[Bug 881541] Re: DistUpgrade/DistUpgradeViewKDE.py uses mktemp -- which is insecure
Marc Deslauriers
marc.deslauriers at canonical.com
Mon Nov 28 18:07:32 UTC 2011
** Visibility changed to: Public
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to update-manager in Ubuntu.
https://bugs.launchpad.net/bugs/881541
Title:
DistUpgrade/DistUpgradeViewKDE.py uses mktemp -- which is insecure
Status in “update-manager” package in Ubuntu:
Fix Released
Bug description:
The DistUpgradeViewKDE class performs a copy of "the xauthority file before it removes it when Adept is killed".
However, when it does this it uses the tempfile.mktemp function (which is insecure) when it (IMHO) should be using the tempfile.mkstemp function (secure).
The vulnerable code is the following:
#kdesu requires us to copy the xauthority file before it removes it when Adept is killed
copyXauth = tempfile.mktemp("", "adept")
if 'XAUTHORITY' in os.environ and os.environ['XAUTHORITY'] != copyXauth:
shutil.copy(os.environ['XAUTHORITY'], copyXauth)
os.environ["XAUTHORITY"] = copyXauth
<--- so if can attacker can win the race between the mktemp call to create a ~random file-name and before shutil.copy is called (if XAUTHORITY is in the user's environment and the tempfile isn't the same as the current XAUTHORITY file) they can obtain the contents of the user's XAUTHORITY file. (shutil.copy ends up writing to the destination file before copying over the permissions on the file, if this order was reversed then it probably wouldn't be vulnerable :-) ).
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/update-manager/+bug/881541/+subscriptions
More information about the foundations-bugs
mailing list