Your message dated Tue, 05 Apr 2011 13:47:19 +0000
with message-id <e1q76bh-0006l7...@franck.debian.org>
and subject line Bug#612033: fixed in conky 1.8.0-1.1
has caused the Debian Bug report #612033,
regarding vulnerability: rewrite arbitrary user file
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
612033: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=612033
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: conky
Version: 1.8.0-1ubuntu1
Severity: grave
Tags: security
Justification: user security hole
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu natty
This bug report was also filed in Ubuntu and can be found at
http://launchpad.net/bugs/607309
The description, from segooon, follows:
Binary package hint: conky
Hi, I've just discovered that conky is vulnerable to rewriting any user file:
    char *getSkillname(const char *file, int skillid)
    ....
        if (!file_exists(file)) {
            skilltree = getXmlFromAPI(NULL, NULL, NULL, EVEURL_SKILLTREE);
            writeSkilltree(skilltree, file);
            free(skilltree);
        }
getXmlFromAPI() can be executed for a long time (e.g. bad connection), so
between file_exists() and write_file() an attacker can create a link to any user
file named "/tmp/.cesf". The attacker can choose the time when to create the link
by watching for network connections.
Thanks.
-- System Information:
Debian Release: squeeze/sid
APT prefers natty
APT policy: (500, 'natty')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.37-12-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
--- End Message ---
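The race in the report above exists because the existence check and the file creation are two separate steps. As an added example (not part of the original report, conky's source, or the upstream patch), the C code below creates the cache file with O_CREAT|O_EXCL so that a name planted between the two steps is refused rather than followed. The names write_cache_exclusive and demo_planted_symlink are hypothetical, and the scenario is constructed inside a private temporary directory.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper, not conky's code. O_CREAT|O_EXCL makes the existence
 * check and the creation one atomic step: open() fails with EEXIST if any
 * name, including a (dangling) symlink, is already there, and never follows
 * it. Returns 0 on success, -1 with errno set otherwise. */
int write_cache_exclusive(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    size_t len = strlen(data);
    ssize_t n = write(fd, data, len);
    if (n != (ssize_t)len) {            /* error or short write: discard */
        int saved = (n < 0) ? errno : EIO;
        close(fd);
        unlink(path);
        errno = saved;
        return -1;
    }
    return close(fd);
}

/* Constructed scenario: a symlink already occupies the cache name. Returns 1
 * if the write is refused with EEXIST and the link target is unchanged. */
int demo_planted_symlink(void)
{
    char dir[] = "/tmp/toctou-demo-XXXXXX", target[64], cache[64], buf[16];
    if (!mkdtemp(dir)) return 0;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(cache, sizeof cache, "%s/.cesf", dir);
    if (write_cache_exclusive(target, "original") != 0) return 0;
    if (symlink(target, cache) != 0) return 0;
    int rc = write_cache_exclusive(cache, "<skilltree/>");
    int refused = (rc == -1 && errno == EEXIST);
    FILE *f = fopen(target, "r");
    size_t got = f ? fread(buf, 1, sizeof buf - 1, f) : 0;
    buf[got] = '\0';
    if (f) fclose(f);
    unlink(cache); unlink(target); rmdir(dir);
    return refused && strcmp(buf, "original") == 0;
}

int main(void) { return demo_planted_symlink() ? 0 : 1; }
```

A caller that gets EEXIST should treat the existing name as untrusted rather than retry with a plain open(); keeping such cache files out of world-writable directories removes the race entirely.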
--- Begin Message ---
Source: conky
Source-Version: 1.8.0-1.1
We believe that the bug you reported is fixed in the latest version of
conky, which is due to be installed in the Debian FTP archive:
conky-all_1.8.0-1.1_amd64.deb
to contrib/c/conky/conky-all_1.8.0-1.1_amd64.deb
conky-cli_1.8.0-1.1_amd64.deb
to contrib/c/conky/conky-cli_1.8.0-1.1_amd64.deb
conky-std_1.8.0-1.1_amd64.deb
to contrib/c/conky/conky-std_1.8.0-1.1_amd64.deb
conky_1.8.0-1.1.debian.tar.bz2
to contrib/c/conky/conky_1.8.0-1.1.debian.tar.bz2
conky_1.8.0-1.1.dsc
to contrib/c/conky/conky_1.8.0-1.1.dsc
conky_1.8.0-1.1_all.deb
to contrib/c/conky/conky_1.8.0-1.1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 612...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Luca Falavigna <dktrkr...@debian.org> (supplier of updated conky package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
Format: 1.8
Date: Sun, 03 Apr 2011 15:17:39 +0200
Source: conky
Binary: conky conky-std conky-cli conky-all
Architecture: source all amd64
Version: 1.8.0-1.1
Distribution: unstable
Urgency: medium
Maintainer: Cesare Tirabassi <norse...@ubuntu.com>
Changed-By: Luca Falavigna <dktrkr...@debian.org>
Description:
conky - highly configurable system monitor (transitional package)
conky-all - highly configurable system monitor (all features enabled)
conky-cli - highly configurable system monitor (basic version)
conky-std - highly configurable system monitor (default version)
Closes: 612033
Changes:
conky (1.8.0-1.1) unstable; urgency=medium
.
* Non-maintainer upload.
* debian/patches/70b6f35a.patch:
- Cherrypick a patch from upstream to avoid rewriting an arbitrary
user file (Closes: #612033).
--- End Message ---