Unsafe temporary file creation

Bug #678665 reported by Bruno Postle
Affects: Hugin
Status: Fix Released
Importance: Critical
Assigned to: Unassigned

Bug Description

Pasted from the redhat bugzilla:

Hugin was reported to create temporary / debug files in an unsafe manner. During the optimizer run, it creates a debug output file with a pre-defined name: /tmp/hugin_debug_optim_results.txt . If the file was already created by another user, hugin gives an error message.

This problem can be abused by a malicious local user to perform a symlink attack against the user running hugin, which will result in the overwrite of an arbitrary file writable by the user running hugin with panorama optimizer output.

There does not seem to be any upstream patch at the moment. An updated package was released for openSuSE, which resolves this problem by disabling creation of the debug file.

https://bugzilla.redhat.com/show_bug.cgi?id=332401
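
The failure mode described in the report, next to two hardened ways of creating the file, as an added example that is not Hugin's code and not part of the original report. All function names, the scratch directory and the file names are hypothetical and constructed for the demonstration; it assumes a POSIX system with a writable /tmp.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Reported pattern: fixed name; fopen("w") follows a symlink and truncates its target. */
int write_fixed_name(const char *path, const char *msg) {
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs(msg, f);
    return fclose(f);
}

static int put(int fd, const char *msg) {            /* write msg, then close fd */
    if (fd < 0) return -1;
    ssize_t n = write(fd, msg, strlen(msg));
    return (close(fd) == 0 && n == (ssize_t)strlen(msg)) ? 0 : -1;
}
/* Fixed name, hardened: O_EXCL fails with EEXIST if anything, even a symlink, is at path. */
int write_exclusive(const char *path, const char *msg) {
    return put(open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600), msg);
}
/* Preferred: mkstemp() replaces the trailing XXXXXX and creates the file O_EXCL, mode 0600. */
int write_mkstemp(char *tmpl, const char *msg) {
    return put(mkstemp(tmpl), msg);
}

/* Constructed scenario in a private scratch directory: a symlink already occupies
   the log name. Returns 1 if the symlink's target is left untouched, 0 if not. */
int target_survives(int (*writer)(const char *, const char *)) {
    char dir[] = "/tmp/tmpfile_demo_XXXXXX", target[64], link_path[64], buf[8] = {0};
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/target.txt", dir);
    snprintf(link_path, sizeof link_path, "%s/debug_results.txt", dir);
    if (write_exclusive(target, "keep") != 0 || symlink(target, link_path) != 0) return -1;
    (void)writer(link_path, "optimizer output");
    FILE *f = fopen(target, "r");
    size_t n = f ? fread(buf, 1, sizeof buf - 1, f) : 0;
    if (f) fclose(f);
    unlink(link_path); unlink(target); rmdir(dir);
    return n == 4 && memcmp(buf, "keep", 4) == 0;
}

int main(void) {
    printf("fopen(\"w\") leaves target intact: %d\n", target_survives(write_fixed_name));
    printf("O_EXCL leaves target intact:     %d\n", target_survives(write_exclusive));
    return 0;
}
```

A caller of write_mkstemp() has to remember the rewritten template and unlink the file when it is no longer needed.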

Bruno Postle (brunopostle) wrote :

Logged In: YES
user_id=35360
Originator: YES

It has a very official looking CVE 'sponsored by the Department of Homeland Security':

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5200

Pablo d'Angelo (pablo.dangelo) wrote :

Logged In: YES
user_id=30308
Originator: NO

Fixed in SVN. The Ippei branch does not have this problem.

However, there is another place with a similar problem: the project filenames of the autopano call are also very predictable.
This is also fixed in the ippei branch/new trunk.
Do we need to release a new 0.6.1 version?

Here is the patch for the other remaining issue:

--- AutoCtrlPointCreator.cpp_orig 2007-10-24 14:41:16.000000000 +0200
+++ AutoCtrlPointCreator.cpp 2007-10-24 14:44:07.000000000 +0200
@@ -225,7 +225,7 @@
        }
 #endif

- wxString ptofile(wxT("autopano_result_tempfile.pto"));
+ wxString ptofile = wxFileName::CreateTempFileName(wxT("ap_res"));
     autopanoArgs.Replace(wxT("%o"), ptofile);
     wxString tmp;
     tmp.Printf(wxT("%d"), nFeatures);
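
Review bot: The new ptofile assignment passes the result of wxFileName::CreateTempFileName straight into autopanoArgs.Replace(wxT("%o"), ptofile) without checking it. That call returns an empty string when the temporary file cannot be created, in which case %o is replaced with nothing and the external command runs without an output path. Suggest testing ptofile.IsEmpty() right after the call and aborting with an error message. Separately, the removed name ended in .pto and the replacement has no extension, so it is worth confirming that nothing that reads the result depends on the suffix.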
@@ -415,7 +415,7 @@
         imgNr++;
     }

- wxString ptofile(wxT("autopano_result_tempfile"));
+ wxString ptofile = wxFileName::CreateTempFileName(wxT("ap_res"));
     autopanoArgs.Replace(wxT("%o"), ptofile);
     wxString tmp;
     tmp.Printf(wxT("%d"), nFeatures);
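
Review bot: The name removed in this hunk had no .pto suffix while the one removed in the first hunk did, which suggests the program that receives %o here may append its own extension. If it does, it will write to ptofile plus that suffix, a path CreateTempFileName did not create, and the exclusively created file stays empty while the real output still lands on a name nobody reserved. Suggest confirming which path the tool actually writes to, and removing the created temporary file (for example with wxRemoveFile) once the result has been read, since no cleanup is visible in these lines.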

Bruno Postle (brunopostle) wrote :

Logged In: YES
user_id=35360
Originator: YES

I noticed that you created a 'stable' branch; we could bump this to 0.6.2 and do a tarball release, or just post the patch for packagers and say that this will be fixed in the 0.7 release.

rpm/deb packagers can easily add the patch to existing 0.6.1 releases; in fact this simplifies the QA somewhat.
File Added: hugin-0.6.1-CVE-2007-5200.patch

Bruno Postle (brunopostle) wrote :

The file hugin-0.6.1-CVE-2007-5200.patch was added: Patch to fix CVE-2007-5200

Pablo d'Angelo (pablo.dangelo) wrote :

Logged In: YES
user_id=30308
Originator: NO

Patch for all known temporary file problems reported to CVE; distributors will likely include this patch.
Also fixed in current SVN.
