Date: Wed, 10 Jun 2009 21:23:11 +0200
From: Tomas Hoger <thoger@...hat.com>
To: oss-security@...ts.openwall.com
Cc: krahmer@...e.de
Subject: Re: xfig-3.2.5 diff (CVE-2009-1962)

Hi Sebastian!

On Mon, 8 Jun 2009 12:49:48 +0200 Sebastian Krahmer <krahmer@...e.de>
wrote:

> just in case you need it, our maintainer asked me to forward
> a patch for $SUBJECT which has been fixed in our xfig
> for quite some time.

Looks like the patch you attached does not differ much from what we have
used for some time too, and it seems to have its origin here:

  https://bugzilla.redhat.com/show_bug.cgi?id=67351

And it does not differ much from what Nico previously posted:

  http://thread.gmane.org/gmane.comp.security.oss.general/1609

However, Nico's patch, probably taken from Fedora XFig packages, has
one hunk missing for:

u_print.c:    sprintf(tmp_fig_file, "%s/%s%06d", TMPDIR, "xfig-fig", getpid());

that seems to have been lost during 3.2.4 -> 3.2.5 patch
forward-porting.  This code is reached e.g. when you select File ->
Print -> Print figure to batch.

I've also grepped source for other obvious TMPDIR uses and here's my
list:

d_text.c:  sprintf(preedit_filename, "%s/%s%06d", TMPDIR, "xfig-preedit", getpid());

- This code is #ifdef I18N_USE_PREEDIT, though I do not see
  I18N_USE_PREEDIT defined anywhere.  It does not seem to be used in our
  builds.

f_util.c:     sprintf(tmpfile, "%s%s", TMPDIR, c);
f_util.c:     sprintf(tmpfile, "%s/%s", TMPDIR, plainname);

- This can be triggered if a user tries to open a zipped file in some
  directory where she cannot write (it is used as "gunzip -c >
  tmpfile").  A warning is printed when TMPDIR is used, but it's still
  possible to perform a symlink attack when the victim can be tricked into
  opening some attacker-chosen file.

u_error.c:      if (emergency_save(strcat(TMPDIR,"/SAVE.fig")) == -1)

- This is the emergency auto-save feature, executed when xfig is signaled
  or detects some X error.  The current directory is tried first; TMPDIR
  is the fallback when the current directory fails.

The latter two are not really temp files, so mkstemp may not be the
right fix here.

-- 
Tomas Hoger / Red Hat Security Response Team