[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: CVE-2008-5378: possible symlink attacks


when I started manitaining arb I noticed that the program might crash
under some seldom occurrences.  To enable the users to start cleanly
another instance I enhanced the scripts provided by upstream which
basically parse a file containing the PIDs of the main arb processes.
These files are stored under


  ARBDB/adcomm.c:    sprintf(filename,"/tmp/arb_pids_%s_%s",user,arb_pid);
  SH/arb_fastdnaml:/bin/echo "$sig $$ \c" >>/tmp/arb_pids_${USER}_${ARB_PID}

These files are parsed in the following scripts provided by upstream:

$ grep -R arb_pids_ * | grep -v -e "\.c:" -e "debian" -e "echo"
SH/arb_clean:   pidfiles=/tmp/arb_pids_$USER_*
SH/arb_clean:   pidfiles=/tmp/arb_pids_${USER}_${ARB_PID}
SH/arb_panic:if [ ! -f /tmp/arb_pids_${USER}_${ARB_PID} ]; then
SH/arb_panic:for i in `cat /tmp/arb_pids_${USER}_${ARB_PID}`; do

These are most probably volunarable as well as arb_kill[1] which is
"a working version" of arb_kill basically.  After quite good experiences
with recent versions of arb the issue of arb_kill became void and I
could simply drop this script to fix CVE-2008-5378 - but this would not
solve the problem with the scripts provided by upstream.

Currently I see two options:

  1. Do not install arb_{clean,panic} any more in the binary package
     and advise the user in the docs what to do in case of a problem.
  2. Make the temp file save against symlink attacks.  The question
     I have for this case which should probably be prefered is: How
     can I savely teach an independent script about the PIDs of a
     crashed program that should be stopped.  I think random file names
     will not really work here or do I miss something?

Kind regards


[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5378


Reply to: