Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <4F848EB2.7050907@redhat.com>
Date: Tue, 10 Apr 2012 13:49:06 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com, asterix@...aule.org
Subject: Re: gajim insecure file creation when using latex

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/09/2012 09:43 PM, Nico Golde wrote:
> Hi, Gajim seems to support latex in instant messages. This is
> implemented by dumping the content to a .tex template on disk and
> converting the result to an image. To prevent security problems, it
> is at least checking the input for dangerous latex commands such as
> \input (as far as I can see nothing is missing from this list).
> 
> However, it fails to create this temporary file in a secure
> manner: From src/common/latex.py: 60 def get_tmpfile_name(): 61
> random.seed() 62         int_ = random.randint(0, 100) 63
> return os.path.join(gettempdir(), 'gajimtex_' + int_.__str__())

Sigh. And this is why people should use mkstemp().

Please use CVE-2012-2093 for this issue.



> ... 113 def latex_to_image(str_): 114         result = None 115
> exitcode = 0 116 117         try: 118                 bg_str,
> fg_str = gajim.interface.get_bg_fg_colors() 119         except: 120
> # interface may not be available when we test latext at startup 121
> bg_str, fg_str = 'rgb 1.0 1.0 1.0', 'rgb 0.0 0.0 0.0' 122 123
> # filter latex code with bad commands 124         if
> check_blacklist(str_): 125                 # we triggered the
> blacklist, immediately return None 126                 return None 
> 127 128         tmpfile = get_tmpfile_name() 130         # build
> latex string 131         write_latex(os.path.join(tmpfile +
> '.tex'), str_) and finally: 65 def write_latex(filename, str_): 66
> texstr =
> '\\documentclass[12pt]{article}\\usepackage[dvips]{graphicx}' 67
> texstr += '\\usepackage{amsmath}\\usepackage{amssymb}' 68
> texstr += '\\pagestyle{empty}' 69         texstr +=
> '\\begin{document}\\begin{large}\\begin{gather*}' 70         texstr
> += str_ 71         texstr +=
> '\\end{gather*}\\end{large}\\end{document}' 72 73         file_ =
> open(filename, "w+") 74         file_.write(texstr) 75
> file_.flush() 76         file_.close()
> 
> I think this is of pretty minor severity even though it still
> allows a local attacker to overwrite files the victim has write
> access to with latex content by using symlinks and latex IMs are
> used.
> 
> Cheers Nico


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJPhI6yAAoJEBYNRVNeJnmTcD0P/ie/UZf1YOcIesLhQgjsUQq1
hCV3oQIJKVykwxObjbgpFtT9wgpcgk2zmSU2YL8hE4+uvroCTDVMT4Y9pbt1/7/8
uREQydl1svEOkWMJU72ScN9Op+wAEkz0bFLtKh6AmVqGddlfVAo1vQm9+r3A693l
xtqcVOIte5Fbi8LbpkU5KAo4J1jVoMRJyTYT1j4Qi31TcaZVXs+VvgNIWjnX3bV1
RmrBd8mkttNiGPY2r3/g2UYQtQb4w/hjaYhu6mC+foKnuxN+wsqgTS6sXOadf+Wc
bdLz2OENPkcicCHIa5yJpw5cGoc5IBgTl4IUyEKzJ8LVWQuDRb89yEmgG/wxcNnW
lhjmw29bT17oUuyTgjO/nDXrCEq71g/LHYLcYXPOvGpLK1xjYDqsciSha0nSUlq6
Qg7BoMlpj8WUWo5nml+eQ+2ErFoY7Fla9Ir61HgOG5KaJ/kq3N8PvBbeNWvX6E0v
w8WnBEihLKc05E4WFbZqu84EMTNtnh/zwnkStY9ZeY49Rs30fAIM5YOJHwac9zKy
ByB5y4ueEqPmQvp14axruIyae0Sv03HrtuJD7Nm4KsZj1wZRnmlCqTBvlOGEDgdW
O/mvUM7mNiqhQ2vl4BkqcZac2vf3z3ndz2cjILvJPMY0eE7WfpdkOjKDS+hpsRAZ
NqBB0+dfoRMLw8OLwY+n
=Yfv4
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.