Date: Tue, 29 Aug 2000 10:08:21 -0400
From: Peter W <peterw@USA.NET>
Subject: More Helix Code installation problems (go-gnome)
To: BUGTRAQ@SECURITYFOCUS.COM

--Product--

Helix Code Gnome "go-gnome" Web-based installation shell script.

--Background--

On Aug 19, Alan Cox disclosed problems with Helix Code's install tools. Helix Code promptly[0] announced fixes for their installer. Presumably this meant their compiled installer app, because their Web site still suggests using the Lynx-source-piped-to-sh hack that uses the "go-gnome" Bourne/awk/gzip script.[1]

--Problem--

Leaving aside, for now, the issues of using plaintext HTTP to pass data directly to a shell interpreter,[2] the "go-gnome" shell script[1] unsafely uses fairly predictable filenames in /tmp (for non-Debian distributions) and can be used to overwrite any file on the system that root can clobber with 'cat' if an attacker sets up a symbolic link (it could be done well in advance of go-gnome being run). I.e., on most boxes, every file is at risk.

Ironically, ftp://ftp.helixcode.com/helix/ suggests that Helix Code replaced go-gnome at the same time as the new, improved installer binary announced on Aug 20, yet it suffers the same sort of problems Helix Code claims to have fixed in the installer binary.[3]

--Workarounds--

1) Use the manual installation instructions at http://www.helixcode.com/desktop/instructions.php3?distribution=manual instead of go-gnome.
Since Helix Code does not GPG sign their packages, you may want to compare checksums with those listed in Helix Code's Aug 20th announcement.[3] Not that it buys you much, as there doesn't seem to be any checksum/signing information embedded in, or protecting, the XML package information files. But it's a start.

2) Apply the attached patch to the go-gnome script. This patch was developed against the 33308 byte go-gnome script available, as of this writing, at ftp://ftp.helixcode.com/helix/ & http://go-gnome.com/ (e.g. 'lynx -source http://go-gnome.com/ > /safe/path/go-gnome'). By the time you retrieve and patch the script, you're better off just using the manual installation instructions. See workaround #1.

--Vendor response--

While I've publicly written about this as early as June, I only emailed Helix Code last week about the problem, explaining the issue and providing the patch I have resent here. They have not so much as acknowledged my messages, let alone discussed the problem.

--But, isn't Helix Gnome still "Beta" code?--

Usually I'm among the first to gripe about "advisories" exposing problems in beta code. And Helix Code sometimes suggests their code is beta (the CDs I've seen are labeled "Preview Two"). But the Helix Code Web site boasts that their bits are "stable, up-to-date", and, more importantly, Linux mailing list traffic suggests that a *lot* of folks are trying Helix Code Gnome. And Nat & co. are getting their share of attention from the US media. So it's time for Helix Code to start taking security more seriously.

--Suggestions--

We've heard many arguments about why Microsoft Windows has historically been more vulnerable to viruses than Unix-like systems, and some boil down to the notion that Unix users know better. This argument weakens as Linux use expands to the non-geek crowd. One of the main goals (and an admirable one) of Helix Code is to make Unix and Linux desktops more usable.
But the lynx install hack trades security for a 30 second gain in installation speed. It encourages unsafe practices. If Helix Code's target audience is as new to computers as their site suggests ('Note that the | character above is the "pipe" symbol, obtained by pressing SHIFT-\ on most keyboards'[1]), then these are exactly the folks who should not be taught such risky parlor tricks.

IMO, Helix Code ought to completely stop providing and advocating the lynx hack. Tell people how to get the proper installer package. Show them how to use 'md5sum' to check the package integrity. Put download information on an https server. Start GPG signing your packages. Etc. Compared to the effort required to make a first-rate desktop environment (and the recent Helix Code Gnome apps I've seen do look very nice), the effort required to improve distribution and installation security is minimal. Safer systems & safer admins are more valuable than faster installs.

-Peter

[0] Not promptly after Alan emailed them, but after Alan publicly disclosed the problems.
[1] http://www.helixcode.com/desktop/instructions.php3?distribution=gognome
[2] There are many points where the `lynx -source http://go-gnome.com/` fetch could be subverted. An https:// server would at least authenticate the identity of "go-gnome.com" but, no.
<sigh>
[3] http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-08-15&msg=200008200739.DAA25668@trna.helixcode.com

[Attachment: go-gnome.patch]

--- go-gnome.sh.current	Thu Aug 24 21:41:23 2000
+++ go-gnome.sh	Thu Aug 24 21:53:40 2000
@@ -121,7 +121,7 @@
 }
 
 my_uudecode () {
-   _awkprog="/tmp/uudecode.$$.awk"
+   _awkprog="${TMPDIR}/uudecode.$$.awk"
    _uudecode_out=$1
 
    rm -f ${_uudecode_out}
@@ -554,7 +554,12 @@
 # The action starts here.
 #
 
-cd /tmp
+# Trust the user's TMPDIR. Though it might be safer to insist on a new, mode 0700 dir
+if [ -z "${TMPDIR}" ]; then
+	mkdir -m 0700 /tmp/helixcode.$$ || bail_error "Please run again. Unable to make safe tmp dir"
+	TMPDIR=/tmp/helixcode.$$
+fi
+cd ${TMPDIR} || bail_error "Cannot cd to ${TMPDIR}"
 
 #
 # Step 1
@@ -710,7 +715,7 @@
 
 echo -n "===> Extracting snarf..."
 
-SNARF="/tmp/snarf.$$"
+SNARF="${TMPDIR}/snarf.$$"
 if [ $? -ne 0 ]
 then
     bail_temp
@@ -728,6 +733,7 @@
 
 fi
 
+cd ${TMPDIR} || bail_error "Cannot cd to ${TMPDIR}"
 mv $SNARF $SNARF.gz
 ${_gunzip} $SNARF.gz
 chmod +x $SNARF
@@ -791,7 +797,7 @@
 
 echo -n "===> Fetching the main installation program; please be patient..."
 
-INSTALLER="/tmp/installer.$$"
+INSTALLER="${TMPDIR}/installer.$$"
 
 if [ $PROC = i686 -o $PROC = i586 -o $PROC = i486 -o $PROC = i386 ]
 then
@@ -817,6 +823,7 @@
 # Go, go, go!
 #
 
+cd ${TMPDIR} || bail_error "Cannot cd to ${TMPDIR}"
 mv -f $INSTALLER $INSTALLER.gz
 
 ${_gunzip} $INSTALLER.gz
@@ -829,5 +836,6 @@
 echo -n "===> Cleaning up temporary files..."
 rm -f $INSTALLER
 rm -f $SNARF
-rm -f /var/tmp/rpm-*
+echo "You may want to delete files in /var/tmp whose names begin with rpm-"
+#rm -f /var/tmp/rpm-*
 echo "done."
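Review bot: In the hunk at -121, `_awkprog="${TMPDIR}/uudecode.$$.awk"` depends on TMPDIR having been populated by the code the hunk at -554 adds; if my_uudecode is ever invoked before that point, or with TMPDIR still empty, the path collapses to `/uudecode.$$.awk` in the root directory, which is worse than the original `/tmp` location. Resolve TMPDIR once near the top of the script, or have my_uudecode call bail_error when `${TMPDIR}` is empty, and quote the expansion.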
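Review bot: In the hunk at -554, a pre-set TMPDIR is accepted without any check, so a user or root environment with TMPDIR=/tmp (or any other shared, world-writable directory) turns the fix into a no-op and the symlink attack the advisory describes still works; the private 0700 directory is only created when TMPDIR is empty, as the added comment itself admits. Either always create the private directory (treating TMPDIR only as its parent), or at least verify before the `cd` that the supplied directory is owned by the invoking user and not group/world-writable. `cd ${TMPDIR}` is also unquoted, as are the later `${TMPDIR}/...` expansions, so a value containing whitespace breaks the script. The primitive chosen is the right one, though: `mkdir -m 0700 /tmp/helixcode.$$ || bail_error` cannot be redirected by a planted symlink, because mkdir does not follow symlinks and fails on any existing entry, so a guessed name only aborts the run.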
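Review bot: In the hunk at -710, the `if [ $? -ne 0 ]` directly after `SNARF="${TMPDIR}/snarf.$$"` tests the exit status of a variable assignment, which is always 0, so the `bail_temp` branch is dead code; this is pre-existing, but since the patch rewrites that line it is the moment to move the check after whatever command actually produces $SNARF, or drop it. With the file now under a private directory the `$$` suffix is acceptable, but `$SNARF` should still be quoted where it is used.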
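Review bot: In the hunk at -728, the added `cd ${TMPDIR}` changes nothing for the three commands that follow, since `$SNARF` is now an absolute path under `${TMPDIR}`; if it is there to protect relative invocations further down (e.g. running the extracted snarf as `./snarf`), a comment saying so would help the next reader, and the expansion should be quoted like the rest.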
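Review bot: In the hunk at -829, cleanup removes $INSTALLER and $SNARF but never removes the `/tmp/helixcode.$$` directory that the hunk at -554 creates, so every run that took the `-z "${TMPDIR}"` branch leaves a 0700 directory behind in /tmp. Record whether the script created TMPDIR and `rmdir` (or `rm -rf`) it here. Replacing the blanket `rm -f /var/tmp/rpm-*` with an echo is reasonable: a root-run script should not delete files in a shared directory that it did not create, and the commented-out line documents why.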
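The attack described in the --Problem-- section, as an added example that is neither Helix Code's go-gnome script nor the patch above: an attacker who can write to the shared tmp directory pre-creates a symlink at the name the installer will use, and the installer's `>` redirection (like `cat > file`) follows it into the victim file. The same script shows the mkdir-based fix the patch relies on, and goes one step further by always creating the private directory rather than trusting a pre-set TMPDIR. Everything runs as the invoking user inside a throwaway sandbox from `mktemp -d`; the tmp directory, the victim file and the PID guess 4242 are constructed for the demonstration.

```shell
#!/bin/sh
# Added example; not Helix Code's go-gnome and not Peter W's patch.
# Reproduces the /tmp symlink attack inside a throwaway sandbox (no real
# files touched, no root needed) and shows the mkdir-based fix. The names,
# the fake PID 4242 and the "victim" file are all constructed for the demo.

# Attacker: plant a symlink at the name the installer is about to use.
# Needs only write access to the shared tmp dir plus a guess at the $$ suffix.
plant_symlink() {           # plant_symlink <tmpdir> <name> <target>
    ln -s "$3" "$1/$2"
}

# Vulnerable pattern (as in the unpatched go-gnome): fixed directory, name
# derived from $$, written with '>'. The open(2) behind '>' follows the
# symlink, so the write lands in the attacker's chosen target.
vulnerable_write() {        # vulnerable_write <tmpdir> <pid> <payload>
    printf '%s\n' "$3" > "$1/snarf.$2"
}

# Hardened pattern: create a fresh mode-0700 directory first and bail if that
# fails. mkdir(2) never follows symlinks and returns EEXIST for any existing
# entry, so a planted name aborts the run instead of redirecting the write.
# Prints the path of the file written on success.
safe_write() {              # safe_write <tmpdir> <pid> <payload>
    _dir="$1/helixcode.$2"
    if ! mkdir -m 0700 "$_dir" 2>/dev/null; then
        echo "refusing to use $_dir: already exists (planted?)" >&2
        return 1
    fi
    printf '%s\n' "$3" > "$_dir/snarf.$2"
    echo "$_dir/snarf.$2"
}

# Run both patterns against a planted symlink in a sandbox. Returns 0 only if
# the vulnerable write clobbered the victim and the safe one refused to.
demo() {
    _sb=$(mktemp -d) || return 2
    _tmp="$_sb/tmp"
    mkdir "$_tmp"
    _victim="$_sb/victim"         # stands in for a root-owned file
    _pid=4242                     # the attacker's guess at the installer's $$

    printf 'original\n' > "$_victim"
    plant_symlink "$_tmp" "snarf.$_pid" "$_victim"
    vulnerable_write "$_tmp" "$_pid" "OWNED"
    _after_vuln=$(cat "$_victim")

    printf 'original\n' > "$_victim"
    plant_symlink "$_tmp" "helixcode.$_pid" "$_victim"
    if safe_write "$_tmp" "$_pid" "OWNED" >/dev/null; then
        _safe_refused=no
    else
        _safe_refused=yes
    fi
    _after_safe=$(cat "$_victim")

    rm -rf "$_sb"
    echo "vulnerable write left victim as: $_after_vuln"
    echo "safe write refused: $_safe_refused; victim now: $_after_safe"
    [ "$_after_vuln" = "OWNED" ] && [ "$_safe_refused" = "yes" ] && [ "$_after_safe" = "original" ]
}

demo
```

The point of the fix is the primitive, not the secrecy of the name: `$$` stays guessable, but a directory created with `mkdir -m 0700` is either freshly yours or the call fails, and nothing else in the shared directory is ever opened. On a system where `mktemp -d` is available, `TMPDIR=$(mktemp -d) || exit 1` gives the same guarantee with an unpredictable name as well.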