Last Comment Bug 304330 - CVE-2005-2353 run-mozilla.sh temporary file issue
: CVE-2005-2353 run-mozilla.sh temporary file issue
Status: RESOLVED FIXED
[sg:low local]
: fixed-aviary1.0.8, fixed1.7.13, fixed1.8
Product: Core Graveyard
Classification: Graveyard
Component: Cmd-line Features (show other bugs)
: Trunk
: x86 Linux
: -- minor (vote)
: ---
Assigned To: Daniel Veditz [:dveditz]
:
Mentors:
http://www.ubuntulinux.org/support/do...
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2005-08-11 08:52 PDT by Josh Bressers
Modified: 2009-09-17 13:47 PDT (History)
4 users (show)
dveditz: blocking1.7.13+
dveditz: blocking‑aviary1.0.8+
mtschrep: blocking1.8b5+
See Also:
QA Whiteboard:
Iteration: ---
Points: ---


Attachments
Suggested fix for this issue (1.51 KB, patch)
2005-08-11 08:53 PDT, Josh Bressers
dveditz: review+
dbaron: superreview-
asa: approval1.8b5+
Details | Diff | Review

Description Josh Bressers 2005-08-11 08:52:38 PDT
An Ubuntu security advisory fixed a temporary file vulnerability in the
run-mozilla.sh script when run in debug mode.

The run-mozilla.sh script passes gdb arguments from a temporary file which is
named in a manner that makes it fairly easy to guess.  The temporary file should
be created using the mktemp program to ensure proper file permissions and a
unique filename.
Comment 1 Josh Bressers 2005-08-11 08:53:13 PDT
Created attachment 192382 [details] [diff] [review]
Suggested fix for this issue
Comment 2 Frederic Crozat 2005-09-15 05:11:14 PDT
Different patch was originally submitted by the author of the original bug :

http://bugs.debian.org/cgi-bin/bugreport.cgi/mozilla-thunderbird-1.0.diff?bug=306893;msg=5;att=1
Comment 3 Daniel Veditz [:dveditz] 2005-09-15 12:07:16 PDT
Nominating for a closer look based on Frederic's mail.
Comment 4 Mike Schroepfer 2005-09-23 12:29:40 PDT
Is the patch effective? Running out of time for 1.5b2 . .. 
Comment 5 Mike Schroepfer 2005-09-28 11:09:22 PDT
DBaron - need SR here.
Comment 6 David Baron :dbaron: ⌚️UTC-7 (review requests must explain patch) 2005-09-28 12:05:23 PDT
Comment on attachment 192382 [details] [diff] [review]
Suggested fix for this issue

This patch doesn't actually work because of the spaces around the equals sign
in this line:

>+        mozargs_temp = `mktemp /tmp/mozargs.XXXXXX`

If you fix that, then it works, so sr=dbaron, conditional on removing those two
spaces.
Comment 7 David Baron :dbaron: ⌚️UTC-7 (review requests must explain patch) 2005-09-28 12:09:40 PDT
That said, I think the patch in comment 2 is preferable (except with the
whitespace cleaned up), both because it uses mktemp -t and because it removes
the temporary file under more conditions.
Comment 8 Asa Dotzler [:asa] 2005-09-29 11:21:19 PDT
Comment on attachment 192382 [details] [diff] [review]
Suggested fix for this issue

please re-request approval when you've got a fully reviewed patch.
Comment 9 Asa Dotzler [:asa] 2005-09-30 11:38:42 PDT
Dbaron, can you get that earlier patch in? This bug is stalled and we seem to
want it for beta2.
Comment 10 Daniel Veditz [:dveditz] 2005-09-30 11:53:52 PDT
(In reply to comment #9)
> Dbaron, can you get that earlier patch in? This bug is stalled and we seem to
> want it for beta2.

I was actually about to check this in
Comment 11 Daniel Veditz [:dveditz] 2005-09-30 12:17:35 PDT
fix checked into trunk
Comment 12 neil@parkwaycc.co.uk 2005-09-30 17:39:49 PDT
Note: RH7.3 doesn't have mktemp -t
Comment 13 Daniel Veditz [:dveditz] 2005-09-30 22:37:54 PDT
dropped -t and went back to mktemp /tmp/mozargs.XXXXXX

fix checked into the 1.8 branch
Comment 14 Frederic Crozat 2005-10-03 07:09:15 PDT
Any hope to get it landed on on 1.0.x aviary branch too ?

Note You need to log in before you can comment on or make changes to this bug.