Bug 460642 (CVE-2008-5007)
| Summary: | CVE-2008-5007 lazarus: Multiple insecure auxiliary /tmp files usage (symlink attack possible) | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED RAWHIDE | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | joost |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2008-10-28 10:36:33 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Affected file:
/usr/lib/lazarus/tools/install/create_lazarus_snapshot_rpm.sh
Relevant part of the code:
39 User=`whoami`
40 TmpFPCDir=/tmp/$User/fpc
41 if [ -e $TmpFPCDir ]; then
42 rm -rf $TmpFPCDir
43 fi
44 mkdir -p $TmpFPCDir
60 TmpDir=/tmp/`whoami`/lazarus
61
62 rm -rf $TmpDir
63 echo "extracting Lazarus source from local svn ..."
64 svn export $LazSrcDir $TmpDir
65 if [ ! -e ../svn2revisioninc ]; then
66 make -C ../.. tools OPT="-n @$FPCCfg"
67 fi
68 ../svn2revisioninc $LazSrcDir $TmpDir/ide/revision.inc
69
70 # create a source tar.gz
71 cd $TmpDir/..
72 tar -czf $RPMDIR/SOURCES/lazarus-$LazVersion-$Date.tar.gz lazarus
73
74 # remove the tempdir
75 cd -
76 rm -rf $TmpDir
Affected file:
/usr/lib/lazarus/tools/install/cross_unix/create_linux_cross_win32_rpm.sh
Relevant part of the code:
110 #----------------------------------------------------------------------------
111 # create temporary directory
112 #----------------------------------------------------------------------------
113 TmpSrcDir=/tmp/fpc_crosswin32
114 echo "create temporary directory $TmpSrcDir ..."
115 rm -rf $TmpSrcDir
116 mkdir -p $TmpSrcDir
Most of the affected scripts seem to be some tools used by upstream to automate some package creation tasks. If that's the case, they may not need to be included in Fedora packages at all. I've mailed upstream and they fixed a few issues immediately, but others are somewhat more difficult. They also said:

"Maybe the best solution is not to package these scripts in rpm/debs, so that they don't enter the dangerous wild where people are running scripts with root permissions and add symlinks in the tmp directory."

All scripts except the first one are indeed tools to automate package creation. I'll remove these scripts, and file bug reports upstream so that they can fix these issues if they have time.

One question though: should I make an update for Fedora 9? Or is this not important enough, so that it can wait?

(Sorry for the late reply!)

(In reply to comment #3)
> One question though: should I make an update for Fedora 9? Or is this not
> important enough, so that it can wait?

I noticed those scripts are no longer shipped with Rawhide / F10 version:
http://koji.fedoraproject.org/koji/buildinfo?buildID=67836

As for F9, I'd say not to do an update just for this. Scripts are not in PATH and are probably not very likely to be run anyway. If there's an update for F9 needed for some other reason, they can be removed.

CVE id CVE-2008-5007 was assigned to this issue:

create_lazarus_export_tgz.sh in lazarus 0.9.24 allows local users to overwrite or delete arbitrary files via a symlink attack on a (1) /tmp/lazarus.tgz temporary file or a (2) /tmp/lazarus temporary directory.
The lazarus package, as shipped within the Fedora releases of 9 and 10, is prone to symlink attacks (various files).

Affected files and relevant parts of the code for each of them:

1, /usr/lib/lazarus/tools/convert_po_file_to_utf-8.sh
15 iconv --from-code=$OldCharSet --to-code=UTF-8 $POFile > $POFile.tmp
16 cat $POFile.tmp | sed -e 's/\(^".* charset\)='$OldCharSet'/\1=UTF-8/' > $POFile
17 rm $POFile.tmp

2, /usr/lib/lazarus/tools/install/build_fpc_snaphot_rpm.sh
54 # create a temporary copy of the fpc sources to patch it
55 TmpDir=/tmp/`whoami`/fpc
56 rm -rf $TmpDir
(And all occurrences)

3, /usr/lib/lazarus/tools/install/check_fpc_dependencies.sh
10 echo Testing fpc ...
11 TmpDir=/tmp/fpc
12 rm -rf $TmpDir
13 mkdir -p $TmpDir

4, /usr/lib/lazarus/tools/install/create_fpc_deb.sh
87 # create a temporary copy of the fpc sources to patch it
88
89 TmpDir=/tmp/fpc_patchdir
90 if [ "$WithTempDir" = "yes" ]; then
91 if [ -d $TmpDir ]; then
92 rm -rf $TmpDir/*
93 rm -r $TmpDir
94 fi
95 mkdir -p $TmpDir

5, /usr/lib/lazarus/tools/install/create_fpc_export_tgz.sh
23 if [ "x$Download" = "xyes" ]; then
24 echo "downloading fpc svn ..."
25 cd /tmp
26 rm -rf /tmp/fpc
27 svn export http://svn.freepascal.org/svn/fpc/trunk fpc
28 cd -
29 else
30 echo "extracting fpc from local svn ..."
31 rm -rf /tmp/fpc
32 svn export $SourceDir /tmp/fpc
33 fi
34
35 cd /tmp
36 echo "packing ..."
37 tar cvzf /tmp/fpc.tgz fpc
38 cd -
39 mv /tmp/fpc.tgz $OutputFile
40 rm -rf /tmp/fpc
41
42 # end.

6, /usr/lib/lazarus/tools/install/create_fpc_rpm.sh
53 # create a temporary copy of the fpc sources to patch it
54 TmpDir=/tmp/fpc_patchdir
55 if [ "$WithTempDir" = "yes" ]; then
56 if [ -d $TmpDir ]; then
57 rm -rf $TmpDir/*
58 rm -r $TmpDir
59 fi
60 mkdir -p $TmpDir

7, /usr/lib/lazarus/tools/install/create_fpc-src_rpm.sh
56 # copy custom rpm scripts
57 cp smart_strip.sh /tmp/smart_strip.sh
58 chmod a+x /tmp/smart_strip.sh
59 cp do_nothing.sh /tmp/do_nothing.sh
60 chmod a+x /tmp/do_nothing.sh

8, /usr/lib/lazarus/tools/install/create_fpc_tgz_from_local_dir.sh
35 TmpBaseDir=/tmp
36 TmpDir=$TmpBaseDir/fpc
37
38 rm -rf $TmpDir

9, /usr/lib/lazarus/tools/install/create_lazarus_export_tgz.sh
20 if [ "x$Download" = "xyes" ]; then
21 echo "downloading lazarus svn ..."
22 cd /tmp
23 rm -rf /tmp/lazarus
24 svn export http://svn.freepascal.org/svn/lazarus/trunk lazarus
25 cd -
26 else
27 echo "extracting lazarus from local svn ..."
28 SourceDir=$(pwd | sed -e 's#lazarus[_0-9]*/tools.*$#lazarus#')
29 rm -rf /tmp/lazarus
30 svn export $SourceDir /tmp/lazarus
31 fi
33 # add ide/revision.inc
34 Revision=$(svnversion /tmp/lazarus)
35 echo "const RevisionStr = '$Revision';" > /tmp/lazarus/ide/revision.inc
37 cd /tmp
38 echo "packing ..."
39 tar cvzf lazarus.tgz lazarus
40 cd -
41 mv /tmp/lazarus.tgz $OutputFile
42 rm -rf /tmp/lazarus

(More examples to be added in next comments).

Description:
A malicious user could pre-create a symlink with the same name as one of the 'hardcoded' files in the /tmp directory. Subsequent installation of the lazarus package would allow him to destroy / truncate the target of the symlink to zero size.

Affected lazarus versions:
This issue affects the versions of the lazarus package, as shipped with Fedora releases of 9 and 10.
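The two hazards the report lists, reproduced as an added example (this is editor-written shell, not Lazarus code or anything from the Fedora package): a fixed-name write such as the "> /tmp/lazarus/ide/revision.inc" redirect in item 9 (the same open-with-truncate that "tar -f /tmp/lazarus.tgz" and "cp ... /tmp/smart_strip.sh" perform), and the "rm -rf $TmpDir/*" cleanup in items 4 and 6. A directory created with mktemp -d stands in for the shared /tmp, the victim files and the symlinks the attacker plants are all constructed inline, and the hardened writer uses mktemp -d, which is assumed to be available (GNU coreutils or BusyBox).

```shell
#!/bin/sh
# Added example, not Lazarus code: reproduce the two symlink hazards from the
# report in a private directory that stands in for the shared /tmp, then show
# the mktemp-based pattern that avoids them. All paths below are constructed.

# Attacker side: pre-create the predictable name as a symlink. A local user
# can do this in the real /tmp because it is world-writable (the sticky bit
# only stops deleting other users' entries, not creating new ones).
plant_symlink() {
    ln -s "$2" "$1"
}

# Hazard 1 (items 7 and 9, and the tar -f / cp targets): writing to a fixed
# name. ">" opens the path with O_TRUNC and follows symlinks, so whatever the
# attacker pointed the name at is truncated and overwritten with script data.
vulnerable_write() {
    echo "const RevisionStr = '1234';" > "$1/revision.inc"
}

# Hazard 2 (items 4 and 6): "rm -rf $TmpDir/*" on a fixed name. The shell
# expands the glob through the symlink, so the target directory's contents
# are deleted even though rm itself never follows the final symlink.
vulnerable_cleanup() {
    rm -rf "$1/fpc_patchdir"/*
}

# Hardened: mktemp -d creates a fresh mode-0700 directory with an unguessable
# name and fails instead of reusing an existing path, so there is no name for
# the attacker to pre-create. Everything is written inside that directory.
safe_write() {
    workdir=$(mktemp -d "$1/lazarus.XXXXXX") || return 1
    echo "const RevisionStr = '1234';" > "$workdir/revision.inc"
    rm -rf "$workdir"
}

# Driver for hazard 1: runs the given writer against a planted symlink and
# prints "clobbered" if the victim file lost its content, "intact" otherwise.
demo_write() {
    tmp=$(mktemp -d)                       # stands in for /tmp
    printf 'important=1\n' > "$tmp/victim.conf"
    plant_symlink "$tmp/revision.inc" "$tmp/victim.conf"
    "$1" "$tmp"                            # vulnerable_write or safe_write
    if [ "$(cat "$tmp/victim.conf")" = "important=1" ]; then
        echo intact
    else
        echo clobbered
    fi
    rm -rf "$tmp"
}

# Driver for hazard 2: prints "deleted" if the victim directory's file was
# removed through the symlinked cleanup path, "intact" otherwise.
demo_cleanup() {
    tmp=$(mktemp -d)
    mkdir "$tmp/victimdir"
    printf 'keep\n' > "$tmp/victimdir/keep.txt"
    plant_symlink "$tmp/fpc_patchdir" "$tmp/victimdir"
    vulnerable_cleanup "$tmp"
    if [ -e "$tmp/victimdir/keep.txt" ]; then
        echo intact
    else
        echo deleted
    fi
    rm -rf "$tmp"
}

demo_write vulnerable_write   # clobbered
demo_write safe_write         # intact
demo_cleanup                  # deleted
```

Run as root against the real /tmp, "clobbered" and "deleted" are exactly the arbitrary-file overwrite and delete the CVE text describes. The fix is not a check before the fixed-name write (that only moves the race), but never having a predictable name at all: mktemp -d for the directory, mktemp for the archive, and cleanup only of the path mktemp returned.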