Bug 1134722 - ps2epsi tempfile handling is insecure
Classification: openSUSE
Product: openSUSE Tumbleweed
Component: Printing
Hardware: Other, OS: Other
Importance: P5 - None (priority), Normal (severity)
Assigned To: Johannes Meixner
Reported: 2019-05-10 12:20 UTC by Christian Boltz
Modified: 2020-05-18 07:34 UTC (History)
Found By: Community User
Description Christian Boltz 2019-05-10 12:20:58 UTC
When looking at ps2epsi, I noticed some details in the tempfile creation that should be improved:

if which mktemp >/dev/null 2>/dev/null; then
    tmpfile="`mktemp $TMPDIR/ps2epsi.XXXXXX`"

adding   || exit 1   might be a good idea so that ps2epsi exits if it can't create a tempfile. (mktemp should print an error message in this case, no need to print another one.)

    (umask 077 && mkdir "$tmpdir")
    if test ! -d "$tmpdir"; then
        echo "failed: could not create temporary file"
        exit 1

The fallback (if mktemp can't be found) isn't terribly bad, but still insecure. In theory someone could create /tmp/ps2epsi.$$ before (one for each possible pid) and create a ps2epsi$$ symlink in it to overwrite an attacker-chosen file (aka "symlink attack").

The good thing is that mkdir errors out if a directory already exists, so all you need is to check its exit code:

    (umask 077 && mkdir "$tmpdir") || {
        echo "$tmpdir can't be created or unexpectedly already exists, aborting for security reasons" >&2
        exit 1
    }

(You can also test for $? != 0 if you don't like the "||" syntax.)

In theory checking $? should make the "test ! -d" superfluous, but in practice it can't hurt to keep it.

For completeness: "mkdir -p" will not error out on existing directories, so better don't use it in scripts ;-)
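The two strategies the report discusses (mktemp when available, a checked mkdir otherwise), as an added example that is not code from ps2epsi or from the bug report. Assumptions not in the original script: both branches create a private directory and the caller puts its work file inside it, the hypothetical functions make_tmpdir_mktemp, make_tmpdir_fallback and make_tmpdir are introduced for illustration, and the optional SUFFIX argument of the fallback (defaulting to the PID, as in the script) exists only so the predictable-name case can be exercised deliberately.

```shell
#!/bin/sh
# Added example, not code from ps2epsi or from the bug report: the two
# temporary-directory strategies discussed in the report, each checked
# for failure. Assumptions (not in the original script): both branches
# create a private directory and the caller places its work file inside
# it; the function names, the prefix "ps2epsi" and the optional SUFFIX
# argument exist only for illustration.

: "${TMPDIR:=/tmp}"

# make_tmpdir_mktemp PREFIX
# Preferred path: mktemp -d picks an unpredictable name and creates the
# directory atomically with mode 0700. mktemp prints its own diagnostic,
# so on failure only the exit status is propagated (the "|| exit 1" the
# report asks for, written as "|| return 1" inside a function).
make_tmpdir_mktemp() {
    mktemp -d "$TMPDIR/$1.XXXXXX" || return 1
}

# make_tmpdir_fallback PREFIX [SUFFIX]
# Fallback when mktemp is missing: the name is predictable (PID by default),
# so an attacker may have pre-created the path or planted a symlink there.
# mkdir refuses to create a path that already exists (symlinks included),
# so its exit status is the security check; the -d test is kept as
# belt and braces, as the report suggests.
make_tmpdir_fallback() {
    dir="$TMPDIR/$1.${2:-$$}"
    (umask 077 && mkdir "$dir") || {
        echo "$dir can't be created or unexpectedly already exists, aborting for security reasons" >&2
        return 1
    }
    if [ ! -d "$dir" ]; then
        echo "failed: could not create temporary directory $dir" >&2
        return 1
    fi
    echo "$dir"
}

# make_tmpdir PREFIX: use mktemp when available, the checked fallback otherwise.
make_tmpdir() {
    if command -v mktemp >/dev/null 2>&1; then
        make_tmpdir_mktemp "$1"
    else
        make_tmpdir_fallback "$1"
    fi
}

# Demo: abort if no private directory can be made, and clean it up on exit.
work=$(make_tmpdir ps2epsi) || exit 1
trap 'rm -rf "$work"' EXIT
tmpfile="$work/ps2epsi.ps"
(umask 077 && : > "$tmpfile") || exit 1
echo "temporary file: $tmpfile"
```

Because the work file lives inside a directory that is either freshly created by mktemp -d or created by an mkdir whose success proves the path did not exist a moment earlier, a symlink planted at the predictable /tmp/ps2epsi.PID name makes mkdir fail and the script stop, instead of redirecting the write to an attacker-chosen file.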
Comment 1 Johannes Meixner 2020-05-15 12:47:13 UTC
I am afraid in the foreseeable future I won't find any time
to have a closer look at what actually goes on here
so all _I_ can do is to close it as "wontfix"
which does of course not mean someone else at openSUSE
could not help here and continue to work on this issue ;-)
Comment 2 Christian Boltz 2020-05-15 22:09:16 UTC
bugtracker_accounts++ ;-)

Forwarded to upstream - https://bugs.ghostscript.com/show_bug.cgi?id=702416
Comment 3 Johannes Meixner 2020-05-18 07:34:13 UTC
Christian Boltz,
thank you so much!
Even relatively small things like upstream reports
help a lot when I must not do them myself.
The main thing with upstream reporting is not the initial report
but being responsive if upstream has questions and things like that.