Bug 892299
| Field | Value |
|---|---|
| Summary | CVE-2013-0159 predictable file name used in /tmp to generate pdf output [fedora-all] |
| Product | [Fedora] Fedora |
| Reporter | Michael S. <misc> |
| Component | fedora-business-cards |
| Assignee | Ian Weller <ian> |
| Status | CLOSED CURRENTRELEASE |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | unspecified |
| Docs Contact | |
| Priority | unspecified |
| Version | 18 |
| CC | security-response-team |
| Target Milestone | --- |
| Keywords | Security, SecurityTracking |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | Release Note |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2013-09-09 07:58:38 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | |
| Bug Blocks | 892815 |
| Attachments | 673347 |
Created attachment 673347: use a proper temporary random filename, and clean file after

fedora-business-cards uses a temporary file named /tmp/fedora-business-cards-buffer.svg. Since /tmp is world writable, anyone could either block the script with a suitable file (i.e., the same filename, with restrictive permissions), or, using a symlink, could overwrite one of the files of someone else running the script (ln -s ~yourlogin/.ssh/id_rsa.pub /tmp/fedora-business-cards-buffer.svg) (for the record, the last case should be blocked on Linux with 3.6 and fs.protected_symlinks turned on). Here is a patch that should fix the issue against latest HEAD. No CVE has been assigned so far, and AFAIK, the packager is also the upstream developer.

Ugh, did you really have to make this private? I'll put this on the list of things to do for the next release that I've been working off and on for about two years now.

Sorry if that caused trouble, I prefer to be on the safe side since I do not know where fedora-business-cards is used. I think I can lift the restriction later if you prefer once that's patched and corrected. There is nothing secret or private per se, and I am all for being public as much as possible.

Thanks for this report. I've made this bug public and filed bug #892815 as a top-level security bug (CVE-2013-0159).

Thanks, Vincent. I'll see about getting this fixed in the 0.3.x branch and pushing a release for that ASAP.

Actually I'm going to go ahead and apply this patch to f-b-c in the releases I can apply it to, and then push it out. Thanks for the patch, Michael.

Hey Michael, I ended up having to modify your patch just a bit -- svg_to_file() does still need a filename argument for exporting directly to SVG.

http://git.fedorahosted.org/cgit/fedora-business-cards.git/commit/?id=331fc987cf1d1ee2f3fcd23803c915b8d1c138b7

With this patch, is there any security issue? As far as I can tell, the only time this is called with a filename is with the argument "front.svg" or "back.svg".

I do not see any obvious problem, as long as no one uses a filename in /tmp as the 2nd argument.

https://admin.fedoraproject.org/updates/fedora-business-cards-1-0.1.beta1.fc18

https://admin.fedoraproject.org/updates/fedora-business-cards-1-0.1.beta1.fc17

Security team, this bug still isn't marked as public. Can I get that fixed?

(In reply to comment #9)
> This bug still isn't marked as public. Can I get that fixed?

Done.

Version 1 beta 1 is in F19 now. F18 update is still in testing: https://admin.fedoraproject.org/updates/fedora-business-cards-1-0.1.beta1.fc18 which got a complaint a while ago:

patches (proventesters) - 2013-08-04 03:15:11
This *security* update has been in updates-testing for over a month! Please push it stable or remove it if it is obsolete.

Requested stable.
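The attachment comment above describes the two failure modes of a fixed name in a world-writable directory: a pre-planted file blocks the script, and a pre-planted symlink redirects the write to a file the victim owns. The added Python example below is not the attachment, not the project's code and not the upstream commit; it contrasts the fixed-name pattern from the report with the mkstemp-based pattern the fix adopts, and runs the symlink case inside a private temporary directory so the demonstration never touches a shared /tmp. The function names (`write_svg_predictable`, `write_svg_safely`, `is_safe_temp_file`, `demo`) and the `<svg/>` payload are assumptions made for the example.

```python
import os
import stat
import tempfile

# The fixed name from the bug report. Anyone with write access to the
# directory can pre-create this path before the victim runs the script.
PREDICTABLE_NAME = "fedora-business-cards-buffer.svg"


def write_svg_predictable(svg_bytes, tmpdir="/tmp"):
    """Vulnerable pattern (example, not the project's code): open() on a
    fixed path follows whatever is already there, including a symlink."""
    path = os.path.join(tmpdir, PREDICTABLE_NAME)
    with open(path, "wb") as f:
        f.write(svg_bytes)
    return path


def write_svg_safely(svg_bytes, tmpdir=None):
    """Hardened pattern: mkstemp() creates a brand-new file with a random
    suffix using O_CREAT|O_EXCL and mode 0600, so a pre-planted file or
    symlink at a guessed name is never opened. The caller owns cleanup."""
    fd, path = tempfile.mkstemp(prefix="fedora-business-cards-",
                                suffix=".svg", dir=tmpdir)
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(svg_bytes)
    except Exception:
        os.unlink(path)          # do not leave a half-written file behind
        raise
    return path


def is_safe_temp_file(path):
    """Defensive check: a regular file (not a symlink), owned by the
    current user, readable and writable by the owner only."""
    st = os.lstat(path)          # lstat so a symlink is seen as a symlink
    return (stat.S_ISREG(st.st_mode)
            and st.st_uid == os.getuid()
            and stat.S_IMODE(st.st_mode) == 0o600)


def demo():
    """Plant a symlink at the predictable name inside a private directory
    (constructed scenario) and compare both writers. Returns
    (victim_file_was_overwritten, safe_file_passes_check)."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim.txt")
        with open(victim, "w") as f:
            f.write("original contents")
        os.symlink(victim, os.path.join(d, PREDICTABLE_NAME))

        # Fixed-name writer follows the symlink and clobbers the victim.
        write_svg_predictable(b"<svg/>", tmpdir=d)
        with open(victim, "rb") as f:
            clobbered = f.read() == b"<svg/>"

        # mkstemp writer gets a fresh, private file with a different name.
        safe_path = write_svg_safely(b"<svg/>", tmpdir=d)
        safe_ok = (is_safe_temp_file(safe_path)
                   and os.path.basename(safe_path) != PREDICTABLE_NAME)
        os.unlink(safe_path)
        return clobbered, safe_ok


if __name__ == "__main__":
    print(demo())
```

The check in `is_safe_temp_file` is what a reviewer would want to see around any temp-file code path that survives the fix: the later comment about `svg_to_file()` still taking a filename argument is safe only while callers pass names like "front.svg" in a directory they control, and an `lstat`-based check like this one is how to keep that assumption honest.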