Re: Possible mass bug filing: The possibility of attack with the help of symlinks in some Debian packages
Ivan Jager wrote:
> qemu-make-debian-root will continue running even if mkdir failed.
Dmitry said the script has -e set - if so the script will not continue running if mkdir failed (unless it somehow overrides the -e check, e.g. mkdir /tmp/file || true).
> Also, assuming qemu-make-debian-root is running with PID 1234, an
> attacker is free to change the /tmp/mount.1234 symlink during the
> execution of the script. If /tmp/mount.1234 is linked to /etc/, the
> script will mount the freshly created filesystem image on top of /etc,
> making a lot of programs very sad.
I don't think these attacks are possible if the script aborts when mkdir
fails. mkdir won't succeed if there is a symlink.
> An attacker could then change the symlink such that debootstrap will
> install anywhere he wants. (which may allow him to overwrite some
> files, but I haven't looked closely at debootstrap.)
In any case, doing something better would be good because it means an
attacker can't run a denial-of-service type attack and prevent the
script from running.
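The behaviour the two posters are arguing about can be reproduced in a throwaway directory. The script below is an added example, not code from the thread or from qemu-make-debian-root itself; it assumes only a POSIX shell with `mktemp`, and uses a sandbox directory (constructed here) in place of the real /tmp and a constructed `etc` subdirectory in place of the link target. It shows that `mkdir` on a path already occupied by a symlink fails (so a script with `-e` set stops there), that ignoring that failure lets later writes land in the link target, and what the predictable-name pattern looks like when replaced by `mktemp -d` plus a not-a-symlink check.

```shell
#!/bin/sh
# Added example (not from the thread): the /tmp/mount.$PID pattern and its
# hardened form, exercised inside a sandbox so nothing under /tmp is touched.

SANDBOX=$(mktemp -d)          # stands in for /tmp (constructed)
TARGET="$SANDBOX/etc"         # stands in for the directory a planted link points at
mkdir "$TARGET"

# Pattern under discussion: a predictable name derived from the PID.
# Returns 0 if the directory was created, non-zero if mkdir refused
# (e.g. because a symlink already sits at that path). Under `set -e`
# a non-zero return here aborts the whole script.
predictable_mkdir() {
    mkdir "$SANDBOX/mount.$1" 2>/dev/null
}

# Simulates a link already sitting at the predictable path (constructed).
plant_symlink() {
    ln -s "$TARGET" "$SANDBOX/mount.$1"
}

# Hardened replacement: let mktemp pick an unpredictable name, then verify
# the result is a real directory and not a symlink before using it.
# Prints the directory path on success, returns 1 otherwise.
safe_mkdir() {
    d=$(mktemp -d "$SANDBOX/mount.XXXXXX") || return 1
    [ -d "$d" ] && [ ! -L "$d" ] || return 1
    printf '%s\n' "$d"
}

# Remove the sandbox when finished (not called automatically so the
# results below can be inspected first).
cleanup() {
    rm -rf "$SANDBOX"
}

# 1. With a link planted, mkdir fails: a script using `set -e` stops here.
plant_symlink 1234
if predictable_mkdir 1234; then mkdir_status=0; else mkdir_status=1; fi

# 2. If the failure is ignored, a write to the "created" path follows the
#    link into the target directory. This is why the mkdir result matters.
touch "$SANDBOX/mount.1234/marker"
if [ -e "$TARGET/marker" ]; then followed_link=1; else followed_link=0; fi

# 3. The safe variant yields a fresh directory distinct from the planted link.
SAFE_DIR=$(safe_mkdir)

echo "mkdir on planted link failed: $mkdir_status"
echo "write through link reached target: $followed_link"
echo "safe directory: $SAFE_DIR"
```

Run it as a normal user; `cleanup` removes the sandbox afterwards. Note that the hardened variant fixes the predictable name and the missing check, but a script that later mounts or deboostraps into that directory still needs the directory's ownership verified and the path never re-resolved through a user-writable parent.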