Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 94473 - net-im/everybuddy <= 0.4.3 insecure temporary file creation
Summary: net-im/everybuddy <= 0.4.3 insecure temporary file creation
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High enhancement (vote)
Assignee: Gentoo Security
URL:
Whiteboard: C3? [upstream+ masked] jaervosz
Keywords:
Depends on:
Blocks:
 
Reported: 2005-05-30 01:23 UTC by Romang
Modified: 2006-05-27 22:31 UTC (History)
5 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Romang 2005-05-30 01:23:54 UTC
Hello,

modules/utility/autotrans.c

258   g_snprintf(buf, 2048, "rm /tmp/.eb.%s.translator -f ; wget -O /tmp/.eb.%s.translator 'http://w        orld.altavista.com/sites/gben/pos/babelfish/tr?tt=urltext&lp=%s_%s&urltext=%s'",
259     getenv("USER"), getenv("USER"), from, to, string);
260 
261   printf("Running command line:\n%s\n", buf);
262 
263   if(system(buf)!=0)
264   {
265     printf("COULD NOT TRANSLATE: %s\n", ostring);
266     free(string);
267     return strdup(ostring);
268   }
269 
270   g_snprintf(buf, 2048, "/tmp/.eb.%s.translator", getenv("USER"));
271 
272   if((dat=fopen(buf, "r"))==NULL)
273   {
274     printf("COULD NOT TRANSLATE: %s\n", ostring);
275     free(string);
276     return strdup(ostring);
277   }
278 
279   pos=0;
280 
281   while(!feof(dat))
282   {
283     for(a=0; a<3; a++)
284     {
285       lastfew[a]=lastfew[a+1];
286     }
287     lastfew[3]=(char)getc(dat);
288 
289     if(printing>=1)
290     {
291       buf[pos++]=lastfew[3];
292       if(pos==1023) { buf[pos]='\0'; break; }
293     }
294 
295     if(!strcmp(lastfew, "</TE"))
296     {
297       printf("Found end\n");
298       if (pos >= 5) {
299         buf[pos-4]='\0';
300         printing++;
301         while(pos>=5 && (buf[pos-5]=='\n' || buf[pos-5]=='\r'))
302         {
303           buf[pos-5]='\0';
304           pos--;
305         }
306       }
307       break;
308     }

Maybe could permit overwrite off arbitrary files with the right of the user using centericq. Symlink attack.

A TOCTOU could also be exploitable to inject arbitrary codes ?

Regards.
Comment 1 Sune Kloppenborg Jeppesen gentoo-dev 2005-05-30 08:28:28 UTC
Auditors please verify. 
Comment 2 Tavis Ormandy (RETIRED) gentoo-dev 2005-05-30 13:54:45 UTC
no TOCTOU, just an insecure use of a predictable temp filename. The ebuild has 
no metadata and has had no meaningful meaningful modification for over 2 years, 
I was unable to connect to any supported network to test the application. 

upstream site is down, and looks like this project has been abandoned, I would 
suggest masking.
Comment 3 Romang 2005-05-30 15:32:02 UTC
ok for masking :)
Comment 4 Sune Kloppenborg Jeppesen gentoo-dev 2005-05-30 22:23:49 UTC
Gustavo/Don any comments or should it just be masked prior to complete 
removal? 
Comment 5 Sune Kloppenborg Jeppesen gentoo-dev 2005-06-04 00:48:49 UTC
Oliver/Karol please advise. 
Comment 6 Olivier Crete (RETIRED) gentoo-dev 2005-06-04 09:24:00 UTC
go for the masking
Comment 7 Karol Wojtaszek (RETIRED) gentoo-dev 2005-06-05 02:08:24 UTC
it should go for the masking
Comment 8 Sune Kloppenborg Jeppesen gentoo-dev 2005-06-05 06:33:00 UTC
Patchers/maintainers please mask. 
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2005-06-08 01:31:48 UTC
MAsked prior to complete removal
Comment 10 Olivier Crete (RETIRED) gentoo-dev 2005-08-07 11:12:39 UTC
what are we waiting for to completely remove it ?
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2005-08-08 02:27:11 UTC
We usually wait a few months... But the herd can remove it anytime.
Comment 12 Sune Kloppenborg Jeppesen gentoo-dev 2005-12-18 12:21:16 UTC
A few months has passed now...
Comment 13 Sune Kloppenborg Jeppesen gentoo-dev 2006-03-22 12:40:21 UTC
Any news on this one?
Comment 14 Sune Kloppenborg Jeppesen gentoo-dev 2006-04-20 09:08:33 UTC
Any news on this one?
Comment 15 Alec Warner archtester Gentoo Infrastructure gentoo-dev Security 2006-05-27 22:31:27 UTC
Punted