Bug 676367 (CVE-2011-3616) - CVE-2011-3616 conky: arbitrary file overwrite vulnerability
Summary: CVE-2011-3616 conky: arbitrary file overwrite vulnerability
Alias: CVE-2011-3616
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 676368
TreeView+ depends on / blocked
Reported: 2011-02-09 16:31 UTC by Vincent Danen
Modified: 2019-09-29 12:42 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2011-02-11 04:07:36 UTC

Attachments (Terms of Use)

Description Vincent Danen 2011-02-09 16:31:16 UTC
A Debian bug report [1],[2] indicated that conky is vulnerable to an arbitrary file overwrite flaw.  In the getSkillname() function of the Eve plugin, there is a race condition between when the plugin checks for the existence of /tmp/.cesf and when it writes to the file, easily beaten because getXmlFromAPI() is called in between (which can take time due to network latency, etc.).  If a user were able to beat the race and create a symlink of /tmp/.cesf to any file the user running conky had write access to, they could overwrite the contents of that file.  In src/eve.c we have:

275 static char *getSkillname(const char *file, int skillid)
276 {
283     if (!file_exists(file)) {
284         skilltree = getXmlFromAPI(NULL, NULL, NULL, EVEURL_SKILLTREE);
285         writeSkilltree(skilltree, file);
286         free(skilltree);
287     }
337 static char *eve(char *userid, char *apikey, char *charid)
338 {
339     Character *chr = NULL;
340     const char *skillfile = "/tmp/.cesf";
400         skill = getSkillname(skillfile, chr->skill);

The Debian bug report has a propsed patch [3].

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=612033
[2] https://bugs.launchpad.net/ubuntu/+source/conky/+bug/607309
[3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=612033#10

Comment 1 Vincent Danen 2011-02-09 16:33:49 UTC
Created conky tracking bugs for this issue

Affects: fedora-all [bug 676368]

Comment 2 Miroslav Lichvar 2011-02-10 09:07:26 UTC
Fedora conky packages are compiled without eve support.

Comment 3 Vincent Danen 2011-02-11 04:07:36 UTC
Ah, yes, it is.  Sorry about that.  ./configure is missing --with-eve indeed.

Thanks, I'll close the bugs.

Comment 4 Jan Lieskovsky 2011-10-12 13:05:30 UTC
The CVE identifier of CVE-2011-3616 has been assigned:
[4] http://www.openwall.com/lists/oss-security/2011/10/10/8

to this issue.

Note You need to log in before you can comment on or make changes to this bug.