Package: yacas
Version: 1.0.57-3
Severity: important
The Plot2D function of yacas communicates with gnuplot through
temporary files. The names of the files are hard-wired into yacas, as
follows:
A new directory /tmp/plot.tmp is created, if it does not yet
exist. And files gnuplot.in and data1 under that directory are used
for the temporary files.
This opens up a "tmp file vulnerability" and is simply not appropriate
for a multiuser system like Linux.
For one, it is not multiuser-safe. Try this:
As one user, start yacas, and type, at the prompt,
Plot2D(Sin(x), 0:10)
("Sin", not "sin")
Assuming you also have gnuplot installed, a nice sin graph will pop
up.
A second user trying the same, while the first is still looking at the
nice graph, will not succeed. The /tmp/plot.tmp directory is owned by
the first user, and the files cannot be written by the second.
There is even a race condition problem if only one user has several
instances of yacas up and running in parallel (as I sometimes do).
And, this stuff is outright dangerous: If someone maliciously sets up
/tmp/plot.tmp/data1 as a symbolic link pointing to any old file
somewhere in the file system, yacas will happily overwrite that file
with the plot data.
So if I know you're using yacas' Plot2D, I can set things up in the
/tmp directory so that yacas will trash any of your files (e.g., your
mailbox, or your GPG key, or your ssh key (or even /etc/passwd, if you
are root)).
It is because of this danger that I've decided to file this with severity
"important".
In my opinion, to create a new directory is a good idea. But yacas
should make sure nothing of that name already exists beforehand. And
there should be no time wasted: The check and the file creation must
happen atomically. In other words, it must not even theoretically be
possible to set things up maliciously between the existence check and
the creation. If the directory already does exist, a fresh directory
name (preferably unpredictable) should be used.
Compare the Debian policy:
http://www.debian.org/doc/debian-policy/ch-files.html
which has a little remark on temp files in 10.4.
Regards, and thank you for providing fine software
Andreas
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-vserver-686
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED] (charmap=UTF-8)
Versions of packages yacas depends on:
ii debianutils 2.17 Miscellaneous utilities specific t
ii dillo [www-browser] 0.8.5-4.1 Small and fast web browser
ii freeglut3 2.4.0-5 OpenGL Utility Toolkit
ii iceweasel [www-browser 2.0.0.3-1 lightweight web browser based on M
ii konqueror [www-browser 4:3.5.5a.dfsg.1-6 KDE's advanced file manager, web b
ii libc6 2.3.6.ds1-13 GNU C Library: Shared libraries
ii libgcc1 1:4.1.1-21 GCC support library
ii libgl1-mesa-glx [libgl 6.5.1-0.6 A free implementation of the OpenG
ii libglu1-mesa [libglu1] 6.5.1-0.6 The OpenGL utility library (GLU)
ii libgsl0 1.8-2 GNU Scientific Library (GSL) -- li
ii libice6 1:1.0.1-2 X11 Inter-Client Exchange library
ii libsm6 1:1.0.1-3 X11 Session Management library
ii libstdc++6 4.1.1-21 The GNU Standard C++ Library v3
ii libx11-6 2:1.0.3-7 X11 client-side library
ii libxext6 1:1.0.1-2 X11 miscellaneous extension librar
ii libxi6 1:1.0.1-4 X11 Input extension library
ii libxmu6 1:1.0.2-2 X11 miscellaneous utility library
ii libxt6 1:1.0.2-2 X11 toolkit intrinsics library
ii lynx [www-browser] 2.8.5-2sarge2.2 Text-mode WWW Browser
ii w3m [www-browser] 0.5.1-5.1 WWW browsable pager with excellent
ii yacas-doc 1.0.57-3 Documentation for Yacas
yacas recommends no packages.
-- no debconf information
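The atomic, unpredictably named temp directory the report asks for, as an added example in C that is not part of the bug report or of yacas itself. The helper names make_plot_dir and open_plot_file are hypothetical; the directory is created under $TMPDIR, falling back to /tmp, and the data file is opened with O_EXCL|O_NOFOLLOW so a planted symlink can never redirect the plot data.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical replacement for the fixed /tmp/plot.tmp: mkdtemp() picks an
 * unpredictable name and creates the directory (mode 0700) in one call, so
 * there is no window between "does it exist?" and "create it". Returns a
 * malloc'd path, or NULL with errno set. */
char *make_plot_dir(void) {
    const char *base = getenv("TMPDIR");
    if (base == NULL || *base == '\0') base = "/tmp";
    size_t len = strlen(base) + sizeof "/plot.XXXXXX";
    char *path = malloc(len);
    if (path == NULL) return NULL;
    snprintf(path, len, "%s/plot.XXXXXX", base);
    if (mkdtemp(path) == NULL) { free(path); return NULL; }
    return path;
}

/* Create gnuplot.in / data1 inside that directory. O_CREAT|O_EXCL fails with
 * EEXIST if any entry of that name is already there (a planted symlink
 * included) and O_NOFOLLOW refuses to follow one, so plot data can never
 * overwrite a file the user did not intend. Returns fd or -1 (errno set). */
int open_plot_file(const char *dir, const char *name) {
    char path[4096];
    int n = snprintf(path, sizeof path, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= sizeof path) { errno = ENAMETOOLONG; return -1; }
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

int main(void) {
    char *dir = make_plot_dir();
    if (dir == NULL) { perror("mkdtemp"); return 1; }
    int fd = open_plot_file(dir, "data1");
    if (fd < 0) { perror("data1"); rmdir(dir); free(dir); return 1; }
    write(fd, "0 0\n1 0.84\n", 11);   /* constructed sample plot data */
    close(fd);
    printf("plot data written under %s\n", dir);
    char path[4096];                  /* clean up once gnuplot is done */
    snprintf(path, sizeof path, "%s/data1", dir);
    unlink(path); rmdir(dir); free(dir);
    return 0;
}
```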