Bug 94473 - net-im/everybuddy <= 0.4.3 insecure temporary file creation
Summary: net-im/everybuddy <= 0.4.3 insecure temporary file creation
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High enhancement
Assignee: Gentoo Security
Whiteboard: C3? [upstream+ masked] jaervosz
Reported: 2005-05-30 01:23 UTC by Romang
Modified: 2006-05-27 22:31 UTC
Description Romang 2005-05-30 01:23:54 UTC
Hello,

modules/utility/autotrans.c

  /* The temp file name is built only from $USER, so it is predictable. */
  g_snprintf(buf, 2048, "rm /tmp/.eb.%s.translator -f ; wget -O /tmp/.eb.%s.translator 'http://world.altavista.com/sites/gben/pos/babelfish/tr?tt=urltext&lp=%s_%s&urltext=%s'",
    getenv("USER"), getenv("USER"), from, to, string);

  printf("Running command line:\n%s\n", buf);

  if(system(buf)!=0)
  {
    printf("COULD NOT TRANSLATE: %s\n", ostring);
    free(string);
    return strdup(ostring);
  }

  /* The same predictable path is reopened to read the result. */
  g_snprintf(buf, 2048, "/tmp/.eb.%s.translator", getenv("USER"));

  if((dat=fopen(buf, "r"))==NULL)
  {
    printf("COULD NOT TRANSLATE: %s\n", ostring);
    free(string);
    return strdup(ostring);
  }

  pos=0;

  while(!feof(dat))
  {
    for(a=0; a<3; a++)
    {
      lastfew[a]=lastfew[a+1];
    }
    lastfew[3]=(char)getc(dat);

    if(printing>=1)
    {
      buf[pos++]=lastfew[3];
      if(pos==1023) { buf[pos]='\0'; break; }
    }

    if(!strcmp(lastfew, "</TE"))
    {
      printf("Found end\n");
      if (pos >= 5) {
        buf[pos-4]='\0';
        printing++;
        while(pos>=5 && (buf[pos-5]=='\n' || buf[pos-5]=='\r'))
        {
          buf[pos-5]='\0';
          pos--;
        }
      }
      break;
    }

Maybe could permit overwrite of arbitrary files with the rights of the user using centericq. Symlink attack.

A TOCTOU could also be exploitable to inject arbitrary code?

Regards.
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-05-30 08:28:28 UTC
Auditors please verify. 
Comment 2 Tavis Ormandy (RETIRED) gentoo-dev 2005-05-30 13:54:45 UTC
no TOCTOU, just an insecure use of a predictable temp filename. The ebuild has 
no metadata and has had no meaningful modification for over 2 years, 
I was unable to connect to any supported network to test the application. 

upstream site is down, and looks like this project has been abandoned, I would 
suggest masking.
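
What comment 2 calls "an insecure use of a predictable temp filename" is avoided by creating the file exclusively. The C below is an added example, not everybuddy's code or anything posted in this bug; the function names, the eb-translator prefix and the scratch paths are assumptions made for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Fixed name kept: O_CREAT|O_EXCL fails if anything, even a symlink, is there. */
int open_fixed_name_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Preferred: mkstemp() picks an unpredictable name and creates the file
 * exclusively, owner-only. "eb-translator" is a hypothetical prefix. */
int open_private_temp(char *path_out, size_t len) {
    if (snprintf(path_out, len, "/tmp/eb-translator.XXXXXX") >= (int)len)
        return -1;
    return mkstemp(path_out);
}

/* Constructed check: a dangling link sits at a predictable name in a private
 * scratch dir. Returns 1 if the open refused it and no target was created. */
int exclusive_open_refuses_planted_link(void) {
    char dir[] = "/tmp/eb-demo.XXXXXX", name[64], target[64];
    struct stat st;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(name, sizeof name, "%s/.eb.user.translator", dir);
    snprintf(target, sizeof target, "%s/victim", dir);
    if (symlink(target, name) != 0) { rmdir(dir); return -1; }
    int fd = open_fixed_name_exclusive(name);
    int ok = (fd == -1) && (stat(target, &st) == -1);
    if (fd != -1) close(fd);
    unlink(name); unlink(target); rmdir(dir);
    return ok;
}

/* Permission bits of a file made by open_private_temp(), or -1 on failure. */
int private_temp_mode(void) {
    char path[64];
    struct stat st;
    int fd = open_private_temp(path, sizeof path);
    if (fd == -1) return -1;
    int mode = fstat(fd, &st) == 0 ? (int)(st.st_mode & 0777) : -1;
    close(fd); unlink(path);
    return mode;
}

int main(void) {
    return !(exclusive_open_refuses_planted_link() == 1 && private_temp_mode() == 0600);
}
```

Exclusive creation on a fixed name only turns the problem into a failed open when something already exists at the path, which is why the mkstemp() form is the one to prefer.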
Comment 3 Romang 2005-05-30 15:32:02 UTC
ok for masking :)
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-05-30 22:23:49 UTC
Gustavo/Don any comments or should it just be masked prior to complete 
removal? 
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-06-04 00:48:49 UTC
Olivier/Karol please advise. 
Comment 6 Olivier Crete (RETIRED) gentoo-dev 2005-06-04 09:24:00 UTC
go for the masking
Comment 7 Karol Wojtaszek (RETIRED) gentoo-dev 2005-06-05 02:08:24 UTC
it should go for the masking
Comment 8 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-06-05 06:33:00 UTC
Patchers/maintainers please mask. 
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2005-06-08 01:31:48 UTC
Masked prior to complete removal
Comment 10 Olivier Crete (RETIRED) gentoo-dev 2005-08-07 11:12:39 UTC
what are we waiting for to completely remove it?
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2005-08-08 02:27:11 UTC
We usually wait a few months... But the herd can remove it anytime.
Comment 12 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-12-18 12:21:16 UTC
A few months have passed now...
Comment 13 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-03-22 12:40:21 UTC
Any news on this one?
Comment 14 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-04-20 09:08:33 UTC
Any news on this one?
Comment 15 Alec Warner (RETIRED) archtester gentoo-dev Security 2006-05-27 22:31:27 UTC
Punted