Details
Bug#: 3409
: Scilab software
: Scilab
Status: RESOLVED
Resolution: FIXED
Opened: 2008-08-27 15:13
: PC
: All OS
: 5.0 beta
: P5
: Critical
Last modified: 2008-11-07 10:09:30

Reproducibility: Every time
People
Reporter: Sylvestre LEDRU
Assigned To: super Administrator
Detailed description of the problem
There is a potential security issue in some of Scilab's scripts.

Reported in Debian by Dmitry E. Oboukhov:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496414

This message about the error concerns a few packages at once. I've
tested all the packages (for Lenny) on my Debian mirror. All scripts
of packages (marked as executable) were tested.

In some packages I've discovered scripts with errors which may be used
by a user for damaging important system files or user's files.

For example if a script uses in its work a temp file which is created
in /tmp directory, then every user can create a symlink with the same
name in this directory in order to destroy or rewrite some system
or user file. Symlink attack may also lead not only to the data
destruction but to denial of service as well.

Even if you create files or directories with help of function 'RANDOM'
or pid(), then your system is not protected. Attacker can create many
symlinks in order to destroy your data or create 'denial of service'
for your package scripts.

Even if you make rm(dir) for files/directories, then your system is
not protected. Attacker can permanently create symlinks.

This list is created with the help of script. This list is sorted by
hand. However, in some cases a mistake is possible.

Many programs are touched by this security issue. For example, fwbuilder has been fixed this way:
http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=10;filename=496411.patch;att=1;bug=496406
                    
Text of the scilab error message
                    
Steps to reproduce the bug
                    
------- Comment #1 From François VOGEL 2008-08-27 16:04:49 -------
Don't you think security bugs like this one should be hidden until fixed?
Use the box "Dev team"...

Francois
      
------- Comment #2 From Sylvestre LEDRU 2008-08-27 16:08:21 -------
This is already public on Debian's bug tracker and Debian's mailing list.

Anyway, it is only a critical problem in very specific issues.
      
------- Comment #3 From Sylvestre LEDRU 2008-09-10 14:28:04 -------
For Scilab 5, fixed in commit 27535
(btw this code is really crap)

For Scilab 4, fixed in the debian-science repository:
http://svn.debian.org/viewsvn/debian-science/packages/scilab/trunk/debian/patches/tmpdirsecurity.diff?rev=35206&view=markup
      
------- Comment #4 From Sylvestre LEDRU 2008-11-07 10:09:30 -------
Reported as CVE-2008-4983

http://www.security-database.com/detail.php?alert=CVE-2008-4983
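
The temp-file pattern described in the Debian report above, next to a hardened form, as an added example that is not part of the original bug report and is not the Scilab or Debian patch. The file names (`scilab-demo.*`, `important.conf`) and the sandbox layout are constructed, and everything runs inside a private `mktemp -d` directory.

```shell
#!/bin/sh
# Added illustration: predictable temp-file name vs. mktemp.
# All names are constructed; everything happens inside a private sandbox.

# Pattern from the report: name built from the PID, opened with ">",
# which follows a symlink already present under that name.
write_insecure() {    # $1 = temp directory, $2 = data to write
    tmp="$1/scilab-demo.$$"
    printf '%s\n' "$2" > "$tmp"
    printf '%s\n' "$tmp"
}

# Hardened form: mktemp picks an unpredictable name and creates the file
# exclusively with mode 0600, so it fails instead of following an existing link.
write_secure() {      # same arguments
    tmp=$(mktemp "$1/scilab-demo.XXXXXXXXXX") || return 1
    printf '%s\n' "$2" > "$tmp"
    printf '%s\n' "$tmp"
}

# Prints the content of the protected file after each variant has run.
demo() {
    sandbox=$(mktemp -d) || return 1
    mkdir "$sandbox/tmp"                      # stands in for /tmp
    victim="$sandbox/important.conf"          # stands in for a user file
    printf 'original\n' > "$victim"
    # Constructed stand-in for the pre-created link the report describes.
    ln -s "$victim" "$sandbox/tmp/scilab-demo.$$"

    write_insecure "$sandbox/tmp" "scratch" > /dev/null
    after_insecure=$(cat "$victim")

    printf 'original\n' > "$victim"
    write_secure "$sandbox/tmp" "scratch" > /dev/null
    after_secure=$(cat "$victim")

    rm -rf "$sandbox"
    printf '%s %s\n' "$after_insecure" "$after_secure"
}

demo
```

The first word printed is the protected file's content after the PID-based variant ran, the second after the `mktemp` variant.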
      
