[CVE-2007-5200] hugin allows local users to overwrite arbitrary files via a symlink attack on a temporary file.

Bug #162602 reported by Stephan Rügamer
Affects           Status        Importance  Assigned to       Milestone
hugin (Debian)    Fix Released  Unknown
hugin (Fedora)    Fix Released  Medium
hugin (Ubuntu)    Fix Released  Undecided   William Grant
  Edgy            Fix Released  Undecided   Stephan Rügamer
  Feisty          Fix Released  Undecided   Stephan Rügamer
  Gutsy           Fix Released  Undecided   Stephan Rügamer
  Hardy           Fix Released  Undecided   William Grant

Bug Description

Binary package hint: hugin

Dear Colleagues,

According to the CVE, hugin allows local users to overwrite arbitrary files via a symlink attack on a temporary file.

Please find attached debdiffs for edgy, feisty and gutsy, which will fix this issue.

Regards,

\sh

Revision history for this message
Tomas (tomas-redhat-bugs) wrote:

Hugin was reported to create temporary / debug files in an unsafe manner. During
the optimizer run, it creates a debug output file with a pre-defined name:
/tmp/hugin_debug_optim_results.txt . If the file was already created by another user,
hugin gives an error message.

This problem can be abused by a malicious local user to perform a symlink attack
against the user running hugin, which will result in the overwrite of an arbitrary file
writable by the user running hugin with panorama optimizer output.

There does not seem to be any upstream patch at the moment. An updated package was
released for openSuSE, which resolves this problem by disabling creation of the
debug file.

Bruno (bruno-redhat-bugs) wrote:

There isn't an upstream patch because nobody at opensuse bothered to contact
upstream before creating a CVE. The fix however is a simple one-liner:

  sed -i 's/define DEBUG_WRITE_OPTIM_OUTPUT$/undef DEBUG_WRITE_OPTIM_OUTPUT/' \
  src/Panorama/PTOptimise.cpp

Though currently hugin isn't buildable for either f7 or f8 due to #295521, so
this one is stuck.

Tomas (tomas-redhat-bugs) wrote:

Yes, this is probably the easiest way to fix this. However, upstream may want
to develop another fix, which does not sacrifice some functionality (I'm not
trying to say the fix above is wrong ;).

According to comments in huginApp.cpp, there is some intention to fix temp file
usage:

  // FIXME, make secure against some symlink attacks
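
As an added example (not hugin's code and not the patch attached in this thread), here are the two hardened alternatives to the fixed /tmp path described in the first comment and flagged by the FIXME above: an open that refuses a pre-placed symlink or pre-existing file, and an mkstemp()-based unique name. The scratch directory, the "victim" file and all function names are constructed for the demonstration.

```cpp
#include <cerrno>
#include <cstdlib>
#include <fcntl.h>
#include <string>
#include <sys/stat.h>
#include <unistd.h>

// Hardened open for a debug/temp file: O_CREAT|O_EXCL refuses any pre-existing
// path (including a symlink planted there), O_NOFOLLOW refuses to follow a
// symlink as the final component, and mode 0600 keeps the file private.
// Returns the fd, or -1 with errno set (EEXIST or ELOOP) when refused.
int open_debug_output_nofollow(const std::string &path) {
    return open(path.c_str(), O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

// Preferred alternative: let mkstemp() pick an unpredictable name and create
// it atomically, so there is no fixed name for anyone to pre-create.
int create_unique_debug_output(std::string &out_path) {
    const char *base = std::getenv("TMPDIR");
    std::string tmpl = std::string(base ? base : "/tmp") + "/hugin_debug_XXXXXX";
    int fd = mkstemp(&tmpl[0]);  // mkstemp rewrites the XXXXXX in place
    if (fd >= 0) out_path = tmpl;
    return fd;
}

// Constructed scenario: a private scratch directory holds a "victim" file and a
// symlink carrying the predictable debug-file name that points at it.
struct DemoResult { bool symlink_refused; bool fresh_path_ok; bool victim_untouched; };

DemoResult run_symlink_demo() {
    const char *base = std::getenv("TMPDIR");
    std::string dir = std::string(base ? base : "/tmp") + "/hugin_demo_XXXXXX";
    DemoResult r{false, false, false};
    if (!mkdtemp(&dir[0])) return r;
    std::string victim = dir + "/victim.txt";
    std::string link = dir + "/hugin_debug_optim_results.txt";
    std::string fresh = dir + "/fresh.txt";
    close(open(victim.c_str(), O_WRONLY | O_CREAT, 0600));  // empty victim file
    symlink(victim.c_str(), link.c_str());
    int fd = open_debug_output_nofollow(link);               // must be refused
    r.symlink_refused = (fd < 0 && (errno == EEXIST || errno == ELOOP));
    if (fd >= 0) close(fd);
    fd = open_debug_output_nofollow(fresh);                  // fresh path is fine
    r.fresh_path_ok = (fd >= 0);
    if (fd >= 0) { (void)!write(fd, "optimizer output\n", 17); close(fd); }
    struct stat st;
    r.victim_untouched = (stat(victim.c_str(), &st) == 0 && st.st_size == 0);
    unlink(link.c_str()); unlink(victim.c_str()); unlink(fresh.c_str()); rmdir(dir.c_str());
    return r;
}
```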

Bruno (bruno-redhat-bugs) wrote:

Created attachment 236541
Patch to fix CVE-2007-5200

This is the upstream patch to fix this and another similar bug. Note that
releasing a new hugin still depends on bug #295521.

Lubomir (lubomir-redhat-bugs) wrote:

This is well over a month and still not resolved. Do you need any help other
than the one-liner fix in rebuilding wxGTK?

Bruno (bruno-redhat-bugs) wrote:

The patch and updated hugin.spec files for FC-6, F-7, F-8 and devel are in CVS.
I can't actually run `make tag` so I'm giving up on this one:

[bruno@moo FC-6]$ cd ../F-7
[bruno@moo F-7]$ make tag
cvs tag -c hugin-0_6_1-11_fc7
cvs tag: Tagging .
T .cvsignore
T Makefile
T branch
T hugin-0.6.1-CVE-2007-5200.patch
T hugin.spec
T sources
Tagged with: hugin-0_6_1-11_fc7

[bruno@moo F-7]$ cd ../F-8/
[bruno@moo F-8]$ make tag
error: Macro %dist has empty body
error: Macro %dist has empty body
error: Macro % has illegal name (%define)
error: Macro % has illegal name (%define)
error: Macro %dist has empty body
error: Macro %dist has empty body
error: Macro % has illegal name (%define)
error: Macro % has illegal name (%define)
error: Macro %dist has empty body
error: Macro %dist has empty body
error: Macro % has illegal name (%define)
error: Macro % has illegal name (%define)
error: Macro %dist has empty body
error: Macro %dist has empty body
error: Macro % has illegal name (%define)
error: Macro % has illegal name (%define)
error: Macro %dist has empty body
error: Macro %dist has empty body
error: Macro % has illegal name (%define)
error: Macro % has illegal name (%define)
error: Macro %dist has empty body
error: Macro %dist has empty body
error: Macro % has illegal name (%define)
error: Macro % has illegal name (%define)
error: Macro %dist has empty body
error: Macro %dist has empty body
error: Macro % has illegal name (%define)
error: Macro % has illegal name (%define)
error: Macro %dist has empty body
error: Macro %dist has empty body
error: Macro % has illegal name (%define)
error: Macro % has illegal name (%define)
cvs tag -c hugin-0_6_1-11_fc7
ERROR: The tag hugin-0_6_1-11_fc7 is already applied on a different branch
ERROR: You can not forcibly move tags between branches
hugin-0_6_1-5_fc6:devel:bpostle:1174424717
hugin-0_6_1-5_fc5:FC-5:bpostle:1174425164
hugin-0_6_1-6_fc7:devel:bpostle:1174425968
hugin-0_6_1-6_fc5:FC-5:bpostle:1174425980
hugin-0_6_1-6_fc6:FC-6:bpostle:1174425991
hugin-0_6_1-7_fc7:F-7:bpostle:1187035915
hugin-0_6_1-7_fc8:devel:bpostle:1187035930
hugin-0_6_1-8_fc8:devel:bpostle:1187730420
hugin-0_6_1-9_fc8:devel:bpostle:1187814430
hugin-0_6_1-10_fc8:devel:bpostle:1194300775
hugin-0_6_1-10_fc7:F-8:bpostle:1194300791
hugin-0_6_1-11_fc6:FC-6:bpostle:1194301109
hugin-0_6_1-11_fc7:F-7:bpostle:1194301120
cvs tag: Pre-tag check failed
cvs [tag aborted]: correct the above errors first!
make: *** [tag] Error 1

Lubomir (lubomir-redhat-bugs) wrote:

Bruno: No idea what your issue was (you had up-to-date CVS checked out?), but
it seems like there were no changes to Makefiles. Anyways, thanks for the patch; I
was able to successfully tag and build all affected branches.

Fedora (fedora-redhat-bugs) wrote:

hugin-0.6.1-11.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.

Bruno (bruno-redhat-bugs) wrote:

(In reply to comment #7)
> Bruno: No idea what your issue was (you had up-to date CVS checked out?)

I hadn't updated 'common', this has happened to me before...

> I was able to successfully tag and build all affected branches.

Thanks, there was no wxGTK release, is bug #295521 local to my system only?

Lubomir (lubomir-redhat-bugs) wrote:

(In reply to comment #9)

> > I was able to successfully tag and build all affected branches.
> Thanks, there was no wxGTK release, is bug #295521 local to my system only?

Huh, I even forgot about that :) Anyways, as you can see, the package built.
That can mean that either some other build root change (gcc or whatever) solved
that, or it is really specific to your configuration. Which version do you run,
and are you completely up-to-date?

Bruno (bruno-redhat-bugs) wrote:

I am/was up to date, the system is x86_64. I can switch between the two wxGTK
packages and reproduce, though it looks like I need to try this in mock and
update the bug report as necessary.

Fedora (fedora-redhat-bugs) wrote:

hugin-0.6.1-11.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.

Changed in hugin:
assignee: nobody → shermann
status: New → In Progress
William Grant (wgrant)
Changed in hugin:
assignee: nobody → fujitsu
status: New → In Progress
assignee: nobody → shermann
status: New → In Progress
assignee: fujitsu → shermann
assignee: nobody → shermann
status: New → In Progress
William Grant (wgrant)
Changed in hugin:
assignee: shermann → fujitsu
William Grant (wgrant) wrote:

hugin (0.7~beta4-0ubuntu4) hardy; urgency=low

  * SECURITY UPDATE: overwriting of arbitrary files via symlink attack
    (LP: #162602)
  * src/Panorama/PTOptimise.cpp, src/hugin/AutoCtrlPointCreator.cpp:
    Remove insecure temporary file usage. Patch from Fedora.
  * References:
    CVE-2007-5200

 -- William Grant <email address hidden> Sun, 18 Nov 2007 16:22:20 +1100

Changed in hugin:
status: In Progress → Fix Released
Changed in hugin:
status: Unknown → Fix Released
Kees Cook (kees) wrote:

Thanks for the work on this. I've uploaded it to the security queue. Updates should be published shortly.

Changed in hugin:
status: In Progress → Fix Committed
status: In Progress → Fix Committed
status: In Progress → Fix Committed
Kees Cook (kees)
Changed in hugin:
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
Changed in hugin:
status: Unknown → New
Changed in hugin:
status: New → Fix Released
Changed in hugin (Fedora):
importance: Unknown → Medium