Date: Fri, 7 Jan 2011 11:20:33 +0000
From: Steve Kemp <steve@...ve.org.uk>
To: oss-security@...ts.openwall.com
Subject: CVE Request - pimd - Insecure file creation in /var/tmp


  We received this report recently:

-- 

Hi!

There is a simple security hole in pimd allowing a user to destroy any
file in the filesystem. On USR1, pimd will write to /var/tmp/pimd.dump
a dump of the multicast route table. Since /var/tmp is writable by any
user, a user can create a symlink to any file he wants to destroy with
the content of the multicast routing table.

Attached is a simple patch that will instruct pimd to write the dump
to /var/lib/misc which is writable by root only and seems a valid
target according to the FHS (state files that don't need a
subdirectory).

This patch may cause tools that were sending USR1 and waiting for a
/var/tmp/pimd.dump file to fail. I don't have a solution for this.

The patch also applies to /var/tmp/pimd.cache which is not implemented
yet but still creates the file when receiving USR2 signal. Despite its
name, this is also a state file, not a cache. The patch also just
drops the possibility to use /usr/tmp/pimd.dump based on some C
preprocessor conditions since I don't know if the preconditions would
work correctly on Debian/kFreeBSD.



diff -Naur pimd-2.1.5/pathnames.h pimd-2.1.5-patched/pathnames.h
--- pimd-2.1.5/pathnames.h	2011-01-03 09:28:27.000000000 +0100
+++ pimd-2.1.5-patched/pathnames.h	2011-01-05 23:17:29.598581558 +0100
@@ -40,13 +40,7 @@
 #define __PIMD_PATHNAMES_H__
 
 #define _PATH_PIMD_CONF         "/etc/pimd.conf"
-
-#if (defined(BSD) && (BSD >= 199103)) || defined(__linux__)
-#define _PATH_PIMD_DUMP         "/var/tmp/pimd.dump"
-#define _PATH_PIMD_CACHE        "/var/tmp/pimd.cache"
-#else  /* Really old system ... */
-#define _PATH_PIMD_DUMP         "/usr/tmp/pimd.dump"
-#define _PATH_PIMD_CACHE        "/usr/tmp/pimd.cache"
-#endif
+#define _PATH_PIMD_DUMP         "/var/lib/misc/pimd.dump"
+#define _PATH_PIMD_CACHE        "/var/lib/misc/pimd.cache"
 
 #endif /* __PIMD_PATHNAMES_H__ */
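
Review bot: In pathnames.h the fix rests entirely on the permissions of /var/lib/misc. The new `_PATH_PIMD_DUMP` and `_PATH_PIMD_CACHE` values only move the files, so on a system where that directory is missing or writable by other users the dump is either lost or exposed to the same symlink problem. Dropping the `#if ... #else ... #endif` block also hardcodes the path for every platform the old conditional covered. Suggest wrapping both defines in `#ifndef` so packagers can override the location at build time, and hardening the code that opens these paths (not part of this patch) so it refuses to follow a symlink or reuse an existing file.
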
diff -Naur pimd-2.1.5/pimd.8 pimd-2.1.5-patched/pimd.8
--- pimd-2.1.5/pimd.8	2011-01-03 09:28:27.000000000 +0100
+++ pimd-2.1.5-patched/pimd.8	2011-01-05 23:18:18.781100239 +0100
@@ -327,12 +327,12 @@
 The same as TERM.
 .It USR1
 Dumps the internal state of VIFs and multicast routing tables to
-.Pa /var/tmp/pimd.dump .
+.Pa /var/lib/misc/pimd.dump .
 See also the --show-routes option above.
 .\" Not implemented yet, still TODO
 .\" .It USR2
 .\" Dumps the internal cache tables to
-.\" .Pa /var/tmp/pimd.cache .
+.\" .Pa /var/lib/misc/pimd.cache .
 .\" Also not implemented yet, TODO
 .\" .It QUIT
 .\" Dumps the internal routing tables to stderr (only if
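
Review bot: The USR1 entry now names `/var/lib/misc/pimd.dump` with no mention that the location changed, and the report says tools that send USR1 and then wait for `/var/tmp/pimd.dump` may fail. Suggest one extra sentence under `.It USR1` stating that earlier versions wrote to /var/tmp, so operators know to update scripts that read the old path.
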
@@ -346,10 +346,10 @@
 .Pa /var/run/pimd.pid
 upon startup.
 .Sh FILES
-.Bl -tag -width /var/tmp/pimd.cache -compact
+.Bl -tag -width /var/lib/misc/pimd.cache -compact
 .It Pa /etc/pimd.conf
-.\" .It Pa /var/tmp/pimd.cache
-.It Pa /var/tmp/pimd.dump
+.\" .It Pa /var/lib/misc/pimd.cache
+.It Pa /var/lib/misc/pimd.dump
 .It Pa /var/run/pimd.pid
 .El
 .Sh SEE ALSO
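
Review bot: In the FILES list, `.It Pa /var/lib/misc/pimd.cache` stays commented out, while the report says the daemon still creates that file on USR2. Either list the file here as created but unused, or stop creating it until the feature exists, so the man page matches what ends up on disk.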
