Package: xfe
Version: 1.32.5-2
Severity: normal
Tags: patch upstream
I'm re-submitting this to upstream and I kindly ask the maintainer to fix
this in stable and re-upload the fixed package.
Lately, I was playing around with ACLs on Samba and NFS shares when I
discovered that the 'File New' dialog always creates files with the mask of
the user (default 0022), instead of applying the rights determined by the
default ACL set on the particular directory (which is the default behavior
of 'touch'). This is problematic because the admin sets ACLs because he/she
most likely wants to restrict foreign access to this file and the default
behavior of xfe ignores this, giving unprivileged users read access in
possibly right sensitive areas (e.g. xfe invoked by root and creating a new
file and afterwards adding a private key to it). Furthermore, changing the
default umask can expand the problem to a more severe security impact.
The problem could be reproduced in stable (wheezy), testing (jessie) and
unstable (sid) also with local ACLs. The responsible code is located in
function FilePanel::onCmdNewFile in FilePanel.cpp (lines 2763-2775 in
version 1.32.5-2 [stable]; 2944-2956 in version 1.37-1 [testing, unstable]).
The attached patches fix this vulnerability in all versions by removing
these lines and thus restore the Linux default behavior. Intense testing
of the patched version showed no recurrence of the issue.
-- System Information:
Debian Release: 7.4
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.13.1 (SMP w/4 CPU cores; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages xfe depends on:
ii libc6 2.13-38+deb7u1
ii libfox-1.6-0 1.6.45-1
ii libfreetype6 2.4.9-1.1
ii libgcc1 1:4.7.2-5
ii libpng12-0 1.2.49-1
ii libstdc++6 4.7.2-5
ii libx11-6 2:1.5.0-1+deb7u1
ii libxft2 2.3.1-1
ii xfe-themes 1.32.5-2lv4261
ii zlib1g 1:1.2.7.dfsg-13
Versions of packages xfe recommends:
ii audacious 3.2.4-1
ii xarchiver 1:0.5.2+20090319+dfsg-4.1
ii xfe-i18n 1.32.5-2lv4261
ii xterm 278-4
Versions of packages xfe suggests:
ii rpm 4.10.0-5+deb7u1
pn xine-ui <none>
pn xpdf <none>
-- no debconf information
--- s13/src/FilePanel.cpp 2014-02-18 20:52:09.545258341 +0100
+++ s14/src/FilePanel.cpp 2014-02-18 20:53:42.545235420 +0100
@@ -2759,20 +2759,6 @@
MessageBox::error(this,BOX_OK_SU,_("Error"),"Can't create file %s",filename.text());
return 0;
}
- // Change the file permissions according to the current umask
- FXint mask;
- mask=umask(0);
- umask(mask);
- errno=0;
- FXint rc=chmod(filename.text(), 438 & ~mask);
- FXint errcode=errno;
- if (rc)
- {
- if (errcode)
- MessageBox::error(this,BOX_OK_SU,_("Error"),"Can't set permissions in %s: %s",filename.text(),strerror(errcode));
- else
- MessageBox::error(this,BOX_OK_SU,_("Error"),"Can't set permissions in %s",filename.text());
- }
}
}
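Review bot: the removed `chmod(filename.text(), 438 & ~mask)` was what produced 0666 & ~umask in directories without a default ACL, so with the block gone the resulting mode depends entirely on the creation call above this hunk, which is not visible here. Please confirm that call requests mode 0666 (as touch does); otherwise files in plain directories will end up with a different mode after this patch. A one-line comment where the block was, stating that permissions are deliberately left to the umask and default ACLs, would keep the chmod from being reintroduced.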
--- s13/src/FilePanel.cpp 2014-02-19 10:26:10.660455500 +0100
+++ s14/src/FilePanel.cpp 2014-02-19 10:30:01.064448693 +0100
@@ -2940,20 +2940,6 @@
MessageBox::error(this,BOX_OK_SU,_("Error"),_("Can't create file %s"),filename.text());
return 0;
}
- // Change the file permissions according to the current umask
- int mask;
- mask=umask(0);
- umask(mask);
- errno=0;
- int rc=chmod(filename.text(), 438 & ~mask);
- int errcode=errno;
- if (rc)
- {
- if (errcode)
- MessageBox::error(this,BOX_OK_SU,_("Error"),_("Can't set permissions in %s: %s"),filename.text(),strerror(errcode));
- else
- MessageBox::error(this,BOX_OK_SU,_("Error"),_("Can't set permissions in %s"),filename.text());
- }
}
}
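Review bot: both patches carry the same `s13/src/FilePanel.cpp` and `s14/src/FilePanel.cpp` headers, so only the hunk offset (2940 here, 2759 in the other) tells which one targets 1.37-1; naming the directories after the target version would avoid applying the wrong patch. The removed lines also set the process umask to 0 with `umask(0)` before restoring it with `umask(mask)`, and it is worth a line in the changelog that this window disappears together with the chmod.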
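To illustrate the behaviour the report describes, the following added example (not xfe code and not part of the report) models how Linux derives a new file's mode bits under a default ACL and what the removed `chmod(filename.text(), 438 & ~mask)` then does to them. The sample default ACL, the 0666 creation mode and all function names are assumptions chosen for illustration.

```c
/* Added illustration: a model of Linux POSIX ACL mode handling, not xfe code. */
#include <stdio.h>

/* Default ACL of the parent directory, one rwx triple (0-7) per entry. */
struct default_acl { unsigned user_obj, group_obj, mask, other; int has_mask; };

/* Constructed sample: user::rwx group::r-x mask::r-x other::--- */
static const struct default_acl sample_acl = { 7, 5, 5, 0, 1 };

/* Mode bits of a file created with `mode` under default ACL `d`.
 * The umask is not applied; each class is the creation mode ANDed with
 * the inherited entry (the mask entry stands in for the group class). */
unsigned mode_from_default_acl(const struct default_acl *d, unsigned mode)
{
    unsigned u = d->user_obj & (mode >> 6) & 7;
    unsigned g = (d->has_mask ? d->mask : d->group_obj) & (mode >> 3) & 7;
    unsigned o = d->other & mode & 7;
    return (u << 6) | (g << 3) | o;
}

/* Mode bits after the chmod the patch removes: 438 is 0666, and chmod
 * overwrites the owner, mask/group and other entries with its argument. */
unsigned mode_after_removed_chmod(unsigned mask)
{
    return 438u & ~mask & 0777u;
}

/* Permission bits the chmod grants beyond what the default ACL allowed. */
unsigned bits_widened(const struct default_acl *d, unsigned mode, unsigned mask)
{
    return mode_after_removed_chmod(mask) & ~mode_from_default_acl(d, mode);
}

int main(void)
{
    unsigned mask = 022;   /* default umask named in the report */
    printf("default ACL only : %04o\n", mode_from_default_acl(&sample_acl, 0666));
    printf("after chmod      : %04o\n", mode_after_removed_chmod(mask));
    printf("widened bits     : %04o\n", bits_widened(&sample_acl, 0666, mask));
    return 0;
}
```

With the sample ACL the chmod turns 0640 into 0644, handing read access to "other"; with a umask of 0 the widened bits grow to 0026, which is the worsening the report mentions for a changed umask.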