Your message dated Wed, 19 Jan 2005 02:17:20 -0500
with message-id <[EMAIL PROTECTED]>
and subject line Bug#289560: fixed in vim 1:6.3-058+1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Date: Sun, 9 Jan 2005 21:05:26 +0100
From: Javier Fernández-Sanguino Peña <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Cc: Bram Moolenaar <[EMAIL PROTECTED]>
Subject: vim: Race conditions and symlink attacks in vim (tcltags and vimspell)
Message-ID: <[EMAIL PROTECTED]>

Package: vim
Version: 1:6.3-046+1
Severity: minor
Tags: patch security sid woody sarge

Hi there,

Reviewing vim as part of the security audit the Audit team [1] is
conducting I've found what I believe are some race conditions and symlink
attacks through temporary files in vim. They appear in two scripts which
are not installed in Debian in binary locations (they are installed under
/usr/share/doc/vim/tools/) but are provided with execute permissions.

That's mainly why I'm opening this bug up in Debian's BTS and not
contacting the security team directly although the code is present in all
vim releases in Debian.

These appear in:

1.- the tcltags script (runtime/tools/tcltags):
    (...)
    11 tmp_tagfile=/tmp/${program_name}.$$
    (...)
    130         sed -e "/^!_TAG_FILE_SORTED/s/  [01]    /       $sorted /" \
    131             -e "/^!_TAG_FILE_FORMAT/s/  1       /       $format /" \
    132             $tagfile > $tmp_tagfile


2.- the vimspell script (runtime/tools/vimspell.sh)

     16 OUTFILE=/tmp/vimspell.$$
     17 # if you have "tempfile", use the following line
     18 #OUTFILE=`tempfile`
(...)
     30 spell $SPELL_ARGS $INFILE | sort -u |
     31 awk '
     32       {
     33         printf "syntax match SpellErrors \"\\<%s\\>\"\n", $0 ;
     34       }
     35
     36 END   {
     37         printf "highlight link SpellErrors ErrorMsg\n\n" ;
     38       }
     39 ' > $OUTFILE
     40 echo "!rm $OUTFILE" >> $OUTFILE
     41 echo $OUTFILE

Since these are tools that are run from vim, an attacker can get a
good-enough approximation of the PIDs that will be used in these temporary
files and can conduct a symlink attack if these tools are used.

The attached patch should fix both of these issues. I've taken the
approach implemented in vimtutor, but modified it slightly for vimspell as
the temporary file cannot be removed by the script (vim removes it). When
mktemp and tempfile are not available, there will still be a race condition
in the script. Since most GNU/Linux and UNIX operating systems seem to
have either one I don't think it's a big issue, however.

Best regards

Javier

[Attachment: vim-6.3.diff (text/plain)]

diff -Nru vim-6.3.old/vim63/runtime/tools/tcltags vim-6.3/vim63/runtime/too=
ls/tcltags
--- vim-6.3.old/vim63/runtime/tools/tcltags     1999-08-01 14:01:46.000000000 +=
0200
+++ vim-6.3/vim63/runtime/tools/tcltags 2005-01-09 20:41:41.000000000 +0100
@@ -8,7 +8,31 @@
 program_version=3D"0.3"
 program_author=3D"Darren Hiebert"
 author_email=3D"[EMAIL PROTECTED]"
-tmp_tagfile=3D/tmp/${program_name}.$$
+tmp=3D"${TMPDIR-/tmp}"
+tmp_tagfile=3D`mktemp -t $tmp/tcltagXXXXXX || tempfile -p tclag || echo no=
ne`
+
+# If the standard commands failed then create a directory to put the copy =
in.
+# That is a secure way to make a temp file.
+if test "$tmp_tagfile" =3D none; then
+        tmpdir=3D$tmp/tcltag$$
+        OLD_UMASK=3D`umask`
+        umask 077
+        getout=3Dno
+        mkdir $tmpdir || getout=3Dyes
+        umask $OLD_UMASK
+        if test $getout =3D yes; then
+                echo "Could not create directory for tcltag, exiting."
+                exit 1
+        fi
+        tmp_tagfile=3D$tmpdir/tcltag
+        touch $tmp_tagfile
+        TODELETE=3D$tmpdir
+else
+        TODELETE=3D$tmp_tagfile
+fi
+# remove the copy of the tcltag file on exit
+trap "rm -rf $TODELETE" 0 1 2 3 9 11 13 15
+
=20
 usage=3D"\
 Usage: $program_name [-au] [-{f|o} tagfile] [--format=3Dn] file(s)
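Review bot: the `mktemp -t $tmp/tcltagXXXXXX` call mixes two conventions. `-t` already places the template under TMPDIR (the vimspell hunk below uses the plain `mktemp -t vimspellXXXXXX` form), so the `$tmp/` prefix is redundant, and GNU mktemp rejects a `-t` template that contains a directory separator, which would push every run onto the tempfile/mkdir fallback without anyone noticing. Suggest `mktemp -t tcltagXXXXXX` for consistency with the other script. Two smaller points: the tempfile prefix `tclag` does not match the `tcltag` name used everywhere else, and signal 9 in the `trap` list is a no-op because SIGKILL cannot be caught, so `0 1 2 3 15` is enough. The mkdir fallback itself is sound: mkdir fails atomically when the name already exists, so a pre-placed symlink is never followed, and `umask 077` keeps the directory private.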
@@ -154,6 +178,5 @@
 else
     cp $tmp_tagfile $tagfile
 fi
-rm $tmp_tagfile
=20
 exit 0
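Review bot: dropping `rm $tmp_tagfile` here is correct only because the exit trap added in the first hunk now removes `$TODELETE` (either the file or the whole fallback directory); a one-line comment at this point, e.g. `# tmp_tagfile is removed by the trap set above`, would save the next reader from concluding that the temporary file is leaked on the normal exit path.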
diff -Nru vim-6.3.old/vim63/runtime/tools/vimspell.sh vim-6.3/vim63/runtime=
/tools/vimspell.sh
--- vim-6.3.old/vim63/runtime/tools/vimspell.sh 1999-08-01 14:01:46.0000000=
00 +0200
+++ vim-6.3/vim63/runtime/tools/vimspell.sh     2005-01-09 20:51:18.000000000 +=
0100
@@ -13,9 +13,20 @@
 # March 1999
=20
 INFILE=3D$1
-OUTFILE=3D/tmp/vimspell.$$
-# if you have "tempfile", use the following line
-#OUTFILE=3D`tempfile`
+tmp=3D"${TMPDIR-/tmp}"
+OUTFILE=3D`mktemp -t vimspellXXXXXX || tempfile -p vimspell || echo none`
+# If the standard commands failed then create the file
+# since we cannot create a directory (we cannot remove it on exit)
+# create a file in the safest way possible.
+if test "$OUTFILE" =3D none; then
+        OUTFILE=3D$tmp/vimspell$$
+       [ -e $OUTFILE ] && { echo "Cannot use temporary file $OUTFILE, it 
already=
 exists!; exit 1 ; }=20
+        (umask 077; touch $OUTFILE)
+fi
+# Note the copy of vimspell cannot be deleted on exit since it is
+# used by vim, otherwise it should do this:
+# trap "rm -f $OUTFILE" 0 1 2 3 9 11 13 15
+
=20
 #
 # local spellings
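Review bot: the fallback line `[ -e $OUTFILE ] && { echo "Cannot use temporary file $OUTFILE, it already exists!; exit 1 ; }` has an unbalanced double quote (nothing closes the string after `exists!`), so the script fails to parse whenever the fallback branch is reached; it should read `... it already exists!"; exit 1; }`. That branch also keeps the predictable `$tmp/vimspell$$` name and a test-then-create window between `[ -e ]` and `touch`, which the cover note acknowledges; `(umask 077; set -C; : > $OUTFILE)` would at least refuse an existing regular file instead of racing against it. The line is also indented with 7 spaces where the surrounding lines use 8.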

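A worked version of the approach the patch above takes, written as an added example for this page (it is not code from vim, from the patch, or from Debian): a POSIX sh function that creates a private temporary file with mktemp, falls back to tempfile, and otherwise to the mkdir-based fallback the patch uses, together with a check a reviewer can run to confirm that the result is a regular 0600 file owned by the caller rather than a followed symlink. It goes slightly beyond the patch in that the fallback is also used when neither tool exists, the case the cover note leaves racy. The variable names TMPFILE and TODELETE mirror the patch; the function names are my own, and the check assumes a find(1) that supports -user and -perm.

```shell
#!/bin/sh
# Added example (not vim's or the patch's code): secure temporary-file creation
# in the style of the patch, plus a check that the result is really private.
# make_tempfile PREFIX sets TMPFILE (the file to use) and TODELETE (what an
# exit trap should remove); the names mirror the patch, the functions are mine.

# Directory for temporaries, honouring TMPDIR like the patch's $tmp.
tmpdir_base() { printf '%s\n' "${TMPDIR:-/tmp}"; }

# Preferred path: mktemp or tempfile create the file atomically (O_EXCL) with
# mode 0600, so a symlink pre-placed at the name cannot be followed.
make_tempfile() {
    prefix=$1
    base=$(tmpdir_base)
    if TMPFILE=$(mktemp "$base/$prefix.XXXXXX" 2>/dev/null) ||
       TMPFILE=$(tempfile -p "$prefix" 2>/dev/null); then
        TODELETE=$TMPFILE
        return 0
    fi
    fallback_tempfile "$prefix"
}

# Fallback when neither tool exists: the name is still predictable ($$),
# but mkdir is atomic and fails if anything already sits at that name, so a
# pre-placed symlink or directory only makes us move on to the next candidate.
fallback_tempfile() {
    prefix=$1
    base=$(tmpdir_base)
    i=0
    while [ "$i" -lt 100 ]; do
        d="$base/$prefix.$$.$i"
        if (umask 077 && mkdir "$d") 2>/dev/null; then
            TMPFILE="$d/$prefix"
            # The directory is mode 0700 and ours alone, so creating inside it
            # is safe; noclobber (set -C) additionally refuses an existing name.
            if (umask 077 && set -C && : > "$TMPFILE") 2>/dev/null; then
                TODELETE=$d
                return 0
            fi
            rmdir "$d"
            return 1
        fi
        i=$((i + 1))
    done
    return 1
}

# check_tempfile PATH: true only if PATH is a regular file (find does not
# follow symlinks, so a symlink is reported as type l and fails -type f),
# owned by the caller, with mode exactly 0600. This is the property a
# symlink attack on a predictable /tmp name destroys.
check_tempfile() {
    [ -n "$(find "$1" -prune -type f -user "$(id -un)" -perm 600 2>/dev/null)" ]
}

# Stand-alone demonstration: create, verify, and clean up on exit or signal.
# Signal 9 is deliberately absent from the trap list; SIGKILL cannot be caught.
if make_tempfile vimspell; then
    trap 'rm -rf "$TODELETE"' 0 1 2 3 15
    if check_tempfile "$TMPFILE"; then
        echo "ok: $TMPFILE is a private regular file"
    else
        echo "refusing to use $TMPFILE" >&2
    fi
fi
```

Because `make_tempfile` sets variables instead of printing a path, it must be called directly rather than inside `$(...)`, otherwise TODELETE is lost in the subshell and the trap removes nothing; that is the same reason the patch keeps TODELETE as a plain variable.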

---------------------------------------
From: Norbert Tretkowski <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.55 $
Subject: Bug#289560: fixed in vim 1:6.3-058+1
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Wed, 19 Jan 2005 02:17:20 -0500

Source: vim
Source-Version: 1:6.3-058+1

We believe that the bug you reported is fixed in the latest version of
vim, which is due to be installed in the Debian FTP archive:

kvim-perl_6.3-058+1_alpha.deb
  to pool/main/v/vim/kvim-perl_6.3-058+1_alpha.deb
kvim-python_6.3-058+1_alpha.deb
  to pool/main/v/vim/kvim-python_6.3-058+1_alpha.deb
kvim-ruby_6.3-058+1_alpha.deb
  to pool/main/v/vim/kvim-ruby_6.3-058+1_alpha.deb
kvim-tcl_6.3-058+1_alpha.deb
  to pool/main/v/vim/kvim-tcl_6.3-058+1_alpha.deb
kvim_6.3-058+1_alpha.deb
  to pool/main/v/vim/kvim_6.3-058+1_alpha.deb
vim-common_6.3-058+1_all.deb
  to pool/main/v/vim/vim-common_6.3-058+1_all.deb
vim-doc_6.3-058+1_all.deb
  to pool/main/v/vim/vim-doc_6.3-058+1_all.deb
vim-gnome_6.3-058+1_alpha.deb
  to pool/main/v/vim/vim-gnome_6.3-058+1_alpha.deb
vim-gtk_6.3-058+1_alpha.deb
  to pool/main/v/vim/vim-gtk_6.3-058+1_alpha.deb
vim-lesstif_6.3-058+1_alpha.deb
  to pool/main/v/vim/vim-lesstif_6.3-058+1_alpha.deb
vim-perl_6.3-058+1_alpha.deb
  to pool/main/v/vim/vim-perl_6.3-058+1_alpha.deb
vim-python_6.3-058+1_alpha.deb
  to pool/main/v/vim/vim-python_6.3-058+1_alpha.deb
vim-ruby_6.3-058+1_alpha.deb
  to pool/main/v/vim/vim-ruby_6.3-058+1_alpha.deb
vim-tcl_6.3-058+1_alpha.deb
  to pool/main/v/vim/vim-tcl_6.3-058+1_alpha.deb
vim_6.3-058+1.diff.gz
  to pool/main/v/vim/vim_6.3-058+1.diff.gz
vim_6.3-058+1.dsc
  to pool/main/v/vim/vim_6.3-058+1.dsc
vim_6.3-058+1_alpha.deb
  to pool/main/v/vim/vim_6.3-058+1_alpha.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Norbert Tretkowski <[EMAIL PROTECTED]> (supplier of updated vim package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 18 Jan 2005 20:12:25 +0100
Source: vim
Binary: vim-lesstif vim-common vim-doc vim-gnome kvim-ruby vim vim-gtk kvim-perl vim-perl kvim-tcl vim-tiny vim-ruby vim-python vim-tcl kvim-python kvim
Architecture: source alpha all
Version: 1:6.3-058+1
Distribution: unstable
Urgency: high
Maintainer: Norbert Tretkowski <[EMAIL PROTECTED]>
Changed-By: Norbert Tretkowski <[EMAIL PROTECTED]>
Description: 
 kvim       - Vi IMproved - KDE 3.x version
 kvim-perl  - Vi IMproved - KDE 3.x version with Perl scripting support
 kvim-python - Vi IMproved - KDE 3.x version with Python scripting support
 kvim-ruby  - Vi IMproved - KDE 3.x version with Ruby scripting support
 kvim-tcl   - Vi IMproved - KDE 3.x version with TCL scripting support
 vim        - Vi IMproved - enhanced vi editor
 vim-common - Vi IMproved - Common files
 vim-doc    - Vi IMproved - Documentation files
 vim-gnome  - Vi IMproved - GNOME2 Version
 vim-gtk    - Vi IMproved - GTK2 Version
 vim-lesstif - Vi IMproved - LessTif Version
 vim-perl   - Vi IMproved, with perl scripting support
 vim-python - Vi IMproved, with python scripting support
 vim-ruby   - Vi IMproved, with ruby scripting support
 vim-tcl    - Vi IMproved, with tcl scripting support
Closes: 289560
Changes: 
 vim (1:6.3-058+1) unstable; urgency=high
 .
   * new upstream patches (055 to 058), see README.gz for details
   * added a new patch (stolen from Ubuntu) which modifies vimspell.sh and
     tcltags.sh so they use mktemp instead of insecure $$ construction to
     create temporary files (CAN-2005-0069) (closes: #289560)
Files: 
 40905ece508f1000b53e1cb0b1a0b679 1114 editors optional vim_6.3-058+1.dsc
 2a764ada0d4dd2892216d998ee424257 459960 editors optional vim_6.3-058+1.diff.gz
 3be4f39ae87c85af51774b43842f852a 1599902 editors optional vim-doc_6.3-058+1_all.deb
 aa8f4256bcea255a870d42f41095f54f 3422002 editors extra vim-common_6.3-058+1_all.deb
 f98fcfb0ac9f26668d2b9c50c8b8b431 899984 editors optional vim_6.3-058+1_alpha.deb
 57c868841b4003df54d6f987c4bbdac4 1071112 editors extra kvim-perl_6.3-058+1_alpha.deb
 05337f051d46820de859772559c78139 958048 editors extra vim-perl_6.3-058+1_alpha.deb
 de1bd16ca6ec536da4957e12101a2970 1065922 editors extra kvim-python_6.3-058+1_alpha.deb
 104772252250acd9e35eb16e1b46e395 952474 editors extra vim-python_6.3-058+1_alpha.deb
 f035d0ca05939a17677acfa333e48fb4 1059382 editors extra kvim-ruby_6.3-058+1_alpha.deb
 f4d69d869fda4e6fd655b9d4229fd792 947204 editors extra vim-ruby_6.3-058+1_alpha.deb
 7ab3e529cbd43991d48c8dda291116a8 1023598 editors extra kvim-tcl_6.3-058+1_alpha.deb
 5dc0fafa0034556186a396c14a99274a 952276 editors extra vim-tcl_6.3-058+1_alpha.deb
 bc9d36d4e37c120fa30b37ef5f6a66ba 941254 editors extra vim-gtk_6.3-058+1_alpha.deb
 f32726f0b47e5c361b2aa21f16f2e118 881260 editors extra vim-lesstif_6.3-058+1_alpha.deb
 d0c6f0b0576fc1861f5f8cc92e63bd19 944624 editors extra vim-gnome_6.3-058+1_alpha.deb
 c6c1d71c24df7a1aeea026905a3e09d5 1013734 editors extra kvim_6.3-058+1_alpha.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFB7gZvr/RnCw96jQERAhWYAJ9UkUmPjUQDlvNVCfJSKDP03U7JxQCgoqhG
mJk6cJVq2LlVKW2RgSZ/NrM=
=djsk
-----END PGP SIGNATURE-----

