Bug 676389 (CVE-2011-0702) - feh: arbitrary file overwrite vulnerability
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Platform: All Linux
Priority: low  Severity: low
Assigned To: Red Hat Product Security
Whiteboard: public=20100719,reported=20110208,sou...
Keywords: Security
Duplicates: 675811
Depends On: 676390
Reported: 2011-02-09 12:29 EST by Vincent Danen
Modified: 2012-09-11 11:39 EDT
Fixed In Version: feh 1.11.2
Doc Type: Bug Fix
Last Closed: 2012-09-11 11:39:19 EDT
Description Vincent Danen 2011-02-09 12:29:49 EST
A Debian bug report [1],[2] indicated that feh is vulnerable to an
arbitrary file overwrite flaw.  If a user could guess the PID of the feh
process and create a symlink in /tmp, they could cause the overwrite of any
file that the user running feh has write access to via wget overwriting the file.  In
src/imlib.c we have:

char *feh_http_load_image(char *url)
{
    char *tmpname;
    char *basename;
    char *path = NULL;

    if (opt.keep_http) {
        if (opt.output_dir)
            path = opt.output_dir;
        else
            path = "";
    } else
        path = "/tmp/";              /* default: world-writable /tmp */

    basename = strrchr(url, '/') + 1;
    /* name is feh_<pid>_<counter>_<basename>, predictable once the PID is known */
    tmpname = feh_unique_filename(path, basename);
...
    /* wget opens tmpname by path, so a symlink there is followed and its target overwritten */
    execlp("wget", "wget", "--cache=off", "-O", tmpname, url, quiet, NULL);

and in src/utils.c we have:

char *feh_unique_filename(char *path, char *basename)
{
...

    /* Massive paranoia ;) */
    if (i > 999998)
        i = 1;

    ppid = getpid();
    snprintf(cppid, sizeof(cppid), "%06ld", (long) ppid);

    /* make sure file doesn't exist */
    do {
        /* i starts at 1, so the first name a process generates is feh_<pid>_000001_<basename> */
        snprintf(num, sizeof(num), "%06ld", i++);
        tmpname = estrjoin("", path, "feh_", cppid, "_", num, "_", basename, NULL);
    }
    while (stat(tmpname, &st) == 0);
    /* the name is only checked here, not created: nothing stops a file or symlink appearing before wget opens it */
    return(tmpname);
}

feh_unique_filename() has some attempt at randomness, but I don't think it's enough.  i always starts at 1, so unless the same process is creating multiple temporary files, you're almost guaranteed to have that extra randomness being '1'; it's also just as easy to create a bunch of symlinks to account for the "randomness" provided you know the PID.  Using mkstemp would be a much better solution.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=612035
[2] https://bugs.launchpad.net/ubuntu/+source/feh/+bug/607328
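An added example, not feh's code and not the upstream fix referenced in this bug, of the mkstemp()-based approach suggested above: the temporary file is created atomically with O_EXCL, and the open descriptor rather than the path is handed to the downloader, so no later open-by-name can be redirected through a symlink. The function names, the directory argument and the use of echo as a stand-in for wget are assumptions made for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical replacement for feh_unique_filename(): mkstemp() creates the
 * file with O_CREAT|O_EXCL and mode 0600, so a symlink planted at the chosen
 * name fails the call instead of being followed.  Returns a malloc'd path. */
char *safe_unique_filename(const char *dir, const char *basename, int *fd_out)
{
    size_t len = strlen(dir) + strlen(basename) + sizeof("/feh__XXXXXX");
    char *tmpl = strchr(basename, '/') ? NULL : malloc(len);
    if (!tmpl)
        return NULL;                 /* basename must be one path component */
    snprintf(tmpl, len, "%s/feh_%s_XXXXXX", dir, basename);
    if ((*fd_out = mkstemp(tmpl)) < 0) {
        free(tmpl);
        return NULL;
    }
    return tmpl;
}
/* Run a writer (for feh: "wget -O - URL") with stdout redirected to the
 * already-open descriptor, so the child never opens the path by name. */
int run_writer_to_fd(int fd, const char *prog, const char *arg)
{
    int status;
    pid_t pid = fork();
    if (pid == 0) {
        if (dup2(fd, STDOUT_FILENO) >= 0)
            execlp(prog, prog, arg, (char *)NULL);
        _exit(127);                  /* reached only if dup2 or exec failed */
    }
    if (pid < 0 || waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
/* Demo: create, fill via a harmless writer, verify a private regular file. */
int demo(const char *dir)
{
    int fd = -1, ok;
    struct stat st;
    char *path = safe_unique_filename(dir, "image.png", &fd);
    ok = path && run_writer_to_fd(fd, "echo", "downloaded") == 0 && fstat(fd, &st) == 0
         && S_ISREG(st.st_mode) && (st.st_mode & 0777) == 0600 && st.st_size == 11;
    if (path) { close(fd); unlink(path); free(path); }
    return ok ? 0 : -1;
}
```

The demo writes "downloaded\n" (11 bytes) through the descriptor and then checks with fstat() that the file is still a regular 0600 file owned by the process before removing it.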
Comment 1 Vincent Danen 2011-02-09 12:31:10 EST
Created feh tracking bugs for this issue

Affects: fedora-all [bug 676390]
Comment 2 Vincent Danen 2011-02-09 17:19:28 EST
This was assigned the name CVE-2011-0702:

http://www.openwall.com/lists/oss-security/2011/02/09/14
Comment 3 Vincent Danen 2011-02-09 17:19:56 EST
*** Bug 675811 has been marked as a duplicate of this bug. ***
Comment 4 Tomas Hoger 2011-02-10 04:41:43 EST
Upstream bug:
https://github.com/derf/feh/issues/#issue/32

The fix that was applied upstream that makes wget run with --no-clobber:
https://derf.homelinux.org/git/feh/commit/?id=23421a86cc826dd30f3dc4f62057fafb04b3ac40

Limitations of the fix are mentioned in the commit message.
Comment 5 Vincent Danen 2012-09-11 11:39:19 EDT
This was fixed in 1.11.2:

http://feh.finalrewind.org/archive/

And fixed in Fedora via the update to 1.14.1:

http://koji.fedoraproject.org/koji/buildinfo?buildID=250264
