oss-sec mailing list archives
CVE request: xcfa: Insecure use of temporary files, subject to race conditions
From: Salvatore Bonaccorso <carnil () debian org>
Date: Fri, 1 Aug 2014 16:13:46 +0200
Hi Steve Kemp discovered several problems in xcfa, a tool to extract audio CDs and convert files to various formats related to insecure use of temporary files possibly allowing arbitrary code execution. I'm full-quoting his findings from the Debian BTS: https://bugs.debian.org/756600
xcfa contains several insecure uses of temporary files. For example the file src/get_info.c has code to test that curl is present, in the function GetInfo_wget which essentially runs: wget --user-agent=\"Mozilla 22.0\" --directory-prefix=/tmp/ http://google.fr/ .. if [ -e /tmp/index.html ]; then rm /tmp/index.html fi This is probably safe, because wget will not follow symlinks, and will instead create "index.html.1" - but any existing file called /tmp/index.html will be removed regardless. More serious issues exist throughout the codebase. For example the code in dvdread_create_recap_audio, located in src/dvd_read.c contains this lovely function: // Suppression du fichier precedant si il existe g_unlink ("/tmp/get_infos_dvd.sh"); g_unlink ("/tmp/infos_dvd.txt"); fp = fopen ("/tmp/get_infos_dvd.sh", "w"); fprintf (fp, "#!/bin/sh\n"); fprintf (fp, "\n"); fprintf (fp, "set -e\n"); fprintf (fp, "\n"); .. .. system ("chmod +x /tmp/get_infos_dvd.sh"); system ("/tmp/get_infos_dvd.sh"); g_unlink ("/tmp/get_infos_dvd.sh"); Similarly the code which copies files to the trashbin, located in src/file_trash.c, has some nice code which runs: system ("env | grep \"KDE_FULL_SESSION\" > /tmp/tst_kde_full_session.txt"); if ((fp = fopen ("/tmp/tst_kde_full_session.txt", "r")) != NULL) { while (fgets (buf, MAX_CARS_KDE, fp) != NULL) { if (strcmp (buf, "KDE_FULL_SESSION") == 0) { if (strcmp (buf, "true") == 0 || strcmp (buf, "TRUE") == 0) { BoolRet = TRUE; break; } } } fclose (fp); } g_unlink ("/tmp/tst_kde_full_session.txt"); In short this codebase is rife with race-conditions allowing arbitrary shell executation, via /tmp/get_infos_dvd.sh, and file truncation/deletion. I'd strongly urge the maintainer to audit the codebase for additional issues, with the help of upstream.
Would one CVE suffice? Could you allocate a CVE for these issues in xcfa? Regards, Salvatore
Current thread:
- CVE request: xcfa: Insecure use of temporary files, subject to race conditions Salvatore Bonaccorso (Aug 01)