Bug 81652 - kde-base/kdelibs insecure temporary file creation
Summary: kde-base/kdelibs insecure temporary file creation
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High normal
Assignee: Gentoo Security
URL: http://www.securityfocus.com/archive/...
Whiteboard: A3 [glsa] jaervosz
Reported: 2005-02-11 11:57 UTC by Sune Kloppenborg Jeppesen
Modified: 2006-03-23 19:34 UTC

Attachments
alternative solution (fix,624 bytes, patch)
2005-02-13 05:30 UTC, Tavis Ormandy (RETIRED)
Description Sune Kloppenborg Jeppesen gentoo-dev 2005-02-11 11:57:07 UTC
The `dcopidlng' script in the KDE library package
(kdelibs-3.3.2/dcop/dcopidlng/dcopidlng)
creates temporary files in an insecure manner.

This bug has been fixed in 32 minutes (!) by Stephan Kulow, the KDE team
leader. Here you can find the official patch:
http://bugs.kde.org/show_bug.cgi?id=97608

Note: This bug has been found by `autospec', the work-in-progress tool used by
the QiLinux team to (semi)automatically create specfiles from tarballs and 
update/check rpm packages. It's released under GPL and not QiLinux specific.
The latest release can be found at the URL:
ftp://ftp.qilinux.it/pub/QiLinux/devel/tools/autospec/
Comment 1 Sune Kloppenborg Jeppesen gentoo-dev 2005-02-11 11:57:44 UTC
KDE please verify and bump.
Comment 2 Tavis Ormandy (RETIRED) gentoo-dev 2005-02-13 05:30:12 UTC
Created attachment 51120 [details, diff]
alternative solution

The fix suggested upstream does not look acceptable, it doesn't solve the issue
of predictable temp files (what if the user executes the script in /tmp?), and
it would break if the user ran the script with a working directory they don't
have write permissions to.

This patch just moves the temp file into ~/ which solves both problems :)
Comment 3 Dan Armak (RETIRED) gentoo-dev 2005-02-18 05:43:22 UTC
> The fix suggested upstream does not look acceptable, it doesn't solve the
> issue of predictable temp files (what if the user executes the script
> in /tmp?)
Maybe I'm misunderstanding the security risk here, but I don't see why the
upstream fix is problematic. The answer is simply 'don't run it in /tmp';
the Gentoo ebuilds won't, the user shouldn't either.
After all, lots of things create predictable or even fixed-named files in the
current dir, and we don't consider them to be security problems. All parts
of an autotools-based build process use predictable or fixed filenames -
run configure in an empty dir for an example.

> it would break if the user ran the script with a working directory they don't
> have write permissions to.
So would all the rest of the kde build process, or any autotools-based
build process. Using dcopidlng separately from a standard build environment is
rare.

As for creating temp files in ~, I really don't like that. If you're a real
user (not portage), you don't want to clutter your homedir with temp files that
might stick around if the process creating them dies abruptly.

Besides, some user accounts have no dedicated homedirs. Creating temp files in
~ wouldn't work if the running account had write access to a dedicated build
dir, but its homedir was some place writeable only by root, like a lot of the
system-created accounts I see in /etc/passwd.

Carsten: you seem to agree with Tavis? Let's resolve this quickly, one way or
the other.
Comment 4 Tavis Ormandy (RETIRED) gentoo-dev 2005-02-19 05:52:05 UTC
> The answer is simply 'don't run it in /tmp'; the Gentoo ebuilds won't, the user shouldn't either.

I admit I don't know much about kde, if you think that is an acceptable policy, I'll take your word for it.
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2005-02-24 02:53:31 UTC
I agree we should stick with how upstream does it.
KDE team: are you going to apply the upstream patch to the currently available releases?
Comment 6 Carsten Lohrke (RETIRED) gentoo-dev 2005-03-01 15:32:28 UTC
> Carsten: you seem to agree with Tavis? Let's resolve this quickly, one way or
> the other.

Sorry that I'm coming back to this so late. :( The problem is indeed negligible. I still feel a bit uncomfortable with the possibility to let joe stupid do, what he shouldn't do, though. Afaik there's no good reason for a world writable /tmp. /tmp/~user would do it as well. But this is not specific to this bug.



arch herds: I know you love to compile kdelibs to be sure it works fine, but have a look at the patch. Maybe you want to mark it straight stable, this time. ;)

<<< kdelibs-3.2.3-r6.ebuild
<<< kdelibs-3.3.2-r4.ebuild

Comment 7 Marcus D. Hanwell (RETIRED) gentoo-dev 2005-03-02 06:23:33 UTC
Stable on amd64.
Comment 8 Bryan Østergaard (RETIRED) gentoo-dev 2005-03-02 13:52:57 UTC
Stable on alpha.
Comment 9 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-03-02 14:46:01 UTC
Stable on ppc.
Comment 10 Gustavo Zacarias (RETIRED) gentoo-dev 2005-03-03 06:38:16 UTC
stable on the sparc domain.
Comment 11 Chris Gianelloni (RETIRED) gentoo-dev 2005-03-03 07:50:43 UTC
I know they weren't listed here, but stable on ppc64 per Tom Gall.
Comment 12 Carsten Lohrke (RETIRED) gentoo-dev 2005-03-03 09:36:06 UTC
Chris: Sorry, my fault. The lines looked the same to me and I took the first. Need to write a better script.
Comment 13 Carsten Lohrke (RETIRED) gentoo-dev 2005-03-04 03:42:16 UTC
Um, full stop! When I made the patch, I took it from the bug report and not from kde cvs, since it was down. trap missed signals...

<<< kdelibs-3.2.3-r7.ebuild
<<< kdelibs-3.3.2-r5.ebuild

Sorry for that. :(
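
The temp-file trade-off argued in comments 2 to 4 and the signal cleanup mentioned in comment 13, as an added shell example: it is not part of this bug report and is not the dcopidlng code or either patch. The function names and the `example.` file prefix are hypothetical, and the pre-existing file is constructed for the demonstration.

```shell
#!/bin/sh
# Added illustration, not the dcopidlng source; every name below is hypothetical.

# Weak: the name is built from the PID, so it can be guessed in advance.
# If the path already exists in a shared directory, it is silently reused
# and truncated.
weak_tmp() {
    f="$1/example.$$"
    : > "$f"
    printf '%s\n' "$f"
}

# Hardened: mktemp chooses a random suffix and creates the file exclusively
# with mode 0600; it fails rather than reuse an existing path.
safe_tmp() {
    mktemp "${1:-${TMPDIR:-/tmp}}/example.XXXXXXXXXX"
}

# Use a private temp file and remove it on normal exit and on HUP/INT/TERM.
# The subshell keeps the traps from leaking into the caller.
run_with_tmp() {
    (
        tmp=$(safe_tmp "$1") || exit 1
        trap 'rm -f "$tmp"' EXIT
        trap 'exit 1' HUP INT TERM     # signals fall through to the EXIT trap
        echo "intermediate output" > "$tmp"
        printf '%s\n' "$tmp"           # report the path that was used
    )
}

# Constructed scenario: a file already sits at the predictable path.
# Prints "<weak result> <hardened result> <cleanup result>".
demo() {
    box=$(mktemp -d) || return 1
    echo "someone else's data" > "$box/example.$$"
    weak_tmp "$box" > /dev/null
    if [ -s "$box/example.$$" ]; then weak=kept; else weak=clobbered; fi
    s=$(safe_tmp "$box")
    if [ "$s" != "$box/example.$$" ] && [ ! -s "$s" ]; then safe=fresh; else safe=reused; fi
    gone=$(run_with_tmp "$box")
    if [ -e "$gone" ]; then cleanup=leftover; else cleanup=removed; fi
    rm -rf "$box"
    echo "$weak $safe $cleanup"
}

demo
```

Because `mktemp` works in any writable directory, the same pattern applies whether the file lives in the working directory, `~`, or `$TMPDIR`.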
Comment 14 Sune Kloppenborg Jeppesen gentoo-dev 2005-03-04 03:54:47 UTC
Arches please test and mark stable.
Comment 15 Carsten Lohrke (RETIRED) gentoo-dev 2005-03-04 09:08:23 UTC
kde.org just released patches for bug 81110, -rX+1 pending
Comment 16 Carsten Lohrke (RETIRED) gentoo-dev 2005-03-04 09:20:08 UTC
Forget the above comment, "disclosure" date is March 16.
Comment 17 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-03-04 13:19:42 UTC
Stable on ppc.
Comment 18 Markus Rothe (RETIRED) gentoo-dev 2005-03-04 14:06:33 UTC
stable on ppc64
Comment 19 Bryan Østergaard (RETIRED) gentoo-dev 2005-03-04 22:17:06 UTC
Stable on alpha.
Comment 20 Marcus D. Hanwell (RETIRED) gentoo-dev 2005-03-05 06:29:55 UTC
Stable on amd64 again.
Comment 21 Jason Wever (RETIRED) gentoo-dev 2005-03-05 20:10:26 UTC
Stable on sparc.
Comment 22 Sune Kloppenborg Jeppesen gentoo-dev 2005-03-07 12:43:25 UTC
GLSA 200503-14

ia64 please remember to mark stable.
Comment 23 Eric 2005-03-08 08:42:22 UTC
I am also having an issue that looks like it could be resolved by this ...how do I apply this patch?
Comment 24 Gregorio Guidi (RETIRED) gentoo-dev 2005-03-08 09:16:27 UTC
> I am also having an issue that looks like it could be resolved by this ...how do I apply this patch?

Just emerge kdelibs-3.3.2-r5
Comment 25 Eric 2005-03-10 11:38:11 UTC
This works, however kdenetwork was unable to emerge following kdelibs-3.3.2-r5.

Here's the error:

checking for KDE... libraries /usr/kde/3.3/lib, headers /usr/kde/3.3/include
checking if UIC has KDE plugins available... no
configure: error: you need to install kdelibs first.

!!! ERROR: kde-base/kdenetwork-3.3.2 failed.
!!! Function kde_src_compile, Line 154, Exitcode 1
!!! died running ./configure, kde_src_compile:configure
!!! If you need support, post the topmost build error, NOT this status message.

*  kde-base/kdelibs
      Latest version available: 3.3.2-r5
      Latest version installed: 3.3.2-r5

So I DO have kdelibs installed ...it just feels like kdenetwork does not care for the version ...any ideas?
Comment 26 Gregorio Guidi (RETIRED) gentoo-dev 2005-03-10 11:49:11 UTC
> checking for KDE... libraries /usr/kde/3.3/lib, headers /usr/kde/3.3/include
> checking if UIC has KDE plugins available... no
> configure: error: you need to install kdelibs first.

That's bug 81066
Comment 27 Hardave Riar (RETIRED) gentoo-dev 2005-03-14 11:02:10 UTC
Stable on mips.
Comment 28 René Nussbaumer (RETIRED) gentoo-dev 2005-06-26 05:56:44 UTC
Already stable on hppa