
Re: Possible mass bug filing: The possibility of attack with the help of symlinks in some Debian packages

On 13:45 Mon 11 Aug     , Joey Hess wrote:
JH> Dmitry E. Oboukhov wrote:
JH>>  os-prober_1.17                  os-prober                       /tmp/mounted-map (pipe)
JH>>                                                                  /tmp/raided-map  (pipe)

JH> os-prober writes to $OS_PROBER_TMP/{mounted-map.raided-map,etc}, which is created by:

JH> if [ -z "$OS_PROBER_TMP" ]; then
JH>     if type mktemp >/dev/null 2>&1; then
JH>         export OS_PROBER_TMP="$(mktemp -d /tmp/os-prober.XXXXXX)"
JH>     else
JH>         export OS_PROBER_TMP=/tmp
JH>     fi
JH> fi

package: os-prober_1.17_i386.deb
file: /usr/bin/os-prober

$ grep '/tmp/' bin/os-prober      
grep "^/dev/" /proc/mounts | parse_proc_mounts >/tmp/mounted-map || true
: >/tmp/raided-map
    grep "^md" /proc/mdstat | parse_proc_mdstat >/tmp/raided-map || true
    if grep -q "^$mapped" /tmp/raided-map ; then
    if ! grep -q "^$mapped " /tmp/mounted-map ; then
        mpoint=$(grep "^$mapped " /tmp/mounted-map | cut -d " " -f 2)
            type=$(grep "^$mapped " /tmp/mounted-map | cut -d " " -f 3)

Oldstable   1.04
Stable      1.17 - in my list :)
Testing     1.26
Unstable    1.27

The script writes /tmp/mounted-map and /tmp/raided-map via a pipe.

The new version (1.26) writes to $OS_PROBER_TMP/raided-map :)

JH> This use of mktemp -d should be secure.

JH> mktemp is a required package, so the insecure code path should only ever run inside
JH> a d-i environment, which has no non-root users.
... mpd is off

. ''`. Dmitry E. Oboukhov
: :’  : unera@debian.org
`. `~’ GPGKey: 1024D / F8E26537 2006-11-21
  `- 1B23 D4F8 8EC0 D902 0555  E438 AB8C 00CF F8E2 6537
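
Added example, not part of the original message and not os-prober's own code: the two write patterns compared in this thread, run against a symlink that already exists at the predictable name. A private sandbox directory stands in for a shared /tmp, and the names write_fixed, write_private and symlink_outcome are hypothetical.

```shell
#!/bin/sh
# Constructed demo. A private sandbox directory stands in for a shared /tmp;
# nothing outside it is touched.

# 1.17-style: redirect to a fixed, predictable name in the shared directory.
write_fixed() {                      # $1 = shared dir
    echo "/dev/sda1 / ext3" >"$1/mounted-map"
}

# 1.26-style: create a fresh 0700 directory with mktemp -d and write inside it.
write_private() {                    # $1 = shared dir; prints the new dir
    OS_PROBER_TMP="$(mktemp -d "$1/os-prober.XXXXXX")" || return 1
    echo "/dev/sda1 / ext3" >"$OS_PROBER_TMP/mounted-map"
    echo "$OS_PROBER_TMP"
}

# Pre-place a symlink at the predictable name, run one writer, and report
# whether the file the symlink points at was overwritten.
# $1 = writer function; prints "clobbered" or "intact".
symlink_outcome() {
    sandbox="$(mktemp -d)" || return 1
    mkdir "$sandbox/tmp" "$sandbox/home"
    echo "original contents" >"$sandbox/home/target"
    ln -s "$sandbox/home/target" "$sandbox/tmp/mounted-map"
    "$1" "$sandbox/tmp" >/dev/null
    if [ "$(cat "$sandbox/home/target")" = "original contents" ]; then
        result=intact
    else
        result=clobbered
    fi
    rm -rf "$sandbox"
    echo "$result"
}

echo "fixed /tmp name: $(symlink_outcome write_fixed)"
echo "mktemp -d dir:   $(symlink_outcome write_private)"
```

The redirection in write_fixed follows the existing symlink, so the file it points at is truncated and rewritten; write_private never opens the predictable name, because its file lives under a directory that did not exist before mktemp created it.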
