Bug 4058 - security issue in conky: CVE-2011-3616
Summary: security issue in conky: CVE-2011-3616
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 1
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL:
Whiteboard:
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2012-01-07 17:45 CET by Florian Hubold
Modified: 2012-01-14 15:37 CET (History)
5 users (show)

See Also:
Source RPM:
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Florian Hubold 2012-01-07 17:45:51 CET 
There is now conky-1.8.1-1.1.mga1 in core/updates_testing to validate
-------------------------------------------------------


Suggested advisory:
-------------------
This update addresses the following CVE:

- CVE-2011-3616

The getSkillname function in the eve module in Conky 1.8.1 and earlier allows local users to overwrite arbitrary files via a symlink attack on /tmp/.cesf. 
In the getSkillname() function of the Eve plugin, there
is a race condition between when the plugin checks for the existence of
/tmp/.cesf and when it writes to the file, easily beaten because
getXmlFromAPI() is called in between (which can take time due to network
latency, etc.).  If a user were able to beat the race and create a symlink of
/tmp/.cesf to any file the user running conky had write access to, they could
overwrite the contents of that file.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3616
https://bugzilla.redhat.com/show_bug.cgi?id=676367


-------------------------------------------------------
Steps to reproduce:

- install/update to update candidate
Florian Hubold 2012-01-07 17:47:25 CET

Status: NEW => ASSIGNED
CC: (none) => doktor5000
Assignee: bugsquad => qa-bugs

Comment 1 Dave Hodgins 2012-01-08 03:43:40 CET 
Testing complete on i586 for the srpm
conky-1.8.1-1.1.mga1.src.rpm

Running under strace confirms the /tmp.cesf file is no longer used.

CC: (none) => davidwhodgins

Comment 2 Florian Hubold 2012-01-12 20:47:33 CET 
Can someone please test this for x86_64?
Comment 3 David GEIGER 2012-01-12 20:53:09 CET 
I have installed the srpm conky-1.8.1-1.1.mga1.src.rpm but I don't know what
to do with this one.

CC: (none) => geiger.david68210

Comment 4 Dave Hodgins 2012-01-12 21:42:44 CET 
Run conky.  Click on the show desktop icon, and the system monitor will be
visible on the desktop.  Confirm the /tmp.cesf file does not exist.
Comment 5 David GEIGER 2012-01-12 21:52:55 CET 
Testing complete on Mageia release 1 (Official) for x86_64 ,works for me too.

http://www.siteduzero.com/tutoriel-3-215060-installer-et-configurer-conky.html

I can confirm the /tmp.cesf file doesn't exist .

Thank you Dave.
Comment 6 Dave Hodgins 2012-01-13 01:04:54 CET 
Validating the update.

Could someone from the sysadmin team push the srpm
conky-1.8.1-1.1.mga1.src.rpm
from Core Updates Testing to Core Updates.

Advisory:
This security update for conky addresses CVE-2011-3616

The getSkillname function in the eve module in Conky 1.8.1 and earlier allows
local users to overwrite arbitrary files via a symlink attack on /tmp/.cesf. 
In the getSkillname() function of the Eve plugin, there
is a race condition between when the plugin checks for the existence of
/tmp/.cesf and when it writes to the file, easily beaten because
getXmlFromAPI() is called in between (which can take time due to network
latency, etc.).  If a user were able to beat the race and create a symlink of
/tmp/.cesf to any file the user running conky had write access to, they could
overwrite the contents of that file.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3616
https://bugzilla.redhat.com/show_bug.cgi?id=676367

https://bugs.mageia.org/show_bug.cgi?id=4058

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 7 Thomas Backlund 2012-01-14 15:37:49 CET 
update pushed

Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
Note You need to log in before you can comment on or make changes to this bug.