Bugzilla – Bug 1134722
ps2epsi tempfile handling is insecure
Last modified: 2020-05-18 07:34:13 UTC
When looking at ps2epsi, I noticed some details in the tempfile creation that should be improved:

    if which mktemp >/dev/null 2>/dev/null; then
        tmpfile="`mktemp $TMPDIR/ps2epsi.XXXXXX`"

adding || exit 1 might be a good idea so that ps2epsi exits if it can't create a tempfile. (mktemp should print an error message in this case, no need to print another one.)

    else
        tmpdir=$TMPDIR/ps2epsi.$$
        (umask 077 && mkdir "$tmpdir")
        if test ! -d "$tmpdir"; then
            echo "failed: could not create temporary file"
            exit 1
        fi
        tmpfile="$tmpdir"/ps2epsi$$
    fi

The fallback (if mktemp can't be found) isn't terribly bad, but still insecure. In theory someone could create /tmp/ps2epsi.$$ before (one for each possible pid) and create a ps2epsi$$ symlink in it to overwrite an attacker-chosen file (aka "symlink attack").

The good thing is that mkdir errors out if a directory already exists, so all you need is to check its exit code:

    (umask 077 && mkdir "$tmpdir") || { echo "$tmpdir can't be created or unexpectedly already exists, aborting for security reasons" >&2 ; exit 1 ; }

(You can also test for $? != 0 if you don't like the "||" syntax.)

In theory checking $? should make the "test ! -d" superfluous, but in practise it can't hurt to keep it.

For completeness: "mkdir -p" will not error out on existing directories, so better don't use it in scripts ;-)
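The two changes suggested in the comment above, put together as an added example (not part of the bug report and not code from ps2epsi or Ghostscript). The function names are hypothetical, and the last function builds a constructed scenario in a throwaway directory to show that the fallback refuses a directory it did not create.

```shell
#!/bin/sh
# Added example; all function names are hypothetical, not from ps2epsi.

# Fallback for systems without mktemp: a private directory named after the PID.
# Prints the temp file path; returns 1 if the directory name is already taken.
tmpfile_fallback() {
    tmpdir=${TMPDIR:-/tmp}/ps2epsi.$$
    # Plain mkdir (no -p) fails on any existing name: directory, file or
    # symlink. Its exit status therefore proves the directory is ours.
    (umask 077 && mkdir "$tmpdir") || {
        echo "$tmpdir can't be created or unexpectedly already exists, aborting for security reasons" >&2
        return 1
    }
    echo "$tmpdir/ps2epsi$$"
}

# Preferred path: mktemp creates the file atomically with mode 0600 and
# prints its own error message, so a failure only needs to be propagated.
make_tmpfile() {
    if command -v mktemp >/dev/null 2>&1; then
        mktemp "${TMPDIR:-/tmp}/ps2epsi.XXXXXX" || return 1
    else
        tmpfile_fallback
    fi
}

# Constructed scenario: ps2epsi.$$ already exists before the script runs.
# Runs in a subshell; returns 0 when the fallback refuses that directory.
fallback_rejects_precreated_dir() (
    sandbox=$(mktemp -d) || exit 2
    TMPDIR=$sandbox
    mkdir "$TMPDIR/ps2epsi.$$"      # directory the script did not create
    if tmpfile_fallback >/dev/null 2>&1; then rc=1; else rc=0; fi
    rm -rf "$sandbox"
    exit "$rc"
)
```

A caller would use `tmpfile=$(make_tmpfile) || exit 1`, so a failed creation stops the script instead of continuing with an empty or untrusted path.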
I am afraid in the foreseeable future I won't find any time to have a closer look at what actually goes on here, so all _I_ can do is to close it as "wontfix", which does of course not mean someone else at openSUSE could not help here and continue to work on this issue ;-)
bugtracker_accounts++ ;-) Forwarded to upstream - https://bugs.ghostscript.com/show_bug.cgi?id=702416
Christian Boltz, thank you so much! Even relatively small things like upstream reports help a lot when I must not do them myself. The main thing with upstream reporting is not the initial report but being responsive if upstream has questions and things like that.