Details
Bug # 3409: There is a potential security issue in some of Scilab's scripts. Reported in
Status: RESOLVED FIXED
Product: Scilab software
Classification: Unclassified
Component: Unsorted
 
Reported: 2008-08-27 15:13 CEST by Sylvestre LEDRU
Modified: 2015-10-08 20:44 CEST (History)
: PC
: All OS
: 5.0 through 5.3.x
: (field not used) Critical

People
Reporter: Sylvestre LEDRU
Assigned To: Admin Bugzilla

Detailed description of the problem
-- Bug description --


There is a potential security issue in some of Scilab's scripts.

Reported in Debian by Dmitry E. Oboukhov:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496414

This message about the error concerns a few packages at once. I've
tested all the packages (for Lenny) on my Debian mirror. All scripts
of packages (marked as executable) were tested.

In some packages I've discovered scripts with errors which may be used
by a user for damaging important system files or user's files.

For example if a script uses in its work a temp file which is created
in /tmp directory, then every user can create symlink with the same
name in this directory in order to destroy or rewrite some system
or user file. Symlink attack may also lead not only to the data
destruction but to denial of service as well.

Even if you create files or directories with help of function 'RANDOM'
or pid(), then your system is not protected. Attacker can create many
symlinks in order to destroy your data or create 'denial of service'
for your package scripts.

Even if you make rm(dir) for files/directories, then your system is
not protected. Attacker can permanently create symlinks.

This list is created with the help of script. This list is sorted by
hand. However in some cases mistake is possible.

Many programs are touched by this security issue. For example, fwbuilder has been fixed this way:
http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=10;filename=496411.patch;att=1;bug=496406


-- Scilab error message --





-- How to reproduce the bug --



Attachments

Comments
Comment 1 François VOGEL 2008-08-27 16:04:49 CEST
Don't you think security bugs like this one should be hidden until fixed?
Use the box "Dev team"...

Francois
Comment 2 Sylvestre LEDRU 2008-08-27 16:08:21 CEST
This is already public on the Debian's bug tracker and Debian's mailing list.

Anyway, it is only a critical problem in very specific issues.
Comment 3 Sylvestre LEDRU 2008-09-10 14:28:04 CEST
For Scilab 5, fixed in commit 27535
(btw this code is really crap)

For Scilab 4, fixed in the debian-science repository:
http://svn.debian.org/viewsvn/debian-science/packages/scilab/trunk/debian/patches/tmpdirsecurity.diff?rev=35206&view=markup
Comment 4 Sylvestre LEDRU 2008-11-07 10:09:30 CET
Reported as CVE-2008-4983

http://www.security-database.com/detail.php?alert=CVE-2008-4983
Comment 5 Francois Granade 2015-10-08 20:44:43 CEST
(originally entered in version "5.0 beta")
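
The temp-file symlink problem described in the bug report, shown as an added example that is not part of the original report, of Scilab's scripts, or of the Debian patch: a predictable PID-based name beside a `mktemp -d` replacement. The file name `scilab_tmp.$$`, the function names and the sandbox layout are constructed for illustration; the sandbox directory stands in for a shared `/tmp`.

```shell
#!/bin/sh
# Vulnerable pattern: the name is predictable (fixed prefix + PID) and '>'
# follows whatever already exists at that path, including a symlink.
unsafe_write() {
    tmp="$1/scilab_tmp.$$"            # hypothetical file name
    echo "scratch" > "$tmp"
}

# Hardened pattern: mktemp -d atomically creates a new mode-0700 directory
# with an unpredictable name and fails rather than reuse an existing path.
# Files created inside it cannot be pre-planted by another user.
safe_write() {
    work=$(mktemp -d "$1/scilab.XXXXXXXX") || return 1
    echo "scratch" > "$work/data"
    printf '%s\n' "$work"
}

# Constructed test bed: $sandbox plays the role of the shared temp directory,
# $sandbox/victim the role of a file the script's user is able to overwrite.
# Prints the victim file's content after the chosen writer has run.
run_demo() {
    writer=$1
    sandbox=$(mktemp -d) || return 1
    echo "important" > "$sandbox/victim"
    # Symlink already present at the predictable name before the script runs.
    ln -s "$sandbox/victim" "$sandbox/scilab_tmp.$$"
    "$writer" "$sandbox" > /dev/null
    result=$(cat "$sandbox/victim")
    rm -rf "$sandbox"
    printf '%s\n' "$result"
}

echo "unsafe_write: victim contains '$(run_demo unsafe_write)'"
echo "safe_write:   victim contains '$(run_demo safe_write)'"
```

A script using the hardened form would normally also register `trap 'rm -rf "$work"' EXIT` so the private directory is removed when it finishes.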