Package: apt
Version: 0.8.7
Severity: serious
Tags: security patch

Hi!
I've found an instance of insecure temporary filenames handling. The problem is that the code correctly creates a temporary directory, but then uses that name as just a prefix for the created changelog filename, thus creating it alongside the temporary directory (instead of inside of it), and making it very much predictable. This is worsened due to the time it takes apt-get to download the changelog from the net, which gives a very huge window to use that pathname.

Attached a patch fixing this. This affects all versions starting from the one in squeeze.

I'm not sure if this deserves a CVE or perhaps a lower severity?

Thanks,
Guillem
From 9df147f44d1a9f1fb245ae085b105ed271170ce8 Mon Sep 17 00:00:00 2001 From: Guillem Jover <guil...@debian.org> Date: Thu, 2 Oct 2014 17:48:13 +0200 Subject: [PATCH] apt-get: Create the temporary downloaded changelog inside tmpdir The code is creating a secure temporary directory, but then creates the changelog alongside the tmpdir in the same base directory. This defeats the secure tmpdir creation, making the filename predictable. Inject a '/' between the tmpdir and the changelog filename. --- cmdline/apt-get.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmdline/apt-get.cc b/cmdline/apt-get.cc index 2e283da..cfa7933 100644 --- a/cmdline/apt-get.cc +++ b/cmdline/apt-get.cc @@ -1563,7 +1563,7 @@ static bool DoChangelog(CommandLine &CmdL) { string changelogfile; if (downOnly == false) - changelogfile.append(tmpname).append("changelog"); + changelogfile.append(tmpname).append("/changelog"); else changelogfile.append(Ver.ParentPkg().Name()).append(".changelog"); if (DownloadChangelog(Cache, Fetcher, Ver, changelogfile) && downOnly == false) -- 2.1.1.391.g7a54a76
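Review bot: The `+` line is the right fix: `changelogfile.append(tmpname).append("/changelog")` places the file under the directory that mkdtemp created instead of beside it under a predictable name, and the `downOnly == true` branch (`<pkg>.changelog` in the working directory) is correctly left alone. Worth checking in review, since it is outside this hunk, is the cleanup code after the download: previously the file lived next to the tmpdir, so any path that removed only the directory now has a non-empty directory to deal with, and the file should be unlinked before the rmdir. The commit message could also carry the bug number this closes.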
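As an added example (not apt's code nor the patch above), a small C++ program showing why the missing separator matters and how the changelog can be created safely inside a mkdtemp directory. The template path, the helper names and the O_EXCL|O_NOFOLLOW open are assumptions for this illustration.

```cpp
#include <cstdlib>
#include <fcntl.h>
#include <string>
#include <sys/stat.h>
#include <unistd.h>

// Hypothetical helper: build the changelog path from the tmpdir name.
// inside=false reproduces the bug: tmpdir becomes a bare prefix, so the
// file is created next to the directory with a predictable name.
std::string ChangelogPath(const std::string &tmpdir, bool inside) {
    return tmpdir + (inside ? "/changelog" : "changelog");
}

// Parent directory of a path (everything before the last '/').
std::string ParentDir(const std::string &path) {
    std::string::size_type pos = path.rfind('/');
    return pos == std::string::npos ? "." : path.substr(0, pos);
}

// Create a fresh 0700 directory with an unpredictable name (mkdtemp),
// then create the changelog inside it. O_EXCL makes a pre-existing file
// fail the open instead of being reused; O_NOFOLLOW refuses a symlink.
// Returns true if the file was created inside the directory. Cleans up.
bool CreateChangelogInTmpdir() {
    char tmpl[] = "/tmp/apt-changelog-XXXXXX";  // constructed template
    char *dir = mkdtemp(tmpl);
    if (dir == NULL) return false;
    std::string tmpdir(dir);
    std::string file = ChangelogPath(tmpdir, true);
    int fd = open(file.c_str(), O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    bool ok = false;
    if (fd >= 0) {
        close(fd);
        struct stat st;
        ok = stat(file.c_str(), &st) == 0 && S_ISREG(st.st_mode) &&
             ParentDir(file) == tmpdir;
        unlink(file.c_str());
    }
    rmdir(tmpdir.c_str());
    return ok;
}

int main() {
    // The buggy form shares its parent with the tmpdir, i.e. lives in /tmp.
    std::string buggy = ChangelogPath("/tmp/apt-changelog-AbC123", false);
    return (ParentDir(buggy) == "/tmp" && CreateChangelogInTmpdir()) ? 0 : 1;
}
```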