Bug#318285: CAN-2005-2240 symlink attack in xpvm.tcl

2005-09-04 Thread Matej Vela
tag 318285 patch
thanks

Hi,

Here's the CAN-2005-2240 fix for woody and sarge (sid upload is already
in incoming).

Cheers,

Matej
diff -u xpvm-1.2.5/src/xpvm.tcl xpvm-1.2.5/src/xpvm.tcl
--- xpvm-1.2.5/src/xpvm.tcl
+++ xpvm-1.2.5/src/xpvm.tcl
@@ -831,7 +831,7 @@
 
 set tfck [ info exists trace_file ]
 
-if { $tfck == 0 } { set trace_file /tmp/xpvm.trace.$user }
+if { $tfck == 0 } { set trace_file [ file join [ glob ~ ] .xpvm_trace ] }
 
 $CTRL.file_entry insert 0 $trace_file
 
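Review bot: `[ glob ~ ]` on the new `set trace_file` line raises a Tcl error when HOME is unset or the home directory cannot be matched, and nothing in this hunk catches it, so the script would stop here where the old /tmp default always produced a string. Wrap the expansion in `catch` and fall back to requiring an explicit trace file, or build the path from `$env(HOME)` after checking that it exists.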
diff -u xpvm-1.2.5/debian/changelog xpvm-1.2.5/debian/changelog
--- xpvm-1.2.5/debian/changelog
+++ xpvm-1.2.5/debian/changelog
@@ -1,3 +1,14 @@
+xpvm (1.2.5-7.2woody1) oldstable-security; urgency=high
+
+  * QA upload.
+  * Use ~/.xpvm_trace instead of /tmp/xpvm.trace.$USER to prevent symlink
+attacks.  (Trace files are meant to be semi-persistent, so this is more
+in line with user expectations than creating unique temporary files.)
+[src/xpvm.tcl, src/help/traces.help, debian/xpvm.1, CAN-2005-2240]
+Closes: #318285.
+
+ -- Matej Vela [EMAIL PROTECTED]  Sun,  4 Sep 2005 14:44:07 +0200
+
 xpvm (1.2.5-7.2) unstable; urgency=low
 
   * NMU
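Review bot: the continuation lines of the new entry (`+attacks.`, `+in line with`, `+[src/xpvm.tcl, ...]`, `+Closes: #318285.`) start in column 0, but change-detail lines in debian/changelog must be indented by at least two spaces or the changelog parser will reject the entry. Indent them to line up under "Use ~/.xpvm_trace", unless the indentation was lost only in this mail.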
diff -u xpvm-1.2.5/debian/xpvm.1 xpvm-1.2.5/debian/xpvm.1
--- xpvm-1.2.5/debian/xpvm.1
+++ xpvm-1.2.5/debian/xpvm.1
@@ -64,7 +64,7 @@
 .BI \-T\  trace
 .B xpvm
 will normally create and store a trace file in the 
-.I /tmp
+user's home
 directory. To have the 
 .I trace
 file stored in some other location, use this option.
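Review bot: with `.I /tmp` replaced by the plain words "user's home", the man page still does not name the file, and because the new default is a dot file the user will not see it in a normal directory listing. Name it explicitly, for example `.I ~/.xpvm_trace`, which also keeps the italic markup the old line had.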
only in patch2:
unchanged:
--- xpvm-1.2.5.orig/src/help/traces.help
+++ xpvm-1.2.5/src/help/traces.help
@@ -13,7 +13,7 @@
 { to have a valid, writable trace file to work with, and so XPVM }
 { assumes a default trace file name: }
 {}
-{  /tmp/xpvm.trace.$(USER) }
+{  ~/.xpvm_trace }
 {}
 { On the first execution of XPVM, this trace file will not yet exist, }
 { and so XPVM will proceed to write traces into this file and read }
diff -u xpvm-1.2.5/src/xpvm.tcl xpvm-1.2.5/src/xpvm.tcl
--- xpvm-1.2.5/src/xpvm.tcl
+++ xpvm-1.2.5/src/xpvm.tcl
@@ -831,7 +831,7 @@
 
 set tfck [ info exists trace_file ]
 
-if { $tfck == 0 } { set trace_file /tmp/xpvm.trace.$user }
+if { $tfck == 0 } { set trace_file [ file join [ glob ~ ] .xpvm_trace ] }
 
 $CTRL.file_entry insert 0 $trace_file
 
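Review bot: only the default is changed here; when `trace_file` already exists (`$tfck` is 1, for example a name passed with `-T`), it is still inserted into `$CTRL.file_entry` unchanged, so a trace file the user places under /tmp is handled as before. If the open code is not being hardened in this upload, the help text and man page should at least say that an explicitly given trace file belongs in a directory only the user can write to.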
diff -u xpvm-1.2.5/debian/changelog xpvm-1.2.5/debian/changelog
--- xpvm-1.2.5/debian/changelog
+++ xpvm-1.2.5/debian/changelog
@@ -1,3 +1,14 @@
+xpvm (1.2.5-7.3sarge1) stable-security; urgency=high
+
+  * QA upload.
+  * Use ~/.xpvm_trace instead of /tmp/xpvm.trace.$USER to prevent symlink
+attacks.  (Trace files are meant to be semi-persistent, so this is more
+in line with user expectations than creating unique temporary files.)
+[src/xpvm.tcl, src/help/traces.help, debian/xpvm.1, CAN-2005-2240]
+Closes: #318285.
+
+ -- Matej Vela [EMAIL PROTECTED]  Sun,  4 Sep 2005 14:44:07 +0200
+
 xpvm (1.2.5-7.3) unstable; urgency=low
 
   * Uploading with maintainer set to QA Group
diff -u xpvm-1.2.5/debian/xpvm.1 xpvm-1.2.5/debian/xpvm.1
--- xpvm-1.2.5/debian/xpvm.1
+++ xpvm-1.2.5/debian/xpvm.1
@@ -64,7 +64,7 @@
 .BI \-T\  trace
 .B xpvm
 will normally create and store a trace file in the 
-.I /tmp
+user's home
 directory. To have the 
 .I trace
 file stored in some other location, use this option.
only in patch2:
unchanged:
--- xpvm-1.2.5.orig/src/help/traces.help
+++ xpvm-1.2.5/src/help/traces.help
@@ -13,7 +13,7 @@
 { to have a valid, writable trace file to work with, and so XPVM }
 { assumes a default trace file name: }
 {}
-{  /tmp/xpvm.trace.$(USER) }
+{  ~/.xpvm_trace }
 {}
 { On the first execution of XPVM, this trace file will not yet exist, }
 { and so XPVM will proceed to write traces into this file and read }


Processed: Bug#318285: CAN-2005-2240 symlink attack in xpvm.tcl

2005-09-04 Thread Debian Bug Tracking System
Processing commands for [EMAIL PROTECTED]:

> tag 318285 patch
Bug#318285: CAN-2005-2240 symlink attack in xpvm.tcl
Tags were: security
Tags added: patch

> thanks
Stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Bug#318285: CAN-2005-2240 symlink attack in xpvm.tcl

2005-07-15 Thread Frank Lichtenheld
On Thu, Jul 14, 2005 at 05:27:33PM +0300, Joey Hess wrote:
> According to http://secunia.com/advisories/16040:

Some investigation on it:
There is a tempfile procedure available in tcllib, one could either
use that or copy-paste (since it isn't available in tcllib in woody).

@security team: Should I cook up a patch for that?

Regards,
-- 
Frank Lichtenheld [EMAIL PROTECTED]
www: http://www.djpig.de/
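
The exclusive-create open that a tempfile procedure relies on, sketched in Tcl for a trace file that may be reused between runs (an added example, not part of this thread or of xpvm; `open_trace_file` and the demo paths are hypothetical):

```tcl
# Added example, not xpvm code. The proc name and demo paths are hypothetical.
# Assumes Tcl 8.4+ on POSIX, and a directory that is private or sticky
# (like /tmp), so others cannot swap a file we own between check and open.
proc open_trace_file {path} {
    # CREAT+EXCL maps to O_CREAT|O_EXCL: the open fails if anything,
    # including a dangling symlink, already exists at $path.
    if {![catch {open $path {WRONLY CREAT EXCL} 0600} chan]} {
        return $chan
    }
    # The name is taken. Reuse it only if lstat reports a regular file
    # that we own and that has no extra hard links.
    if {[catch {file lstat $path st}]} {
        error "cannot lstat $path"
    }
    if {$st(type) ne "file" || ![file owned $path] || $st(nlink) != 1} {
        error "refusing $path: not a private regular file"
    }
    return [open $path {WRONLY APPEND}]
}

# Constructed demo in a scratch directory: a symlink sits at the
# predictable trace name and points at a file the user wants to keep.
set dir    [file join [pwd] xpvm_demo]
set target [file join $dir important.txt]
set trace  [file join $dir xpvm.trace.demo]
file mkdir $dir
set f [open $target w]; puts $f "keep me"; close $f
file delete $trace
file link -symbolic $trace $target

if {[catch {open_trace_file $trace} msg]} {
    puts "hardened open refused: $msg"
}
set f [open $target r]; puts "target still holds: [gets $f]"; close $f

# With the name free, exclusive creation succeeds (requested mode 0600).
file delete $trace
set chan [open_trace_file $trace]
puts $chan "trace data"
close $chan
puts "trace file mode: [file attributes $trace -permissions]"
file delete -force $dir
```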





Bug#318285: CAN-2005-2240 symlink attack in xpvm.tcl

2005-07-14 Thread Joey Hess
Package: xpvm
Severity: serious
Tags: security

According to http://secunia.com/advisories/16040:

  Eric Romang has reported a vulnerability in xpvm, which can be exploited by
  malicious, local users to perform certain actions on a vulnerable system with
  escalated privileges.

  The vulnerability is caused due to the temporary file /tmp/xpvm.trace.$user
  being created insecurely by src/xpvm.tcl. This can be exploited via symlink
  attacks to create or overwrite arbitrary files with the privileges of the user
  running the affected application.

This is CAN-2005-2240.

-- 
see shy jo

