Ubuntu
indicator-weather package

unsafe tempfile handling

Bug #720112 reported by Jamie Strandboge
260
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Weather Indicator
Fix Released
Low
Vadim Rutkovsky
Weather Indicator 11.03.20 "Cloudy"
indicator-weather (Ubuntu)
Fix Released
Low
Unassigned

Bug Description

Binary package hint: indicator-weather

indicator-weather does not create temp files securely and has a TOCTOU vulnerability (time of check, time of use). Essentially it does:

pidPath = "/tmp/weather-indicator.pid"
if os.path.exists(pidPath):
    ... do stuff
else:
    self.lasterror=False

if not self.lasterror:
    fp=open(pidPath, 'w')
    fp.write(str(os.getpid()))
    fp.close()

This is unsafe as someone could perform tmp file race attacks and overwrite arbitrary files under the uid that indicator-weather runs as. Now, in maverick and later, this is actually not a problem because of kernel protections, but this issue should be fixed regardless. I suggest the use of tempfile.mkstemp() followed by a os.rename() to the pidPath, and exit with error if os.rename() fails.

See original description
Jamie Strandboge (jdstrand)
description: updated
Jamie Strandboge (jdstrand)
security vulnerability: no → yes
description: updated
Revision history for this message
Vadim Rutkovsky (roignac) wrote :

Good idea, we'll use that

Changed in indicator-weather (Ubuntu):
status: New → Confirmed
Changed in weather-indicator:
assignee: nobody → Vadim Rutkovsky (roignac)
importance: Undecided → Low
milestone: none → 11.02.27
status: New → Confirmed
Vadim Rutkovsky (roignac)
Changed in weather-indicator:
status: Confirmed → Fix Committed
Vadim Rutkovsky (roignac)
Changed in weather-indicator:
status: Fix Committed → Fix Released
Andrew Starr-Bochicchio (andrewsomething)
Changed in indicator-weather (Ubuntu):
status: Confirmed → Triaged
importance: Undecided → Low
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package indicator-weather - 11.03.20+repack-0ubuntu1

---------------
indicator-weather (11.03.20+repack-0ubuntu1) natty; urgency=low

  * New upstream release.
   - Fix unsafe tempfile handling (LP: #720112).
   - Fix gconf related crashers (LP: #723557).
   - Fix TypeError in getHumidex() (LP: #730287).
   - Allow two userid's to run indicator-weather
     simultaneously (LP: #730378).
   - Fix night icon showing during daytime (LP: #715657).
   - Fix indicator invisible on first run (LP: #720030).
   - Fix AttributeError in __find_city_by_code() (LP: #733681).
   - Fix AttributeError when clicking "Forecast" if there is
     no network connection (LP: # 730193).
  * debian/control:
   - Drop depends on python-simplejson, python-gconf,
     python-pymetar, and python-gweather.
   - Add depends on python-desktopcouch-records and
     python-pywapi.
  * Drop all old patches, applied upstream.
  * 01_lp_738804.patch: Fix crash on city names with spaces.
  * debian/rules:
   - Tweak get-orig-source target for new upstream
     directory naming.
   - Don't compress AUTHORS and COPYING. Needed for
     about dialog.
  * debian/indicator-weather.install: Install AUTHORS
    and COPYING files to /usr/share/doc/indicator-weather
    to fix crash in about dialog.
  * debian/indicator-weather.lintian-overrides: Overide
    lintian warning about extra copyright file.
 -- Andrew Starr-Bochicchio <email address hidden> Sun, 20 Mar 2011 22:16:35 -0400

Changed in indicator-weather (Ubuntu):
status: Triaged → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.