Insecure temporary file creation in

Bug #793502 reported by Emanuel Bronshtein
This bug affects 2 people
Affects Status Importance Assigned to Milestone
Ubuntu One Client
Fix Released
ubuntuone-client (Ubuntu)
Fix Released

Bug Description

Binary package hint: python-ubuntuone-client

ubuntuone-client/ubuntuone/syncdaemon/fsm/ create temporary file with fixed name "graph.debug" under /tmp .

test case :
emanuel@emanuel-desktop:~$ export PYTHONPATH=/usr/share/xdot/
emanuel@emanuel-desktop:~$ python /usr/share/pyshared/ubuntuone-client/ubuntuone/syncdaemon/fsm/ /usr/share/pyshared/ubuntuone-client/ubuntuone/syncdaemon/
Parsing file... (Mon Jun 6 15:32:14 2011)
Building graph... (Mon Jun 6 15:32:16 2011)
Drawing... (Mon Jun 6 15:32:16 2011)
emanuel@emanuel-desktop:~$ ls -laF /tmp/graph.debug
-rw-r--r-- 1 emanuel emanuel 13587 2011-06-06 15:32 /tmp/graph.debug

the bug can be found at :
    dotcode = graph_base % "\n".join(graph_lines)
    if debug:
        a = open("/tmp/graph.debug", "w")

fix : use mkstemp alike functionality.

Related branches

Steve Beattie (sbeattie)
security vulnerability: no → yes
dobey (dobey)
Changed in ubuntuone-client:
assignee: nobody → Rodney Dawes (dobey)
importance: Undecided → Medium
status: New → In Progress
Changed in ubuntuone-client:
status: In Progress → Fix Committed
dobey (dobey)
Changed in ubuntuone-client:
milestone: none → 1.7.1
Changed in ubuntuone-client (Ubuntu):
importance: Undecided → Medium
milestone: none → oneiric-alpha-3
status: New → In Progress
Revision history for this message
Kees Cook (kees) wrote :

While good to fix this, I should point out that Maverick and later are not vulnerable to symlink attacks in /tmp.

Changed in ubuntuone-client (Ubuntu):
milestone: oneiric-alpha-3 → ubuntu-11.10-beta-1
dobey (dobey)
Changed in ubuntuone-client:
status: Fix Committed → Fix Released
Changed in ubuntuone-client (Ubuntu):
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.