Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Fri, 7 Jan 2011 14:54:42 -0500 (EST)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Cc: coley <coley@...re.org>
Subject: Re: CVE Request - pimd - Insecure file creation in
 /var/tmp

Please use CVE-2011-0007

Thanks.

-- 
    JB

----- Original Message -----
> We received this report recently:
> 
> --
> 
> Hi!
> 
> There is a simple security hole in pimd allowing a user to destroy any
> file in the filesystem. On USR1, pimd will write to /var/tmp/pimd.dump
> a dump of the multicast route table. Since /var/tmp is writable by any
> user, a user can create a symlink to any file he wants to destroy with
> the content of the multicast routing table.
> 
> Attached is a simple patch that will instruct pimd to write the dump
> to /var/lib/misc which is writable by root only and seems a valid
> target according to the FHS (state files that don't need a
> subdirectory).
> 
> This patch may cause tools that were sending USR1 and waiting for a
> /var/tmp/pimd.dump file fail. I don't have a solution for this.
> 
> The patch also applies to /var/tmp/pimd.cache which is not implemented
> yet but still creates the file when receiving USR2 signal. Despite its
> name, this is also a state file, not a cache. The patch also just
> drops the possibility to use /usr/tmp/pimd.dump based on some C
> preprocessor conditions since I don't know if the preconditions would
> work correctly on Debian/kFreeBSD.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.