Re: Bug#496429: The possibility of attack with the help of symlinks in some Debian packages

To: debian-devel@lists.debian.org
Subject: Re: Bug#496429: The possibility of attack with the help of symlinks in some Debian packages
From: Steve Langasek <vorlon@debian.org>
Date: Sun, 24 Aug 2008 13:30:35 -0700
Message-id: <[🔎] 20080824203035.GK15585@dario.dodds.net>
Mail-followup-to: debian-devel@lists.debian.org
In-reply-to: <[🔎] 1219606112.5783.60.camel@holly.codehelp>
References: <E1KXJxw-0004Jg-Vg@nbw.dhome.lan> <[🔎] 1219606112.5783.60.camel@holly.codehelp>

On Sun, Aug 24, 2008 at 08:28:32PM +0100, Neil Williams wrote:
> > For example if a script uses in its work a temp file which is  created
> > in /tmp directory, then every user can create symlink  with  the  same
> > name in this directory in order to  destroy  or  rewrite  some  system
> > or user file.  Symlink attack may also  lead  not  only  to  the  data
> > desctruction but to denial of service as well.

> Not when the use of /tmp is a *suggestion in a manpage* which just
> happens to be generated from POD content that is commonly embedded
> within perl scripts.

> =head1
> A more complex example using 'zenity' - a Gnome dialog generator.

>  $ pilot-qof -x data.xml --invoice-city -t 2006-11-08 | dfxml-invoice -
> > /tmp/zenity
>   zenity --text-info --title="2006-11-08" --filename=/tmp/zenity
> --width=500 --height=300
> =cut

> The program does not create this file, it does not rely on this file, it
> does not require any specific filename in /tmp and it does not write any
> data to /tmp unless the USER specifically pipes the STDOUT to a file and
> happens to use /tmp for that file.

Yes, this is definitely another false positive, which is very unfortunate.

However,

> If the user is dumb enough to pipe the output to a file that is a
> symlink to something more important *AND* which has sufficient
> permissions to be a problem, then that is not the fault of the package.
> It is an example, nothing more.

The example *is* wrong - the example given is never safe to run, because the
only way to verify beforehand that /tmp/zenity is not a symlink to something
more important is by first explicitly *creating* your file funder /tmp
(non-destructively), then check that it's not a symlink, and *then* run
pilot-qof.  Otherwise, there is always a race condition here between
checking for non-existence, and outputting to the file, tha is exploitable
for some ill purpose.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org

Reply to:

Follow-Ups:
- Re: Bug#496429: The possibility of attack with the help of symlinks in some Debian packages
  - From: Neil Williams <codehelp@debian.org>
- Re: Bug#496429: The possibility of attack with the help of symlinks in some Debian packages
  - From: Russ Allbery <rra@debian.org>

References:
- Re: Bug#496429: The possibility of attack with the help of symlinks in some Debian packages
  - From: Neil Williams <codehelp@debian.org>

Prev by Date: Re: Bug#496386: The possibility of attack with the help of symlinks in some Debian packages
Next by Date: Re: Bug#496429: The possibility of attack with the help of symlinks in some Debian packages
Previous by thread: Re: Bug#496429: The possibility of attack with the help of symlinks in some Debian packages
Next by thread: Re: Bug#496429: The possibility of attack with the help of symlinks in some Debian packages
Index(es):
- Date
- Thread