Date: Wed, 22 Jan 2014 19:51:45 +0100
From: Helmut Grohne <helmut@...divi.de>
To: oss-security@...ts.openwall.com
Subject: Getting tempfile/mktemp wrong

Hi,

I (re?)discovered an entertaining way to introduce tmpfile
vulnerabilities while using the right tools (tempfile/mktemp). The
general pattern is:

TEMPFILE=`tempfile`.suffix

as opposed to

TEMPFILE=`tempfile --suffix .suffix`

An attacker can monitor /tmp using inotify, wait for the relevant file
to be created and can then quickly create the corresponding
tmpfile.suffix symbolic link to escalate privileges.

This can be found in:

1) localepurge
http://bugs.debian.org/736359
$ grep tempfile -r .
./debian/postrm:    DEBREINSTALL="$(tempfile).$$"
./debian/localepurge.config:TEMPFILE=$(tempfile).$$
./debian/localepurge.config:LOCALEGEN=$(tempfile).locale.gen
$
The localepurge package is Debian-specific. The relevant code runs at
installation time as root.

2) syncevolution
http://bugs.debian.org/736357
$ grep 'mktemp`\.' -r .
./src/syncevo/installcheck-local.sh:TMPFILE_CXX=`mktemp`.cxx
./src/syncevo/installcheck-local.sh:TMPFILE_O=`mktemp`.o
$
The relevant code is part of the upstream package and is executed at
build time.

3) axiom (packaging)
http://bugs.debian.org/736358
$ grep 'tempfile).' -r .
./debian/axiom-test.sh:k=$(tempfile).input
$
The relevant code is part of the Debian packaging (upstream axiom is not
affected). It can be used on Debian systems to run the test suite when
the relevant package is installed.

The Debian bug reports are the initial public mention of these
particular issues. Please assign CVE identifiers as needed.

Helmut
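The race described in the message, the `--suffix` fix, and the greps from the three reports combined into one audit, as an added shell example that is not part of Helmut's post or of any of the affected packages. The function names (demo_unsafe, safe_tmpfile, find_suffix_misuse, count_suffix_misuse), the victim file and the sample script tree are constructed for the demonstration; the attacker's move is played inline by the same user rather than from a second account, which is enough to show what the write through "$base.suffix" does.

```shell
#!/bin/sh
# Added example, not code from the post or from localepurge/syncevolution/axiom.
# All names below are hypothetical; sample inputs are constructed inline.

# 1) The unsafe pattern. mktemp creates $base with O_CREAT|O_EXCL, but the script
#    then uses "$base.suffix", a name it never created. Anyone who sees $base
#    appear (inotify on /tmp) can plant a symlink at "$base.suffix" before the
#    first write. Here the attacker's step is played inline; the "script output"
#    lands in $victim, which stands in for any file the attacker wants clobbered.
demo_unsafe() {
    victim=$(mktemp)
    printf 'original contents\n' > "$victim"
    base=$(mktemp)                          # this part is safe ...
    TEMPFILE="$base.suffix"                 # ... this derived name is not
    ln -s "$victim" "$TEMPFILE"             # attacker wins the race
    printf 'script output\n' > "$TEMPFILE"  # victim follows the symlink
    result=$(cat "$victim")
    rm -f "$victim" "$base" "$TEMPFILE"
    printf '%s\n' "$result"                 # "script output": $victim was overwritten
}

# 2) The fix: let mktemp create the final, suffixed name itself, so the path
#    never exists as a name nobody owns. --suffix is GNU coreutils; where it is
#    missing, fall back to a private 0700 directory from mktemp -d, inside which
#    no other user can plant a link.
safe_tmpfile() {
    suffix=$1
    if f=$(mktemp --suffix "$suffix" 2>/dev/null); then
        printf '%s\n' "$f"
    else
        d=$(mktemp -d)
        : > "$d/tmp$suffix"
        printf '%s\n' "$d/tmp$suffix"
    fi
}

# Check that safe_tmpfile yields a real regular file (not a symlink) whose name
# carries the requested suffix. Returns "1" on success, "0" otherwise.
safe_tmpfile_is_ok() {
    f=$(safe_tmpfile .suffix)
    ok=1
    [ -f "$f" ] && [ ! -L "$f" ] || ok=0
    case "$f" in *.suffix) ;; *) ok=0 ;; esac
    rm -f "$f"
    rmdir "$(dirname "$f")" 2>/dev/null || true   # only succeeds for the fallback dir
    printf '%s\n' "$ok"
}

# 3) Audit: the two greps from the post folded into one. Flags a backtick or $( )
#    result of tempfile/mktemp that is immediately followed by ".".
find_suffix_misuse() {
    grep -rEn '(tempfile|mktemp)[`)]\.' "$1" || true
}

# Run the audit over a constructed sample mirroring the three reported lines;
# the last line is the safe form and must not match.
count_suffix_misuse() {
    d=$(mktemp -d)
    cat > "$d/sample.sh" <<'EOF'
DEBREINSTALL="$(tempfile).$$"
TMPFILE_CXX=`mktemp`.cxx
k=$(tempfile).input
TEMPFILE=`tempfile --suffix .suffix`
EOF
    n=$(find_suffix_misuse "$d" | wc -l | tr -d ' ')
    rm -rf "$d"
    printf '%s\n' "$n"                      # 3
}
```

Two practical notes. First, appending ".$$" (as localepurge does) is no better than a fixed suffix: the PID is readable from /proc and the name is known as soon as the base file appears. Second, Linux kernels since 3.6 with fs.protected_symlinks=1 refuse to follow a symlink in a sticky, world-writable directory such as /tmp when the link's owner differs from both the follower and the directory owner, which blunts the cross-user version of this attack; the code is still wrong (hard links where fs.protected_hardlinks is off, non-sticky temp directories, other kernels), so fix the pattern rather than rely on the sysctl.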
