Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 235828 (CVE-2008-5007) - dev-lang/lazarus-0.99.24 insecure temp file usage (CVE-2008-5007)
Summary: dev-lang/lazarus-0.99.24 insecure temp file usage (CVE-2008-5007)
Status: RESOLVED FIXED
Alias: CVE-2008-5007
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High minor
Assignee: Gentoo Security
URL: http://code.google.com/p/bollin/sourc...
Whiteboard: ~3 [noglsa]
Keywords:
Depends on:
Blocks: debian-tempfile
  Show dependency tree
 
Reported: 2008-08-26 18:42 UTC by Christian Hoffmann (RETIRED)
Modified: 2008-12-15 20:24 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Christian Hoffmann (RETIRED) gentoo-dev 2008-08-26 18:42:11 UTC
See bug 235770.
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2008-11-11 00:22:55 UTC
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5007
create_lazarus_export_tgz.sh in lazarus 0.9.24 allows local users to overwrite or delete arbitrary files via a symlink attack on a (1) /tmp/lazarus.tgz temporary file or a (2) /tmp/lazarus temporary directory.
Comment 2 Stefan Behte (RETIRED) gentoo-dev Security 2008-12-10 22:56:34 UTC
lang-misc, are you alive?
Comment 3 Harald van Dijk (RETIRED) gentoo-dev 2008-12-11 18:52:21 UTC
Yes. At the time lang-misc@g.o was added to the CC list, lazarus-0.9.26 was already in the tree, which doesn't use /tmp for temporary files (instead uses ~/tmp), and lazarus never had stable keywords, so I'm not sure what you want us to do. If you want to see the old version gone from the tree, then no objections from me, but I don't see the need.
Comment 4 Stefan Behte (RETIRED) gentoo-dev Security 2008-12-11 19:00:49 UTC
I'd personally prefer to see it removed, but your decision to keep it is ok, too. What I expected from you was feedback so that we can resolve the issue; as it's already fixed, and nothing left to do, I'm closing this. Thanks!
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2008-12-12 09:04:19 UTC
Is there any good reason to put temp files into ~/tmp ?
Comment 6 Harald van Dijk (RETIRED) gentoo-dev 2008-12-14 20:32:45 UTC
(In reply to comment #5)
> Is there any good reason to put temp files into ~/tmp ?

mktemp (or anything similar) is never mentioned in the mailing list thread about this issue, so I'd say upstream was either unaware of it or supports systems they know don't have mktemp. Without that, ~/tmp is more secure than /tmp. If you care, I can ask upstream about it.
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2008-12-15 10:00:08 UTC
(In reply to comment #6)
> (In reply to comment #5)
> > Is there any good reason to put temp files into ~/tmp ?
> 
> mktemp (or anything similar) is never mentioned in the mailing list thread
> about this issue, so I'd say upstream was either unaware of it or supports
> systems they know don't have mktemp. Without that, ~/tmp is more secure than
> /tmp.

I just feel like putting temp files into ~/tmp violates the FHS. If mktemp's existence is an issue, one could either check for it and otherwise fallback to using ~/tmp or simply depend on it. It should be present on modern unix systems.

> If you care, I can ask upstream about it.

Great, thanks.
Comment 8 Harald van Dijk (RETIRED) gentoo-dev 2008-12-15 20:24:26 UTC
Upstream wants to use a fixed location so that running the same script multiple times will reuse the previous temporary directory. A successful run will remove the tempdir, but after failure the tempdir is kept around and meant to be kept around. This seems a reasonable desire to me, and given the choice between a fixed location in /tmp and a fixed location in ~/tmp (or any other private location), the former is far more troublesome.