Date: Fri, 7 Jan 2011 14:54:42 -0500 (EST) From: Josh Bressers <bressers@...hat.com> To: oss-security@...ts.openwall.com Cc: coley <coley@...re.org> Subject: Re: CVE Request - pimd - Insecure file creation in /var/tmp Please use CVE-2011-0007 Thanks. -- JB ----- Original Message ----- > We received this report recently: > > -- > > Hi! > > There is a simple security hole in pimd allowing a user to destroy any > file in the filesystem. On USR1, pimd will write to /var/tmp/pimd.dump > a dump of the multicast route table. Since /var/tmp is writable by any > user, a user can create a symlink to any file he wants to destroy with > the content of the multicast routing table. > > Attached is a simple patch that will instruct pimd to write the dump > to /var/lib/misc which is writable by root only and seems a valid > target according to the FHS (state files that don't need a > subdirectory). > > This patch may cause tools that were sending USR1 and waiting for a > /var/tmp/pimd.dump file fail. I don't have a solution for this. > > The patch also applies to /var/tmp/pimd.cache which is not implemented > yet but still creates the file when receiving USR2 signal. Despite its > name, this is also a state file, not a cache. The patch also just > drops the possibility to use /usr/tmp/pimd.dump based on some C > preprocessor conditions since I don't know if the preconditions would > work correctly on Debian/kFreeBSD.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ