[16448] in bugtraq
More Helix Code installation problems (go-gnome)
daemon@ATHENA.MIT.EDU (peterw@usa.net)
Wed Aug 30 17:28:13 2000
Message-ID: <C125694B.00265C7A.00@gbmta01.inet.nl.abnamro.com>
Date: Tue, 29 Aug 2000 14:08:21 +0000
Reply-To: peterw@usa.net
From: peterw@usa.net
To: BUGTRAQ@SECURITYFOCUS.COM
--Product--
Helix Code Gnome "go-gnome" Web-based installation shell script.
--Background--
On Aug 19, Alan Cox disclosed problems with Helix Code's install tools.
Helix Code promptly[0] announced fixes for their installer. Presumably
this meant their compiled installer app, because their Web site still
suggests using the Lynx-source-piped-to-sh hack that uses the "go-gnome"
Bourne/awk/gzip script.[1]
--Problem--
Leaving aside, for now, the issues of using plaintext HTTP to pass data
directly to a shell interpreter,[2] the "go-gnome" shell script[1]
unsafely uses fairly predictable filenames in /tmp (for non-Debian
distributions) and can be used to overwrite any file on the system that
root can clobber with 'cat' if an attacker sets up a symbolic link (it
could be done well in advance of go-gnome being run). I.e., on most boxes,
every file is at risk. Ironically, ftp://ftp.helixcode.com/helix/ suggests
that Helix Code replaced go-gnome at the same time as the new, improved
installer binary announced on Aug 20, yet it suffers the same sort of
problems Helix Code claims to have fixed in the installer binary.[3]
--Workarounds--
1) Use the manual installation instructions at
http://www.helixcode.com/desktop/instructions.php3?distribution=manual
instead of go-gnome. Since Helix Code does not GPG sign their packages,
you may want to compare checksums with those listed in Helix Code's Aug
20th announcement.[3] Not that it buys you much, as there doesn't seem
to be any checksum/signing information embedded in, or protecting, the
XML package information files. But it's a start.
2) Apply the attached patch to the go-gnome script. This patch
was developed against the 33308 byte go-gnome script available, as of
this writing, at ftp://ftp.helixcode.com/helix/ & http://go-gnome.com/
(e.g. 'lynx -source http://go-gnome.com/ > /safe/path/go-gnome')
By the time you retrieve and patch the script, you're better off just
using the manual installation instructions. See workaround #1.
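The defect described above (a fixed, guessable path under /tmp written with a plain `cat >` redirection, so that a symlink planted ahead of time redirects the write to any file root can clobber) is avoided by creating a private scratch directory atomically and refusing to write through pre-existing paths. The following is an added example of that defensive pattern for a Bourne-shell installer; it is not the go-gnome script or the attached patch, and the directory template `go-gnome.XXXXXX` and the function names are illustrative assumptions.

```shell
#!/bin/sh
# Hardened temp-file handling for a shell installer (added example, not
# the go-gnome script or its patch). Assumes mktemp(1) and POSIX sh
# with 'set -C' (noclobber) are available.

# Create a private, unpredictable scratch directory and print its path.
# mktemp -d creates the directory atomically with mode 0700, so nothing
# can pre-create it or plant a symlink at that name beforehand.
make_scratch_dir() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/go-gnome.XXXXXX") || return 1
    printf '%s\n' "$dir"
}

# Copy stdin to "$1" only if nothing already exists at that path.
# The -L test gives a clear message for a planted symlink; the real guard
# is 'set -C', which makes '>' create the file with O_EXCL and fail on any
# existing path (file or symlink) instead of truncating whatever it points at.
safe_write() {
    target=$1
    if [ -L "$target" ]; then
        echo "refusing to write through symlink: $target" >&2
        return 2
    fi
    ( set -C; cat > "$target" ) 2>/dev/null || {
        echo "refusing to clobber existing path: $target" >&2
        return 3
    }
    return 0
}
```

An installer using these helpers downloads into `$(make_scratch_dir)` and writes every intermediate file with `safe_write`, so a symlink parked in /tmp beforehand causes a refused write rather than a clobbered system file.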
--Vendor response--
While I've publicly written about this as early as June, I only emailed
Helix Code last week about the problem, explaining the issue, and
providing the patch I have resent here. They have not so much as
acknowledged my messages, let alone discussed the problem.
--But, isn't Helix Gnome still "Beta" code?--
Usually I'm among the first to gripe about "advisories" exposing problems
in beta code. And Helix Code sometimes suggests their code is beta (the
CDs I've seen are labeled "Preview Two"). But the Helix Code Web site
boasts that their bits are "stable, up-to-date", and, more importantly,
Linux mailing list traffic suggests that a *lot* of folks are trying Helix
Code Gnome. And Nat & co. are getting their share of attention by the US
media. So it's time for Helix Code to start taking security more
seriously.
--Suggestions--
We've heard many arguments about why Microsoft Windows has historically
been more vulnerable to viruses than Unix-like systems, and some boil down
to the notion that Unix users know better. This argument weakens as Linux
use expands to the non-geek crowd. One of the main goals (and an admirable
one) of Helix Code is to make Unix and Linux desktops more usable. But the
lynx install hack trades security for a 30 second gain in installation
speed. It encourages unsafe practices. If Helix Code's target audience is
as new to computers as their site suggests ('Note that the | character
above is the "pipe" symbol, obtained by pressing SHIFT-\ on most
keyboards'[1]), then these are exactly the folks who should not be taught
such risky parlor tricks.
IMO, Helix Code ought to completely stop providing and advocating the lynx
hack. Tell people how to get the proper installer package. Show them how
to use 'md5sum' to check the package integrity. Put download information
on an https server. Start GPG signing your packages. Etc. Compared to the
effort required to make a first-rate desktop environment (and the recent
Helix Code Gnome apps I've seen do look very nice), the effort required to
improve distribution and installation security is minimal.
Safer systems & safer admins are more valuable than faster installs.
-Peter
[0] Not promptly after Alan emailed them, but after Alan publicly
disclosed the problems.
[1] http://www.helixcode.com/desktop/instructions.php3?distribution=gognome
[2] There are many points where the `lynx -source http://go-gnome.com/`
fetch could be subverted. An https:// server would at least
authenticate the identity of "go-gnome.com" but, no. <sigh>
[3] http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-08-15&msg=200008200739.DAA25668@trna.helixcode.com
[Attachment: go-gnome.patch]