
Possible mass bug filing: The possibility of attack with the help of symlinks in some Debian packages



Package: mplayer nws ppp twiki
Severity: grave
Tags: security

This message about the error concerns a few packages at once. I've
tested all the packages on my Debian mirror. (post|pre)(inst|rm) and
config scripts were tested.

In some packages I've discovered scripts with errors which may be used
by a user for damaging important system files.

For example, if a script uses in its work a temp file which is created
in the /tmp directory, then every user can create a symlink with the same
name in this directory in order to destroy or rewrite some system
file.

I set Severity to grave for this bug. The table of discovered
problems is below.

+------------------+-----------------+----------------------------------
|    package       |  script         | file for attack
+------------------+-----------------+----------------------------------
| mplayer-1.0~rc2  |  config         | /tmp/HACK (pipe)
|                  |                 |
| nws-2.13         |  postinst       | /tmp/nws.debug (cp)
|                  |                 |
| ppp-2.4.4rel     |  postinst       | /tmp/probe-finished (rm -f, pipe)
|                  |  postinst       | /tmp/ppp-errors (rm -f, pipe)
|   ppp-udeb       |  /etc/ppp/ip-up | /tmp/resolv.conf.tmp (cp)
|                  |                 |
| twiki-4.1.2      |  postinst       | /tmp/twiki  (chmod 1777, chown)
+------------------+-----------------+----------------------------------
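
The kind of check the message describes, looking through (post|pre)(inst|rm) and config scripts for fixed file names under /tmp, can be sketched as below. This is an added example, not part of the original message and not the reporter's own test method. The `*.postinst`-style file names follow the layout of /var/lib/dpkg/info; the `demo-*` scripts and the `probe` command inside them are constructed sample input.

```shell
#!/bin/sh
# Added example (not from the original post). Lists lines in Debian maintainer
# scripts that use a fixed file name under /tmp. Output: file:line:text.
# Returns 0 when at least one such line is found, 1 when none is.
# Comment lines and lines that go through mktemp/tempfile are skipped.
scan_maint_scripts() {
    find "$1" -type f \( -name '*.preinst' -o -name '*.postinst' \
            -o -name '*.prerm' -o -name '*.postrm' -o -name '*.config' \) \
            -exec grep -nH -E '/tmp/[A-Za-z0-9._-]+' {} + |
        grep -v -E '^[^:]*:[0-9]+:[[:space:]]*#' |
        grep -v -E '^[^:]*:[0-9]+:.*(mktemp|tempfile)'
}

# Constructed sample input: one script with the flawed pattern, one hardened.
make_sample() {
    cat > "$1/demo-bad.postinst" <<'EOF'
#!/bin/sh
# fixed, predictable name in a world-writable directory
probe > /tmp/demo-errors 2>&1
rm -f /tmp/demo-errors
EOF
    cat > "$1/demo-good.postinst" <<'EOF'
#!/bin/sh
# unpredictable name, created atomically with mode 0600
errs=$(mktemp /tmp/demo.XXXXXX) || exit 1
trap 'rm -f "$errs"' EXIT
probe > "$errs" 2>&1
EOF
}

demo_dir=$(mktemp -d) || exit 1
make_sample "$demo_dir"
scan_maint_scripts "$demo_dir" || echo "no fixed /tmp names found"
rm -rf "$demo_dir"
```

A hit is a candidate for review, not a confirmed flaw; the usual fix is the `mktemp` pattern shown in the hardened sample script.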

