Bug 332401 (CVE-2007-5200) - CVE-2007-5200 hugin unsafe temporary file usage
Summary: CVE-2007-5200 hugin unsafe temporary file usage
Status: CLOSED ERRATA
Alias: CVE-2007-5200
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: source=vendorsec,reported=20071002,pu...
Keywords: Security
Depends On: 295521 362851 362861 362871
Blocks:
 
Reported: 2007-10-15 13:50 UTC by Tomas Hoger
Modified: 2007-11-09 23:38 UTC (History)
Clone Of:
Last Closed: 2007-11-09 23:38:57 UTC


Attachments
Patch to fix CVE-2007-5200 (1.92 KB, patch)
2007-10-24 20:00 UTC, Bruno Postle

Description Tomas Hoger 2007-10-15 13:50:58 UTC
Hugin was reported to create temporary / debug files in an unsafe manner.  During
the optimizer run, it creates a debug output file with a pre-defined name:
/tmp/hugin_debug_optim_results.txt.  If the file was already created by another
user, hugin gives an error message.

This problem can be abused by a malicious local user to perform a symlink attack
against a user running hugin, which will result in the overwrite of an arbitrary
file writable by the user running hugin with panorama optimizer output.

There does not seem to be any upstream patch at the moment.  An updated package
was released for openSuSE, which resolves this problem by disabling creation of
the debug file.
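The two patterns at issue here, side by side, as an added illustration (this is not hugin's code and not the attached patch): the vulnerable shape is a fixed name in a world-writable directory opened with fopen(..., "w"), which follows a planted symlink and truncates its target; the hardened shapes are O_CREAT|O_EXCL|O_NOFOLLOW on a fixed name (fails with EEXIST on anything pre-existing, symlinks included) and mkstemp(3) when the name may vary. symlink_demo() builds a private scratch directory under /tmp, plants a symlink named like the debug file at a constructed victim file, and checks each open's effect on it. The function names and the scratch paths are this example's own.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable shape from the report: a predictable name opened with fopen "w".
 * fopen follows a symlink sitting at that name and truncates its target.
 * The path is a parameter only so the behaviour can be shown in a scratch
 * directory; the report names the constant /tmp/hugin_debug_optim_results.txt. */
static FILE *unsafe_open_debug_file(const char *fixed_path)
{
    return fopen(fixed_path, "w");
}

/* Hardened form when the name must stay fixed: O_CREAT|O_EXCL makes open()
 * fail if anything already exists at the path, a symlink included, no matter
 * where it points. O_NOFOLLOW is defence in depth; mode 0600 keeps the debug
 * output private. EEXIST must be a hard error: unlink-and-retry would reopen
 * the race the attacker is exploiting. */
static int safe_open_fixed_name(const char *fixed_path)
{
    return open(fixed_path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Hardened form when the name may vary: mkstemp fills the XXXXXX suffix with
 * an unguessable value and itself opens with O_CREAT|O_EXCL and mode 0600, so
 * there is no name for an attacker to pre-plant. The chosen path is written
 * back into the template so the caller can unlink it later. */
static int safe_open_unique_name(char *template_buf)
{
    return mkstemp(template_buf);
}

/* Reads the first line of 'path' into buf; returns 1 on success. */
static int first_line(const char *path, char *buf, size_t len)
{
    FILE *f = fopen(path, "r");
    if (f == NULL) return 0;
    int ok = fgets(buf, (int)len, f) != NULL;
    fclose(f);
    return ok;
}

/* Returns 1 when the unsafe open clobbered the victim while both hardened
 * opens left it intact, 0 if any expectation failed, -1 on setup failure. */
int symlink_demo(void)
{
    char dir[] = "/tmp/hugin_demo_XXXXXX";     /* constructed scratch dir */
    char victim[64], link[64], uniq[64], buf[64];
    struct stat st;
    int rc = -1;

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/victim.txt", dir);
    snprintf(link, sizeof link, "%s/hugin_debug_optim_results.txt", dir);
    snprintf(uniq, sizeof uniq, "%s/hugin_debug_optim_XXXXXX", dir);

    /* Constructed victim file, and the symlink a local attacker would plant. */
    FILE *v = fopen(victim, "w");
    if (v == NULL) goto out;
    fputs("precious data\n", v);
    fclose(v);
    if (symlink(victim, link) != 0) goto out;

    /* 1. The unsafe open follows the link and replaces the victim's content. */
    int unsafe_clobbered = 0;
    FILE *u = unsafe_open_debug_file(link);
    if (u != NULL) {
        fputs("optimizer output\n", u);
        fclose(u);
        unsafe_clobbered = first_line(victim, buf, sizeof buf)
                           && strcmp(buf, "optimizer output\n") == 0;
    }

    /* Restore the victim so the hardened checks start from the same state. */
    v = fopen(victim, "w");
    if (v == NULL) goto out;
    fputs("precious data\n", v);
    fclose(v);

    /* 2. The exclusive open refuses the planted symlink (EEXIST from O_EXCL,
     *    or ELOOP from O_NOFOLLOW on other implementations). */
    int fd = safe_open_fixed_name(link);
    int hardened_refused = fd == -1 && (errno == EEXIST || errno == ELOOP);
    if (fd >= 0) close(fd);
    int intact = first_line(victim, buf, sizeof buf)
                 && strcmp(buf, "precious data\n") == 0;

    /* 3. mkstemp yields a private regular file that is not the victim. */
    int ufd = safe_open_unique_name(uniq);
    int unique_ok = ufd >= 0 && fstat(ufd, &st) == 0 && S_ISREG(st.st_mode)
                    && (st.st_mode & 0777) == 0600 && strcmp(uniq, link) != 0;
    if (ufd >= 0) { close(ufd); unlink(uniq); }

    rc = (unsafe_clobbered && hardened_refused && intact && unique_ok) ? 1 : 0;
out:
    unlink(link);
    unlink(victim);
    rmdir(dir);
    return rc;
}
```

Disabling the debug file entirely, as the openSuSE package did, is the third option and removes the race outright; when the output is worth keeping, mkstemp under TMPDIR is the usual choice, since a fixed name still tells a local user exactly where to look.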

Comment 1 Bruno Postle 2007-10-15 16:25:27 UTC
There isn't an upstream patch because nobody at opensuse bothered to contact
upstream before creating a CVE.  The fix however is a simple one-liner:

  sed -i 's/define DEBUG_WRITE_OPTIM_OUTPUT$/undef DEBUG_WRITE_OPTIM_OUTPUT/' \
  src/Panorama/PTOptimise.cpp

Though currently hugin isn't buildable for either f7 or f8 due to #295521, so
this one is stuck.

Comment 2 Tomas Hoger 2007-10-16 07:21:55 UTC
Yes, this is probably the easiest way to fix this.  However, upstream may want
to develop another fix which does not sacrifice some functionality (I'm not
trying to say the fix above is wrong ;).

According to comments in huginApp.cpp, there is some intention to fix temp file
usage:

  // FIXME, make secure against some symlink attacks


Comment 3 Bruno Postle 2007-10-24 20:00:11 UTC
Created attachment 236541 [details]
Patch to fix CVE-2007-5200

This is the upstream patch to fix this and another similar bug.  Note that
releasing a new hugin still depends on bug #295521.

Comment 4 Lubomir Kundrak 2007-11-01 16:37:10 UTC
This is well over a month and still not resolved. Do you need any help other
than the one-liner fix in rebuilding wxGTK?

Comment 6 Bruno Postle 2007-11-05 22:24:58 UTC
The patch and updated hugin.spec files for FC-6, F-7, F-8 and devel are in CVS.
I can't actually run `make tag` so I'm giving up on this one:

[bruno@moo FC-6]$ cd ../F-7
[bruno@moo F-7]$ make tag
cvs tag  -c hugin-0_6_1-11_fc7
cvs tag: Tagging .
T .cvsignore
T Makefile
T branch
T hugin-0.6.1-CVE-2007-5200.patch
T hugin.spec
T sources
Tagged with: hugin-0_6_1-11_fc7

[bruno@moo F-7]$ cd ../F-8/
[bruno@moo F-8]$ make tag
error: Macro %dist has empty body
error: Macro %dist has empty body
error: Macro % has illegal name (%define)
error: Macro % has illegal name (%define)
error: Macro %dist has empty body
error: Macro %dist has empty body
error: Macro % has illegal name (%define)
error: Macro % has illegal name (%define)
error: Macro %dist has empty body
error: Macro %dist has empty body
error: Macro % has illegal name (%define)
error: Macro % has illegal name (%define)
error: Macro %dist has empty body
error: Macro %dist has empty body
error: Macro % has illegal name (%define)
error: Macro % has illegal name (%define)
error: Macro %dist has empty body
error: Macro %dist has empty body
error: Macro % has illegal name (%define)
error: Macro % has illegal name (%define)
error: Macro %dist has empty body
error: Macro %dist has empty body
error: Macro % has illegal name (%define)
error: Macro % has illegal name (%define)
error: Macro %dist has empty body
error: Macro %dist has empty body
error: Macro % has illegal name (%define)
error: Macro % has illegal name (%define)
error: Macro %dist has empty body
error: Macro %dist has empty body
error: Macro % has illegal name (%define)
error: Macro % has illegal name (%define)
cvs tag  -c hugin-0_6_1-11_fc7
ERROR: The tag hugin-0_6_1-11_fc7 is already applied on a different branch
ERROR: You can not forcibly move tags between branches
hugin-0_6_1-5_fc6:devel:bpostle:1174424717
hugin-0_6_1-5_fc5:FC-5:bpostle:1174425164
hugin-0_6_1-6_fc7:devel:bpostle:1174425968
hugin-0_6_1-6_fc5:FC-5:bpostle:1174425980
hugin-0_6_1-6_fc6:FC-6:bpostle:1174425991
hugin-0_6_1-7_fc7:F-7:bpostle:1187035915
hugin-0_6_1-7_fc8:devel:bpostle:1187035930
hugin-0_6_1-8_fc8:devel:bpostle:1187730420
hugin-0_6_1-9_fc8:devel:bpostle:1187814430
hugin-0_6_1-10_fc8:devel:bpostle:1194300775
hugin-0_6_1-10_fc7:F-8:bpostle:1194300791
hugin-0_6_1-11_fc6:FC-6:bpostle:1194301109
hugin-0_6_1-11_fc7:F-7:bpostle:1194301120
cvs tag: Pre-tag check failed
cvs [tag aborted]: correct the above errors first!
make: *** [tag] Error 1


Comment 7 Lubomir Kundrak 2007-11-06 08:00:31 UTC
Bruno: No idea what your issue was (you had up-to-date CVS checked out?), but
it seems like there were no changes to Makefiles. Anyways, thanks for the patch; I
was able to successfully tag and build all affected branches.

Comment 8 Fedora Update System 2007-11-06 16:06:34 UTC
hugin-0.6.1-11.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Bruno Postle 2007-11-06 23:54:22 UTC
(In reply to comment #7)
> Bruno: No idea what your issue was (you had up-to date CVS checked out?)

I hadn't updated 'common', this has happened to me before...

> I was able to successfully tag and build all affected branches.

Thanks, there was no wxGTK release, is bug #295521 local to my system only?

Comment 10 Lubomir Kundrak 2007-11-07 12:49:46 UTC
(In reply to comment #9)

> > I was able to successfully tag and build all affected branches.
> Thanks, there was no wxGTK release, is bug #295521 local to my system only?

Huh, I even forgot about that :) Anyways, as you can see, the package built.
That can mean that either some other build root change (gcc or whatever) solved
that or it is really specific to your configuration. Which version do you run,
are you completely up-to-date?

Comment 11 Bruno Postle 2007-11-07 21:07:49 UTC
I am/was up to date, the system is x86_64.  I can switch between the two wxGTK
packages and reproduce, though it looks like I need to try this in mock and
update the bug report as necessary.

Comment 12 Fedora Update System 2007-11-09 23:38:54 UTC
hugin-0.6.1-11.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.
