Bug#289560: marked as done (vim: Race conditions and symlink attacks in vim (tcltags and vimspell))

Debian Bug Tracking System owner@bugs.debian.org
Sun, 03 Apr 2005 06:03:25 -0700


Your message dated Sun, 03 Apr 2005 08:32:09 -0400
with message-id <E1DI4Gv-00056l-00@newraff.debian.org>
and subject line Bug#289560: fixed in vim 6.1.018-1woody1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Date: Sun, 9 Jan 2005 21:05:26 +0100
From: Javier Fernández-Sanguino Peña <jfs@computer.org>
To: submit@bugs.debian.org
Cc: Bram Moolenaar <Bram@vim.org>
Subject: vim: Race conditions and symlink attacks in vim (tcltags and vimspell)
Message-ID: <20050109200526.GA2889@dat.etsit.upm.es>

Package: vim
Version: 1:6.3-046+1
Severity: minor
Tags: patch security sid woody sarge

Hi there,

Reviewing vim as part of the security audit the Audit team [1] is
conducting, I've found what I believe are some race conditions and symlink
attacks through temporary files in vim. They appear in two scripts which
are not installed in Debian in binary locations (they are installed under
/usr/share/doc/vim/tools/) but are provided with execute permissions.

That's mainly why I'm opening this bug up in Debian's BTS and not
contacting the security team directly, although the code is present in all
vim releases in Debian.

These appear in:

1.- the tcltags script (runtime/tools/tcltags):
    (...)
    11 tmp_tagfile=/tmp/${program_name}.$$
    (...)
    130         sed -e "/^!_TAG_FILE_SORTED/s/  [01]    /       $sorted /" \
    131             -e "/^!_TAG_FILE_FORMAT/s/  1       /       $format /" \
    132             $tagfile > $tmp_tagfile


2.- the vimspell script (runtime/tools/vimspell.sh):

     16 OUTFILE=/tmp/vimspell.$$
     17 # if you have "tempfile", use the following line
     18 #OUTFILE=`tempfile`
(...)
     30 spell $SPELL_ARGS $INFILE | sort -u |
     31 awk '
     32       {
     33         printf "syntax match SpellErrors \"\\<%s\\>\"\n", $0 ;
     34       }
     35
     36 END   {
     37         printf "highlight link SpellErrors ErrorMsg\n\n" ;
     38       }
     39 ' > $OUTFILE
     40 echo "!rm $OUTFILE" >> $OUTFILE
     41 echo $OUTFILE

Since these are tools that are run from vim, an attacker can get a
good-enough approximation of the PIDs that will be used in these temporary
files and can conduct a symlink attack if these tools are used.

The attached patch should fix both of these issues. I've taken the
approach implemented in vimtutor, but modified it slightly for vimspell as
the temporary file cannot be removed by the script (vim removes it). When
mktemp and tempfile are not available, there will still be a race condition
in the script. Since most GNU/Linux and UNIX operating systems seem to
have either one I don't think it's a big issue, however.

Best regards

Javier

Attachment: vim-6.3.diff

diff -Nru vim-6.3.old/vim63/runtime/tools/tcltags vim-6.3/vim63/runtime/too=
ls/tcltags
--- vim-6.3.old/vim63/runtime/tools/tcltags	1999-08-01 14:01:46.000000000 +=
0200
+++ vim-6.3/vim63/runtime/tools/tcltags	2005-01-09 20:41:41.000000000 +0100
@@ -8,7 +8,31 @@
 program_version=3D"0.3"
 program_author=3D"Darren Hiebert"
 author_email=3D"darren@hiebert.com"
-tmp_tagfile=3D/tmp/${program_name}.$$
+tmp=3D"${TMPDIR-/tmp}"
+tmp_tagfile=3D`mktemp -t $tmp/tcltagXXXXXX || tempfile -p tclag || echo no=
ne`
+
+# If the standard commands failed then create a directory to put the copy =
in.
+# That is a secure way to make a temp file.
+if test "$tmp_tagfile" =3D none; then
+        tmpdir=3D$tmp/tcltag$$
+        OLD_UMASK=3D`umask`
+        umask 077
+        getout=3Dno
+        mkdir $tmpdir || getout=3Dyes
+        umask $OLD_UMASK
+        if test $getout =3D yes; then
+                echo "Could not create directory for tcltag, exiting."
+                exit 1
+        fi
+        tmp_tagfile=3D$tmpdir/tcltag
+        touch $tmp_tagfile
+        TODELETE=3D$tmpdir
+else
+        TODELETE=3D$tmp_tagfile
+fi
+# remove the copy of the tcltag file on exit
+trap "rm -rf $TODELETE" 0 1 2 3 9 11 13 15
+
=20
 usage=3D"\
 Usage: $program_name [-au] [-{f|o} tagfile] [--format=3Dn] file(s)
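Review bot: the new `tmp_tagfile=` line passes `-t` and also prepends `$tmp/` to the template; `mktemp -t` already roots the name in TMPDIR, and the GNU and OpenBSD implementations reject a template containing a directory separator under `-t`, so on those systems this call always falls through to `tempfile`. The vimspell hunk of the same patch uses `mktemp -t vimspellXXXXXX`, which is the form that works; use the same shape here (`mktemp -t tcltagXXXXXX`). Two smaller points: `tempfile -p tclag` reads like a typo for `tcltag`, and signal 9 in the `trap` list can never be caught, so it is dead weight. The `mkdir` fallback itself is sound, since mkdir fails on any existing name, symlink included, and the trap on 0 removes the whole directory.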
@@ -154,6 +178,5 @@
 else
     cp $tmp_tagfile $tagfile
 fi
-rm $tmp_tagfile
=20
 exit 0
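Review bot: dropping the explicit `rm $tmp_tagfile` is correct only because cleanup moved to the `trap "rm -rf $TODELETE" 0 ...` registered at the top of the script; a one-line comment at this spot saying that the exit trap removes the copy would keep the missing cleanup from looking like an oversight to the next reader.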
diff -Nru vim-6.3.old/vim63/runtime/tools/vimspell.sh vim-6.3/vim63/runtime=
/tools/vimspell.sh
--- vim-6.3.old/vim63/runtime/tools/vimspell.sh	1999-08-01 14:01:46.0000000=
00 +0200
+++ vim-6.3/vim63/runtime/tools/vimspell.sh	2005-01-09 20:51:18.000000000 +=
0100
@@ -13,9 +13,20 @@
 # March 1999
=20
 INFILE=3D$1
-OUTFILE=3D/tmp/vimspell.$$
-# if you have "tempfile", use the following line
-#OUTFILE=3D`tempfile`
+tmp=3D"${TMPDIR-/tmp}"
+OUTFILE=3D`mktemp -t vimspellXXXXXX || tempfile -p vimspell || echo none`
+# If the standard commands failed then create the file
+# since we cannot create a directory (we cannot remove it on exit)
+# create a file in the safest way possible.
+if test "$OUTFILE" =3D none; then
+        OUTFILE=3D$tmp/vimspell$$
+	[ -e $OUTFILE ] && { echo "Cannot use temporary file $OUTFILE, it already=
 exists!; exit 1 ; }=20
+        (umask 077; touch $OUTFILE)
+fi
+# Note the copy of vimspell cannot be deleted on exit since it is
+# used by vim, otherwise it should do this:
+# trap "rm -f $OUTFILE" 0 1 2 3 9 11 13 15
+
=20
 #
 # local spellings
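Review bot: the added `[ -e $OUTFILE ] && { echo "Cannot use temporary file $OUTFILE, it already exists!; exit 1 ; }` line is missing the closing double quote after `exists!`, so the string swallows `; exit 1 ; }` and the brace group is never closed; the script does not even parse once the fallback branch is reached. Separately, the test-then-`touch` sequence is the check-then-use window the report itself acknowledges, and `[ -e ]` follows symlinks, so a dangling symlink at that name passes the test and `touch` then creates whatever it points to. A fallback that needs no separate existence check is to create the file under noclobber, e.g. `(umask 077; set -C; : > $OUTFILE) || exit 1`, which bash and dash implement with O_CREAT|O_EXCL (bash relaxes this for non-regular targets, so it stays a last resort behind mktemp/tempfile). Style: this line is indented with a tab where the surrounding added lines use spaces, and `$tmp` is now only used in the fallback, which is fine since `mktemp -t` honours TMPDIR on its own.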

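An added example, not code from the report or from the vim patch, of the vimspell-style temporary file done without the check-then-create gap the report mentions for the no-mktemp case: mktemp first, then Debian's tempfile, then a noclobber redirection, which bash and dash implement with O_CREAT|O_EXCL so a pre-placed symlink or existing file makes creation fail instead of being followed. The function names make_tmpfile and create_excl are mine.

```shell
#!/bin/sh
# Added example: a vimspell-style temp file without the check-then-create
# gap of the fallback in the patch. Function names are mine, not vim's.

# create_excl PATH: create PATH as a new, empty, mode-0600 file, failing if
# anything (file, directory, symlink) already sits at that name. noclobber
# makes bash and dash open with O_CREAT|O_EXCL, so nothing is followed or
# truncated; bash relaxes this for non-regular targets such as /dev/null,
# which is why this is only the last resort and not the first choice.
create_excl() {
    ( umask 077; set -C; : > "$1" ) 2>/dev/null
}

# make_tmpfile PREFIX: print the path of a fresh private temp file in TMPDIR
# (default /tmp). mktemp and Debian's tempfile both create with O_EXCL and
# mode 0600; only if neither exists do we fall back to create_excl with the
# same $$-based name vimspell.sh used, now created atomically.
make_tmpfile() {
    dir=${TMPDIR:-/tmp}
    f=$(mktemp "$dir/$1.XXXXXX" 2>/dev/null) && { printf '%s\n' "$f"; return 0; }
    f=$(tempfile -d "$dir" -p "$1" 2>/dev/null) && { printf '%s\n' "$f"; return 0; }
    f=$dir/$1.$$
    create_excl "$f" && { printf '%s\n' "$f"; return 0; }
    echo "cannot create temporary file $f" >&2
    return 1
}

# Usage as vimspell.sh would do it (constructed line, not a real spell run):
# OUTFILE=$(make_tmpfile vimspell) || exit 1
# printf 'syntax match SpellErrors "\\<teh\\>"\n' > "$OUTFILE"
```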

---------------------------------------
From: Norbert Tretkowski <nobse@debian.org>
To: 289560-close@bugs.debian.org
Subject: Bug#289560: fixed in vim 6.1.018-1woody1
Message-Id: <E1DI4Gv-00056l-00@newraff.debian.org>
Date: Sun, 03 Apr 2005 08:32:09 -0400

Source: vim
Source-Version: 6.1.018-1woody1

We believe that the bug you reported is fixed in the latest version of
vim, which is due to be installed in the Debian FTP archive:

vim-gtk_6.1.018-1woody1_i386.deb
  to pool/main/v/vim/vim-gtk_6.1.018-1woody1_i386.deb
vim-perl_6.1.018-1woody1_i386.deb
  to pool/main/v/vim/vim-perl_6.1.018-1woody1_i386.deb
vim-python_6.1.018-1woody1_i386.deb
  to pool/main/v/vim/vim-python_6.1.018-1woody1_i386.deb
vim-ruby_6.1.018-1woody1_i386.deb
  to pool/main/v/vim/vim-ruby_6.1.018-1woody1_i386.deb
vim-tcl_6.1.018-1woody1_i386.deb
  to pool/main/v/vim/vim-tcl_6.1.018-1woody1_i386.deb
vim_6.1.018-1woody1.diff.gz
  to pool/main/v/vim/vim_6.1.018-1woody1.diff.gz
vim_6.1.018-1woody1.dsc
  to pool/main/v/vim/vim_6.1.018-1woody1.dsc
vim_6.1.018-1woody1_i386.deb
  to pool/main/v/vim/vim_6.1.018-1woody1_i386.deb
vim_6.1.018.orig.tar.gz
  to pool/main/v/vim/vim_6.1.018.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 289560@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Norbert Tretkowski <nobse@debian.org> (supplier of updated vim package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.7
Date: Sun,  3 Apr 2005 12:35:25 +0200
Source: vim
Binary: vim-python vim-gtk vim-ruby vim vim-tcl vim-perl
Architecture: source i386
Version: 6.1.018-1woody1
Distribution: stable
Urgency: medium
Maintainer: Debian VIM Maintainers <pkg-vim-maintainers@lists.alioth.debian.org>
Changed-By: Norbert Tretkowski <nobse@debian.org>
Description: 
 vim        - Vi IMproved - enhanced vi editor
 vim-gtk    - Vi IMproved - GTK version
 vim-perl   - Vi IMproved, with perl scripting support
 vim-python - Vi IMproved, with python scripting support
 vim-ruby   - Vi IMproved, with ruby scripting support
 vim-tcl    - Vi IMproved, with tcl scripting support
Closes: 286223 289560 291125
Changes: 
 vim (6.1.018-1woody1) stable; urgency=medium
 .
   * CAN-2004-1138: Backported and applied patch 6.3.045 which fixes several
     vulnerabilities related to the use of options in modelines.
     (closes: #286223)
   * CAN-2005-0069: Use mktemp instead of insecure $$ construction to create
     temporary files in vimspell.sh and tcltags. (closes: #289560, #291125)
   * Set maintainer address to project mailinglist on alioth and added myself to
     uploaders.
Files: 
