[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#496429: The possibility of attack with the help of symlinks in some Debian packages

On Sun, Aug 24, 2008 at 08:28:32PM +0100, Neil Williams wrote:
> > For example if a script uses in its work a temp file which is  created
> > in /tmp directory, then every user can create symlink  with  the  same
> > name in this directory in order to  destroy  or  rewrite  some  system
> > or user file.  Symlink attack may also  lead  not  only  to  the  data
> > desctruction but to denial of service as well.

> Not when the use of /tmp is a *suggestion in a manpage* which just
> happens to be generated from POD content that is commonly embedded
> within perl scripts.

> =head1
> A more complex example using 'zenity' - a Gnome dialog generator.

>  $ pilot-qof -x data.xml --invoice-city -t 2006-11-08 | dfxml-invoice -
> > /tmp/zenity
>   zenity --text-info --title="2006-11-08" --filename=/tmp/zenity
> --width=500 --height=300
> =cut

> The program does not create this file, it does not rely on this file, it
> does not require any specific filename in /tmp and it does not write any
> data to /tmp unless the USER specifically pipes the STDOUT to a file and
> happens to use /tmp for that file.

Yes, this is definitely another false positive, which is very unfortunate.


> If the user is dumb enough to pipe the output to a file that is a
> symlink to something more important *AND* which has sufficient
> permissions to be a problem, then that is not the fault of the package.
> It is an example, nothing more.

The example *is* wrong - the example given is never safe to run, because the
only way to verify beforehand that /tmp/zenity is not a symlink to something
more important is by first explicitly *creating* your file funder /tmp
(non-destructively), then check that it's not a symlink, and *then* run
pilot-qof.  Otherwise, there is always a race condition here between
checking for non-existence, and outputting to the file, tha is exploitable
for some ill purpose.

Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org

Reply to: