Bug 599621 (CVE-2010-2056)

Summary: CVE-2010-2056 gv: Insecure (predictable) temporary file use
Product: [Other] Security Response
Component: vulnerability
Reporter: Jan Lieskovsky <jlieskov>
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: orion
Keywords: Security
Hardware: All
OS: Linux
URL: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=583316#10
Doc Type: Bug Fix
Last Closed: 2010-07-15 16:02:20 UTC
Bug Depends On: 599165

Description Jan Lieskovsky 2010-06-03 15:57:22 UTC
Paul Szabo reported:
  [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=583316#10

a deficiency in the way gv handled temporary file creation,
when used for opening Portable Document Format (PDF) files.
A local attacker could use this flaw to conduct symlink attacks,
potentially leading to denial of service (unauthorized overwrite
of file content).

References:
  [2] http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=89;filename=004.diff;att=1;bug=583668
  [3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=583668#100

Just for the record from [2]:

<begin quote>

This bug was fixed upstream in 3.6.5.90-1, the first version
after lenny. :-(

Attached is a simplified version (without the configure changes
as Debian has mkstemp) that should fix this in lenny.

	Bernhard R. Link

<end quote>

and from [3]:

<begin quote>

Just for the records: In 3.6.5.90 (upstream) the configure-script was 
broken. Commit 73bb88a65dc1c6c9dc309b60b5454d9475cfccd9 repaired the 
defect (and changed other things):

--- a/gv/configure.ac
+++ b/gv/configure.ac
@@ -92,7 +92,7 @@ AC_CHECK_LIB(Xinerama, main, , , $X_LIBS)

 opt_mkstemp=false

-AC_CHECK_FUNCS([mkstemp],[opt_setenv_code=true],[opt_setenv_code=false])
+AC_CHECK_FUNCS([mkstemp],[opt_mkstemp=true],[opt_mkstemp=false])
 AM_CONDITIONAL(HAVE_MKSTEMP, test x$opt_mkstemp = xtrue)
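
Review bot: The `opt_mkstemp=false` default at the top of this hunk, together with the not-found action on the AC_CHECK_FUNCS line, means a configure run that ends with HAVE_MKSTEMP false produces no message, so a misnamed variable like the old `opt_setenv_code` silently selects the non-mkstemp build. Consider an AC_MSG_WARN (or AC_MSG_ERROR) in the not-found action so the result is visible in the configure log. It is also worth confirming that nothing else reads `opt_setenv_code`, since the removed line assigned it on every run.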


So the bugfix was dysfunctional until configure.ac was fixed. :-(
And even worse: Nobody noticed that for a rather long time.

<end quote>
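
An added example, not gv's code and not part of the original report: the flaw class described above (a guessable temporary name opened without exclusive creation) beside the mkstemp() form that the HAVE_MKSTEMP conditional is meant to select. All file and function names are hypothetical, and the scenario is constructed inside a private scratch directory.

```c
#define _XOPEN_SOURCE 700   /* mkstemp, mkdtemp, symlink */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak (hypothetical names, not gv's source): guessable PID-based name,
 * no O_EXCL. A symlink already present at that path is followed and its
 * target is truncated. */
static int open_predictable(const char *dir, char *path, size_t n) {
    snprintf(path, n, "%s/viewer.%ld.tmp", dir, (long)getpid());
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: mkstemp() picks a random name and creates it exclusively
 * (mode 0600), so an existing entry is never reused. */
static int open_mkstemp(const char *dir, char *path, size_t n) {
    snprintf(path, n, "%s/viewer.XXXXXX", dir);
    return mkstemp(path);
}

/* Constructed scenario inside a private scratch directory: a victim file
 * plus a symlink at the guessable name. Returns the victim's size after
 * the temporary file has been opened, or -1 on setup failure. */
long victim_size_after(int use_mkstemp) {
    char dir[] = "/tmp/tmpdemo.XXXXXX", victim[128], guess[128], tmp[128];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(guess, sizeof guess, "%s/viewer.%ld.tmp", dir, (long)getpid());
    FILE *f = fopen(victim, "w");
    if (!f) return -1;
    fputs("important data\n", f);               /* 15 bytes */
    fclose(f);
    if (symlink(victim, guess) != 0) return -1;

    int fd = use_mkstemp ? open_mkstemp(dir, tmp, sizeof tmp)
                         : open_predictable(dir, tmp, sizeof tmp);
    if (fd >= 0) close(fd);
    long size = stat(victim, &st) == 0 ? (long)st.st_size : -1;

    unlink(tmp); unlink(guess); unlink(victim); rmdir(dir);
    return size;
}

int main(void) {
    printf("predictable name: victim is %ld bytes\n", victim_size_after(0));
    printf("mkstemp():        victim is %ld bytes\n", victim_size_after(1));
}
```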

Comment 1 Jan Lieskovsky 2010-06-03 16:02:14 UTC
Relevant upstream changesets are:
  [4] http://git.savannah.gnu.org/cgit/gv.git/commit/?id=a17416c462e5b6c9cc7c98c5ea01f580152f2da9 (for change mentioned in [2])
  [5] http://git.savannah.gnu.org/cgit/gv.git/commit/?id=73bb88a65dc1c6c9dc309b60b5454d9475cfccd9 (for change mentioned in [3])

Comment 2 Jan Lieskovsky 2010-06-03 16:05:58 UTC
This issue affects the versions of the gv package, as shipped
with Fedora releases 11, 12, and 13 (they contain upstream
changeset from [4], but don't contain upstream changeset from
[5], which prevents [4] from functioning properly).

This issue affects the versions of the gv package, as shipped
within EPEL-4 and EPEL-5 repositories (versions here are missing
both [4], [5] changes).

Please fix.

Comment 3 Fedora Update System 2010-06-03 18:18:51 UTC
gv-3.6.91-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/gv-3.6.91-1.fc11

Comment 4 Fedora Update System 2010-06-03 18:19:06 UTC
gv-3.6.91-1.el5 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/gv-3.6.91-1.el5

Comment 5 Fedora Update System 2010-06-03 18:19:17 UTC
gv-3.6.91-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/gv-3.6.91-1.fc13

Comment 6 Fedora Update System 2010-06-03 18:19:29 UTC
gv-3.6.91-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/gv-3.6.91-1.fc12

Comment 7 Fedora Update System 2010-06-03 18:19:46 UTC
gv-3.6.91-1.el4 has been submitted as an update for Fedora EPEL 4.
http://admin.fedoraproject.org/updates/gv-3.6.91-1.el4

Comment 8 Fedora Update System 2010-06-30 17:12:48 UTC
gv-3.7.1-1.el5 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/gv-3.7.1-1.el5

Comment 9 Fedora Update System 2010-06-30 17:13:15 UTC
gv-3.7.1-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/gv-3.7.1-1.fc12

Comment 10 Fedora Update System 2010-06-30 17:13:38 UTC
gv-3.7.1-1.el4 has been submitted as an update for Fedora EPEL 4.
http://admin.fedoraproject.org/updates/gv-3.7.1-1.el4

Comment 11 Fedora Update System 2010-06-30 17:14:01 UTC
gv-3.7.1-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/gv-3.7.1-1.fc13

Comment 12 Fedora Update System 2010-07-08 18:12:07 UTC
gv-3.7.1-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2010-07-08 18:25:23 UTC
gv-3.7.1-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2010-07-09 05:58:29 UTC
gv-3.7.1-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2010-07-09 06:00:54 UTC
gv-3.7.1-1.el4 has been pushed to the Fedora EPEL 4 stable repository.  If problems still persist, please make note of it in this bug report.