Bug 949682 (CVE-2015-7758) - VUL-0: CVE-2015-7758: gummi: predictable filenames in /tmp based on basename
Status: RESOLVED FIXED
Alias: CVE-2015-7758
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other openSUSE 13.2
Priority: P3 - Medium, Severity: Normal
Target Milestone: ---
Assignee: Atri Bhattacharya
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/157488/
Reported: 2015-10-09 08:55 UTC by Andreas Stieger
Modified: 2016-02-25 10:12 UTC

Found By: Security Response Team
Description Andreas Stieger 2015-10-09 08:55:20 UTC
/tmp file race.

> Opening a file called thesis.tex in gummi, this created the following
> files in /tmp:
> 
> -rw-r--r--  1 jak  jak    3196 Jul 29 21:39 .thesis.tex.aux
> -rw-r--r--  1 jak  jak   42672 Jul 29 21:39 .thesis.tex.log
> -rw-r--r--  1 jak  jak     559 Jul 29 21:39 .thesis.tex.out
> -rw-r--r--  1 jak  jak  266755 Jul 29 21:39 .thesis.tex.pdf
> -rw-r--r--  1 jak  jak     885 Jul 29 21:39 .thesis.tex.toc
> 
> Obviously, this has serious implications for multi-user systems, because
> two users editing a file with the same name would write to the same files
> in /tmp. 

Mitre:

> Note that the discussion referenced by the bug report suggests that
> Linux exploitability depends on the /proc/sys/fs/protected_symlinks
> file.

Affects openSUSE 13.1, 13.2, Publishing/gummi, Tumbleweed and Leap.

References:
https://bugs.debian.org/756432
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7758
http://seclists.org/oss-sec/2015/q4/51
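
An added illustration, not part of the bug report and not gummi's code or its upstream fix: the basename-derived naming described above next to a per-session private directory created with mkdtemp(). The function names, the `gummi-example` template and the sample document paths are assumptions made for this example.

```c
#define _XOPEN_SOURCE 700   /* declares mkdtemp() and lstat() under strict -std */
#include <libgen.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Build "<dir>/.<basename(doc)>.<ext>". With dir == "/tmp" this is the naming
 * scheme from the report: the same path for every user who opens a file
 * called thesis.tex. Returns 0 on success, -1 if the result does not fit. */
int aux_path(const char *dir, const char *doc, const char *ext, char *out, size_t n)
{
    char copy[4096];
    snprintf(copy, sizeof copy, "%s", doc);   /* basename() may modify its argument */
    int len = snprintf(out, n, "%s/.%s.%s", dir, basename(copy), ext);
    return (len < 0 || (size_t)len >= n) ? -1 : 0;
}

/* Hardened variant: mkdtemp() atomically creates a new directory with a random
 * suffix and mode 0700, so another local user can neither predict the name nor
 * place files or symlinks in it. The template name is hypothetical. */
int private_workdir(char *out, size_t n)
{
    int len = snprintf(out, n, "/tmp/gummi-example.XXXXXX");
    if (len < 0 || (size_t)len >= n) return -1;
    return mkdtemp(out) ? 0 : -1;
}

/* Permission bits of a path (symlinks not followed), or -1 on error. */
int path_mode(const char *path)
{
    struct stat st;
    return lstat(path, &st) == 0 ? (int)(st.st_mode & 07777) : -1;
}

int main(void)
{
    char a[256], b[256], dir[64], work[256];
    aux_path("/tmp", "/home/alice/thesis.tex", "aux", a, sizeof a);  /* constructed paths */
    aux_path("/tmp", "/home/bob/thesis.tex", "aux", b, sizeof b);
    printf("predictable: %s (same for both users: %d)\n", a, strcmp(a, b) == 0);
    if (private_workdir(dir, sizeof dir) == 0) {
        aux_path(dir, "/home/alice/thesis.tex", "aux", work, sizeof work);
        printf("private (mode %o): %s\n", path_mode(dir), work);
        rmdir(dir);
    }
    return 0;
}
```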
Comment 1 Swamp Workflow Management 2015-10-09 22:00:27 UTC
bugbot adjusting priority
Comment 2 Atri Bhattacharya 2015-11-15 18:43:17 UTC
I will fix this as soon as upstream has a solution:
https://github.com/alexandervdm/gummi/issues/20
Comment 3 Atri Bhattacharya 2015-12-17 02:46:00 UTC
Submitted to update channel
https://build.opensuse.org/request/show/349269
Comment 4 Atri Bhattacharya 2015-12-18 23:42:39 UTC
Update about to be released (13.1, 13.2, Leap:42.1) and fix submitted also for TW, so closing this as fixed before the holidays get in my way...
Comment 5 Swamp Workflow Management 2015-12-27 00:11:53 UTC
openSUSE-SU-2015:2369-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 949682
CVE References: CVE-2015-7758
Sources used:
openSUSE Leap 42.1 (src):    gummi-0.7.1-5.1
openSUSE 13.2 (src):    gummi-0.6.5-5.3.1
openSUSE 13.1 (src):    gummi-0.6.5-2.4.1
Comment 6 Bernhard Wiedemann 2016-02-17 01:00:10 UTC
This is an autogenerated message for OBS integration:
This bug (949682) was mentioned in
https://build.opensuse.org/request/show/359881 42.1+13.2 / gummi
Comment 7 Swamp Workflow Management 2016-02-25 10:12:00 UTC
openSUSE-SU-2016:0574-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 949682
CVE References: CVE-2015-7758
Sources used:
openSUSE Leap 42.1 (src):    gummi-0.7.1-8.1
openSUSE 13.2 (src):    gummi-0.6.5-5.6.1