Bug 235828 (CVE-2008-5007) - dev-lang/lazarus-0.99.24 insecure temp file usage (CVE-2008-5007)
Status: RESOLVED FIXED
Alias: CVE-2008-5007
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High minor
Assignee: Gentoo Security
URL: http://code.google.com/p/bollin/sourc...
Whiteboard: ~3 [noglsa]
Blocks: debian-tempfile
Reported: 2008-08-26 18:42 UTC by Christian Hoffmann (RETIRED)
Modified: 2008-12-15 20:24 UTC
Description Christian Hoffmann (RETIRED) gentoo-dev 2008-08-26 18:42:11 UTC
See bug 235770.
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2008-11-11 00:22:55 UTC
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5007
create_lazarus_export_tgz.sh in lazarus 0.9.24 allows local users to overwrite or delete arbitrary files via a symlink attack on a (1) /tmp/lazarus.tgz temporary file or a (2) /tmp/lazarus temporary directory.
Comment 2 Stefan Behte (RETIRED) gentoo-dev Security 2008-12-10 22:56:34 UTC
lang-misc, are you alive?
Comment 3 Harald van Dijk (RETIRED) gentoo-dev 2008-12-11 18:52:21 UTC
Yes. At the time lang-misc@g.o was added to the CC list, lazarus-0.9.26 was already in the tree, which doesn't use /tmp for temporary files (instead uses ~/tmp), and lazarus never had stable keywords, so I'm not sure what you want us to do. If you want to see the old version gone from the tree, then no objections from me, but I don't see the need.
Comment 4 Stefan Behte (RETIRED) gentoo-dev Security 2008-12-11 19:00:49 UTC
I'd personally prefer to see it removed, but your decision to keep it is ok, too. What I expected from you was feedback so that we can resolve the issue; as it's already fixed, and nothing left to do, I'm closing this. Thanks!
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2008-12-12 09:04:19 UTC
Is there any good reason to put temp files into ~/tmp ?
Comment 6 Harald van Dijk (RETIRED) gentoo-dev 2008-12-14 20:32:45 UTC
(In reply to comment #5)
> Is there any good reason to put temp files into ~/tmp ?

mktemp (or anything similar) is never mentioned in the mailing list thread about this issue, so I'd say upstream was either unaware of it or supports systems they know don't have mktemp. Without that, ~/tmp is more secure than /tmp. If you care, I can ask upstream about it.
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2008-12-15 10:00:08 UTC
(In reply to comment #6)
> (In reply to comment #5)
> > Is there any good reason to put temp files into ~/tmp ?
> 
> mktemp (or anything similar) is never mentioned in the mailing list thread
> about this issue, so I'd say upstream was either unaware of it or supports
> systems they know don't have mktemp. Without that, ~/tmp is more secure than
> /tmp.

I just feel like putting temp files into ~/tmp violates the FHS. If mktemp's existence is an issue, one could either check for it and otherwise fall back to using ~/tmp or simply depend on it. It should be present on modern unix systems.

> If you care, I can ask upstream about it.

Great, thanks.
Comment 8 Harald van Dijk (RETIRED) gentoo-dev 2008-12-15 20:24:26 UTC
Upstream wants to use a fixed location so that running the same script multiple times will reuse the previous temporary directory. A successful run will remove the tempdir, but after failure the tempdir is kept around and meant to be kept around. This seems a reasonable desire to me, and given the choice between a fixed location in /tmp and a fixed location in ~/tmp (or any other private location), the former is far more troublesome.
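
The two options weighed in comments 7 and 8 (mktemp when it is available, otherwise a fixed directory under ~/tmp that a later run can reuse), sketched as an added example that is not part of this bug thread or of upstream's script. The function names and the `lazarus-export` directory name are hypothetical.

```sh
#!/bin/sh
# Added example; workdir_fresh, workdir_reuse, make_workdir and the
# "lazarus-export" name are hypothetical, not taken from upstream's script.

# Fresh directory: mktemp -d creates an unpredictable name atomically with
# mode 0700, so a symlink planted at a guessed path is never followed.
workdir_fresh() {
    command -v mktemp >/dev/null 2>&1 || return 1
    mktemp -d "${TMPDIR:-/tmp}/lazarus-export.XXXXXX"
}

# Fixed, reusable directory under a private parent (the ~/tmp approach).
# Refuses symlinks and anything the calling user does not own.
workdir_reuse() {
    parent="$HOME/tmp"
    dir="$parent/lazarus-export"
    (umask 077 && mkdir -p "$parent") || return 1
    if [ ! -e "$dir" ] && [ ! -L "$dir" ]; then
        (umask 077 && mkdir "$dir") || return 1
    fi
    for p in "$parent" "$dir"; do
        if [ -L "$p" ] || [ ! -d "$p" ] || [ ! -O "$p" ]; then
            echo "refusing unsafe path: $p" >&2
            return 1
        fi
    done
    chmod 700 "$dir" || return 1
    printf '%s\n' "$dir"
}

# Use mktemp when present; use the private fixed location when it is missing
# or when the caller passes "reuse" to pick up a failed run's directory.
make_workdir() {
    if [ "${1:-fresh}" != reuse ] && d=$(workdir_fresh); then
        printf '%s\n' "$d"
    else
        workdir_reuse
    fi
}
```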