|Summary:||CVE-2013-0159 predictable file name used in /tmp to generate pdf output [fedora-all]|
|Product:||[Fedora] Fedora|
|Reporter:||Michael S. <misc>|
|Component:||fedora-business-cards|
|Assignee:||Ian Weller <ian>|
|Status:||CLOSED CURRENTRELEASE|
|QA Contact:||Fedora Extras Quality Assurance <extras-qa>|
|Target Milestone:||---|
|Keywords:||Security, SecurityTracking|
|Fixed In Version:||
|Doc Type:||Release Note|
|Doc Text:||
|Story Points:||---|
|Last Closed:||2013-09-09 07:58:38 UTC|
|Type:||Bug|
|oVirt Team:||---|
|RHEL 7.3 requirements from Atomic Host:||
|Cloudforms Team:||---|
|Target Upstream Version:||
|Bug Depends On:||
Description Michael S. 2013-01-06 12:56:14 UTC
Created attachment 673347 [details]: use a proper temporary random filename, and clean file after

fedora-business-cards uses a temporary file named /tmp/fedora-business-cards-buffer.svg. Since /tmp is world writable, anyone could either block the script with a suitable file (i.e., the same filename, with restrictive permissions), or, using a symlink, could overwrite one of the files of someone else running the script (ln -s ~yourlogin/.ssh/id_rsa.pub /tmp/fedora-business-cards-buffer.svg) (for the record, the last case should be blocked on Linux with 3.6 and fs.protected_symlinks turned on). Here is a patch that should fix the issue against latest HEAD. No CVE has been assigned so far, and AFAIK the packager is also the upstream developer.
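The two patterns the report contrasts, as an added Python illustration that is not code from fedora-business-cards or from the attached patch: the fixed-name write into a shared directory beside a buffer created with mkstemp (exclusive create, mode 0600, unpredictable name) and removed afterwards, plus a pre-conversion check that the buffer is a private regular file. The names `write_buffer_fixed_name`, `svg_buffer` and `buffer_is_private` are assumptions, and the sample data is constructed.

```python
import os
import stat
import tempfile
from contextlib import contextmanager

# The fixed name cited in the report; the test data around it is constructed.
BUFFER_NAME = "fedora-business-cards-buffer.svg"


def write_buffer_fixed_name(svg_data, directory=None):
    """Vulnerable pattern (hypothetical reconstruction): a predictable path in a
    shared directory, opened with plain 'w'. Whatever already sits at that path
    is silently overwritten, and a pre-planted symlink redirects the write."""
    path = os.path.join(directory or tempfile.gettempdir(), BUFFER_NAME)
    with open(path, "w") as f:
        f.write(svg_data)
    return path


@contextmanager
def svg_buffer(svg_data, directory=None):
    """Hardened pattern: mkstemp chooses an unpredictable name and creates it
    with O_CREAT|O_EXCL (and O_NOFOLLOW where the platform has it), mode 0600,
    so a file or symlink planted in advance is never reused. The buffer is
    unlinked when the caller is done, matching the 'clean file after' intent."""
    fd, path = tempfile.mkstemp(prefix="fedora-business-cards-", suffix=".svg",
                                dir=directory)
    try:
        with os.fdopen(fd, "w") as f:
            f.write(svg_data)
        yield path
    finally:
        try:
            os.unlink(path)
        except FileNotFoundError:
            pass


def buffer_is_private(path):
    """Defensive check before handing the buffer to a converter: a regular file
    (lstat, so a symlink is rejected rather than followed), owned by the current
    user, with no group/other permission bits."""
    st = os.lstat(path)
    return (stat.S_ISREG(st.st_mode)
            and st.st_uid == os.getuid()
            and (st.st_mode & 0o077) == 0)
```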
Comment 1 Ian Weller 2013-01-06 20:59:15 UTC
Ugh, did you really have to make this private? I'll put this on the list of things to do for the next release that I've been working off and on for about two years now.
Comment 2 Michael S. 2013-01-06 21:19:35 UTC
Sorry if that caused trouble, I prefer to be on the safe side since I do not know where fedora-business-cards is used. I think I can lift the restriction later if you prefer once that's patched and corrected. There is nothing secret or private per se, and I am all for being public as much as possible.
Comment 3 Vincent Danen 2013-01-07 22:18:30 UTC
Thanks for this report. I've made this bug public and filed bug #892815 as a top-level security bug (CVE-2013-0159).
Comment 4 Ian Weller 2013-01-07 22:36:25 UTC
Thanks, Vincent. I'll see about getting this fixed in the 0.3.x branch and pushing a release for that ASAP.
Comment 5 Ian Weller 2013-01-07 22:38:04 UTC
Actually I'm going to go ahead and apply this patch to f-b-c in the releases I can apply it to, and then push it out. Thanks for the patch, Michael.
Comment 6 Ian Weller 2013-01-07 23:36:37 UTC
Hey Michael, I ended up having to modify your patch just a bit -- svg_to_file() does still need a filename argument for exporting directly to SVG. http://git.fedorahosted.org/cgit/fedora-business-cards.git/commit/?id=331fc987cf1d1ee2f3fcd23803c915b8d1c138b7 With this patch, is there any security issue? As far as I can tell, the only time this is called with a filename is with the argument "front.svg" or "back.svg".
Comment 7 Michael S. 2013-01-08 00:05:10 UTC
I do not see any obvious problem, as long as no one uses a filename in /tmp as the 2nd argument.
Comment 8 Ian Weller 2013-01-08 06:47:08 UTC
Comment 9 Ian Weller 2013-05-16 20:06:34 UTC
Security team, This bug still isn't marked as public. Can I get that fixed?
Comment 10 Tomas Hoger 2013-05-17 07:50:28 UTC
(In reply to comment #9)
> This bug still isn't marked as public. Can I get that fixed?

Done.
Comment 11 Ian Weller 2013-09-09 07:58:38 UTC
Version 1 beta 1 is in F19 now.
Comment 12 Tomas Hoger 2013-09-09 08:06:33 UTC
F18 update is still in testing: https://admin.fedoraproject.org/updates/fedora-business-cards-1-0.1.beta1.fc18 which got a complaint a while ago:

patches (proventesters) - 2013-08-04 03:15:11
This *security* update has been in updates-testing for over a month! Please push it stable or remove it if it is obsolete.
Comment 13 Ian Weller 2013-09-09 15:39:35 UTC