (RETIRED)
Modified: 2020-04-06 20:48 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Behte (RETIRED) gentoo-dev Security 2008-11-05 22:14:32 UTC
CVE-2008-4957 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4957):
  find_flags in gccxml 0.9.0 allows local users to overwrite arbitrary
  files via a symlink attack on a /tmp/*.cxx temporary file.
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2008-11-05 22:15:15 UTC
DEBIAN: http://bugs.debian.org/496391
FILES: find_flags
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/gccxml
Comment 2 Mark Loeser (RETIRED) gentoo-dev 2008-11-12 01:06:06 UTC
Would it be sufficient to just remove the .cxx at the end?  It generates the tempfile name from the following:

TESTFILE="find_flags_temp$GCCXML_PID"
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2008-11-12 10:58:31 UTC
No, that would make it even worse. I'll have look into it later.
Comment 4 Stefan Behte (RETIRED) gentoo-dev Security 2008-11-12 19:55:09 UTC
Mark, you could still symlink a .cxx-less file to /etc/passwd.
Instead, I'd check if the file belongs to us, and if so, it's safe to use it (if an attacker can create that file with our user account, we're already owned...)

touch /tmp/$TESTFILE.cxx
if [ ! -O /tmp/$TESTFILE.cxx ]
then
        echo "Something nasty is happening here. Quitting."
        exit -1
fi

I don't know if there is a patch upstream (yet).
Comment 5 Stefan Behte (RETIRED) gentoo-dev Security 2008-11-12 20:34:09 UTC
No patch in CVS.
There are more symlink issues, also see bug: http://www.gccxml.org/Bug/view.php?id=8083
Comment 6 Christian Hoffmann (RETIRED) gentoo-dev 2008-11-12 22:33:53 UTC
(In reply to comment #4)
> Mark, you could still symlink a .cxx-less file to /etc/passwd.
> Instead, I'd check if the file belongs to us, and if so, it's safe to use it
> (if an attacker can create that file with our user account, we're already
> owned...)
> 
> touch /tmp/$TESTFILE.cxx
> if [ ! -O /tmp/$TESTFILE.cxx ]
> then
>         echo "Something nasty is happening here. Quitting."
>         exit -1
> fi
I'm not entirely sure whether this is race condition safe, so I'd rather play safe and use mktemp (or maybe mktemp -d and place all temp files in there).
Comment 7 Stefan Behte (RETIRED) gentoo-dev Security 2008-11-12 22:42:26 UTC
It's not a race condition; if the file belongs to you, you're not entering the if statement, if the file does not belong to you, the code snippet will exit; the touching does not change ownership.

Still, mktemp is surely the right way to go.
Comment 8 Christian Hoffmann (RETIRED) gentoo-dev 2008-11-12 22:57:19 UTC
(In reply to comment #7)
> It's not a race condition;
Right, found that out now as well, but ...

> if the file belongs to you, you're not entering the
> if statement
This assumption seems to be false...
> if the file does not belong to you, the code snippet will exit;
But it will always be owned by the user, except for the case where there is an ordinary file (i.e. not a symlink) which is more than user-writable. Uninteresting case, though.

My testings:

# somebody who is not me creates a symlink before the program is run
$ sudo ln -s foo bar
$ ls -la
lrwxrwxrwx  1 root      root         3 2008-11-12 23:47 bar -> foo
 
# program is run and uses your "checking code", i.e. calling touch
$ touch bar
$ ls -la
lrwxrwxrwx  1 root      root         3 2008-11-12 23:47 bar -> foo
-rw-r--r--  1 christian christian    0 2008-11-12 23:47 foo
 
$ [[ -O bar ]] && echo "Yes, file is owned by me (err... wait.. it isn't....)"
Yes, file is owned by me (err... wait.. it isn't....)

As you can see, both touch and -O do dereference symlinks. Checking for symlinks first would introduce a race condition though... so... I don't see any simple solution besides mktemp.

BTW: As there is no patch, this is rather [upstream] than [ebuild], imo.
Comment 9 Stefan Behte (RETIRED) gentoo-dev Security 2008-11-13 21:33:03 UTC
Epic fail for me.
OF COURSE the file is owned by the current user, as the "evil user" links to it so that the current user will destroy it. My test case was crap, we would need an additional statement to check for symlinking; no need to discuss this further as we both already agreed before that using mktemp is the way to go. As said before in our IRC conversation, I was awfully tired, too. Sorry. :(
Comment 10 Stefan Behte (RETIRED) gentoo-dev Security 2008-11-30 16:28:42 UTC
cpp: *ping*
Comment 11 Mark Loeser (RETIRED) gentoo-dev 2008-11-30 19:58:41 UTC
(In reply to comment #10)
> cpp: *ping*
> 

I'm waiting for upstream and a solution:  http://www.gccxml.org/Bug/view.php?id=8083
Comment 12 Stefan Behte (RETIRED) gentoo-dev Security 2009-01-05 22:50:25 UTC
They've got a fix now, changing status whiteboard to [ebuild].
Comment 13 Mark Loeser (RETIRED) gentoo-dev 2009-05-16 23:05:05 UTC
Sorry, this took so long.

I just added gccxml-0.9.0_pre20090516 to the tree, which has the fix and other goodies.
Comment 14 Robert Buchholz (RETIRED) gentoo-dev 2009-05-17 18:27:12 UTC
It seems gccxml_find_flags has been obsoleted (since it is missing from the latest source file). The MIPS script is not fixed, as stated in the upstream report. Is it being used on our mips architecture?

Arches, please test and mark stable:
=dev-cpp/gccxml-0.9.0_pre20090516
Target keywords : "amd64 arm ia64 ppc s390 sh x86"
Comment 15 Christian Faulhammer (RETIRED) gentoo-dev 2009-05-18 15:08:04 UTC
x86 stable
Comment 16 Brent Baude (RETIRED) gentoo-dev 2009-05-18 20:24:51 UTC
ppc done
Comment 17 Tobias Heinlein (RETIRED) gentoo-dev 2009-05-22 10:10:16 UTC
amd64 stable
Comment 18 Tobias Heinlein (RETIRED) gentoo-dev 2009-05-22 10:45:06 UTC
All supported arches done, entering [glsa?]. I vote YES.
Comment 19 Raúl Porcel (RETIRED) gentoo-dev 2009-05-25 13:49:25 UTC
arm/ia64/s390/sh stable
Comment 20 Robert Buchholz (RETIRED) gentoo-dev 2009-05-25 20:29:48 UTC
mips / cpp herd, can you please give some feedback regarding comment 14.  Is the MIPSpro/find_flags being used on mips?
Comment 21 Robert Buchholz (RETIRED) gentoo-dev 2009-05-25 20:38:56 UTC
YES as well, filed request
Comment 22 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-09-09 13:35:36 UTC
GLSA 200909-11