Bug#289560: marked as done (vim: Race conditions and symlink attacks in vim (tcltags and vimspell))
Debian Bug Tracking System
owner@bugs.debian.org
Sun, 03 Apr 2005 06:03:25 -0700
Your message dated Sun, 03 Apr 2005 08:32:09 -0400
with message-id <E1DI4Gv-00056l-00@newraff.debian.org>
and subject line Bug#289560: fixed in vim 6.1.018-1woody1
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 9 Jan 2005 20:05:29 +0000
>From jfs@dat.etsit.upm.es Sun Jan 09 12:05:29 2005
Return-path: <jfs@dat.etsit.upm.es>
Received: from tornado.dat.etsit.upm.es (dat.etsit.upm.es) [138.100.17.73]
by spohr.debian.org with smtp (Exim 3.35 1 (Debian))
id 1CnjJY-0000xF-00; Sun, 09 Jan 2005 12:05:28 -0800
Received: (qmail 5683 invoked by uid 1013); 9 Jan 2005 20:05:26 -0000
Date: Sun, 9 Jan 2005 21:05:26 +0100
From: Javier =?iso-8859-1?Q?Fern=E1ndez-Sanguino_Pe=F1a?= <jfs@computer.org>
To: submit@bugs.debian.org
Cc: Bram Moolenaar <Bram@vim.org>
Subject: vim: Race conditions and symlink attacks in vim (tcltags and vimspell)
Message-ID: <20050109200526.GA2889@dat.etsit.upm.es>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature"; boundary="2B/JsCI69OhZNC5r"
Content-Disposition: inline
User-Agent: Mutt/1.5.6+20040907i
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-3.0 required=4.0 tests=BAYES_00 autolearn=no
version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:
--2B/JsCI69OhZNC5r
Content-Type: multipart/mixed; boundary="AhhlLboLdkugWU4S"
Content-Disposition: inline
--AhhlLboLdkugWU4S
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
Package: vim
Version: 1:6.3-046+1
Severity: minor
Tags: patch security sid woody sarge
Hi there,
Reviewing vim as part of the security audit the Audit team [1] is
conducting, I've found what I believe are some race conditions and symlink
attacks through temporary files in vim. They appear in two scripts which
are not installed in Debian in binary locations (they are installed under
/usr/share/doc/vim/tools/) but are provided with execute permissions.
That's mainly why I'm opening this bug up in Debian's BTS and not
contacting the security team directly, although the code is present in all
vim releases in Debian.
These appear in:
1.- the tcltags script (runtime/tools/tcltags):
(...)
    tmp_tagfile=/tmp/${program_name}.$$
(...)
    sed -e "/^!_TAG_FILE_SORTED/s/ [01] / $sorted /" \
        -e "/^!_TAG_FILE_FORMAT/s/ 1 / $format /" \
        $tagfile > $tmp_tagfile
2.- the vimspell script (runtime/tools/vimspell.sh):
    OUTFILE=/tmp/vimspell.$$
    # if you have "tempfile", use the following line
    #OUTFILE=`tempfile`
(...)
    spell $SPELL_ARGS $INFILE | sort -u |
    awk '
    {
        printf "syntax match SpellErrors \"\\<%s\\>\"\n", $0 ;
    }

    END {
        printf "highlight link SpellErrors ErrorMsg\n\n" ;
    }
    ' > $OUTFILE
    echo "!rm $OUTFILE" >> $OUTFILE
    echo $OUTFILE
Since these are tools that are run from vim, an attacker can get a
good-enough approximation of the PIDs that will be used in these temporary
files and can conduct a symlink attack if these tools are used.
The attached patch should fix both of these issues. I've taken the
approach implemented in vimtutor, but modified it slightly for vimspell as
the temporary file cannot be removed by the script (vim removes it). When
mktemp and tempfile are not available, there will still be a race condition
in the script. Since most GNU/Linux and UNIX operating systems seem to
have either one I don't think it's a big issue, however.
Best regards
Javier
--AhhlLboLdkugWU4S
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="vim-6.3.diff"
Content-Transfer-Encoding: quoted-printable
diff -Nru vim-6.3.old/vim63/runtime/tools/tcltags vim-6.3/vim63/runtime/too=
ls/tcltags
--- vim-6.3.old/vim63/runtime/tools/tcltags 1999-08-01 14:01:46.000000000 +=
0200
+++ vim-6.3/vim63/runtime/tools/tcltags 2005-01-09 20:41:41.000000000 +0100
@@ -8,7 +8,31 @@
program_version=3D"0.3"
program_author=3D"Darren Hiebert"
author_email=3D"darren@hiebert.com"
-tmp_tagfile=3D/tmp/${program_name}.$$
+tmp=3D"${TMPDIR-/tmp}"
+tmp_tagfile=3D`mktemp -t $tmp/tcltagXXXXXX || tempfile -p tclag || echo no=
ne`
+
+# If the standard commands failed then create a directory to put the copy =
in.
+# That is a secure way to make a temp file.
+if test "$tmp_tagfile" =3D none; then
+ tmpdir=3D$tmp/tcltag$$
+ OLD_UMASK=3D`umask`
+ umask 077
+ getout=3Dno
+ mkdir $tmpdir || getout=3Dyes
+ umask $OLD_UMASK
+ if test $getout =3D yes; then
+ echo "Could not create directory for tcltag, exiting."
+ exit 1
+ fi
+ tmp_tagfile=3D$tmpdir/tcltag
+ touch $tmp_tagfile
+ TODELETE=3D$tmpdir
+else
+ TODELETE=3D$tmp_tagfile
+fi
+# remove the copy of the tcltag file on exit
+trap "rm -rf $TODELETE" 0 1 2 3 9 11 13 15
+
=20
usage=3D"\
Usage: $program_name [-au] [-{f|o} tagfile] [--format=3Dn] file(s)
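Review bot: The `mktemp -t $tmp/tcltagXXXXXX` call mixes two conventions: `-t` already roots the template in the temp directory (`$TMPDIR`, else /tmp), and `$tmp` is `${TMPDIR-/tmp}`, so implementations that take `-t` literally prepend the directory a second time and the call fails, silently falling through to `tempfile`; the vimspell hunk uses the bare `mktemp -t vimspellXXXXXX` form, so pick one form for both scripts (e.g. drop `-t` when passing `$tmp/...`). Two smaller points: `tempfile -p tclag` drops a letter from the `tcltag` prefix used everywhere else, and `9` in `trap "rm -rf $TODELETE" 0 1 2 3 9 11 13 15` has no effect because SIGKILL cannot be caught. The `mkdir $tmpdir` fallback itself is sound: anything already present at that path, symlink or not, makes `mkdir` fail and the script exit rather than write through it.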
@@ -154,6 +178,5 @@
else
cp $tmp_tagfile $tagfile
fi
-rm $tmp_tagfile
=20
exit 0
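Review bot: Dropping the explicit `rm $tmp_tagfile` is correct only because the `trap "rm -rf $TODELETE" 0 1 2 ...` installed in the first hunk now covers this `exit 0` path as well as signals; a one-line comment next to `cp $tmp_tagfile $tagfile` pointing at that trap would stop the next reader from assuming the temporary copy is leaked. The `-rf` is needed because in the fallback branch `$TODELETE` is the private directory, not the file.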
diff -Nru vim-6.3.old/vim63/runtime/tools/vimspell.sh vim-6.3/vim63/runtime=
/tools/vimspell.sh
--- vim-6.3.old/vim63/runtime/tools/vimspell.sh 1999-08-01 14:01:46.0000000=
00 +0200
+++ vim-6.3/vim63/runtime/tools/vimspell.sh 2005-01-09 20:51:18.000000000 +=
0100
@@ -13,9 +13,20 @@
# March 1999
=20
INFILE=3D$1
-OUTFILE=3D/tmp/vimspell.$$
-# if you have "tempfile", use the following line
-#OUTFILE=3D`tempfile`
+tmp=3D"${TMPDIR-/tmp}"
+OUTFILE=3D`mktemp -t vimspellXXXXXX || tempfile -p vimspell || echo none`
+# If the standard commands failed then create the file
+# since we cannot create a directory (we cannot remove it on exit)
+# create a file in the safest way possible.
+if test "$OUTFILE" =3D none; then
+ OUTFILE=3D$tmp/vimspell$$
+ [ -e $OUTFILE ] && { echo "Cannot use temporary file $OUTFILE, it already=
exists!; exit 1 ; }=20
+ (umask 077; touch $OUTFILE)
+fi
+# Note the copy of vimspell cannot be deleted on exit since it is
+# used by vim, otherwise it should do this:
+# trap "rm -f $OUTFILE" 0 1 2 3 9 11 13 15
+
=20
#
# local spellings
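Review bot: The fallback line `[ -e $OUTFILE ] && { echo "Cannot use temporary file $OUTFILE, it already exists!; exit 1 ; }` is missing the closing double quote after `exists!`, so the string swallows `; exit 1 ; }` and leaves the quote unterminated; it should read `... it already exists!"; exit 1; }`. Even once fixed, `[ -e ]` followed by `(umask 077; touch $OUTFILE)` is two steps, which is the residual race the report acknowledges; a single-step alternative that also refuses a pre-planted symlink is `( umask 077; set -C; : > "$OUTFILE" ) || { echo "Cannot create $OUTFILE"; exit 1; }`, since noclobber creates with O_EXCL and fails if anything already exists at that path. The comment explaining why no `trap` is installed (vim deletes the file via the `!rm` line appended later) is helpful and should stay.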
--AhhlLboLdkugWU4S--
--2B/JsCI69OhZNC5r
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFB4Y6Gi4sehJTrj0oRAj6UAJ0aSUf4pjG3D/5O/X62tJ1gtzGX0gCgwNqo
FZIKf6HleDHHBtxzRqs3oW0=
=0KeP
-----END PGP SIGNATURE-----
--2B/JsCI69OhZNC5r--
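The report's approach (mktemp first, an atomically created private directory as fallback, and a check-then-create that stays racy) can be tightened so the fallback is race-free too. This is an added example, not code from the report or from vim; the function names and demo paths are my own, and it assumes a POSIX sh with noclobber and coreutils mktemp.

```shell
#!/bin/sh
# Race-free temporary files for scripts such as vimspell.sh and tcltags.
# Added example; function names and demo paths are assumptions, not vim's code.

# Create $1 as a new regular file, or fail. With noclobber (set -C) the shell
# opens with O_CREAT|O_EXCL, so "does it exist?" and "create it" are one
# syscall: a pre-planted symlink or file at $1 makes the open fail instead of
# being followed or overwritten. umask 077 keeps the file private.
create_exclusive() {
    ( umask 077; set -C; : > "$1" ) 2>/dev/null || return 1
    [ ! -L "$1" ] && [ -f "$1" ]   # paranoia: accept only a fresh regular file
}

# Prefer mktemp (unpredictable name); otherwise use the tcltags strategy of an
# atomically created private directory, with the file inside made via O_EXCL.
# Prints the path. No trap: as in vimspell, the caller (vim) removes the file.
safe_tmpfile() {
    tmp=${TMPDIR:-/tmp}
    if f=$(mktemp "$tmp/$1.XXXXXX" 2>/dev/null); then
        printf '%s\n' "$f"; return 0
    fi
    d="$tmp/$1.$$"                  # predictable, but mkdir fails if anything is there
    ( umask 077; mkdir "$d" ) 2>/dev/null || return 1
    create_exclusive "$d/$1" || return 1
    printf '%s\n' "$d/$1"
}

# Demo: the old OUTFILE=/tmp/vimspell.$$ pattern would write through a symlink
# planted at that guessable name; create_exclusive must refuse it and leave the
# link's target untouched. Returns 0 when the defence holds.
demo_symlink_refused() {
    scratch=$(mktemp -d) || return 2
    target="$scratch/victim"; printf 'keep\n' > "$target"
    guessed="$scratch/vimspell.$$"
    ln -s "$target" "$guessed"      # constructed: link present before the script runs
    rc=0
    create_exclusive "$guessed" && rc=1            # must fail
    [ "$(cat "$target")" = keep ] || rc=1           # target not truncated
    [ -L "$guessed" ] || rc=1                       # link not replaced
    rm -rf "$scratch"
    return $rc
}
```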
---------------------------------------
Received: (at 289560-close) by bugs.debian.org; 3 Apr 2005 12:46:43 +0000
>From katie@ftp-master.debian.org Sun Apr 03 05:46:43 2005
Return-path: <katie@ftp-master.debian.org>
Received: from gluck.debian.org [192.25.206.10]
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1DI4V1-0002Nl-00; Sun, 03 Apr 2005 05:46:43 -0700
Received: from newraff.debian.org [208.185.25.31] (mail)
by gluck.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1DI4V0-0007P4-00; Sun, 03 Apr 2005 06:46:42 -0600
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
id 1DI4Gv-00056l-00; Sun, 03 Apr 2005 08:32:09 -0400
From: Norbert Tretkowski <nobse@debian.org>
To: 289560-close@bugs.debian.org
X-Katie: $Revision: 1.55 $
Subject: Bug#289560: fixed in vim 6.1.018-1woody1
Message-Id: <E1DI4Gv-00056l-00@newraff.debian.org>
Sender: Archive Administrator <katie@ftp-master.debian.org>
Date: Sun, 03 Apr 2005 08:32:09 -0400
Delivered-To: 289560-close@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER
autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:
X-CrossAssassin-Score: 2
Source: vim
Source-Version: 6.1.018-1woody1
We believe that the bug you reported is fixed in the latest version of
vim, which is due to be installed in the Debian FTP archive:
vim-gtk_6.1.018-1woody1_i386.deb
to pool/main/v/vim/vim-gtk_6.1.018-1woody1_i386.deb
vim-perl_6.1.018-1woody1_i386.deb
to pool/main/v/vim/vim-perl_6.1.018-1woody1_i386.deb
vim-python_6.1.018-1woody1_i386.deb
to pool/main/v/vim/vim-python_6.1.018-1woody1_i386.deb
vim-ruby_6.1.018-1woody1_i386.deb
to pool/main/v/vim/vim-ruby_6.1.018-1woody1_i386.deb
vim-tcl_6.1.018-1woody1_i386.deb
to pool/main/v/vim/vim-tcl_6.1.018-1woody1_i386.deb
vim_6.1.018-1woody1.diff.gz
to pool/main/v/vim/vim_6.1.018-1woody1.diff.gz
vim_6.1.018-1woody1.dsc
to pool/main/v/vim/vim_6.1.018-1woody1.dsc
vim_6.1.018-1woody1_i386.deb
to pool/main/v/vim/vim_6.1.018-1woody1_i386.deb
vim_6.1.018.orig.tar.gz
to pool/main/v/vim/vim_6.1.018.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 289560@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Norbert Tretkowski <nobse@debian.org> (supplier of updated vim package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sun, 3 Apr 2005 12:35:25 +0200
Source: vim
Binary: vim-python vim-gtk vim-ruby vim vim-tcl vim-perl
Architecture: source i386
Version: 6.1.018-1woody1
Distribution: stable
Urgency: medium
Maintainer: Debian VIM Maintainers <pkg-vim-maintainers@lists.alioth.debian.org>
Changed-By: Norbert Tretkowski <nobse@debian.org>
Description:
vim - Vi IMproved - enhanced vi editor
vim-gtk - Vi IMproved - GTK version
vim-perl - Vi IMproved, with perl scripting support
vim-python - Vi IMproved, with python scripting support
vim-ruby - Vi IMproved, with ruby scripting support
vim-tcl - Vi IMproved, with tcl scripting support
Closes: 286223 289560 291125
Changes:
vim (6.1.018-1woody1) stable; urgency=medium
.
* CAN-2004-1138: Backported and applied patch 6.3.045 which fixes several
vulnerabilities related to the use of options in modelines.
(closes: #286223)
* CAN-2005-0069: Use mktemp instead of insecure $$ construction to create
temporary files in vimspell.sh and tcltags. (closes: #289560, #291125)
* Set maintainer address to project mailinglist on alioth and added myself to
uploaders.
Files:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
iD8DBQFCT99Cr/RnCw96jQERArr/AJ0WFx40y2sGLzF6eSat3Ta/PS5adgCgik7T
MjjF6BRIAGXVK1fxNnCqtPg=
=ZUIQ
-----END PGP SIGNATURE-----