Your message dated Sat, 18 Aug 2007 23:17:03 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#438540: fixed in id3lib3.8.3 3.8.3-7
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: libid3-3.8.3c2a
Version: 3.8.3-6
Severity: grave
Tags: security
Justification: user security hole

Hi, 

when tagging file $foo, a temporary copy of the file is created, and for some
reason, libid3 doesn't use mkstemp but just creates $foo.XXXXXX literally,
without any checking.  
This would silently truncate and overwrite an existing $foo.XXXXXX. 

,----[ src/tag_file.cpp ]
| 233     String filename = tag.GetFileName();
| 234     String sTmpSuffix = ".XXXXXX";
| 235     if (filename.size() + sTmpSuffix.size() > ID3_PATH_LENGTH)
| 236     {
| 237       // log this
| 238       return 0;
| 239       //ID3_THROW_DESC(ID3E_NoFile, "filename too long");
| 240     }
| 241     char sTempFile[ID3_PATH_LENGTH];
| 242     strcpy(sTempFile, filename.c_str());
| 243     strcat(sTempFile, sTmpSuffix.c_str());
| 244 
| 245 #if ((defined(__GNUC__) && __GNUC__ >= 3  ) || !defined(HAVE_MKSTEMP))
| 246     // This section is for Windows folk && gcc 3.x folk
| 247     fstream tmpOut;
| 248     createFile(sTempFile, tmpOut);
`----

HAND, 
Nikolaus

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-5-k7
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED] (charmap=ISO-8859-15)

Versions of packages libid3-3.8.3c2a depends on:
ii  libc6                  2.3.6.ds1-13etch2 GNU C Library: Shared libraries
ii  libgcc1                1:4.1.1-21        GCC support library
ii  libstdc++6             4.1.1-21          The GNU Standard C++ Library v3
ii  zlib1g                 1:1.2.3-13        compression library - runtime

libid3-3.8.3c2a recommends no packages.

-- no debconf information


--- End Message ---
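Added example, not id3lib's code and not part of the bug report above: the predictable-suffix pattern Nikolaus describes, written next to an mkstemp()-based replacement, and a small constructed scenario that shows why the literal ".XXXXXX" name is a problem. A file is planted at the predictable path first; the insecure routine silently truncates it, while the mkstemp() version gets a different, randomly generated name and leaves the planted file alone because the open is done with O_CREAT|O_EXCL. The sandbox directory under /tmp and the "song.mp3" name are assumptions of this example. The hardened variant uses std::string rather than the fixed-size strcpy/strcat buffer from the quoted listing.

```cpp
// Added example (not from id3lib): insecure literal suffix vs. mkstemp().
#include <cstdlib>      // mkstemp, mkdtemp
#include <fstream>
#include <iostream>
#include <string>
#include <sys/stat.h>   // stat
#include <unistd.h>     // close, unlink, rmdir

// Modelled on the reported pattern: ".XXXXXX" is appended literally, so the
// "temporary" name is fully predictable. Nothing here is random.
static std::string insecure_temp_path(const std::string& filename) {
    return filename + ".XXXXXX";
}

// Opening that predictable name for writing truncates whatever is already there.
static bool insecure_create(const std::string& filename) {
    std::ofstream out(insecure_temp_path(filename), std::ios::out | std::ios::trunc);
    return out.good();
}

struct TempFile { int fd; std::string path; };

// Hardened variant: mkstemp() rewrites the XXXXXX run in place with a unique
// suffix and opens the file with O_CREAT|O_EXCL, so an existing file at any
// candidate name is never reused or truncated. Returns fd -1 on failure.
static TempFile secure_create(const std::string& filename) {
    std::string tmpl = filename + ".XXXXXX";  // template must end in XXXXXX
    int fd = mkstemp(&tmpl[0]);               // buffer is modified in place
    if (fd < 0) return {-1, ""};
    return {fd, tmpl};
}

static long file_size(const std::string& p) {
    struct stat st;
    return stat(p.c_str(), &st) == 0 ? static_cast<long>(st.st_size) : -1;
}

struct Outcome {
    long size_after_insecure;     // planted file's size after insecure_create()
    long size_after_secure;       // planted file's size after secure_create()
    bool secure_used_other_name;  // mkstemp() picked a name != planted path
};

// Constructed scenario: plant a 17-byte file at the predictable name, run both
// routines against it, and report what happened to the planted file.
static Outcome run_scenario() {
    char dir[] = "/tmp/id3demo.XXXXXX";       // assumed writable sandbox location
    if (!mkdtemp(dir)) return {-1, -1, false};
    std::string target = std::string(dir) + "/song.mp3";
    std::string planted = insecure_temp_path(target);   // ".../song.mp3.XXXXXX"

    { std::ofstream v(planted); v << "pre-existing data"; }   // 17 bytes
    insecure_create(target);
    long after_insecure = file_size(planted);           // 0: truncated

    { std::ofstream v(planted); v << "pre-existing data"; }   // restore
    TempFile t = secure_create(target);
    long after_secure = file_size(planted);             // 17: untouched
    bool other_name = t.fd >= 0 && t.path != planted;

    if (t.fd >= 0) { close(t.fd); unlink(t.path.c_str()); }
    unlink(planted.c_str());
    rmdir(dir);
    return {after_insecure, after_secure, other_name};
}

int main() {
    Outcome o = run_scenario();
    std::cout << "planted file after insecure routine: " << o.size_after_insecure << " bytes\n"
              << "planted file after mkstemp routine:  " << o.size_after_secure << " bytes\n"
              << "mkstemp chose a different name:      " << (o.secure_used_other_name ? "yes" : "no") << "\n";
    return 0;
}
```

The point to check in a review is the O_EXCL semantics: mkstemp() both generates the name and creates the file in one call, so there is no window between "pick a name" and "open it" for a pre-placed file to be reused; a hand-rolled scheme that generates a random name and then opens it with fstream still has that window.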
--- Begin Message ---
Source: id3lib3.8.3
Source-Version: 3.8.3-7

We believe that the bug you reported is fixed in the latest version of
id3lib3.8.3, which is due to be installed in the Debian FTP archive:

id3lib3.8.3_3.8.3-7.diff.gz
  to pool/main/i/id3lib3.8.3/id3lib3.8.3_3.8.3-7.diff.gz
id3lib3.8.3_3.8.3-7.dsc
  to pool/main/i/id3lib3.8.3/id3lib3.8.3_3.8.3-7.dsc
libid3-3.8.3-dev_3.8.3-7_i386.deb
  to pool/main/i/id3lib3.8.3/libid3-3.8.3-dev_3.8.3-7_i386.deb
libid3-3.8.3c2a_3.8.3-7_i386.deb
  to pool/main/i/id3lib3.8.3/libid3-3.8.3c2a_3.8.3-7_i386.deb
A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Robert Woodcock <[EMAIL PROTECTED]> (supplier of updated id3lib3.8.3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 18 Aug 2007 15:52:52 -0700
Source: id3lib3.8.3
Binary: libid3-3.8.3-dev libid3-3.8.3c2a
Architecture: source i386
Version: 3.8.3-7
Distribution: unstable
Urgency: high
Maintainer: Robert Woodcock <[EMAIL PROTECTED]>
Changed-By: Robert Woodcock <[EMAIL PROTECTED]>
Description: 
 libid3-3.8.3-dev - ID3 Tag Library: Development Libraries and Header Files.
 libid3-3.8.3c2a - Library for manipulating ID3v1 and ID3v2 tags.
Closes: 438540
Changes: 
 id3lib3.8.3 (3.8.3-7) unstable; urgency=high
 .
   * SECURITY: Change #ifdef logic to select mkstemp() code instead of
     insecure tempfile creation code, and fix mkstemp() code to work with g++
     3.x, closes: #438540
Files: 
 84eebc97a2d04bc41e1320bcae11c86a 642 libs optional id3lib3.8.3_3.8.3-7.dsc
 c13c3a9a179a5c6548475a3f5f748a9a 135421 libs optional 
id3lib3.8.3_3.8.3-7.diff.gz
 5cf02d4ecd80a3f4414857b4cd1b0e0f 263108 libdevel optional 
libid3-3.8.3-dev_3.8.3-7_i386.deb
 598bc63b80a935e7f1c94a5cb40a0e32 176814 libs optional 
libid3-3.8.3c2a_3.8.3-7_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGx3vc9c5o62/wq/IRAusYAKCN2ScPsZNhhntc5RLVAJ1UnqfE0gCeIlhq
SoFByPRyB3Oh/YMgkpZQC1I=
=lQ9K
-----END PGP SIGNATURE-----


--- End Message ---