Bug 676389 (CVE-2011-0702)

Summary: CVE-2011-0702 feh: arbitrary file overwrite vulnerability
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: agpotter, ivazqueznet
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: feh 1.11.2
Doc Type: Bug Fix
Last Closed: 2012-09-11 15:39:19 UTC
Bug Depends On: 676390

Description Vincent Danen 2011-02-09 17:29:49 UTC
A Debian bug report [1],[2] indicated that feh is vulnerable to an
arbitrary file overwrite flaw.  If a user could guess the PID of the feh
process and create a symlink in /tmp, they could cause the overwrite of any
file that the user running feh has write access to via wget overwriting the file.  In
src/imlib.c we have:

char *feh_http_load_image(char *url)
{
    char *tmpname;
    char *basename;
    char *path = NULL;

    if (opt.keep_http) {
        if (opt.output_dir)
            path = opt.output_dir;
        else
            path = "";
    } else
        path = "/tmp/";

    basename = strrchr(url, '/') + 1;
    tmpname = feh_unique_filename(path, basename);
...
            execlp("wget", "wget", "--cache=off", "-O", tmpname, url, quiet, NULL);

and in src/utils.c we have:

char *feh_unique_filename(char *path, char *basename)
{
...

    /* Massive paranoia ;) */
    if (i > 999998)
        i = 1;

    ppid = getpid();
    snprintf(cppid, sizeof(cppid), "%06ld", (long) ppid);

    /* make sure file doesn't exist */
    do {
        snprintf(num, sizeof(num), "%06ld", i++);
        tmpname = estrjoin("", path, "feh_", cppid, "_", num, "_", basename, NULL);
    }
    while (stat(tmpname, &st) == 0);
    return(tmpname);
}

feh_unique_filename() has some attempt at randomness, but I don't think it's enough.  i always starts at 1, so unless the same process is creating multiple temporary files, you're almost guaranteed to have that extra randomness being '1'; it's also just as easy to create a bunch of symlinks to account for the "randomness" provided you know the PID.  Using mkstemp would be a much better solution.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=612035
[2] https://bugs.launchpad.net/ubuntu/+source/feh/+bug/607328
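Added example in C (not feh's code and not part of this bug report) of the two points the description makes: the quoted naming scheme is a pure function of the PID and a counter, and the mkstemp()/O_EXCL approach the reporter recommends refuses a planted symlink instead of following it. Function names are hypothetical; the symlink and the file it points at are constructed inside a private scratch directory.

```c
#define _XOPEN_SOURCE 700            /* mkstemp, mkdtemp, symlink */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
/* Reconstruction of the quoted feh_unique_filename() scheme,
 * feh_<pid>_<counter>_<basename>: no secret input, so the name follows
 * from the PID and a counter that normally starts at 1. */
int predictable_name(const char *dir, const char *base, long pid, long i,
                     char *out, size_t outlen)
{
    return snprintf(out, outlen, "%sfeh_%06ld_%06ld_%s", dir, pid, i, base);
}
/* What the reporter recommends: mkstemp() fills XXXXXX itself and opens
 * with O_CREAT|O_EXCL, so a symlink planted at that name makes the call
 * fail instead of being followed.  Write through the returned fd; never
 * reopen the path by name (which is what handing it to wget -O does). */
int safe_tmp_fd(const char *dir, char *out, size_t outlen)
{
    if (snprintf(out, outlen, "%s/feh_XXXXXX", dir) >= (int) outlen)
        return -1;
    return mkstemp(out);                           /* mode 0600 */
}
/* Same property as wget --no-clobber for a name you do not control:
 * refuse if anything, symlink included, already exists at the path. */
int open_noclobber(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}
/* Self-check in a private scratch directory: a planted symlink at the
 * predictable name is rejected with EEXIST, while mkstemp() still yields
 * a usable file.  Returns 1 on success, 0 otherwise. */
int demo_symlink_is_rejected(void)
{
    char dir[] = "/tmp/fehdemo_XXXXXX", victim[80], planted[80], tmp[80], n[48];
    int ok = 0, fd;
    if (!mkdtemp(dir)) return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    predictable_name("", "img.png", (long) getpid(), 1, n, sizeof n);
    snprintf(planted, sizeof planted, "%s/%s", dir, n);
    fd = open(victim, O_WRONLY | O_CREAT, 0600);   /* the file to protect */
    if (fd >= 0) close(fd);
    if (fd < 0 || symlink(victim, planted) != 0) goto out;
    if (open_noclobber(planted) == -1 && errno == EEXIST) {
        fd = safe_tmp_fd(dir, tmp, sizeof tmp);
        if (fd >= 0) { ok = 1; close(fd); unlink(tmp); }
    }
out: unlink(planted); unlink(victim); rmdir(dir);
    return ok;
}
```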

Comment 1 Vincent Danen 2011-02-09 17:31:10 UTC
Created feh tracking bugs for this issue

Affects: fedora-all [bug 676390]

Comment 2 Vincent Danen 2011-02-09 22:19:28 UTC
This was assigned the name CVE-2011-0702:

http://www.openwall.com/lists/oss-security/2011/02/09/14

Comment 3 Vincent Danen 2011-02-09 22:19:56 UTC
*** Bug 675811 has been marked as a duplicate of this bug. ***

Comment 4 Tomas Hoger 2011-02-10 09:41:43 UTC
Upstream bug:
https://github.com/derf/feh/issues/#issue/32

The fix that was applied upstream that makes wget run with --no-clobber:
https://derf.homelinux.org/git/feh/commit/?id=23421a86cc826dd30f3dc4f62057fafb04b3ac40

Limitations of the fix are mentioned in the commit message.

Comment 5 Vincent Danen 2012-09-11 15:39:19 UTC
This was fixed in 1.11.2:

http://feh.finalrewind.org/archive/

And fixed in Fedora via the update to 1.14.1:

http://koji.fedoraproject.org/koji/buildinfo?buildID=250264