autokey: insecure use of temporary files (Data Corruption, Local Denial of Service)

Bug #538471 reported by Luke Faraone
This bug affects 1 person
Affects            Status         Importance   Assigned to    Milestone
autokey (Debian)   Fix Released   Undecided    Luke Faraone
autokey (Ubuntu)   Fix Released   Medium       Unassigned
Karmic             Fix Released   Medium       Unassigned

Bug Description

Binary package hint: autokey

jwilk reported to the Debian Security Team:

'''
I discovered that the autokey (0.61.3-1 and possibly earlier versions) init script is prone to symlink attacks, which allow a local attacker to create or overwrite arbitrary files.

How to reproduce:
1. as root: /etc/init.d/autokey stop
2. as a normal user: ln -sf /file/you/want/to/overwrite /tmp/autokey-daemon.pid
3. as root: /etc/init.d/autokey start

Please tell me if/when I can disclose this vulnerability.
'''

This affects the version of Autokey in Lucid, and probably Karmic as well.

Tags: patch
Luke Faraone (lfaraone) wrote :

Debian has decided to embargo this until March 20, 2010.

Luke Faraone (lfaraone) wrote :
Luke Faraone (lfaraone)
Changed in autokey (Debian):
status: New → Fix Released
assignee: nobody → Luke Faraone (lfaraone)
Luke Faraone (lfaraone)
visibility: private → public
tags: added: patch
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package autokey - 0.61.5-1ubuntu1

---------------
autokey (0.61.5-1ubuntu1) lucid; urgency=low

  * Make "autokey" a transitional package for autokey-gtk rather than -qt.

autokey (0.61.5-1) unstable; urgency=low

  * New upstream version:
     - Combine GTK and QT versions into single source tree
  * Provide "autokey" as a transitional package to autokey-common and autokey-qt
  * debian/autokey-common.postinst: call `update-python-modules -p` so that
    starting the daemon does not fail if qt4 was not fully configured.
    (LP: #543654)

autokey (0.61.3-2) unstable; urgency=high

  * SECURITY UPDATE: arbitrary file overwriting via symlinks (LP: #538471)
    - Store files for the EvDev daemon in FHS-specified locations
    - debian/autokey.init: Set pidfile path to '/var/run/autokey-daemon.pid'
    - src/lib/interface.py: Set DOMAIN_SOCKET_PATH to "/var/run/autokey-daemon"
    - CVE-2010-0398

autokey (0.61.3-1) unstable; urgency=low

  * debian/rules: call dh_installinit with --error-handler so that install
    doesn't fail if Autokey cannot be restarted during configure (LP: #479131)
  * New upstream version:
    - Merge changes to interface.py from GTK branch that were missed

autokey (0.61.2-2) unstable; urgency=low

  * Set DM-Upload-Allowed to Yes in control
  * Patch src/lib/daemon.py to handle empty or invalid PIDs (closes: #568070)
  * Fix typo in Vcs-Browser
  * Bump standards version
 -- Luke Faraone <email address hidden> Wed, 24 Mar 2010 22:06:35 -0400

Changed in autokey (Ubuntu):
status: New → Fix Released
Luke Faraone (lfaraone)
Changed in autokey (Ubuntu Karmic):
importance: Undecided → Medium
status: New → Confirmed
Kees Cook (kees) wrote :

ACK, thanks for the debdiff. (I've subscribed ubuntu-security-sponsors now.) I've uploaded this to the build queue now; it should be published shortly.

Changed in autokey (Ubuntu Karmic):
status: Confirmed → Fix Released
Kees Cook (kees)
Changed in autokey (Ubuntu Karmic):
status: Fix Released → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package autokey - 0.54.5-1ubuntu0.3

---------------
autokey (0.54.5-1ubuntu0.3) karmic-security; urgency=low

  * SECURITY UPDATE: arbitrary file overwriting via symlinks (LP: #538471)
    - Store files for the EvDev daemon in FHS-specified locations
    - debian/autokey.init: Set pidfile path to '/var/run/autokey-daemon.pid'
    - src/lib/interface.py: Set DOMAIN_SOCKET_PATH to "/var/run/autokey-daemon"
    - CVE-2010-0398
 -- Luke Faraone <email address hidden> Sat, 13 Mar 2010 17:14:24 -0500

Changed in autokey (Ubuntu Karmic):
status: Fix Committed → Fix Released
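
The changelog entries above fix this by moving the pidfile and socket out of /tmp into /var/run. As an added example (not autokey's code and not the Debian patch), the Python below shows why the directory matters and how exclusive, no-follow creation rejects a link that already sits at the pidfile path. The helper names, the scratch-directory layout and the pid 4242 are assumptions made for the illustration.

```python
import os
import stat
import tempfile
from pathlib import Path

def dir_is_shared(dirpath):
    """True if group/other can create entries here, as in /tmp (mode 1777)."""
    return bool(os.stat(dirpath).st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def write_pidfile_naive(path, pid):
    # Bug-class pattern: open() follows whatever symlink already sits at `path`.
    with open(path, "w") as f:
        f.write("%d\n" % pid)

def write_pidfile_safe(path, pid):
    if dir_is_shared(os.path.dirname(path)):
        raise PermissionError("pidfile directory is writable by other users")
    # O_EXCL fails if anything (a symlink included) already exists at `path`;
    # O_NOFOLLOW refuses a symlink in the final path component.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o644)
    with os.fdopen(fd, "w") as f:
        f.write("%d\n" % pid)

def demo():
    """Constructed scratch-directory scenario; nothing outside it is touched."""
    result = {}
    with tempfile.TemporaryDirectory() as base:
        shared, private = os.path.join(base, "tmp"), os.path.join(base, "run")
        os.mkdir(shared); os.chmod(shared, 0o1777)   # stands in for /tmp
        os.mkdir(private, 0o755)                     # stands in for /var/run
        target = Path(base, "target.conf")           # constructed file to protect
        for d in (shared, private):
            os.symlink(target, os.path.join(d, "autokey-daemon.pid"))
        for name, d in (("shared", shared), ("preexisting_link", private)):
            target.write_text("original\n")
            try:
                write_pidfile_safe(os.path.join(d, "autokey-daemon.pid"), 4242)
                result[name] = "written"
            except OSError as e:
                result[name] = type(e).__name__
            result[name + "_target"] = target.read_text()
        write_pidfile_naive(os.path.join(shared, "autokey-daemon.pid"), 4242)
        result["naive_target"] = target.read_text()
        os.unlink(os.path.join(private, "autokey-daemon.pid"))
        write_pidfile_safe(os.path.join(private, "autokey-daemon.pid"), 4242)
        result["clean_pidfile"] = Path(private, "autokey-daemon.pid").read_text()
    return result
if __name__ == "__main__":
    print(demo())
```

On current Linux kernels the fs.protected_symlinks sysctl blocks many symlink follows in sticky world-writable directories, but a daemon running as root should not depend on that setting being enabled.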
This report contains Public Security information  
Everyone can see this security related information.
