Lionel Elie Mamane
2009-Feb-07 14:29 UTC
[Secure-testing-team] Bug#514428: galeon: world-readable temporary files when using helper app
Package: galeon Version: 2.0.6-2.1 Severity: grave Tags: security patch Justification: user security hole When opening an URL with a helper app, the file is created with the user''s umask (so usually world-readable), and often survives closing the helper app and galeon. This leaks which documents have been read from the web by the user to all users of the machine. The document is also downloaded under its original filename, which is also a partial information leak. Very precisely, the file is downloaded securely (made-up name and mode 0600), but then renamed to the name it had in the URL and chmod''ed to the user''s umask, minus the x bits. As a side-effect, the download fails (the download progress UI just freezes) if the filename already exists and is not deletable / writable by the user. (If it exists and is writable, it will silently overwrite it.) The attached patch mostly fixes the security problem by changing the temporary directory to a mode 0700 subdirectory. It still leaves the filename in the command line of the helper app. It also does not clean up the created temporary directory. The root cause is this in this code in GProgressListener::Init in line 208 of mozilla/ProgressListener.cpp: /* HACK, stop mozilla from opening the application, we * do it ourselves */ aMIMEInfo->SetPreferredAction(nsIMIMEInfo::saveToDisk); This causes xulrunner to not only opening the application, but also forcibly renaming the file to its "suggested name" (because it assumes that it comes from the "Save File" dialog, where the user was asked to confirm any overwrite) and chmod''ing to the user''s umask (calling "FixPermissions" line 1804 of uriloader/exthandler/nsExternalHelperAppService.cpp, in function nsExternalAppHandler::ExecuteDesiredAction). Hmmm... I wonder if this does not in itself introduce a rather long race condition between the download (in a temporary name) and the rename, when the download is made in a directory that is writable by other users, and where that other user can arrange for the file not to be deletable by the user (directory owned by that other user?) (I''m thinkging of a symlink attack, that kind of thing). Opinions? -- System Information: Debian Release: 5.0 APT prefers unstable APT policy: (500, ''unstable''), (1, ''experimental'') Architecture: amd64 (x86_64) Kernel: Linux 2.6.26-1-amd64 (SMP w/2 CPU cores) Locale: LANG=fr_LU.UTF-8, LC_CTYPE=fr_LU.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/bash Versions of packages galeon depends on: ii galeon-common 2.0.6-2.1 GNOME web browser for advanced use ii gconf2 2.22.0-1 GNOME configuration database syste ii libbonobo2-0 2.22.0-1 Bonobo CORBA interfaces library ii libbonoboui2-0 2.22.0-1 The Bonobo UI library ii libc6 2.7-18 GNU C Library: Shared libraries ii libgcc1 1:4.3.3-3 GCC support library ii libgconf2-4 2.22.0-1 GNOME configuration database syste ii libglade2-0 1:2.6.3-1 library to load .glade files at ru ii libglib2.0-0 2.16.6-1 The GLib library of C routines ii libgnome-desktop-2 2.22.3-2 Utility library for loading .deskt ii libgnome2-0 2.20.1.1-2 The GNOME 2 library - runtime file ii libgnomeui-0 2.20.1.1-2 The GNOME 2 libraries (User Interf ii libgnomevfs2-0 1:2.22.0-5 GNOME Virtual File System (runtime ii libgtk2.0-0 2.12.11-4 The GTK+ graphical user interface ii libnspr4-0d 4.7.1-4 NetScape Portable Runtime Library ii liborbit2 1:2.14.16-0.1 libraries for ORBit2 - a CORBA ORB ii libpango1.0-0 1.20.5-3 Layout and rendering of internatio ii libpopt0 1.14-4 lib for parsing cmdline parameters ii libstdc++6 4.3.3-3 The GNU Standard C++ Library v3 ii libx11-6 2:1.1.5-2 X11 client-side library ii libxml2 2.6.32.dfsg-5 GNOME XML library ii procps 1:3.2.7-11 /proc file system utilities ii xulrunner-1.9 1.9.0.6-1 XUL + XPCOM application runner Versions of packages galeon recommends: ii gnome-control-center 1:2.22.2.1-2 utilities to configure the GNOME d ii gnome-icon-theme 2.22.0-1 GNOME Desktop icon theme ii iso-codes 3.6-1 ISO language, territory, currency, ii scrollkeeper 0.3.14-16 A free electronic cataloging syste ii yelp 2.22.1-8+b1 Help browser for GNOME 2 Versions of packages galeon suggests: pn mozplugger <none> (no description available) -- no debconf information -------------- next part -------------- A non-text attachment was scrubbed... Name: galeon_tmpdir.patch Type: text/x-diff Size: 1755 bytes Desc: not available Url : http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20090207/37ea98e4/attachment.patch