Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 41253 - [security] xscreensaver 4.14 makes file in /tmp, symlink attack
Summary: [security] xscreensaver 4.14 makes file in /tmp, symlink attack
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High critical (vote)
Assignee: Gentoo Security
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2004-02-11 07:59 UTC by Toni DiBoulda
Modified: 2011-10-30 22:39 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
removes the part where "/tmp/analogtv.size" is written (xscreensaver-4.14.bug_41253.patch,539 bytes, patch)
2004-02-13 14:26 UTC, plasmagunman
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Toni DiBoulda 2004-02-11 07:59:05 UTC
Reproducible: Always
Steps to Reproduce:
1. cd /tmp
2. ln -sf ~/.bashrc analogtv.size
3. start /usr/lib/xscreensaver/xanalogtv
4. log out
5. log in


Actual Results:  
bogus .bashrc

Expected Results:  
corrupting files should not be made that easy
Comment 1 plasmagunman 2004-02-13 14:26:28 UTC
Created attachment 25561 [details, diff]
removes the part where "/tmp/analogtv.size" is written

grepping through the code i found only one place where this file is touched.
that's when something is written into. the program doesn't seem to open this
file another time and the data is never read. so this patch removes the
file-writing part and it seems to work.

i only tested this patch on the standalone-hacks, not with the
xscreensaver-configuration window.
Comment 2 solar (RETIRED) gentoo-dev 2004-02-15 10:21:53 UTC
This surely seems to be your standard symlink . I'm a little 
nervous about adding this patch without any type of testing being done.
I would prefer if somebody could touch base with the people that coded
analogtv portion of xscreensaver and confirm that said section of code
was only used for their own DEBUGGING or whatever.

Till then how do the rest of us feel? package.mask xscreensaver all together or #ifdef WANT_BUGGY_LINK_CODE our way around the code in question or simply use
the patch as provided by plasmagunman?
Comment 3 plasmagunman 2004-02-15 15:39:03 UTC
i already sent this patch to the xscreensaver-coder. actually i don't know if he did the xanalogtv-part. anyway, i didn't receive any answer yet, but will inform you when i get some.
Comment 4 Alastair Tse (RETIRED) gentoo-dev 2004-02-16 07:33:55 UTC
i don't think this is serious enough to warrant a hard mask right now. we could disable the analogtv hack until we get a suitable patch from the maintainers. i'm just not qualified or have the time to audit the creation of files and symlink type attacks.

if that is sufficient, then i'll prepare a -r1 that has the analogtv hack disabled.
Comment 5 Toni DiBoulda 2004-02-18 20:08:44 UTC
<rant>

Okay, since nobody really seems to know what /tmp symlink attack means, here's
a clue: it means that any user with write access to /tmp can corrupt arbritary
files owned by any other user. And no, hardmasking won't do anything because it
will not change already installed base. I don't want to sound impolite, but this
still an issue after one week seems very weak.

Hello, gentoo enterprise!

</rant>
Comment 6 solar (RETIRED) gentoo-dev 2004-02-18 22:50:42 UTC
thanks for the useless rant.
Comment 7 Alastair Tse (RETIRED) gentoo-dev 2004-02-19 03:38:15 UTC
i find it ridiculous that the reporter has just ranted about nothing being done, yet did not help us with providing a patch or analysing the problem. a clear flamebait in my book.

thanks to plasmagunman, who provided us with a patch and also contacted the author, i've committed xscreensaver-4.14-r2 that removes the creation of the symlink. and masked all the older xscreensaver versions.

security team, what else do we need to do? 

plasmagunman, did jwz respond to the patch you submitted to him?
Comment 8 plasmagunman 2004-02-19 03:52:13 UTC
no response yet. it's strange, once i had a problem with opengl and my graphics-card and i got an answer after 10 minutes. perhaps he's on vacation..?
Comment 9 Alastair Tse (RETIRED) gentoo-dev 2004-02-19 04:18:29 UTC
before i get shafted for my mistake, i meant i removed the creation of the temporary file that could possibly be used in a symlink attack.
Comment 10 Toni DiBoulda 2004-02-19 07:13:11 UTC
Sorry sorry sorry! And a thank you to plasmagunman from me too. But I thought 
since patch was already provided and it is clear offending file is only used
for debugging, no further analysis is required. Issue here is, no action after
problem is public for one week can cause massive data loss and I'm feeling very
uncomfortable for this report already. I'll be quiet now.
Comment 11 plasmagunman 2004-02-23 14:18:37 UTC
anybody wants to close this bug? i don't think i can do that, must be the reporter or a developer, no?
Comment 12 Jon Portnoy (RETIRED) gentoo-dev 2004-04-03 19:52:17 UTC
Old bug, apparently still needs to be closed