Your message dated Fri, 31 Jul 2015 09:41:13 +0000
with message-id <[email protected]>
and subject line Bug#790365: fixed in libwmf 0.2.8.4-10.4
has caused the Debian Bug report #790365,
regarding pycode-browser: CVE-2015-0849: predictable temporary file vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
790365: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=790365
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: pycode-browser
Version: 20120614+git+b041dd2-8
Severity: normal
Tags: security

pycode-browser has a predictable temporary file vulnerability.

When following the below steps, it uses the predictable
temporary file /tmp/pycode-0007-0007.py and will overwrite its contents.
You can reproduce this with the attached script by running
"./test-pycode-browser pycode-browser" and following the steps.

* Launch pycode-browser (with or without the script).
* Open one of the test programs.
* Modify it in some way.
* Do not save the file.
* Click the Execute button.

The program will write the contents to the temporary file.  Upon
exiting, the script will report that the program is vulnerable.  The
vulnerability is ameliorated by fs.protected_symlinks, but systems
running without that enabled are vulnerable to a symlink attack.

The Debian Security Team has allocated CVE-2015-0849 to this
vulnerability.  I sent an email to upstream but have received no
response, so I'm filing this bug.  No DSA will be issued for this
vulnerability.

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.0.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=es_US.UTF-8, LC_CTYPE=es_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
#!/bin/sh
# test-pycode-browser: set up temporary file vuln testing
#
# Usage: test-pycode-browser pycode-browser

TEMPDIR=$(mktemp -d)

[ -n "$TEMPDIR" ] || exit 1

# Canary file and its digest: if the program under test writes through the
# symlink planted below, the digest check at the end fails.
printf '%d exploit test\n' $$ > "$TEMPDIR/exploit"
sha384sum "$TEMPDIR/exploit" > "$TEMPDIR/hash"

# Plant a symlink at the predictable name pycode-browser is expected to use.
ln -s "$TEMPDIR/exploit" "/tmp/pycode-0007-0007.py"

# Run the program under test (command and arguments are passed through).
"$@"

if sha384sum -c "$TEMPDIR/hash" >/dev/null 2>&1
then
        printf "Program is not vulnerable.\n"
else
        printf "Program is VULNERABLE!\n"
fi
rm -r -- "$TEMPDIR"

--- End Message ---
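The predictable-path defect described in the report above, next to the mkstemp-based fix, as an added Python example that is not part of the original report or of pycode-browser's own code; the fixed file name, the working directory and the symlink_check helper are constructed for illustration.

```python
import os
import tempfile

# Constructed example (not pycode-browser's own code): a program that writes
# user-edited code to a fixed, predictable name in a shared directory, and the
# replacement that lets the kernel hand out a fresh private file instead.


def write_predictable(tmp_dir, source):
    """Insecure pattern: fixed name, plain open().

    If another local user pre-created a symlink at this name, open() follows
    it and the contents land in whatever the link points at.
    """
    path = os.path.join(tmp_dir, "pycode-0007-0007.py")
    with open(path, "w") as fh:  # follows symlinks, truncates the target
        fh.write(source)
    return path


def write_private(tmp_dir, source):
    """Hardened pattern: mkstemp() opens with O_CREAT|O_EXCL, mode 0600 and an
    unpredictable suffix, so a planted symlink is never followed (O_EXCL fails
    even on a dangling link) and the name cannot be guessed in advance.
    """
    fd, path = tempfile.mkstemp(prefix="pycode-", suffix=".py", dir=tmp_dir)
    with os.fdopen(fd, "w") as fh:
        fh.write(source)
    return path


def symlink_check(writer):
    """Mirror of the report's shell test, in a private scratch directory:
    plant a symlink at the predictable name, run the writer, and report
    whether the link target was clobbered. Returns True when vulnerable."""
    with tempfile.TemporaryDirectory() as work:
        victim = os.path.join(work, "victim")
        with open(victim, "w") as fh:
            fh.write("original\n")
        os.symlink(victim, os.path.join(work, "pycode-0007-0007.py"))
        written = writer(work, "print('edited')\n")
        with open(victim) as fh:
            clobbered = fh.read() != "original\n"
        # a safe writer must never have written through the planted link
        return clobbered or os.path.realpath(written) == os.path.realpath(victim)
```

The check runs in a non-sticky private directory, so fs.protected_symlinks (which only intervenes in sticky world-writable directories such as /tmp) does not mask the result the way the report notes it can on a real system.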
--- Begin Message ---
Source: libwmf
Source-Version: 0.2.8.4-10.4

We believe that the bug you reported is fixed in the latest version of
libwmf, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alessandro Ghedini <[email protected]> (supplier of updated libwmf package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Thu, 30 Jul 2015 17:10:05 +0200
Source: libwmf
Binary: libwmf0.2-7 libwmf-bin libwmf-dev libwmf-doc
Architecture: source amd64 all
Version: 0.2.8.4-10.4
Distribution: unstable
Urgency: high
Maintainer: Loïc Minier <[email protected]>
Changed-By: Alessandro Ghedini <[email protected]>
Description:
 libwmf-bin - Windows metafile conversion tools
 libwmf-dev - Windows metafile conversion development
 libwmf-doc - Windows metafile documentation
 libwmf0.2-7 - Windows metafile conversion library
Closes: 784192 784205 787644 790365
Changes:
 libwmf (0.2.8.4-10.4) unstable; urgency=high
 .
   * NMU from the Security Team
   * Fix multiple vulnerabilities:
     - CVE-2015-0848 (Closes: #790365)
     - CVE-2015-4588 (Closes: #787644)
     - CVE-2015-4695 (Closes: #784205)
     - CVE-2015-4696 (Closes: #784192)
   * Fix lintian override

--- End Message ---
