Your message dated Wed, 26 Jun 2013 15:04:38 +0200 with message-id <[email protected]> and subject line Re: yacas: Plot2D broken tmpfile handling has caused the Debian Bug report #425029, regarding yacas: Plot2D broken tmpfile handling to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.) -- 425029: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=425029 Debian Bug Tracking System Contact [email protected] with problems
--- Begin Message --------BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Package: yacas Version: 1.0.57-3 Severity: important The Plot2D function of yacas communicates with gnuplot through temporary files. The name of the files is hard-wired into yacas, as follows: A new directory /tmp/plot.tmp is created, if it does not yet exist. And files gnuplot.in and data1 under that directory are used for the temporary files. This opens up a "tmp file vulnerability" and is simply not appropriate for a mutliuser system like Linux. For one, it is not mutliuser - safe. Try this: As one user, start yacas, and type, at the prompt, Plot2D(Sin(x), 0:10) ("Sin", not "sin") Assuming you also have gnuplot installed, a nice sin graph will pop up. A second user trying the same, while the first is still looking at the nice graph, will not suceed. The /tmp/plot.tmp directory is owned by the first user, and the files can not be written by the second. There is even a race condition problem if only one user has several instances of yacas up and running in parallel (as I sometimes do). And, this stuff is outright dangerous: If someone maliciously sets up /tmp/plot.tmp/data1 as a symbolic link pointing to any old file somewhere in the file system, yacas will happily overwrite that file with the plot data. So if I know you're using yacas' Print2D, I can set things up in the /tmp directory so that yacas will trash any of your files (e.g., your mailbox, or your GPG key, or your ssh key (or even /etc/passwd, if you are root). It is because of this danger I've decided to file this with severity "important". In my opinion, to create a new directory is a good idea. But yacas should make sure nothing of that name already exists beforehand. And there should be no time wasted: The check and the file creation must happen atomically. In other words, it must not even theoretically be possible to set things up maliciously between the existence check and the creation. If the directory already does exists, a fresh directory name (preferably unpredictable) should be used. Compare the Debian policy: http://www.debian.org/doc/debian-policy/ch-files.html which has a little remark on temp files in 10.4. Regards, and thank you for providing fine software Andreas - -- System Information: Debian Release: 4.0 APT prefers stable APT policy: (500, 'stable') Architecture: i386 (i686) Shell: /bin/sh linked to /bin/bash Kernel: Linux 2.6.18-4-vserver-686 Locale: LANG=de_DE.UTF-8@euro, LC_CTYPE=de_DE.UTF-8@euro (charmap=UTF-8) Versions of packages yacas depends on: ii debianutils 2.17 Miscellaneous utilities specific t ii dillo [www-browser] 0.8.5-4.1 Small and fast web browser ii freeglut3 2.4.0-5 OpenGL Utility Toolkit ii iceweasel [www-browser 2.0.0.3-1 lightweight web browser based on M ii konqueror [www-browser 4:3.5.5a.dfsg.1-6 KDE's advanced file manager, web b ii libc6 2.3.6.ds1-13 GNU C Library: Shared libraries ii libgcc1 1:4.1.1-21 GCC support library ii libgl1-mesa-glx [libgl 6.5.1-0.6 A free implementation of the OpenG ii libglu1-mesa [libglu1] 6.5.1-0.6 The OpenGL utility library (GLU) ii libgsl0 1.8-2 GNU Scientific Library (GSL) -- li ii libice6 1:1.0.1-2 X11 Inter-Client Exchange library ii libsm6 1:1.0.1-3 X11 Session Management library ii libstdc++6 4.1.1-21 The GNU Standard C++ Library v3 ii libx11-6 2:1.0.3-7 X11 client-side library ii libxext6 1:1.0.1-2 X11 miscellaneous extension librar ii libxi6 1:1.0.1-4 X11 Input extension library ii libxmu6 1:1.0.2-2 X11 miscellaneous utility library ii libxt6 1:1.0.2-2 X11 toolkit intrinsics library ii lynx [www-browser] 2.8.5-2sarge2.2 Text-mode WWW Browser ii w3m [www-browser] 0.5.1-5.1 WWW browsable pager with excellent ii yacas-doc 1.0.57-3 Documentation for Yacas yacas recommends no packages. - -- no debconf information -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFGTca+nWrlKaIH40ARAoPwAJwJZFZrFHxqS6cTiRkCj9R0xQggnQCeJHig XItxDC5/jQ0aeUcc4gD+wxU= =K8Ch -----END PGP SIGNATURE-----
--- End Message ---
--- Begin Message ---Package: yacas Followup-For: Bug #425029 I am proceeding to close this bug report since it's not present in latest yacas version. If you consider that I'm wrong you could re-open this bug. I tried to reproduce the problem you described in your bug report, and it is not present anymore such behavior. Regards, -- System Information: Debian Release: jessie/sid APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.9-1-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.utf8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages yacas depends on: ii gnuplot 4.6.3-2 ii google-chrome-unstable [www-browser] 29.0.1547.0-r208345 ii iceweasel [www-browser] 17.0.7esr-1 ii libc6 2.17-5 ii libgcc1 1:4.8.1-4 ii libstdc++6 4.8.1-4 ii lynx 2.8.8dev.15-2 ii lynx-cur [www-browser] 2.8.8dev.15-2 ii w3m [www-browser] 0.5.3-8 ii yacas-doc 1.3.3-2 yacas recommends no packages. Versions of packages yacas suggests: pn texmacs <none> -- no debconf information -- Muammar El Khatib. Linux user: 403107. Key fingerprint = 90B8 BFC4 4A75 B881 39A3 1440 30EB 403B 1270 29F1 http://muammar.me | http://proyectociencia.org ,''`. : :' : `. `' `-
--- End Message ---
