Bug#462838: comix: insecure temporary file creation

2008-04-01 Thread hhaamu
On Mon, 31 Mar 2008 14:52:50 +0200
Nico Golde [EMAIL PROTECTED] wrote:
> * [EMAIL PROTECTED] [EMAIL PROTECTED] [2008-01-27 20:32]:
> > Completely predictable filenames and chmodding after creation open this up
> > for symlink attack.
>
> I just had a look at this issue and can not confirm what you
> said. Can you please come up with an exploit scenario?
>
> You are right, the directory names are predictable and there
> is of course a race condition between if not os.path.exists
> and the mkdir call. But if the name is a dangling symlink
> mkdir will fail because the file already exists.

> Did you test this?

Ah, no, I did not. I just checked Python's behaviour and it refused to
create a directory on a symlink. I assumed that it would just follow
the symlink like touch(1) does on files.

I guess it is not exploitable, then.



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
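
Added example (not part of the original thread and not Comix code): the mkdir() behaviour both posters arrive at, reproduced in Python 3, next to a creation loop that lets mkdir() itself be the existence test and sets the mode at creation time. The function names and the ownership check on the parent directory are assumptions of this example.

```python
import errno
import os
import stat
import tempfile


def mkdir_on_dangling_symlink(workdir):
    """Return the errno os.mkdir() fails with when the name is a dangling symlink."""
    link = os.path.join(workdir, "1")
    os.symlink(os.path.join(workdir, "no-such-target"), link)
    # exists() follows the link and reports False, so the reported code
    # would reach mkdir() here; mkdir() does not follow it and fails.
    assert not os.path.exists(link)
    try:
        os.mkdir(link)
    except OSError as exc:
        return exc.errno
    return None


def create_session_dir(parent):
    """Create parent/<num> with no exists()/mkdir() gap and no late chmod."""
    st = os.lstat(parent)  # lstat: a symlinked parent is rejected, not followed
    if not stat.S_ISDIR(st.st_mode) or st.st_uid != os.getuid() or st.st_mode & 0o022:
        raise RuntimeError("refusing to use %s" % parent)
    num = 1
    while True:
        path = os.path.join(parent, str(num))
        try:
            # mkdir() is the existence test: atomic, and the mode is set at
            # creation (subject to umask), so there is no window before chmod.
            os.mkdir(path, 0o700)
            return path
        except FileExistsError:
            num += 1  # name taken by a file, directory or symlink: try the next


if __name__ == "__main__":
    work = tempfile.mkdtemp(prefix="comix-demo-")  # constructed scratch dir
    print("mkdir on dangling symlink:", errno.errorcode[mkdir_on_dangling_symlink(work)])
    print("session dir:", create_session_dir(work))
```

Where the directory name does not need to be predictable, tempfile.mkdtemp() gives the same creation-time guarantees with a random name.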



Bug#462838: comix: insecure temporary file creation

2008-03-31 Thread Nico Golde
Hi,
* [EMAIL PROTECTED] [EMAIL PROTECTED] [2008-01-27 20:32]:
> /usr/bin/comix, line 10494:
> # ===
> # Create the temporary directory used in this Comix session.
> # The dir is /tmp/comix/num where num is 1 or higher
> # depending on the number of Comix sessions opened.
> # ===
> if not os.path.exists('/tmp/comix/'):
>     os.makedirs('/tmp/comix/')
>     os.chmod('/tmp/comix/', 0700)
> dir_number = 1
> while 1:
>     if not os.path.exists('/tmp/comix/' + str(dir_number)):
>         os.mkdir('/tmp/comix/' + str(dir_number))
>         os.chmod('/tmp/comix/' + str(dir_number), 0700)
>         self.base_dir = '/tmp/comix/' + str(dir_number) + '/'
>         break
>     dir_number += 1
>
> Completely predictable filenames and chmodding after creation open this up
> for symlink attack.

I just had a look at this issue and can not confirm what you 
said. Can you please come up with an exploit scenario?

You are right, the directory names are predictable and there 
is of course a race condition between if not os.path.exists 
and the mkdir call. But if the name is a dangling symlink 
mkdir will fail because the file already exists.

> chmodding after creation open this up for symlink attack.
I also don't see why this should be true here, what would an 
attacker gain by that? I might be wrong but I don't see any 
action that is done with that directory that can be 
exploited via a symlink. Did you test this?

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.




Bug#462838: comix: insecure temporary file creation

2008-01-27 Thread hhaamu
Package: comix
Version: 3.6.4-1
Severity: grave
Justification: user security hole
Tags: security

*** Please type your report below this line ***

/usr/bin/comix, line 10494:
# ===
# Create the temporary directory used in this Comix session.
# The dir is /tmp/comix/num where num is 1 or higher
# depending on the number of Comix sessions opened.
# ===
if not os.path.exists('/tmp/comix/'):
    os.makedirs('/tmp/comix/')
    os.chmod('/tmp/comix/', 0700)
dir_number = 1
while 1:
    if not os.path.exists('/tmp/comix/' + str(dir_number)):
        os.mkdir('/tmp/comix/' + str(dir_number))
        os.chmod('/tmp/comix/' + str(dir_number), 0700)
        self.base_dir = '/tmp/comix/' + str(dir_number) + '/'
        break
    dir_number += 1

Completely predictable filenames and chmodding after creation open this up
for symlink attack.

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (700, 'testing'), (500, 'stable'), (400, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.22-3-686 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=fi_FI.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages comix depends on:
ii  gconf2          2.20.1-2   GNOME configuration database syste
ii  python          2.4.4-6    An interactive high-level object-o
ii  python-gtk2     2.12.1-1   Python bindings for the GTK+ widge
ii  python-imaging  1.1.6-1    Python Imaging Library

comix recommends no packages.

-- no debconf information






Bug#462838: comix: insecure temporary file creation

2008-01-27 Thread hhaamu
Same issue for /usr/bin/comicthumb, although reading the code, I
believe the temporary directory is only used for archives-inside-
archives.


