Re: Bug#496429: The possibility of attack with the help of symlinks in some Debian packages
On Sun, Aug 24, 2008 at 08:28:32PM +0100, Neil Williams wrote:
> > For example if a script uses in its work a temp file which is created
> > in /tmp directory, then every user can create symlink with the same
> > name in this directory in order to destroy or rewrite some system
> > or user file. Symlink attack may also lead not only to the data
> > destruction but to denial of service as well.
> Not when the use of /tmp is a *suggestion in a manpage* which just
> happens to be generated from POD content that is commonly embedded
> within perl scripts.
> =head1
> A more complex example using 'zenity' - a Gnome dialog generator.
> $ pilot-qof -x data.xml --invoice-city -t 2006-11-08 | dfxml-invoice - > /tmp/zenity
> zenity --text-info --title="2006-11-08" --filename=/tmp/zenity --width=500 --height=300
> =cut
> The program does not create this file, it does not rely on this file, it
> does not require any specific filename in /tmp and it does not write any
> data to /tmp unless the USER specifically pipes the STDOUT to a file and
> happens to use /tmp for that file.
Yes, this is definitely another false positive, which is very unfortunate.
However,
> If the user is dumb enough to pipe the output to a file that is a
> symlink to something more important *AND* which has sufficient
> permissions to be a problem, then that is not the fault of the package.
> It is an example, nothing more.
The example *is* wrong - the example given is never safe to run, because the
only way to verify beforehand that /tmp/zenity is not a symlink to something
more important is by first explicitly *creating* your file under /tmp
(non-destructively), then check that it's not a symlink, and *then* run
pilot-qof. Otherwise, there is always a race condition here between
checking for non-existence, and outputting to the file, that is exploitable
for some ill purpose.
--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://www.debian.org/
slangasek@ubuntu.com vorlon@debian.org
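
The following is an added example, not part of the original message or of the pilot-qof package. It shows, inside a private sandbox directory, that a redirect to a predictable name writes through a symlink that is already there, while creating the file first with `mktemp` does not. The names `safe_capture`, `demo`, `victim` and the `invoice.` prefix are assumptions made for the illustration, and `printf` stands in for the pilot-qof pipeline.

```shell
#!/bin/sh
# Added example: predictable temp name versus mktemp. All paths are constructed
# and live in a throwaway sandbox directory, not in the real /tmp.

# Create a fresh output file with an unpredictable name and write stdin to it.
# mktemp creates the file exclusively (O_CREAT|O_EXCL), so it never follows an
# existing symlink and never reuses a name that already exists.
safe_capture() {
    dir=${1:-${TMPDIR:-/tmp}}
    out=$(mktemp "$dir/invoice.XXXXXXXXXX") || return 1
    cat > "$out" || return 1
    printf '%s\n' "$out"
}

# "victim" stands in for any file the user is allowed to write;
# "$sandbox/zenity" stands in for the predictable /tmp/zenity of the manpage.
demo() {
    sandbox=$(mktemp -d) || return 1
    printf 'important data\n' > "$sandbox/victim"
    ln -s "$sandbox/victim" "$sandbox/zenity"   # already present before the user acts

    # Manpage-style redirect: the shell opens the link target and truncates it.
    printf 'invoice text\n' > "$sandbox/zenity"
    after_naive=$(cat "$sandbox/victim")

    # Restore the victim, then capture the same output through mktemp.
    printf 'important data\n' > "$sandbox/victim"
    out=$(printf 'invoice text\n' | safe_capture "$sandbox") || return 1
    after_safe=$(cat "$sandbox/victim")

    [ -L "$out" ] && is_link=yes || is_link=no
    # Fields: victim after naive redirect | victim after mktemp | symlink? | output
    printf '%s|%s|%s|%s\n' "$after_naive" "$after_safe" "$is_link" "$(cat "$out")"
    rm -rf "$sandbox"
}

demo
```

The path printed by `safe_capture` is what would then be passed to `zenity --filename=`; remove the file once it has been displayed.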