Bug 332401 - (CVE-2007-5200) CVE-2007-5200 hugin unsafe temporary file usage
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware/OS: All Linux
Priority: medium  Severity: medium
Assigned To: Red Hat Product Security
QA Contact: Fedora Extras Quality Assurance
Whiteboard: source=vendorsec,reported=20071002,pu...
Keywords: Security
Depends On: 295521 362851 362861 362871
Reported: 2007-10-15 09:50 EDT by Tomas Hoger
Modified: 2007-11-09 18:38 EST (History)

Fixed In Version: 0.6.1-11.fc7
Doc Type: Bug Fix
Last Closed: 2007-11-09 18:38:57 EST
Attachments:
Patch to fix CVE-2007-5200 (1.92 KB, patch)
2007-10-24 16:00 EDT, Bruno Postle
Description Tomas Hoger 2007-10-15 09:50:58 EDT
Hugin was reported to create temporary / debug files in an unsafe manner.  During
the optimizer run, it creates a debug output file with a pre-defined name:
/tmp/hugin_debug_optim_results.txt.  If the file was already created by another user,
hugin gives an error message.

This problem can be abused by a malicious local user to perform a symlink attack
against the user running hugin, which will result in the overwrite of an arbitrary file
writable by the user running hugin with panorama optimizer output.

There does not seem to be any upstream patch at the moment.  An updated package was
released for openSuSE, which resolves this problem by disabling creation of the
debug file.
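The pattern described above, as an added example that is not hugin's code and not part of this report: a writer that opens the fixed debug-file name with fopen("w"), beside two hardened forms (same name opened with O_CREAT|O_EXCL|O_NOFOLLOW, and an unpredictable name from mkstemp()), plus a demo that plants the attacker's symlink in a private scratch directory rather than in /tmp. The write_debug_* function names, the victim_file name and the file contents are constructed for illustration.

```c
/* Added example, not hugin code: predictable /tmp debug file vs. hardened forms. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

static int write_all(int fd, const char *data) {
    size_t len = strlen(data);
    while (len > 0) {
        ssize_t n = write(fd, data, len);
        if (n < 0) { if (errno == EINTR) continue; return -1; }
        data += n; len -= (size_t)n;
    }
    return 0;
}

/* Vulnerable: fopen("w") follows a symlink at `path` and truncates whatever it
 * points to, so the optimizer output lands in a file the attacker chose. */
int write_debug_unsafe(const char *path, const char *data) {
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs(data, f);
    return fclose(f);
}

/* Hardened, same fixed name: O_CREAT|O_EXCL fails with EEXIST on any existing
 * entry, a planted symlink included, instead of following it. O_NOFOLLOW makes
 * the refusal explicit; mode 0600 keeps other users from reading the output. */
int write_debug_excl(const char *path, const char *data) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    int rc = write_all(fd, data);
    close(fd);
    return rc;
}

/* Hardened, unpredictable name: mkstemp() fills in the suffix and creates the
 * file with O_EXCL and mode 0600 itself; out_path receives the chosen name. */
int write_debug_mkstemp(const char *data, char *out_path, size_t out_len) {
    const char *dir = getenv("TMPDIR");
    if (!dir || !*dir) dir = "/tmp";
    int n = snprintf(out_path, out_len, "%s/hugin_debug_optim_results.XXXXXX", dir);
    if (n < 0 || (size_t)n >= out_len) { errno = ENAMETOOLONG; return -1; }
    int fd = mkstemp(out_path);
    if (fd < 0) return -1;
    int rc = write_all(fd, data);
    close(fd);
    return rc;
}

static int read_small(const char *path, char *buf, size_t len) {
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, len - 1);
    close(fd);
    if (n < 0) return -1;
    buf[n] = '\0';
    return 0;
}

/* Demo in a private scratch directory (constructed here; the real bug used
 * /tmp/hugin_debug_optim_results.txt). Returns a bitmask, -1 if setup failed:
 *   1  fopen() writer followed the planted symlink and clobbered victim_file
 *   2  O_EXCL writer refused with EEXIST and left victim_file untouched
 *   4  mkstemp() writer created a fresh regular file, no group/other access */
int demo_symlink_attack(void) {
    const char *tmp = getenv("TMPDIR");
    if (!tmp || !*tmp) tmp = "/tmp";
    char dir[PATH_MAX], target[PATH_MAX], link[PATH_MAX], fresh[PATH_MAX], buf[64];
    snprintf(dir, sizeof dir, "%s/hugin-demo-XXXXXX", tmp);
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/victim_file", dir);
    snprintf(link, sizeof link, "%s/hugin_debug_optim_results.txt", dir);
    if (write_debug_excl(target, "precious contents\n") < 0) return -1;
    if (symlink(target, link) < 0) return -1;       /* the attacker's move */
    int score = 0;

    write_debug_unsafe(link, "optimizer output\n");
    if (read_small(target, buf, sizeof buf) == 0 && strcmp(buf, "optimizer output\n") == 0)
        score |= 1;

    int rc = write_debug_excl(link, "second run\n");
    if (rc < 0 && errno == EEXIST && read_small(target, buf, sizeof buf) == 0 &&
        strcmp(buf, "optimizer output\n") == 0)
        score |= 2;

    struct stat st;
    if (write_debug_mkstemp("fresh run\n", fresh, sizeof fresh) == 0 &&
        lstat(fresh, &st) == 0 && S_ISREG(st.st_mode) && (st.st_mode & 077) == 0 &&
        strstr(fresh, "XXXXXX") == NULL) {
        score |= 4;
        unlink(fresh);
    }
    unlink(link); unlink(target); rmdir(dir);
    return score;
}

int main(void) {
    printf("score = %d (7: attack worked on the unsafe writer, both fixes held)\n",
           demo_symlink_attack());
    return 0;
}
```

The O_EXCL form still leaves the fixed name as a denial-of-service handle (the planted entry makes every run fail with EEXIST, which is the "error message" the report mentions), so the mkstemp() form is the one to prefer when the file must be created at all.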
Comment 1 Bruno Postle 2007-10-15 12:25:27 EDT
There isn't an upstream patch because nobody at opensuse bothered to contact
upstream before creating a CVE.  The fix however is a simple one-liner:

  sed -i 's/define DEBUG_WRITE_OPTIM_OUTPUT$/undef DEBUG_WRITE_OPTIM_OUTPUT/' \
  src/Panorama/PTOptimise.cpp

Though currently hugin isn't buildable for either f7 or f8 due to #295521, so
this one is stuck.
Comment 2 Tomas Hoger 2007-10-16 03:21:55 EDT
Yes, this is probably the easiest way to fix this.  However, upstream may want
to develop a different fix which does not sacrifice functionality (I'm not
trying to say the fix above is wrong ;).

According to comments in huginApp.cpp, there is some intention to fix temp file
usage:

  // FIXME, make secure against some symlink attacks
Comment 3 Bruno Postle 2007-10-24 16:00:11 EDT
Created attachment 236541 [details]
Patch to fix CVE-2007-5200

This is the upstream patch to fix this and another similar bug.  Note that
releasing a new hugin still depends on bug #295521
Comment 4 Lubomir Kundrak 2007-11-01 12:37:10 EDT
This is well over a month and still not resolved. Do you need any help, other
than the one-liner fix, in rebuilding wxGTK?
Comment 6 Bruno Postle 2007-11-05 17:24:58 EST
The patch and updated hugin.spec files for FC-6, F-7, F-8 and devel are in CVS.
I can't actually run `make tag`, so I'm giving up on this one:

[bruno@moo FC-6]$ cd ../F-7
[bruno@moo F-7]$ make tag
cvs tag  -c hugin-0_6_1-11_fc7
cvs tag: Tagging .
T .cvsignore
T Makefile
T branch
T hugin-0.6.1-CVE-2007-5200.patch
T hugin.spec
T sources
Tagged with: hugin-0_6_1-11_fc7

[bruno@moo F-7]$ cd ../F-8/
[bruno@moo F-8]$ make tag
error: Macro %dist has empty body
error: Macro %dist has empty body
error: Macro % has illegal name (%define)
error: Macro % has illegal name (%define)
error: Macro %dist has empty body
error: Macro %dist has empty body
error: Macro % has illegal name (%define)
error: Macro % has illegal name (%define)
error: Macro %dist has empty body
error: Macro %dist has empty body
error: Macro % has illegal name (%define)
error: Macro % has illegal name (%define)
error: Macro %dist has empty body
error: Macro %dist has empty body
error: Macro % has illegal name (%define)
error: Macro % has illegal name (%define)
error: Macro %dist has empty body
error: Macro %dist has empty body
error: Macro % has illegal name (%define)
error: Macro % has illegal name (%define)
error: Macro %dist has empty body
error: Macro %dist has empty body
error: Macro % has illegal name (%define)
error: Macro % has illegal name (%define)
error: Macro %dist has empty body
error: Macro %dist has empty body
error: Macro % has illegal name (%define)
error: Macro % has illegal name (%define)
error: Macro %dist has empty body
error: Macro %dist has empty body
error: Macro % has illegal name (%define)
error: Macro % has illegal name (%define)
cvs tag  -c hugin-0_6_1-11_fc7
ERROR: The tag hugin-0_6_1-11_fc7 is already applied on a different branch
ERROR: You can not forcibly move tags between branches
hugin-0_6_1-5_fc6:devel:bpostle:1174424717
hugin-0_6_1-5_fc5:FC-5:bpostle:1174425164
hugin-0_6_1-6_fc7:devel:bpostle:1174425968
hugin-0_6_1-6_fc5:FC-5:bpostle:1174425980
hugin-0_6_1-6_fc6:FC-6:bpostle:1174425991
hugin-0_6_1-7_fc7:F-7:bpostle:1187035915
hugin-0_6_1-7_fc8:devel:bpostle:1187035930
hugin-0_6_1-8_fc8:devel:bpostle:1187730420
hugin-0_6_1-9_fc8:devel:bpostle:1187814430
hugin-0_6_1-10_fc8:devel:bpostle:1194300775
hugin-0_6_1-10_fc7:F-8:bpostle:1194300791
hugin-0_6_1-11_fc6:FC-6:bpostle:1194301109
hugin-0_6_1-11_fc7:F-7:bpostle:1194301120
cvs tag: Pre-tag check failed
cvs [tag aborted]: correct the above errors first!
make: *** [tag] Error 1
Comment 7 Lubomir Kundrak 2007-11-06 03:00:31 EST
Bruno: No idea what your issue was (you had an up-to-date CVS checked out?), but
it seems like there were no changes to Makefiles. Anyways, thanks for the patch; I
was able to successfully tag and build all affected branches.
Comment 8 Fedora Update System 2007-11-06 11:06:34 EST
hugin-0.6.1-11.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Bruno Postle 2007-11-06 18:54:22 EST
(In reply to comment #7)
> Bruno: No idea what your issue was (you had up-to date CVS checked out?)

I hadn't updated 'common', this has happened to me before...

> I was able to successfully tag and build all affected branches.

Thanks, there was no wxGTK release, is bug #295521 local to my system only?
Comment 10 Lubomir Kundrak 2007-11-07 07:49:46 EST
(In reply to comment #9)

> > I was able to successfully tag and build all affected branches.
> Thanks, there was no wxGTK release, is bug #295521 local to my system only?

Huh, I even forgot about that :) Anyways, as you can see, the package built.
That can mean that either some other build root change (gcc or whatever) solved
that or it is really specific to your configuration. Which version do you run,
are you completely up-to-date?
Comment 11 Bruno Postle 2007-11-07 16:07:49 EST
I am/was up to date, the system is x86_64.  I can switch between the two wxGTK
packages and reproduce, though it looks like I need to try this in mock and
update the bug report as necessary.
Comment 12 Fedora Update System 2007-11-09 18:38:54 EST
hugin-0.6.1-11.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.
