Your message dated Sat, 19 Feb 2005 09:39:30 -0500 with message-id <[EMAIL PROTECTED]> and subject line Bug#287651: fixed in grass 5.7.0+6.0.0beta2-1 has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 29 Dec 2004 11:01:19 +0000
Date: Wed, 29 Dec 2004 12:01:16 +0100
From: Javier Fernández-Sanguino Peña <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: grass: Multiple vulnerabilities (symlink attacks) due to improper temporary files use in scripts and source code

Package: grass
Version: 5.0.3-5.1
Priority: grave
Tags: security sarge sid

A lot of scripts provided within Grass are vulnerable to race conditions through symlink attacks in temporary files.
Many of these scripts either create temporary files in an insecure manner (shell scripts do not use 'set -e' and 'set -C', for example) and/or use names that are easily guessable. Some examples include:

grass-5.0.3/src/scripts/contrib/i.oif/i.oif:
---------------------------------------------------------
(...)
# save the Stddev for TM bands
echo "Calculation Standarddeviations for all bands:"
$GISBASE/etc/i.oif/r.stddev $1 |tail -1 >/tmp/i.oif.stddev
(...)
---------------------------------------------------------

grass-5.0.3/src/CMD/generic/GISGEN.sh:
--------------------------------------------------------
case $# in
0)
    tmp1=/tmp/GISGEN1.$$
    tmp2=/tmp/GISGEN2.$$
    tmp3=/tmp/GISGEN3.$$
    rm -f $tmp1
    touch $tmp1
    (...)
    rm -f $tmp2
    rm -f $tmp3
    echo "a == 1 { print \$0 ; next }" > $tmp3
    echo "\$0 == \"$STEP\" { a = 1; print \$0 }" >> $tmp3
    awk -f $tmp3 $tmp1 > $tmp2
    rm -f $tmp3 $tmp1
----------------------------------------------------------

grass-5.0.3/src/mapdev/v.in.arc.poly/script/v.in.arc.poly
----------------------------------------------------------
bindir=$GISBASE/etc
tempfile=/tmp/temp.ply
(...)
echo 'start eliminating double nodes in ' $1
$bindir/permut $GISDBASE/$LOCATION_NAME/$MAPSET/arc/temp.ply $tempfile
rm $tempfile
(...)
----------------------------------------------------------

[Note: permut just opens this output file without further checks:

./src/mapdev/v.in.arc.poly/permut/permut.c
(...)
    if ((outfile = fopen (out_ply, "w")) == NULL)
    {
        printf ("can't open tempfile %s\n", out_ply);
        exit (1);
    }
(...)
]

./src/paint/Drivers/versatec/3236/DRIVER.sh
----------------------------------------------------------
(...)
TMPDIR1=/tmp/versatec
TMPDIR2=/tmp/versatec
(...)
RASTERFILE=$TMPDIR1/_paint
SPRINT="/bin/sprint >&2"
SPRINT_COMMAND="$SPRINT $RASTERFILE -v -p 3236 -w $TMPDIR2 -x $ZOOM -y $ZOOM"
----------------------------------------------------------

grass-5.0.3/src/scripts/contrib/i.spectral/i.spectral
----------------------------------------------------------
.where -1 |r.what input=$RASTERMAPS > /tmp/spectr.dum1
cat /tmp/spectr.dum1 | cut -d'|' -f4,5,6,7,8,9,10| tr '|' '\012' > /tmp/spectr.dum2
----------------------------------------------------------

Now those are just examples of the "easily guessable" temporary files used. But a lot of scripts make use of the $$ construct (either within shell scripts or C code using getpid()) that is not directly guessable but can be inferred more or less accurately in a system where a given user is running grass, either:

- by looking at the /tmp/ directory and detecting when a given temporary file is created and symlinking the "next one". For example in ./src/scripts/contrib/r.plane/r.plane the following tmp files are created in succession: /tmp/$$, /tmp/$$dip, /tmp/$$, /tmp/$$ea, /tmp/$$, /tmp/$$no, /tmp/$$ (removed and reused several times). So an attacker

- by bulk creating a huge number of temporary files using the current PID of the grass program as a base

Just try a 'grep -r "/tmp/"' on the sources and you'll see what I mean.

I cannot determine, as I don't use grass, whether the scripts there are actually used regularly by users. I would suggest however to patch those either by:

a) Safely creating a per user temporary directory and have all scripts use that as a location for all of the temporary files if defined. For example, in a common startup script do:

TMPGRASS=`mktemp -dt grass-XXXXXX` || { echo "Cannot create temporary directory"; exit 1 ; }
export TMPGRASS

and in auxiliary scripts do:

# only create a directory if the startup script has not already exported one
[ -n "$TMPGRASS" ] || TMPGRASS=`mktemp -dt grass-XXXXXX` || { echo "Cannot create temporary directory"; exit 1 ; }
(...)
tempfile="$TMPGRASS/tempfile"

b) Changing all shell scripts to use mktemp or tempfile (might make those Debian-specific) when setting up temporary files.

All the C files, however, need to be modified so that they use mkstemp(). So, for example, instead of this (in grass-5.0.3/src/imagery/i.ask/popup.c):

char tempfile1[40], tempfile2[40];
(...)
sprintf (tempfile1, "/tmp/i.ask1.%d", getpid());
sprintf (tempfile2, "/tmp/i.ask2.%d", getpid());

it should use this:

/* mkstemp() overwrites the XXXXXX in place, so the template must be a
   writable array rather than a string literal */
char tempfile1[] = "/tmp/i.ask1.XXXXXX";
char tempfile2[] = "/tmp/i.ask2.XXXXXX";
int tempfd1;
int tempfd2;
if ( ( tempfd1 = mkstemp(tempfile1) ) < 0 ) {
    /* Do something if this breaks! */
}
if ( ( tempfd2 = mkstemp(tempfile2) ) < 0 ) {
    /* Do something if this breaks! */
}

and pass the file descriptor (instead of the filename) to functions later on. This means that ./src/libes/raster/Panel.c needs to be rewritten (or extended) to use an fd instead of names in its call.

BTW, what does this mean?

grass-5.0.3/src/libes/raster/Panel.c
(...)
/* make sure this file can be written by anybody */
num = umask(0);
close(creat(name,0666));
umask(num);
(...)

!!! Doesn't look too safe to me.. What's the panel used for?

Now, I'm not sure I can provide a patch fixing all of those, but I'm willing to provide a full patch (at least for the shell scripts) if time permits. However, IMHO this makes this software package unsuitable for release.
Regards

Javier

---------------------------------------
Received: (at 287651-close) by bugs.debian.org; 19 Feb 2005 14:45:38 +0000
From: Steve Halasz <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Bug#287651: fixed in grass 5.7.0+6.0.0beta2-1
Sender: Anthony Towns <[EMAIL PROTECTED]>
Date: Sat, 19 Feb 2005 09:39:30 -0500

Source: grass
Source-Version: 5.7.0+6.0.0beta2-1

We believe that the bug you reported is fixed in the latest version of grass, which is due to be installed in the Debian FTP archive:

grass-doc_5.7.0+6.0.0beta2-1_all.deb
  to pool/main/g/grass/grass-doc_5.7.0+6.0.0beta2-1_all.deb
grass_5.7.0+6.0.0beta2-1.diff.gz
  to pool/main/g/grass/grass_5.7.0+6.0.0beta2-1.diff.gz
grass_5.7.0+6.0.0beta2-1.dsc
  to pool/main/g/grass/grass_5.7.0+6.0.0beta2-1.dsc
grass_5.7.0+6.0.0beta2-1_alpha.deb
  to pool/main/g/grass/grass_5.7.0+6.0.0beta2-1_alpha.deb
grass_5.7.0+6.0.0beta2.orig.tar.gz
  to pool/main/g/grass/grass_5.7.0+6.0.0beta2.orig.tar.gz
libgrass-dev_5.7.0+6.0.0beta2-1_alpha.deb
  to pool/main/g/grass/libgrass-dev_5.7.0+6.0.0beta2-1_alpha.deb
libgrass_5.7.0+6.0.0beta2-1_alpha.deb
  to pool/main/g/grass/libgrass_5.7.0+6.0.0beta2-1_alpha.deb

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [EMAIL PROTECTED], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steve Halasz <[EMAIL PROTECTED]> (supplier of updated grass package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [EMAIL PROTECTED])

Format: 1.7
Date: Fri, 4 Feb 2005 15:13:26 -0500
Source: grass
Binary: libgrass-dev grass libgrass grass-doc
Architecture: source alpha all
Version: 5.7.0+6.0.0beta2-1
Distribution: unstable
Urgency: high
Maintainer: Debian GIS Project <[EMAIL PROTECTED]>
Changed-By: Steve Halasz <[EMAIL PROTECTED]>
Description:
 grass        - Geographic Resources Analysis Support System
 grass-doc    - Geographic Resources Analysis Support System documentation
 libgrass     - GRASS GIS development libraries
 libgrass-dev - GRASS GIS library development files
Closes: 234275 259655 261726 264566 282567 287590 287591 287651 287763 287764
Changes:
 grass (5.7.0+6.0.0beta2-1) unstable; urgency=high
 .
   * New upstream release (Closes: #264566)
     - Safe tmpdir creation (Closes: #287651)
     - tcltkgrass replaced by d.m (Closes: #282567)
     - r.in.gdal segfault fixed (Closes: #234275)
     - r.in.bin segfault fixed (Closes: #259655)
     - r.lags.1grass.gz: "name" section too long (removed) (Closes: #261726)
     - raster.html: non explained commands (removed) (Closes: #287590)
     - i.rectify.html: links to i.vpoints.html work (Closes: #287764)
     - i.points.html: imagery.ps link fixed (Closes: #287763)
   * Help button doc path fixed (Closes: #287591)
   * Change libgrass0 -> libgrass
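The C-side fix the report asks for (mkstemp() on a writable template, honouring the per-user TMPGRASS directory from suggestion a), and a check for code such as Panel.c that keeps using the file by name), written out as an added example; this is not code from the grass package or from the bug report, and the function names grass_mkstemp and tempfile_is_safe are this example's own.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Creates a temp file the way the report recommends for i.ask/popup.c:
 * mkstemp() on a writable template (it rewrites the XXXXXX in place, so
 * a string literal is undefined behaviour), which opens the file with
 * O_CREAT|O_EXCL and mode 0600, so a symlink planted at a guessable
 * name is never followed. The directory comes from TMPGRASS (the
 * per-user directory of suggestion a)), then TMPDIR, then /tmp.
 * Returns the open fd or -1; the path is copied to path_out on success. */
int grass_mkstemp(const char *base, char *path_out, size_t path_len)
{
    const char *dir = getenv("TMPGRASS");
    if (dir == NULL || *dir == '\0')
        dir = getenv("TMPDIR");
    if (dir == NULL || *dir == '\0')
        dir = "/tmp";

    char tmpl[256];
    int n = snprintf(tmpl, sizeof tmpl, "%s/%s.XXXXXX", dir, base);
    if (n < 0 || (size_t)n >= sizeof tmpl || (size_t)n >= path_len)
        return -1;

    int fd = mkstemp(tmpl);
    if (fd < 0)
        return -1;
    strcpy(path_out, tmpl);   /* length already checked against path_len */
    return fd;
}

/* For callers that must keep using the *name* (as the report notes
 * Panel.c does): the path is a regular file we own, not group/world
 * writable, and the same inode as the fd, i.e. not replaced since creation. */
int tempfile_is_safe(int fd, const char *path)
{
    struct stat fs, ls;
    if (fstat(fd, &fs) != 0 || lstat(path, &ls) != 0)
        return 0;
    return S_ISREG(ls.st_mode) && ls.st_uid == getuid()
        && (ls.st_mode & 022) == 0
        && ls.st_dev == fs.st_dev && ls.st_ino == fs.st_ino;
}
```

Callers should pass the returned fd (or fdopen() it) to the code that writes the file; the name check is only for the places that cannot yet be converted.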