Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 217229 (CVE-2008-1687) - sys-devel/m4 <1.4.11 mkstemp quoting and "-F" format string issue (CVE-2008-{1687,1688})
Summary: sys-devel/m4 <1.4.11 mkstemp quoting and "-F" format string issue (CVE-2008-{...
Alias: CVE-2008-1687
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
Whiteboard: A4 [noglsa]
Depends on:
Reported: 2008-04-10 22:52 UTC by Robert Buchholz (RETIRED)
Modified: 2008-04-21 08:03 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2008-04-10 22:52:36 UTC
CVE-2008-1687 (
  The (1) maketemp and (2) mkstemp builtin functions in GNU m4 before 1.4.11 do
  not quote their output when a file is created, which might allow
  context-dependent attackers to trigger a macro expansion, leading to
  unspecified use of an incorrect filename.

CVE-2008-1688 (
  Unspecified vulnerability in GNU m4 before 1.4.11 might allow
  context-dependent attackers to execute arbitrary code, related to improper
  handling of filenames specified with the -F option.  NOTE: it is not clear
  when this issue crosses privilege boundaries.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-04-10 23:02:36 UTC


There have been concerns whether these would qualify for security vulnerabilities:
* For CVE-2008-1687, it requires that mkstemp will create a filename that matches a macro. An attacker could not influence that name, so it would lead to unspecified behaviour, which might lead to a vulnerability.
* For CVE-2008-1688, see the note on the CVE description.

We might want to go stable with 1.4.11 anyway, but I would consider this a low priority.
base-system, what do you think? Also, is 1.4.11 good to go?
Comment 2 SpanKY gentoo-dev 2008-04-11 01:16:25 UTC
stabilizing m4-1.4.11 should be fine
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-04-11 01:21:57 UTC
Arches, please test and mark stable:
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 release s390 sh sparc x86"
Comment 4 Raúl Porcel (RETIRED) gentoo-dev 2008-04-11 09:50:46 UTC
alpha/ia64/sparc/x86 stable
Comment 5 Santiago M. Mola (RETIRED) gentoo-dev 2008-04-11 10:02:13 UTC
amd64 stable
Comment 6 Markus Rothe (RETIRED) gentoo-dev 2008-04-11 15:25:15 UTC
ppc64 stable
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2008-04-12 15:13:58 UTC
test-strtod.c:667: assertion failed
test-strtod.c:668: assertion failed
test-strtod.c:688: assertion failed
test-strtod.c:717: assertion failed
test-strtod.c:718: assertion failed
FAIL: test-strtod

Lines 667 and 668:
# if 0
    /* Sign bits of NaN is a portability sticking point, not worth
       worrying about.  */
    ASSERT (!!signbit (result1) != !!signbit (result2)); /* glibc-2.3.6, IRIX 6.
5, OSF/1 5.1, mingw */
# endif
    ASSERT (ptr1 == input + 6);         /* glibc-2.3.6, MacOS X 10.3, FreeBSD 6.
2, OpenBSD 4.0, AIX 5.1, HP-UX 11.11, IRIX 6.5, OSF/1 5.1, mingw */
    ASSERT (ptr2 == input + 6);         /* glibc-2.3.6, MacOS X 10.3, FreeBSD 6.
2, OpenBSD 4.0, AIX 5.1, HP-UX 11.11, IRIX 6.5, OSF/1 5.1, mingw */

Line 688:
    ASSERT (ptr == input + 6);          /* glibc-2.3.6, MacOS X 10.3, FreeBSD 6.2, OpenBSD 4.0, AIX 5.1, HP-UX 11.11, IRIX 6.5, OSF/1 5.1, mingw */

Lines 717 and 718:
# if 0
    /* Sign bits of NaN is a portability sticking point, not worth
       worrying about.  */
    ASSERT (!!signbit (result1) != !!signbit (result2)); /* glibc-2.3.6, IRIX 6.5, OSF/1 5.1, mingw */                                                          # endif
    ASSERT (ptr1 == input + 7);         /* glibc-2.3.6, OpenBSD 4.0, AIX 5.1, HP-UX 11.11, IRIX 6.5, OSF/1 5.1, mingw */
    ASSERT (ptr2 == input + 7);         /* glibc-2.3.6, OpenBSD 4.0, AIX 5.1, HP-UX 11.11, IRIX 6.5, OSF/1 5.1, mingw */

It says not to worry, but then you find yourself doing it anyway. Any comments from base-system?

Sat Apr 12 17:09:05 CEST 2008
Portage 2.1.5_rc2 (default-linux/hppa/2007.0, gcc-4.1.2, glibc-2.7-r2, 2.6.24-gentoo-r3-JeR parisc)
System uname: 2.6.24-gentoo-r3-JeR parisc PA8700 (PCX-W2)
Timestamp of tree: Sat, 12 Apr 2008 04:22:01 +0000
distcc 2.18.3 hppa2.0-unknown-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
ccache version 2.4 [disabled]
app-shells/bash:     3.2_p17-r1
dev-lang/python:     2.4.4-r9
dev-python/pycrypto: 2.0.1-r6
dev-util/ccache:     2.4-r7
sys-apps/baselayout: 2.0.0
sys-devel/autoconf:  2.13, 2.61-r1
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.18-r1
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.23-r3
CFLAGS="-O2 -pipe -mschedule=8000 -march=2.0 -g -ggdb -Wall"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /var/bind /var/spool/torque /var/www/localhost/htdocs/wordpress/wp-config.php"
CONFIG_PROTECT_MASK="/etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c /etc/udev/rules.d"
CXXFLAGS="-O2 -pipe -mschedule=8000 -march=2.0 -g -ggdb -Wall"
FEATURES="autoaddcvs buildpkg cvs distlocks fixpackages notitles parallel-fetch sandbox sfperms splitdebug strict unmerge-orphans userfetch"
LINGUAS="en nl he"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
USE="7zip X Xaw3d a52 aac aalib accessibility ads alsa amr amrnb amrwb ao aoss apache2 ares arts asf async asyncns audiofile audit automount avfs bash-completion berkdb bidi bittorrent bl bluetooth bzip2 c++ cairo caps catalogs cblas cdb cddb cdparanoia cdr chardet cjk cli cpudetection cracklib crypt cups curl custom-cflags dbtool dbus device-mapper dga dia directfb djbfft domainkeys dts dv dvd dvdr dvdread dxr3 edl elf emacs enca encode esd examples exif expat fam fame fastbuild fastcgi fbcon ffmpeg filter flac fontconfig foomaticdb fortran ftp gadu galago gd gdbm geoip ggi gif gimp gimpprint glep glib glut gmp gnome gnutls gphoto2 gpm gs gsl gtk gtk2 gtkhtml hal hesiod hppa ical icecast iconv idea idn imagemagick imlib immqt-bc inquisitio ipv6 isdnlog jack javascript jingle jpeg jpeg2k kde kerberos lapack lcms ldap leim libcaca libnotify libsamplerate libwww live logrotate logwatch lua lzo mad matroska memcache mhash midi mikmod mmap mng modplug motif mozbranding mp3 mpi mssql mudflap musepack mysql nas ncurses netpbm network-cron nfconntrack nfs nls nntp nptl nptlonly nsplugin offensive ogg openexr opengl openmp oss ots overlays pam pango pbs pch pcre pdf pdo-external perl php pic plotutils plugins png portage portaudio postgres povray ppds pppd pulseaudio python pyzord qdbm qt3 qt3support quotas raw readline recode reflection rpc rrdtool rtc ruby samba sasl scanner scim sdl seamonkey server session sid slang slp sms sndfile snmp soundex speex spell spl sqlite ssl startup-notification suhosin svg swat sysfs syslog talkfilters tcl tcpd test tga theora threads thunar-vfs tidy tiff timidity tk tools truetype twolame udev unicode unzip urandom usb userlocales utempter utf v4l v4l2 vanim vcd vidix vim-syntax vorbis wavpack webdav webinstall winbind wlan wma wmf xanim xattr xchattext xcomposite xface xml xml2 xmpi xorg xpm xrandr xscreensaver xsettings xulrunner xv xvid xvmc zip zip-external zlib" ALSA_CARDS="ad1889 usb-audio" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic auth_digest authn_anon authn_dbd authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock dbd deflate dir disk_cache env expires ext_filter file_cache filter headers ident imagemap include info log_config logio mem_cache mime mime_magic negotiation proxy proxy_ajp proxy_balancer proxy_connect proxy_http rewrite setenvif so speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev joystick" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en nl he" USERLAND="GNU" VIDEO_CARDS="stifb fbdev matrox"
Comment 8 Tobias Scherbaum (RETIRED) gentoo-dev 2008-04-12 17:59:37 UTC
ppc stable
Comment 9 SpanKY gentoo-dev 2008-04-12 18:30:24 UTC
that isnt a bug in m4, so it should be fine to stabilize
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2008-04-13 05:09:15 UTC
(In reply to comment #9)
> that isnt a bug in m4, so it should be fine to stabilize

OK. Want a new bug for that? Oh, and after tests, it of course wouldn't ever do make check through src_test() this way...

Stable for HPPA.
Comment 11 Robert Buchholz (RETIRED) gentoo-dev 2008-04-14 01:05:17 UTC
GLSA vote: I vote NO based on the fact that the vulnerabilities are probably not exploitable, see comment 2.
Comment 12 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-04-14 08:51:48 UTC
no too, and closing.
Comment 13 Peter Volkov (RETIRED) gentoo-dev 2008-04-21 08:03:02 UTC
Fixed in release snapshot.