possible privilege escalation via predictable tmpfile

Bug #912762 reported by Julian Taylor
Affects            Status        Importance  Assigned to  Milestone
wakeup (Ubuntu)    Fix Released  Medium      Unassigned
  Oneiric          Won't Fix     Undecided   Unassigned

Bug Description

wakeup uses temporary files insecurely in multiple places in the code.

e.g. this code in data/scripts/wakeup:67 is probably exploitable to place arbitrary code into root's crontab.
            tmpfile=/tmp/wake
            eval "$dosudo crontab -l >$tmpfile"
            snoozetime=$(date -d "+$snooze min" "+%M %H %d %m %w")
            echo "$snoozetime /usr/bin/wakeup $1 $2 >/dev/null 2>&1"\
                  "#entered by setnextalarm" >>$tmpfile
            eval "$dosudo crontab $tmpfile; rm $tmpfile"

There are also many uses of os.system which could be a problem, but I did not check if any of them are exploitable.

affects 1.0-0ubuntu1 and 1.1-0ubuntu1.
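A hardened rewrite of the snippet above, added here as an example (it is not the upstream fix in the commit linked below). It assumes a CRONTAB_CMD variable (hypothetical) holding either "crontab" or "sudo crontab" in place of the original $dosudo, so the function can also be exercised against a stand-in crontab command.

```shell
#!/bin/sh
# Hardened version of the setnextalarm snippet (added example, not the project's code).
# CRONTAB_CMD is an assumed variable: "crontab" or "sudo crontab" (defaults to crontab).
set -eu

# Cron time fields for $1 minutes from now, in the same format the original snippet uses.
snooze_time() {
    date -d "+$1 min" "+%M %H %d %m %w"
}

# Append a snooze entry to the crontab: $1 = snooze minutes, $2 and $3 = wakeup arguments.
# Unlike the original, the scratch file is created by mktemp (random name, mode 0600),
# so an unprivileged user cannot pre-create or symlink /tmp/wake to feed root's crontab.
add_snooze_entry() {
    snooze=$1
    crontab_cmd=${CRONTAB_CMD:-crontab}   # left unquoted below so "sudo crontab" splits
    tmpfile=$(mktemp "${TMPDIR:-/tmp}/wakeup.XXXXXX")
    # Remove the scratch file even if the script is interrupted.
    trap 'rm -f "$tmpfile"' EXIT INT TERM
    # An empty crontab makes "crontab -l" exit non-zero; that is not an error here.
    $crontab_cmd -l > "$tmpfile" 2>/dev/null || :
    printf '%s /usr/bin/wakeup %s %s >/dev/null 2>&1 #entered by setnextalarm\n' \
        "$(snooze_time "$snooze")" "$2" "$3" >> "$tmpfile"
    $crontab_cmd "$tmpfile"
    rm -f "$tmpfile"
    trap - EXIT INT TERM
}
# The scratch file can be avoided entirely by piping the new table into "crontab -":
#   { $crontab_cmd -l 2>/dev/null || :; printf '...\n'; } | $crontab_cmd -
```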

Julian Taylor (jtaylor)
description: updated
Marc Deslauriers (mdeslaur) wrote :

Looks like this got fixed in the following commit:

http://bazaar.launchpad.net/~dsglass/wakeup/release-1.0/revision/10

visibility: private → public
Marc Deslauriers (mdeslaur) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in wakeup (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
newbuntu (dsglass) wrote :

Please see related bug #909189. There is a debdiff there for which I am waiting for a response. I can post the debdiff here as well if that is useful rather than confusing.

newbuntu (dsglass)
Changed in wakeup (Ubuntu):
status: Confirmed → Fix Committed
newbuntu (dsglass)
Changed in wakeup (Ubuntu):
status: Fix Committed → In Progress
newbuntu (dsglass) wrote :

See related bug #909189, post #18 for a new fix.

Changed in wakeup (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package wakeup - 1.2-0ubuntu1

---------------
wakeup (1.2-0ubuntu1) precise; urgency=low

  * New upstream release (LP: #909189).
   - Moved from using gksudo to using pkexec. Added policy file.
   - Changed weather source to google using python-pywapi
   - Added location.py in wakeup directory as plugin helper
   - Added plugin "Commands" which allows arbitrary user dataitems
   - Changed HebrewCalendar to use location from location.py
   - fixed problems to do with hard-coded DISPLAY variable
   - fixed issues with stopping the alarm
   - removed calls to os.system and commands.get(status)output
   - use secure temp files (LP: #912762)
   - root-owned chmod 700 playable_text file for boot alarms
   - small bug fixes
  * Updated packaging
   - replaced gksu with python-dbus in debian/control
   - Removed all perl dependencies
   - wrap-and-sort debian/
   - converted copyright to dep5 format
   - use dh_python2 instead of pysupport
 -- David Glass <email address hidden> Tue, 07 Feb 2012 10:36:30 -0800

Changed in wakeup (Ubuntu):
status: Fix Committed → Fix Released
newbuntu (dsglass) wrote :

Can someone nominate this for an SRU to oneiric?

Martin Pitt (pitti) wrote :

Unsubscribing ubuntu-sru, this is a security update.

newbuntu (dsglass) wrote :
Changed in wakeup (Ubuntu Oneiric):
status: New → Fix Committed
Changed in wakeup (Ubuntu Oneiric):
status: Fix Committed → Won't Fix