Bug#659379: uzbl: world-readable (and writable!) cookie jar
Dear maintainer,

Recently you fixed one or more security problems and as a result you closed this bug. These problems were not serious enough for a Debian Security Advisory, so they are now on my radar for fixing in the following suites through point releases:

squeeze (6.0.6) - use target stable

Please prepare a minimal-changes upload targeting each of these suites, and submit a debdiff to the Release Team [0] for consideration. They will offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and you need help. Please keep me in CC at all times so I can track [1] the progress of this request.

For details of this process and the rationale, please see the original announcement [2] and my blog post [3].

0: debian-rele...@lists.debian.org
1: http://prsc.debian.net/tracker/659379/
2: 201101232332.11736.th...@debian.org
3: http://deb.li/prsc

Thanks,

with his security hat on:
--
Jonathan Wiltshire j...@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51

--
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#659379: uzbl: world-readable (and writable!) cookie jar
* Henri Salo he...@nerv.fi, 2012-02-11, 14:11:
>> $ ls -ld ~/.local/{,share/{,uzbl/{,cookies.txt}}}
>> drwxr-xr-x 3 user users 4096 Feb 9 23:29 /home/user/.local/
>> drwxr-xr-x 4 user users 4096 Feb 9 23:29 /home/user/.local/share/
>> drwxr-xr-x 2 user users 4096 Feb 9 23:29 /home/user/.local/share/uzbl/
>> -rw-rw-rw- 1 user users 732 Feb 9 23:29 /home/user/.local/share/uzbl/cookies.txt
>>
>> This allows local users to steal cookies (and tamper with them).
>
> Does this security-issue have CVE-identifier? I can request one from oss-security mailing list if ID hasn't been assigned.

It's been already requested, but not assigned yet AFAICS:
http://seclists.org/oss-sec/2012/q1/406

--
Jakub Wilk
Bug#659379: uzbl: world-readable (and writable!) cookie jar
On Sat, Feb 11, 2012 at 01:25:18PM +0100, Jakub Wilk wrote:
> * Henri Salo he...@nerv.fi, 2012-02-11, 14:11:
>>> $ ls -ld ~/.local/{,share/{,uzbl/{,cookies.txt}}}
>>> drwxr-xr-x 3 user users 4096 Feb 9 23:29 /home/user/.local/
>>> drwxr-xr-x 4 user users 4096 Feb 9 23:29 /home/user/.local/share/
>>> drwxr-xr-x 2 user users 4096 Feb 9 23:29 /home/user/.local/share/uzbl/
>>> -rw-rw-rw- 1 user users 732 Feb 9 23:29 /home/user/.local/share/uzbl/cookies.txt
>>>
>>> This allows local users to steal cookies (and tamper with them).
>>
>> Does this security-issue have CVE-identifier? I can request one from oss-security mailing list if ID hasn't been assigned.
>
> It's been already requested, but not assigned yet AFAICS:
> http://seclists.org/oss-sec/2012/q1/406
>
> --
> Jakub Wilk

Ok. Thank you for fast reply. Please contact me if you need testing or other help.

- Henri Salo
Bug#659379: [Secure-testing-team] Bug#659379: uzbl: world-readable (and writable!) cookie jar
On Fri, Feb 10, 2012 at 05:09:13PM +0100, Jakub Wilk wrote:
> Package: uzbl
> Version: 0.0.0~git.20100403-3
> Severity: grave
> Tags: security
> Justification: user security hole
>
> $ ls -ld ~/.local/{,share/{,uzbl/{,cookies.txt}}}
> drwxr-xr-x 3 user users 4096 Feb 9 23:29 /home/user/.local/
> drwxr-xr-x 4 user users 4096 Feb 9 23:29 /home/user/.local/share/
> drwxr-xr-x 2 user users 4096 Feb 9 23:29 /home/user/.local/share/uzbl/
> -rw-rw-rw- 1 user users 732 Feb 9 23:29 /home/user/.local/share/uzbl/cookies.txt
>
> This allows local users to steal cookies (and tamper with them).
>
> --
> Jakub Wilk

Does this security-issue have CVE-identifier? I can request one from oss-security mailing list if ID hasn't been assigned.

- Henri Salo
Bug#659379: uzbl: world-readable (and writable!) cookie jar
forwarded 659379 http://www.uzbl.org/bugs/index.php?do=detailstask_id=291project=1
thanks

Henri Salo wrote:
>>>> This allows local users to steal cookies (and tamper with them).
>>>
>>> Does this security-issue have CVE-identifier? I can request one from oss-security mailing list if ID hasn't been assigned.
>>
>> It's been already requested, but not assigned yet AFAICS:
>> http://seclists.org/oss-sec/2012/q1/406
>
> Ok. Thank you for fast reply. Please contact me if you need testing or other help.

Forwarded to upstream bugtracker and noticed on IRC, I'm waiting for comments on that side. Here's the report:
http://www.uzbl.org/bugs/index.php?do=detailstask_id=291project=1

While waiting for the proper CVE-id, attached here is a tentative patch for the cookie plugin. Just umask setting and chmod on existing jar if any. Reviews appreciated as I'm not a great pythonista...

Cheers, Luca

--
 .''`.  ** Debian GNU/Linux **  | Luca Bruno (kaeso)
: :'  :   The Universal O.S.    | lucab (AT) debian.org
`. `'`                          | GPG Key ID: 3BFB9FB3
  `-     http://www.debian.org  | Debian GNU/Linux Developer

commit 53d8dfbb6e4fc29be026672f4d3d43a17b3cfe5d
Author: Luca Bruno lu...@debian.org
Date: Sat Feb 11 15:23:14 2012 +0100

    Restrict third-party access to cookie jar

    Make sure new cookie jar is created with no permission for others,
    and remove excessive rights on existing jar if any.

    Signed-off-by: Luca Bruno lu...@debian.org

diff --git a/examples/data/plugins/cookies.py b/examples/data/plugins/cookies.py index e29ee36..3d81ebe 100644 --- a/examples/data/plugins/cookies.py +++ b/examples/data/plugins/cookies.py @@ -2,7 +2,7 @@ forwards cookies to all other instances connected to the event manager from collections import defaultdict -import os, re +import os, re, stat # these are symbolic names for the components of the cookie tuple symbolic = {'domain': 0, 'path':1, 'name':2, 'value':3, 'scheme':4, 'expires':5} 
@@ -32,6 +32,13 @@ class ListStore(list): class TextStore(object): def __init__(self, filename): self.filename = filename +try: + # make sure the cookie jar is not world-open + perm_mode = os.stat(self.filename).st_mode + if (perm_mode (stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH)) 0: + os.chmod(self.filename, (stat.S_IMODE(perm_mode) 3) 3) +except OSError: +pass def as_event(self, cookie): Convert cookie.txt row to uzbls cookie event format @@ -76,6 +83,11 @@ class TextStore(object): # delete equal cookies (ignoring expire time, value and secure flag) self.delete_cookie(None, cookie[:-3]) +# restrict umask before creating the cookie jar +curmask=os.umask(0) +print (curmask|(stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH)) +os.umask(curmask|(stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH)) + first = not os.path.exists(self.filename) with open(self.filename, 'a') as f: if first: @@ -86,6 +98,11 @@ class TextStore(object): if not os.path.exists(self.filename): return +# restrict umask before creating the cookie jar +curmask=os.umask(0) +print (curmask|(stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH)) +os.umask(curmask|(stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH)) + # read all cookies with open(self.filename, 'r') as f: cookies = f.readlines() signature.asc Description: PGP signature
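Review bot: in the TextStore.__init__ hunk the chmod is triggered only by the three "other" bits and is meant to remove only those, so a jar with the mode from the report (-rw-rw-rw-) would stay group readable and writable. Test and clear group and other together, for example chmod to stat.S_IMODE(perm_mode) & ~(stat.S_IRWXG | stat.S_IRWXO), which also replaces the pair of literal 3s with named constants. The bare "except OSError: pass" is right for a jar that does not exist yet but also hides a failed chmod; consider ignoring only the missing-file case.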
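Review bot: in the hunk ahead of open(self.filename, 'a'), the line print (curmask|(...)) looks like leftover debugging and should be dropped, and the new umask is set for the whole process and never restored, so every file created later by the same process inherits it. os.umask(0) also leaves a short window with no mask at all. Either restore curmask right after the open, or leave the umask alone and create the file with os.open(self.filename, os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0o600) wrapped in os.fdopen.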
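Review bot: in the last hunk the comment says "before creating the cookie jar", but the code has just returned early when the file does not exist and the next visible statement opens it with 'r', where the umask has no effect. If the intent is to protect a later rewrite of the file, move the umask change next to that open. The three added lines are also a copy of the previous hunk, debug print included, so they belong in one helper.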
Processed: Re: Bug#659379: uzbl: world-readable (and writable!) cookie jar
Processing commands for cont...@bugs.debian.org:

> forwarded 659379 http://www.uzbl.org/bugs/index.php?do=detailstask_id=291project=1
Bug #659379 [uzbl] uzbl: world-readable (and writable!) cookie jar
Set Bug forwarded-to-address to 'http://www.uzbl.org/bugs/index.php?do=detailstask_id=291project=1'.
> thanks
Stopping processing here.

Please contact me if you need assistance.
--
659379: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=659379
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#659379: uzbl: world-readable (and writable!) cookie jar
* Luca BRUNO lu...@debian.org, 2012-02-11, 15:33:

+try: + # make sure the cookie jar is not world-open + perm_mode = os.stat(self.filename).st_mode + if (perm_mode (stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH)) 0: + os.chmod(self.filename, (stat.S_IMODE(perm_mode) 3) 3) +except OSError: +pass

I'm not sure it's appropriate to change permissions of existing files. I certainly don't like when software does that. (On the other hand, it's not much different than removing a file and then recreating it.)

What I did for another browser with similar vulnerability, was to leave permissions of existing files, and to ask (in NEWS.Debian) sysadmin to fix them manually. YMMV.

I find ((... 3) 3 expression difficult to understand. I'm sure it could be expressed in terms of S_* constants in a more readable way.

+# restrict umask before creating the cookie jar +curmask=os.umask(0) +print (curmask|(stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH)) +os.umask(curmask|(stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH))

stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH could be written as stat.S_IRWXO.

You revoke only read permissions for other, but having your cookie jar readable by group might be as bad.

It's probably a good idea to restore umask to the original value once the private files have been opened.

(The above remarks apply to other hunks as well.)

--
Jakub Wilk
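The points raised in this review (owner-only access written with S_* constants, no lasting umask change, existing files handled separately), as an added example that is not part of the thread or of uzbl's code. The function names and file names are hypothetical; tighten() is the optional step for sites that do want existing jars fixed automatically, while excess_bits() only reports.

```python
import os
import stat
import tempfile

# Bits that must be clear on a private cookie jar: all group and other access.
EXCESS = stat.S_IRWXG | stat.S_IRWXO


def open_private_append(path):
    """Open path for appending, creating it with mode 0600 if missing.

    The mode goes to os.open(), so the process umask is never changed and
    needs no restoring. O_NOFOLLOW refuses a symlink at the jar's path.
    """
    flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    return os.fdopen(fd, "a")


def excess_bits(path):
    """Return the group/other permission bits set on an existing file."""
    return stat.S_IMODE(os.stat(path).st_mode) & EXCESS


def tighten(path):
    """Clear group/other bits on path and return the resulting mode."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, mode & ~EXCESS)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Exercise both cases in a scratch directory (constructed data)."""
    with tempfile.TemporaryDirectory() as d:
        old_umask = os.umask(0)  # worst case: nothing is masked
        try:
            new_jar = os.path.join(d, "cookies.txt")  # hypothetical path
            with open_private_append(new_jar) as f:
                f.write("# constructed sample line\n")
            created = stat.S_IMODE(os.stat(new_jar).st_mode)
            old_jar = os.path.join(d, "old-cookies.txt")
            with open(old_jar, "w"):
                pass
            os.chmod(old_jar, 0o666)  # the -rw-rw-rw- mode from the report
            before = excess_bits(old_jar)
            after = tighten(old_jar)
        finally:
            os.umask(old_umask)
    return created, before, after
```

A umask can only remove bits from the requested 0600, so the created file is never wider than owner read/write whatever the caller's umask is.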
Bug#659379: uzbl: world-readable (and writable!) cookie jar
Package: uzbl
Version: 0.0.0~git.20100403-3
Severity: grave
Tags: security
Justification: user security hole

$ ls -ld ~/.local/{,share/{,uzbl/{,cookies.txt}}}
drwxr-xr-x 3 user users 4096 Feb 9 23:29 /home/user/.local/
drwxr-xr-x 4 user users 4096 Feb 9 23:29 /home/user/.local/share/
drwxr-xr-x 2 user users 4096 Feb 9 23:29 /home/user/.local/share/uzbl/
-rw-rw-rw- 1 user users 732 Feb 9 23:29 /home/user/.local/share/uzbl/cookies.txt

This allows local users to steal cookies (and tamper with them).

--
Jakub Wilk