Bug#875415: predictable /tmp file vulnerability while building libreoffice
On Mon, Sep 11, 2017 at 10:55:39AM +0200, Helmut Grohne wrote:
> Source: libreoffice
> Version: 1:5.4.0-1
> Severity: important
> Tags: security upstream
>
> Looking at a sample build log
> (https://buildd.debian.org/status/fetch.php?pkg=libreoffice&arch=m68k&ver=1%3A5.4.1-1&stamp=1504466495&raw=0)
> one can see:
>
> | ... analyzing package list ...
> | ... creating log file /tmp/LibreOffice//logging/en-US/log_540_en-US.log
> | ... creating installation set in /tmp/LibreOffice//install/LibreOffice_5.4.1.2.0_Linux ...
> | ... removing old installation directories ...
>
> What looks like a predictable /tmp path turns out to be one:
>
> https://lists.freedesktop.org/archives/libreoffice/2017-August/078249.html
>
> Another local user may use this vulnerability to gain privileges of a
> user who is building libreoffice from source. I did not request a CVE
> for this issue.

JFTR, we don't treat these as security issues from jessie onwards since kernel
hardening renders these non-exploitable:
https://www.debian.org/releases/jessie/amd64/release-notes/ch-whats-new.en.html#security

Cheers,
Moritz
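
An added example, not part of either message or of the LibreOffice build scripts: a shell check that classifies the fixed path from the build log before a build writes to it, reports the link-protection sysctls, and creates a private work directory with mktemp -d instead. It assumes the kernel hardening mentioned in the reply is the fs.protected_symlinks / fs.protected_hardlinks pair; the function names and the lo-build prefix are hypothetical.

```shell
#!/bin/sh
# Added example (hypothetical helper names), not code from the bug report.

# Print a fs.* hardening sysctl value, or "unknown" if it cannot be read.
# Assumption: the hardening in question is protected_symlinks/protected_hardlinks.
sysctl_state() {
    f="/proc/sys/fs/$1"
    if [ -r "$f" ]; then cat "$f"; else echo unknown; fi
}

# Classify a path a build is about to use:
#   symlink  - is a symbolic link, writes would follow it elsewhere
#   absent   - does not exist yet, so whoever creates it first owns it
#   foreign  - exists but belongs to another user
#   writable - ours, but group- or world-writable
#   ok       - ours and not writable by anyone else
audit_path() {
    p=$1
    if [ -L "$p" ]; then echo symlink; return; fi
    if [ ! -e "$p" ]; then echo absent; return; fi
    mode=$(ls -ldn -- "$p" | awk '{print $1}')
    owner=$(ls -ldn -- "$p" | awk '{print $3}')
    if [ "$owner" != "$(id -u)" ]; then echo foreign; return; fi
    case $mode in
        ?????w*|????????w*) echo writable ;;  # group or other write bit set
        *) echo ok ;;
    esac
}

# Create an unpredictable work directory (mktemp -d makes it mode 0700)
# and print its name; use this in place of a fixed name under /tmp.
private_workdir() {
    mktemp -d "${TMPDIR:-/tmp}/lo-build.XXXXXXXXXX"
}

# Read-only report for the path seen in the build log quoted above.
echo "fs.protected_symlinks=$(sysctl_state protected_symlinks)"
echo "fs.protected_hardlinks=$(sysctl_state protected_hardlinks)"
echo "/tmp/LibreOffice: $(audit_path /tmp/LibreOffice)"
```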