Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Fri, 7 Jan 2011 14:54:42 -0500 (EST)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Cc: coley <coley@...re.org>
Subject: Re: CVE Request - pimd - Insecure file creation in
 /var/tmp

Please use CVE-2011-0007

Thanks.

-- 
    JB

----- Original Message -----
> We received this report recently:
> 
> --
> 
> Hi!
> 
> There is a simple security hole in pimd allowing a user to destroy any
> file in the filesystem. On USR1, pimd will write to /var/tmp/pimd.dump
> a dump of the multicast route table. Since /var/tmp is writable by any
> user, a user can create a symlink to any file he wants to destroy with
> the content of the multicast routing table.
> 
> Attached is a simple patch that will instruct pimd to write the dump
> to /var/lib/misc which is writable by root only and seems a valid
> target according to the FHS (state files that don't need a
> subdirectory).
> 
> This patch may cause tools that were sending USR1 and waiting for a
> /var/tmp/pimd.dump file fail. I don't have a solution for this.
> 
> The patch also applies to /var/tmp/pimd.cache which is not implemented
> yet but still creates the file when receiving USR2 signal. Despite its
> name, this is also a state file, not a cache. The patch also just
> drops the possibility to use /usr/tmp/pimd.dump based on some C
> preprocessor conditions since I don't know if the preconditions would
> work correctly on Debian/kFreeBSD.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ