Bug 484211 (CVE-2009-0035) - CVE-2009-0035 alsa-utils: Insecure temporary file use in /usr/bin/alsa-info(.sh)
Summary: CVE-2009-0035 alsa-utils: Insecure temporary file use in /usr/bin/alsa-info(.sh)
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2009-0035
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2009-02-05 13:33 UTC by Jan Lieskovsky
Modified: 2023-09-07 18:34 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-08-22 16:06:39 UTC
Embargoed:



Description Jan Lieskovsky 2009-02-05 13:33:00 UTC
alsa-utils-1.0.19 and later allows local users to overwrite
arbitrary files via a symlink attack via the 1) /usr/bin/alsa-info
and 2) /usr/bin/alsa-info.sh scripts.

Comment 1 Jan Lieskovsky 2009-02-05 13:38:14 UTC
Credit for discovering this vulnerability goes to: Ville Skyttä

Relevant files, on which the symlink attack is possible:

44:     wget -O /tmp/alsa-info.sh "http://www.alsa-project.org/alsa-info.sh" >/dev/null 2>&1
45:     REMOTE_VERSION=`grep SCRIPT_VERSION /tmp/alsa-info.sh |head -n1 |sed 's/.*=//'`
60:                                     cp /tmp/alsa-info.sh $0
63:                                     rm /tmp/alsa-info.sh 2>/dev/null
65:                                     echo "ALSA-Info script has been downloaded as /tmp/alsa-info.sh."
70:                             rm /tmp/alsa-info.sh 2>/dev/null
76:                             cp /tmp/alsa-info.sh $0
78:                             rm /tmp/alsa-info.sh 2>/dev/null
80:                             echo "ALSA-Info script has been downloaded as /tmp/alsa-info.sh."
86:             rm /tmp/alsa-info.sh 2>/dev/null
123:    CARD_NAME=`grep "^ *$i " /tmp/alsainfo/alsacards.tmp|awk {'print $2'}`
147:    $exe -f /tmp/alsainfo/alsactl.tmp store
149:    cat /tmp/alsainfo/alsactl.tmp >> $FILE
285:TEMPDIR="/tmp/alsainfo/"
286:FILE="/tmp/alsa-info.txt"
309:VENDOR_ID=`lspci -vn |grep 040[1-3] | awk -F':' '{print $3}'|awk {'print substr($0, 2);}' >/tmp/alsainfo/vendor_id.tmp`
310:DEVICE_ID=`lspci -vn |grep 040[1-3] | awk -F':' '{print $4}'|awk {'print $1'} >/tmp/alsainfo/device_id.tmp`
312:cat /proc/asound/modules 2>/dev/null|awk {'print $2'}>/tmp/alsainfo/alsamodules.tmp
313:cat /proc/asound/cards >/tmp/alsainfo/alsacards.tmp
314:lspci |grep -i "multi\|audio">/tmp/alsainfo/lspci.tmp
317:cat /proc/asound/card*/codec\#* > /tmp/alsainfo/alsa-hda-intel.tmp 2> /dev/null
320:cat /proc/asound/card*/codec97\#0/ac97\#0-0 > /tmp/alsainfo/alsa-ac97.tmp 2> /dev/null
321:cat /proc/asound/card*/codec97\#0/ac97\#0-0+regs > /tmp/alsainfo/alsa-ac97-regs.tmp 2> /dev/null
327:echo "name=$USER&type=33&description=/tmp/alsa-info.txt&expiry=&s=Submit+Post&content=" > $FILE
363:cat /tmp/alsainfo/alsamodules.tmp >> $FILE
369:cat /tmp/alsainfo/alsacards.tmp >> $FILE
375:cat /tmp/alsainfo/lspci.tmp >> $FILE
408:if [ -s "/tmp/alsainfo/alsa-hda-intel.tmp" ] 
414:    cat /tmp/alsainfo/alsa-hda-intel.tmp >> $FILE
420:if [ -s "/tmp/alsainfo/alsa-ac97.tmp" ]
426:        cat /tmp/alsainfo/alsa-ac97.tmp >> $FILE
428:        cat /tmp/alsainfo/alsa-ac97-regs.tmp >> $FILE
586:    wget -O - --tries=5 --timeout=60 --post-file=/tmp/alsa-info.txt "http://www.alsa-project.org/cardinfo-db/" &>/tmp/alsainfo/wget.tmp || echo "Upload failed; exit"
593:    wget -O - --tries=5 --timeout=60 --post-file=/tmp/alsa-info.txt "http://pastebin.ca/quiet-paste.php?api=$PASTEBINKEY&encrypt=t&encryptpw=blahblah" &>/tmp/alsainfo/wget.tmp || echo "Upload failed; exit"
606:    wget -O - --tries=5 --timeout=60 --post-file=/tmp/alsa-info.txt http://www.alsa-project.org/cardinfo-db/ &>/tmp/alsainfo/wget.tmp &
609:    wget -O - --tries=5 --timeout=60 --post-file=/tmp/alsa-info.txt http://pastebin.ca/quiet-paste.php?api=$PASTEBINKEY &>/tmp/alsainfo/wget.tmp &
630:                    FINAL_URL=`tput setaf 1; grep "SUCCESS:" /tmp/alsainfo/wget.tmp | cut -d ' ' -f 2 ; tput sgr0`
632:                    FINAL_URL=`tput setaf 1; grep "SUCCESS:" /tmp/alsainfo/wget.tmp |sed -n 's/.*\:\([0-9]\+\).*/http:\/\/pastebin.ca\/\1/p';tput sgr0`
636:                    FINAL_URL=`grep "SUCCESS:" /tmp/alsainfo/wget.tmp | cut -d ' ' -f 2`
638:                    FINAL_URL=`grep "SUCCESS:" /tmp/alsainfo/wget.tmp |sed -n 's/.*\:\([0-9]\+\).*/http:\/\/pastebin.ca\/\1/p'`
665:            grep -v "alsa-info.txt" /tmp/alsa-info.txt >/tmp/alsainfo/uploaded.txt
666:            dialog --backtitle "$BGTITLE" --textbox /tmp/alsainfo/uploaded.txt 0 0

Comment 2 Jan Lieskovsky 2009-02-05 13:41:28 UTC
This issue does NOT affect the versions of the alsa-utils package, as shipped
with Red Hat Enterprise Linux 4 and 5.

This issue does NOT affect the version of the alsa-utils package, as shipped
with Fedora release of 9.

This issue affects the versions of the alsa-utils package, as shipped
with Fedora releases of 10 and devel.

Comment 3 Ville Skyttä 2009-02-05 17:49:45 UTC
I'm wondering why alsa-info in alsa-utils-1.0.17-2.fc9.x86_64 for Fedora 9 would NOT be affected.  Regarding handling files in /tmp, it seems essentially the same to me as later versions.

Other remarks:

The initial comment and summary of this bug refer to alsa-info and alsa-info.sh.  I'm unaware of a package that would contain alsa-info.sh.

The summary of this bug refers to /bin/alsa-info{,.sh}, I believe it should be /usr/bin/alsa-info.

Comment 4 Tomas Hoger 2009-02-05 18:12:46 UTC
(In reply to comment #3)
> The initial comment and summary of this bug refer to alsa-info and
> alsa-info.sh.  I'm unaware of a package that would contain alsa-info.sh.

$ rpm -q alsa-utils
alsa-utils-1.0.19-1.fc10.x86_64

$ ll /usr/bin/alsa-info*
-rwxr-xr-x 1 root root 23283 Nov  4 10:46 /usr/bin/alsa-info
lrwxrwxrwx 1 root root     9 Jan 27 15:13 /usr/bin/alsa-info.sh -> alsa-info

> The summary of this bug refers to /bin/alsa-info{,.sh}, I believe it should be
> /usr/bin/alsa-info.

Yeah, apparently only one of those should be mentioned.

Comment 5 Jaroslav Kysela 2009-02-06 09:28:57 UTC
Note that all collected information can be obtained by any user with default privileges.

Also, before any action, the script asks user for confirmation with information what the script will try to do.

The possible security impact is very low in my eyes.

If you provide a patch against alsa-info.sh to make it more robust, I'll commit it to upstream repository, of course. Thanks.

Comment 6 Ville Skyttä 2009-02-06 16:19:55 UTC
Note that this bug is about insecure temporary file handling which allows local users to cause overwriting or appending to arbitrary files to which the user who runs alsa-info has write access.  The nature of the collected information is not relevant to this issue.

Comment 7 Jaroslav Kysela 2009-02-09 13:52:32 UTC
OK, I see the problem now. The script version 0.4.54 uses mktemp to avoid this problem. Only 'mv $tempfile /tmp/alsa-info.txt' is used at the end of operation which should be safe for symlink attacks and keeps filename nice for users.

I included this fix to 1.0.19-2 F10 package and to 1.0.19-3 rawhide package.

Comment 8 Ville Skyttä 2009-02-09 17:19:05 UTC
Version 0.4.54 of the script looks better on a quick peek, however I think the script should be made to abort if any of the introduced mktemp's fail - currently it seems to me that it simply continues on.

Please also note that alsa-utils-1.0.17-2.fc9 in the F-9 updates repository is affected as well, and needs an update.
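
The following is an added example, not code from alsa-utils, from the bug report, or from the 0.4.54 script. It shows in a scratch directory (standing in for the shared /tmp) the two things discussed in comment 1 and comments 7 and 8: why a fixed, predictable name like /tmp/alsa-info.txt lets another local user clobber a file the victim can write, and how a mktemp-created private file, an abort when mktemp fails, and a final mv into place avoid that. The sandbox path, the victim file, the function names and the sample output lines are all constructed for the illustration.

```shell
#!/bin/sh
# Added example (not alsa-utils code). A throwaway directory stands in for /tmp.
SANDBOX="$(mktemp -d)" || exit 1            # constructed stand-in for the shared /tmp
trap 'rm -rf "$SANDBOX"' EXIT
VICTIM="$SANDBOX/victim.txt"                # any file writable by the user running the script
SECRET="important data"
reset_victim() { printf '%s\n' "$SECRET" > "$VICTIM"; }

# Attacker's side (another local user in the real case): pre-create the predictable
# name as a symlink to the victim's file. ln -sf keeps this re-runnable.
plant_symlink() { ln -sf "$VICTIM" "$SANDBOX/alsa-info.txt"; }

# Insecure pattern, condensed from the script's FILE="/tmp/alsa-info.txt" usage:
# '>' and '>>' open the path, and open(2) follows the planted symlink.
insecure_collect() {
    FILE="$SANDBOX/alsa-info.txt"
    echo "name=${USER:-unknown}&type=33&description=/tmp/alsa-info.txt" > "$FILE"
    echo "!!ALSA Information Script (constructed sample line)" >> "$FILE"
}

# Hardened pattern: private directory and file from mktemp, abort if either
# mktemp fails (comment 8), write only to the private file, then mv it into
# place. mv uses rename(2), which replaces a symlink at the destination
# instead of following it, so the pre-planted link is simply discarded.
secure_collect() {
    TEMPDIR="$(mktemp -d "$SANDBOX/alsainfo.XXXXXX")" \
        || { echo "mktemp -d failed, aborting" >&2; return 1; }
    TEMPFILE="$(mktemp "$TEMPDIR/alsa-info.XXXXXX")" \
        || { echo "mktemp failed, aborting" >&2; rm -rf "$TEMPDIR"; return 1; }
    echo "name=${USER:-unknown}&type=33&description=/tmp/alsa-info.txt" > "$TEMPFILE"
    echo "!!ALSA Information Script (constructed sample line)" >> "$TEMPFILE"
    mv -f "$TEMPFILE" "$SANDBOX/alsa-info.txt" || { rm -rf "$TEMPDIR"; return 1; }
    rm -rf "$TEMPDIR"
}

# Checks: did the victim's file survive, and is the final output a real file?
victim_intact() { [ "$(cat "$VICTIM")" = "$SECRET" ]; }
output_is_regular() { [ ! -L "$SANDBOX/alsa-info.txt" ] && [ -f "$SANDBOX/alsa-info.txt" ]; }

# Run both scenarios against a freshly planted symlink.
reset_victim; plant_symlink; insecure_collect
victim_intact && echo "insecure: victim untouched (unexpected)" \
              || echo "insecure: victim clobbered through the symlink"
reset_victim; plant_symlink; secure_collect
victim_intact && echo "secure: victim untouched, output is a private file moved into place" \
              || echo "secure: victim clobbered (unexpected)"
```

One caveat on the mv step: rename(2) replaces a symlink that points at a file, but GNU mv treats a destination that is a symlink to a directory as a directory and moves the file into it; on GNU systems `mv -T` (or checking with `[ -L ]` first) closes that gap. The abort on mktemp failure matters because a script that continues after mktemp returns empty falls straight back to writing under an unset or predictable path.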

Comment 9 Tomas Hoger 2009-08-28 12:02:43 UTC
Outstanding issues mentioned in previous commit should now be fixed in upstream git in version 0.4.58 via patches from Takashi Iwai:

http://git.alsa-project.org/?p=alsa-driver.git;a=history;f=utils/alsa-info.sh

Original commit from Jaroslav, just for posterity:

http://git.alsa-project.org/?p=alsa-driver.git;a=commitdiff;h=8cd38484c40300b1fa61fde1c1187023e637b9b9

Making this bug public, finally.

Comment 10 Ville Skyttä 2011-11-13 23:01:17 UTC
F-14 and newer Fedora releases ship a version that I suppose is fixed, maybe this bug can be closed now?

