Comment 1 Stefan Behte (RETIRED) 2008-11-05 22:15:15 UTC

DEBIAN: http://bugs.debian.org/496391
FILES: find_flags
CODE: http://dev.gentoo.org/~rbu/security/debiantemp/gccxml

Comment 2 Mark Loeser (RETIRED) 2008-11-12 01:06:06 UTC

Would it be sufficient to just remove the .cxx at the end?  It generates the tempfile name from the following:

TESTFILE="find_flags_temp$GCCXML_PID"

Comment 3 Stefan Behte (RETIRED) 2008-11-12 10:58:31 UTC

No, that would make it even worse. I'll have look into it later.

Comment 4 Stefan Behte (RETIRED) 2008-11-12 19:55:09 UTC

Mark, you could still symlink a .cxx-less file to /etc/passwd.
Instead, I'd check if the file belongs to us, and if so, it's safe to use it (if an attacker can create that file with our user account, we're already owned...)

touch /tmp/$TESTFILE.cxx
if [ ! -O /tmp/$TESTFILE.cxx ]
then
        echo "Something nasty is happening here. Quitting."
        exit -1
fi

I don't know if there is a patch upstream (yet).

Comment 5 Stefan Behte (RETIRED) 2008-11-12 20:34:09 UTC

No patch in CVS.
There are more symlink issues, also see bug: http://www.gccxml.org/Bug/view.php?id=8083

Comment 6 Christian Hoffmann (RETIRED) 2008-11-12 22:33:53 UTC

(In reply to comment #4)
> Mark, you could still symlink a .cxx-less file to /etc/passwd.
> Instead, I'd check if the file belongs to us, and if so, it's safe to use it
> (if an attacker can create that file with our user account, we're already
> owned...)
> 
> touch /tmp/$TESTFILE.cxx
> if [ ! -O /tmp/$TESTFILE.cxx ]
> then
>         echo "Something nasty is happening here. Quitting."
>         exit -1
> fi
I'm not entirely sure whether this is race condition safe, so I'd rather play safe and use mktemp (or maybe mktemp -d and place all temp files in there).

Comment 7 Stefan Behte (RETIRED) 2008-11-12 22:42:26 UTC

It's not a race condition; if the file belongs to you, you're not entering the if statement, if the file does not belong to you, the code snippet will exit; the touching does not change ownership.

Still, mktemp is surely the right way to go.

Comment 8 Christian Hoffmann (RETIRED) 2008-11-12 22:57:19 UTC

(In reply to comment #7)
> It's not a race condition;
Right, found that out now as well, but ...

> if the file belongs to you, you're not entering the
> if statement
This assumption seems to be false...
> if the file does not belong to you, the code snippet will exit;
But it will always be owned by the user, except for the case where there is an ordinary file (i.e. not a symlink) which is more than user-writable. Uninteresting case, though.

My testings:

# somebody who is not me creates a symlink before the program is run
$ sudo ln -s foo bar
$ ls -la
lrwxrwxrwx  1 root      root         3 2008-11-12 23:47 bar -> foo
 
# program is run and uses your "checking code", i.e. calling touch
$ touch bar
$ ls -la
lrwxrwxrwx  1 root      root         3 2008-11-12 23:47 bar -> foo
-rw-r--r--  1 christian christian    0 2008-11-12 23:47 foo
 
$ [[ -O bar ]] && echo "Yes, file is owned by me (err... wait.. it isn't....)"
Yes, file is owned by me (err... wait.. it isn't....)

As you can see, both touch and -O do dereference symlinks. Checking for symlinks first would introduce a race condition though... so... I don't see any simple solution besides mktemp.

BTW: As there is no patch, this is rather [upstream] than [ebuild], imo.

Comment 9 Stefan Behte (RETIRED) 2008-11-13 21:33:03 UTC

Epic fail for me.
OF COURSE the file is owned by the current user, as the "evil user" links to it so that the current user will destroy it. My test case was crap, we would need an additional statement to check for symlinking; no need to discuss this further as we both already agreed before that using mktemp is the way to go. As said before in our IRC conversation, I was awfully tired, too. Sorry. :(

Comment 10 Stefan Behte (RETIRED) 2008-11-30 16:28:42 UTC

cpp: *ping*

Comment 11 Mark Loeser (RETIRED) 2008-11-30 19:58:41 UTC

(In reply to comment #10)
> cpp: *ping*
> 

I'm waiting for upstream and a solution:  http://www.gccxml.org/Bug/view.php?id=8083

Comment 12 Stefan Behte (RETIRED) 2009-01-05 22:50:25 UTC

They've got a fix now, changing status whiteboard to [ebuild].

Comment 13 Mark Loeser (RETIRED) 2009-05-16 23:05:05 UTC

Sorry, this took so long.

I just added gccxml-0.9.0_pre20090516 to the tree, which has the fix and other goodies.

Comment 14 Robert Buchholz (RETIRED) 2009-05-17 18:27:12 UTC

It seems gccxml_find_flags has been obsoleted (since it is missing from the latest source file). The MIPS script is not fixed, as stated in the upstream report. Is it being used on our mips architecture?

Arches, please test and mark stable:
=dev-cpp/gccxml-0.9.0_pre20090516
Target keywords : "amd64 arm ia64 ppc s390 sh x86"

Comment 15 Christian Faulhammer (RETIRED) 2009-05-18 15:08:04 UTC

x86 stable

Comment 16 Brent Baude (RETIRED) 2009-05-18 20:24:51 UTC

ppc done

Comment 17 Tobias Heinlein (RETIRED) 2009-05-22 10:10:16 UTC

amd64 stable

Comment 18 Tobias Heinlein (RETIRED) 2009-05-22 10:45:06 UTC

All supported arches done, entering [glsa?]. I vote YES.

Comment 19 Raúl Porcel (RETIRED) 2009-05-25 13:49:25 UTC

arm/ia64/s390/sh stable

Comment 20 Robert Buchholz (RETIRED) 2009-05-25 20:29:48 UTC

mips / cpp herd, can you please give some feedback regarding comment 14.  Is the MIPSpro/find_flags being used on mips?

Comment 21 Robert Buchholz (RETIRED) 2009-05-25 20:38:56 UTC

YES as well, filed request

Comment 22 Alex Legler (RETIRED) 2009-09-09 13:35:36 UTC

GLSA 200909-11