Bug#462838: comix: insecure temporary file creation
On Mon, 31 Mar 2008 14:52:50 +0200 Nico Golde [EMAIL PROTECTED] wrote:

> * [EMAIL PROTECTED] [EMAIL PROTECTED] [2008-01-27 20:32]:
> > Completely predictable filenames and chmodding after creation open
> > this up for symlink attack.
>
> I just had a look at this issue and can not confirm what you said.
> Can you please come up with an exploit scenario? You are right, the
> directory names are predictable and there is of course a race
> condition between if not os.path.exists and the mkdir call. But if
> the name is a dangling symlink mkdir will fail because the file
> already exists.
>
> Did you test this?

Ah, no, I did not. I just checked Python's behaviour and it refused to
create a directory on a symlink. I assumed that it would just follow the
symlink like touch(1) does on files.

I guess it is not exploitable, then.

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#462838: comix: insecure temporary file creation
Hi,

* [EMAIL PROTECTED] [EMAIL PROTECTED] [2008-01-27 20:32]:
> /usr/bin/comix, line 10494:
>
>     # ===
>     # Create the temporary directory used in this Comix session.
>     # The dir is /tmp/comix/num where num is 1 or higher
>     # depending on the number of Comix sessions opened.
>     # ===
>     if not os.path.exists('/tmp/comix/'):
>         os.makedirs('/tmp/comix/')
>         os.chmod('/tmp/comix/', 0700)
>     dir_number = 1
>     while 1:
>         if not os.path.exists('/tmp/comix/' + str(dir_number)):
>             os.mkdir('/tmp/comix/' + str(dir_number))
>             os.chmod('/tmp/comix/' + str(dir_number), 0700)
>             self.base_dir = '/tmp/comix/' + str(dir_number) + '/'
>             break
>         dir_number += 1
>
> Completely predictable filenames and chmodding after creation open
> this up for symlink attack.

I just had a look at this issue and can not confirm what you said. Can
you please come up with an exploit scenario? You are right, the
directory names are predictable and there is of course a race condition
between if not os.path.exists and the mkdir call. But if the name is a
dangling symlink mkdir will fail because the file already exists.

> chmodding after creation open this up for symlink attack.

I also don't see why this should be true here, what would an attacker
gain by that? I might be wrong but I don't see any action that is done
with that directory that can be exploited via a symlink.

Did you test this?

Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
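
The behaviour discussed in this thread, as an added example that is not part of the original mails or of Comix: os.mkdir() on a name that is a dangling symlink fails with EEXIST, and a numbered session directory can be created atomically with mode 0700, with no exists() check and no later chmod. It is written for Python 3; the function names and the scratch directory are assumptions made for illustration.

```python
import errno
import os
import shutil
import stat
import tempfile


def mkdir_on_dangling_symlink(scratch):
    """Return the errno name raised by os.mkdir() on a dangling symlink."""
    link = os.path.join(scratch, "1")
    os.symlink(os.path.join(scratch, "does-not-exist"), link)
    try:
        os.mkdir(link, 0o700)
    except OSError as exc:
        return errno.errorcode[exc.errno]
    return None  # mkdir followed the link (not what mkdir(2) does)


def create_session_dir(parent):
    """Create parent/<n> in one atomic step, never touching an existing name."""
    st = os.lstat(parent)
    # Refuse a parent that is a symlink, not a directory, or owned by another user.
    if not stat.S_ISDIR(st.st_mode) or st.st_uid != os.getuid():
        raise PermissionError("untrusted parent directory: %s" % parent)
    n = 1
    while True:
        path = os.path.join(parent, str(n))
        try:
            # mkdir(2) sets the mode at creation and fails with EEXIST on any
            # existing name (file, directory or symlink): no check-then-create gap.
            os.mkdir(path, 0o700)
            return path
        except FileExistsError:
            n += 1


def demo():
    """Run both cases in a private scratch directory (constructed sample layout)."""
    scratch = tempfile.mkdtemp(prefix="comix-demo-")  # unpredictable name, mode 0700
    try:
        err = mkdir_on_dangling_symlink(scratch)
        path = create_session_dir(scratch)  # "1" is the symlink, so this yields "2"
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        return err, os.path.basename(path), mode
    finally:
        shutil.rmtree(scratch)


if __name__ == "__main__":
    print(demo())
```

tempfile.mkdtemp() alone gives a private, unpredictably named directory and is the simpler replacement when the numbered /tmp/comix/num layout is not needed.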
Bug#462838: comix: insecure temporary file creation
Package: comix
Version: 3.6.4-1
Severity: grave
Justification: user security hole
Tags: security

*** Please type your report below this line ***

/usr/bin/comix, line 10494:

    # ===
    # Create the temporary directory used in this Comix session.
    # The dir is /tmp/comix/num where num is 1 or higher
    # depending on the number of Comix sessions opened.
    # ===
    if not os.path.exists('/tmp/comix/'):
        os.makedirs('/tmp/comix/')
        os.chmod('/tmp/comix/', 0700)
    dir_number = 1
    while 1:
        if not os.path.exists('/tmp/comix/' + str(dir_number)):
            os.mkdir('/tmp/comix/' + str(dir_number))
            os.chmod('/tmp/comix/' + str(dir_number), 0700)
            self.base_dir = '/tmp/comix/' + str(dir_number) + '/'
            break
        dir_number += 1

Completely predictable filenames and chmodding after creation open this
up for symlink attack.

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (700, 'testing'), (500, 'stable'), (400, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.22-3-686 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=fi_FI.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages comix depends on:
ii  gconf2          2.20.1-2   GNOME configuration database syste
ii  python          2.4.4-6    An interactive high-level object-o
ii  python-gtk2     2.12.1-1   Python bindings for the GTK+ widge
ii  python-imaging  1.1.6-1    Python Imaging Library

comix recommends no packages.

-- no debconf information
Bug#462838: comix: insecure temporary file creation
Same issue for /usr/bin/comicthumb, although reading the code, I believe
the temporary directory is only used for archives-inside-archives.