oss-sec mailing list archives
Re: gajim insecure file creation when using latex
From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 10 Apr 2012 13:49:06 -0600
On 04/09/2012 09:43 PM, Nico Golde wrote:
> Hi,
> Gajim seems to support latex in instant messages. This is implemented by dumping the content to a .tex template on disk and converting the result to an image. To prevent security problems, it is at least checking the input for dangerous latex commands such as \input (as far as I can see nothing is missing from this list). However, it fails to create this temporary file in a secure manner:
>
> From src/common/latex.py:
>
>     def get_tmpfile_name():
>         random.seed()
>         int_ = random.randint(0, 100)
>         return os.path.join(gettempdir(), 'gajimtex_' + int_.__str__())

Sigh. And this is why people should use mkstemp(). Please use CVE-2012-2093 for this issue.

> ...
>
>     def latex_to_image(str_):
>         result = None
>         exitcode = 0
>
>         try:
>             bg_str, fg_str = gajim.interface.get_bg_fg_colors()
>         except:
>             # interface may not be available when we test latex at startup
>             bg_str, fg_str = 'rgb 1.0 1.0 1.0', 'rgb 0.0 0.0 0.0'
>
>         # filter latex code with bad commands
>         if check_blacklist(str_):
>             # we triggered the blacklist, immediately return None
>             return None
>
>         tmpfile = get_tmpfile_name()
>
>         # build latex string
>         write_latex(os.path.join(tmpfile + '.tex'), str_)
>
> and finally:
>
>     def write_latex(filename, str_):
>         texstr = '\\documentclass[12pt]{article}\\usepackage[dvips]{graphicx}'
>         texstr += '\\usepackage{amsmath}\\usepackage{amssymb}'
>         texstr += '\\pagestyle{empty}'
>         texstr += '\\begin{document}\\begin{large}\\begin{gather*}'
>         texstr += str_
>         texstr += '\\end{gather*}\\end{large}\\end{document}'
>
>         file_ = open(filename, "w+")
>         file_.write(texstr)
>         file_.flush()
>         file_.close()
>
> I think this is of pretty minor severity, even though it still allows a local attacker to overwrite files the victim has write access to with latex content by using symlinks, if latex IMs are used.
>
> Cheers
> Nico
--
Kurt Seifried
Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
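A hardened replacement for the quoted get_tmpfile_name()/write_latex(), added here as an example and not gajim's own code: it uses mkstemp() as Kurt suggests, plus an explicit O_CREAT|O_EXCL open to show why a pre-placed symlink is refused rather than followed. It assumes a POSIX system (the 0600 mode check applies there) and that the caller removes the file once the image has been rendered.

```python
import os
import tempfile

# Same template as the quoted write_latex(); only the file creation differs.
TEX_HEADER = ('\\documentclass[12pt]{article}\\usepackage[dvips]{graphicx}'
              '\\usepackage{amsmath}\\usepackage{amssymb}\\pagestyle{empty}'
              '\\begin{document}\\begin{large}\\begin{gather*}')
TEX_FOOTER = '\\end{gather*}\\end{large}\\end{document}'

def open_new_tex(path):
    # O_CREAT|O_EXCL fails if the name is already taken, a symlink included,
    # instead of following it as open(filename, "w+") in the quoted
    # write_latex() does; mode 0600 keeps other local users out of the file.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    return os.fdopen(fd, 'w')

def write_latex_secure(str_):
    # mkstemp() draws the name from a large random space (not 0..100) and
    # creates the file atomically with O_EXCL and mode 0600, so a pre-placed
    # symlink cannot redirect the write.  Caller unlinks it after rendering.
    fd, path = tempfile.mkstemp(prefix='gajimtex_', suffix='.tex')
    with os.fdopen(fd, 'w') as file_:
        file_.write(TEX_HEADER + str_ + TEX_FOOTER)
    return path

def inspect_tex_file(path):
    # Return (permission bits, contents) of a written file, then remove it.
    mode = os.stat(path).st_mode & 0o777
    with open(path) as file_:
        content = file_.read()
    os.unlink(path)
    return mode, content

def exclusive_create_is_enforced():
    # Self-check: a second exclusive create of the same path must be refused.
    workdir = tempfile.mkdtemp(prefix='gajimtex_')
    path = os.path.join(workdir, 'probe.tex')
    open_new_tex(path).close()
    try:
        open_new_tex(path)
        refused = False
    except OSError:
        refused = True
    os.unlink(path)
    os.rmdir(workdir)
    return refused
```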