Date:         Tue, 29 Aug 2000 10:08:21 -0400
From: Peter W <peterw@USA.NET>
Subject:      More Helix Code installation problems (go-gnome)
To: BUGTRAQ@SECURITYFOCUS.COM

 --Product--

Helix Code Gnome "go-gnome" Web-based installation shell script.

 --Background--

On Aug 19, Alan Cox disclosed problems with Helix Code's install tools.
Helix Code promptly[0] announced fixes for their installer. Presumably
this meant their compiled installer app, because their Web site still
suggests using the Lynx-source-piped-to-sh hack that uses the "go-gnome"
Bourne/awk/gzip script.[1]

 --Problem--

Leaving aside, for now, the issues of using plaintext HTTP to pass data
directly to a shell interpreter,[2] the "go-gnome" shell script[1]
unsafely uses fairly predictable filenames in /tmp (for non-Debian
distributions) and can be used to overwrite any file on the system that
root can clobber with 'cat' if an attacker sets up a symbolic link (it
could be done well in advance of go-gnome being run). I.e., on most boxes,
every file is at risk. Ironically, ftp://ftp.helixcode.com/helix/ suggests
that Helix Code replaced go-gnome at the same time as the new, improved
installer binary announced on Aug 20, yet it suffers the same sort of
problems Helix Code claims to have fixed in the installer binary.[3]
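To make the point concrete, here is an added example (not the go-gnome script itself, and not Helix Code's code) showing the temp-file pattern the advisory warns about beside the one that avoids it: a private directory created by mktemp, plus noclobber writes that refuse to follow a pre-planted symlink. All function names are hypothetical.

```sh
#!/bin/sh
# Added example, not the go-gnome script: how a Bourne-shell installer
# avoids the predictable-/tmp-name symlink problem. Function names are
# hypothetical.

# The pattern to avoid: a name built from a fixed prefix and $$ is easy
# to guess, and anyone can pre-create it (or a symlink at it) long
# before the script runs.
unsafe_tmpname() {
    echo "/tmp/go-gnome.$$"
}

# Safer: let mktemp create a fresh, randomly named directory (u+rwx
# only). mktemp creates it exclusively, so a symlink planted at that
# path in advance would make creation fail rather than be followed.
make_workdir() {
    _dir=$(mktemp -d "${TMPDIR:-/tmp}/gnome-install.XXXXXX") || return 1
    # Belt and braces: it must be a real directory, not a symlink.
    if [ -L "$_dir" ] || [ ! -d "$_dir" ]; then
        rm -rf "$_dir"
        return 1
    fi
    printf '%s\n' "$_dir"
}

# Write a file without clobbering anything already at the path. With
# 'set -C' (noclobber) the shell refuses '>' on an existing file, and
# that check follows symlinks, so a link planted at the target cannot
# redirect the write onto some other file.
safe_write() {
    _target=$1
    _content=$2
    ( set -C; printf '%s\n' "$_content" > "$_target" ) 2>/dev/null
}

# Run a command with the private work directory appended as its last
# argument, and remove the directory afterwards even if the command fails.
with_workdir() {
    _wd=$(make_workdir) || return 1
    "$@" "$_wd"
    _rc=$?
    rm -rf "$_wd"
    return $_rc
}
```

Everything the installer unpacks or writes should live under the directory returned by make_workdir; the noclobber write is a second line of defence for any path the script cannot guarantee it created itself.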

 --Workarounds--

1) Use the manual installation instructions at
   http://www.helixcode.com/desktop/instructions.php3?distribution=manual
   instead of go-gnome. Since Helix Code does not GPG sign their packages,
   you may want to compare checksums with those listed in Helix Code's Aug
   20th announcement.[3] Not that it buys you much, as there doesn't seem
   to be any checksum/signing information embedded in, or protecting, the
   XML package information files. But it's a start.

2) Apply the attached patch to the go-gnome script. This patch
   was developed against the 33308 byte go-gnome script available, as of
   this writing, at ftp://ftp.helixcode.com/helix/ & http://go-gnome.com/
   (e.g. 'lynx -source http://go-gnome.com/ > /safe/path/go-gnome')
   By the time you retrieve and patch the script, you're better off just
   using the manual installation instructions. See workaround #1.

 --Vendor response--

While I've publicly written about this as early as June, I only emailed
Helix Code last week about the problem, explaining the issue, and
providing the patch I have resent here. They have not so much as
acknowledged my messages, let alone discussed the problem.

 --But, isn't Helix Gnome still "Beta" code?--

Usually I'm among the first to gripe about "advisories" exposing problems
in beta code. And Helix Code sometimes suggests their code is beta (the
CDs I've seen are labeled "Preview Two"). But the Helix Code Web site
boasts that their bits are "stable, up-to-date", and, more importantly,
Linux mailing list traffic suggests that a *lot* of folks are trying Helix
Code Gnome. And Nat & co. are getting their share of attention by the US
media. So it's time for Helix Code to start taking security more
seriously.

 --Suggestions--

We've heard many arguments about why Microsoft Windows has historically
been more vulnerable to viruses than Unix-like systems, and some boil down
to the notion that Unix users know better. This argument weakens as Linux
use expands to the non-geek crowd. One of the main goals (and an admirable
one) of Helix Code is to make Unix and Linux desktops more usable. But the
lynx install hack trades security for a 30 second gain in installation
speed. It encourages unsafe practices. If Helix Code's target audience is
as new to computers as their site suggests ('Note that the | character
above is the "pipe" symbol, obtained by pressing SHIFT-\ on most
keyboards'[1]), then these are exactly the folks who should not be taught
such risky parlor tricks.

IMO, Helix Code ought to completely stop providing and advocating the lynx
hack. Tell people how to get the proper installer package. Show them how
to use 'md5sum' to check the package integrity. Put download information
on an https server. Start GPG signing your packages. Etc. Compared to the
effort required to make a first-rate desktop environment (and the recent
Helix Code Gnome apps I've seen do look very nice), the effort required to
improve distribution and installation security is minimal.
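As an added example covering both workaround #1 and the md5sum suggestion above (this is not Helix Code's code; function names are hypothetical), here is the check-before-install step a downloader can run against a digest published out of band, such as the ones in the Aug 20th announcement:

```sh
#!/bin/sh
# Added example, not Helix Code's code: refuse to install a downloaded
# package unless its MD5 digest matches a value published separately.
# Function names are hypothetical.

# Print the MD5 digest of a file, using whichever tool the host has.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# Succeed only if the file's digest equals the expected one. The
# comparison is case-insensitive, so a digest copied in upper case
# from an announcement still matches.
verify_checksum() {
    _expected=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    _actual=$(file_md5 "$1") || return 1
    [ "$_actual" = "$_expected" ]
}

# Run the install command (rpm -i, dpkg -i, ...) only after the
# checksum verifies; on a mismatch report which file failed and do
# nothing else.
run_if_verified() {
    _file=$1
    _digest=$2
    shift 2
    if ! verify_checksum "$_file" "$_digest"; then
        printf 'checksum mismatch for %s, refusing to install\n' "$_file" >&2
        return 1
    fi
    "$@"
}
```

Usage: `run_if_verified helix-gnome.rpm <digest from announcement> rpm -i helix-gnome.rpm`. A digest fetched over the same unauthenticated channel as the package proves little, which is why the digest should come from a separately obtained announcement and, better still, why the packages should be signed.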

Safer systems & safer admins are more valuable than faster installs.

-Peter


[0] Not promptly after Alan emailed them, but after Alan publicly
    disclosed the problems.

[1]
http://www.helixcode.com/desktop/instructions.php3?distribution=gognome

[2] There are many points where the `lynx -source http://go-gnome.com/`
    fetch could be subverted. An https:// server would at least
    authenticate the identity of "go-gnome.com" but, no. <sigh>

[3] http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-08-15&msg=200008200739.DAA25668@trna.helixcode.com

[Attachment: go-gnome.patch (base64-encoded; contents not included here)]