Package: pycode-browser
Version: 20120614+git+b041dd2-8
Severity: normal
Tags: security
pycode-browser has a predictable temporary file vulnerability. When following the steps below, it uses the predictable temporary file /tmp/pycode-0007-0007.py and overwrites its contents. You can reproduce this with the attached script by running "./test-pycode-browser pycode-browser" and following these steps:

* Launch pycode-browser (with or without the script).
* Open one of the test programs.
* Modify it in some way.
* Do not save the file.
* Click the Execute button.

The program will write the contents to the temporary file. Upon exiting, the script will report that the program is vulnerable.

The vulnerability is ameliorated by fs.protected_symlinks, but systems running without that enabled are vulnerable to a symlink attack.

The Debian Security Team has allocated CVE-2015-0849 to this vulnerability.

I sent an email to upstream but have received no response, so I'm filing this bug. No DSA will be issued for this vulnerability.

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.0.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=es_US.UTF-8, LC_CTYPE=es_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
#!/bin/sh
# test-pycode-browser: set up temporary file vuln testing
#
# Usage: test-pycode-browser pycode-browser
#
# Plants a symlink at the predictable temp file name, runs the program given
# on the command line, and afterwards checks whether the file the symlink
# points to was overwritten.

TEMPDIR=$(mktemp -d)
[ -n "$TEMPDIR" ] || exit 1

# Known contents, plus a checksum so any change to them is detected.
printf '%d exploit test\n' $$ > "$TEMPDIR/exploit"
sha384sum "$TEMPDIR/exploit" > "$TEMPDIR/hash"

# The predictable name that pycode-browser writes to.
ln -s "$TEMPDIR/exploit" "/tmp/pycode-0007-0007.py"

"$@"

if sha384sum -c "$TEMPDIR/hash" >/dev/null 2>&1
then
	printf "Program is not vulnerable.\n"
else
	printf "Program is VULNERABLE!\n"
fi

# Remove the planted symlink as well as the scratch directory.
rm -f -- "/tmp/pycode-0007-0007.py"
rm -r -- "$TEMPDIR"
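To show the class of defect the report describes next to its fix, here is an added Python example (not pycode-browser's own code): a writer that uses a fixed name under a shared directory, beside one that uses tempfile.mkstemp. The directory, the victim file and the planted symlink are all constructed for the demonstration; the fixed name is only the one quoted in the report.

```python
import os
import tempfile

# The predictable name quoted in the bug report (how the real program
# derives it is not shown there; the name alone is what matters here).
PREDICTABLE_NAME = "pycode-0007-0007.py"


def save_predictable(tmpdir, code):
    """Vulnerable pattern: fixed name in a shared directory, opened for
    writing. open(..., "w") follows an existing symlink, so whatever the
    link points at is truncated and overwritten."""
    path = os.path.join(tmpdir, PREDICTABLE_NAME)
    with open(path, "w") as f:
        f.write(code)
    return path


def save_unpredictable(tmpdir, code):
    """Hardened form: mkstemp creates a fresh, randomly named file with
    O_CREAT|O_EXCL and mode 0600, so a file or symlink planted at a
    guessed name can never be the one that gets written."""
    fd, path = tempfile.mkstemp(prefix="pycode-", suffix=".py", dir=tmpdir)
    with os.fdopen(fd, "w") as f:
        f.write(code)
    return path


def demo(tmpdir=None):
    """Constructed scenario: a symlink waits at the predictable name inside
    a private scratch directory (fs.protected_symlinks only covers sticky
    world-writable directories such as /tmp, so it does not apply here).
    Returns (victim_was_overwritten, hardened_file_is_fresh_and_private)."""
    tmpdir = tmpdir or tempfile.mkdtemp()
    victim = os.path.join(tmpdir, "victim.txt")
    with open(victim, "w") as f:
        f.write("original\n")
    os.symlink(victim, os.path.join(tmpdir, PREDICTABLE_NAME))

    save_predictable(tmpdir, "print('hi')\n")
    with open(victim) as f:
        overwritten = f.read() != "original\n"

    hardened = save_unpredictable(tmpdir, "print('hi')\n")
    fresh = (os.path.basename(hardened) != PREDICTABLE_NAME
             and not os.path.islink(hardened)
             and os.stat(hardened).st_mode & 0o777 == 0o600)
    return overwritten, fresh
```

Running demo() returns (True, True): the fixed-name writer clobbered the victim through the symlink, while the mkstemp file is a new, owner-only file unrelated to the planted name.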