Re: gajim insecure file creation when using latex

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/09/2012 09:43 PM, Nico Golde wrote:
> Hi, Gajim seems to support latex in instant messages. This is
> implemented by dumping the content to a .tex template on disk and
> converting the result to an image. To prevent security problems, it
> is at least checking the input for dangerous latex commands such as
> \input (as far as I can see nothing is missing from this list).
>
> However, it fails to create this temporary file in a secure
> manner: From src/common/latex.py: 60 def get_tmpfile_name(): 61
> random.seed() 62         int_ = random.randint(0, 100) 63
> return os.path.join(gettempdir(), 'gajimtex_' + int_.__str__())

Sigh. And this is why people should use mkstemp().

Please use CVE-2012-2093 for this issue.



> ... 113 def latex_to_image(str_): 114         result = None 115
> exitcode = 0 116 117         try: 118                 bg_str,
> fg_str = gajim.interface.get_bg_fg_colors() 119         except: 120
> # interface may not be available when we test latext at startup 121
> bg_str, fg_str = 'rgb 1.0 1.0 1.0', 'rgb 0.0 0.0 0.0' 122 123
> # filter latex code with bad commands 124         if
> check_blacklist(str_): 125                 # we triggered the
> blacklist, immediately return None 126                 return None 
> 127 128         tmpfile = get_tmpfile_name() 130         # build
> latex string 131         write_latex(os.path.join(tmpfile +
> '.tex'), str_) and finally: 65 def write_latex(filename, str_): 66
> texstr =
> '\\documentclass[12pt]{article}\\usepackage[dvips]{graphicx}' 67
> texstr += '\\usepackage{amsmath}\\usepackage{amssymb}' 68
> texstr += '\\pagestyle{empty}' 69         texstr +=
> '\\begin{document}\\begin{large}\\begin{gather*}' 70         texstr
> += str_ 71         texstr +=
> '\\end{gather*}\\end{large}\\end{document}' 72 73         file_ =
> open(filename, "w+") 74         file_.write(texstr) 75
> file_.flush() 76         file_.close()
>
> I think this is of pretty minor severity even though it still
> allows a local attacker to overwrite files the victim has write
> access to with latex content by using symlinks and latex IMs are
> used.
>
> Cheers Nico


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJPhI6yAAoJEBYNRVNeJnmTcD0P/ie/UZf1YOcIesLhQgjsUQq1
hCV3oQIJKVykwxObjbgpFtT9wgpcgk2zmSU2YL8hE4+uvroCTDVMT4Y9pbt1/7/8
uREQydl1svEOkWMJU72ScN9Op+wAEkz0bFLtKh6AmVqGddlfVAo1vQm9+r3A693l
xtqcVOIte5Fbi8LbpkU5KAo4J1jVoMRJyTYT1j4Qi31TcaZVXs+VvgNIWjnX3bV1
RmrBd8mkttNiGPY2r3/g2UYQtQb4w/hjaYhu6mC+foKnuxN+wsqgTS6sXOadf+Wc
bdLz2OENPkcicCHIa5yJpw5cGoc5IBgTl4IUyEKzJ8LVWQuDRb89yEmgG/wxcNnW
lhjmw29bT17oUuyTgjO/nDXrCEq71g/LHYLcYXPOvGpLK1xjYDqsciSha0nSUlq6
Qg7BoMlpj8WUWo5nml+eQ+2ErFoY7Fla9Ir61HgOG5KaJ/kq3N8PvBbeNWvX6E0v
w8WnBEihLKc05E4WFbZqu84EMTNtnh/zwnkStY9ZeY49Rs30fAIM5YOJHwac9zKy
ByB5y4ueEqPmQvp14axruIyae0Sv03HrtuJD7Nm4KsZj1wZRnmlCqTBvlOGEDgdW
O/mvUM7mNiqhQ2vl4BkqcZac2vf3z3ndz2cjILvJPMY0eE7WfpdkOjKDS+hpsRAZ
NqBB0+dfoRMLw8OLwY+n
=Yfv4
-----END PGP SIGNATURE-----