
Re: CVE-2008-5378: possible symlink attacks



Hi,

when I started maintaining arb I noticed that the program might crash
under some rare circumstances.  To enable users to cleanly start
another instance I enhanced the scripts provided by upstream, which
basically parse a file containing the PIDs of the main arb processes.
These files are stored under

    /tmp/arb_pids_${USER}_${ARB_PID}

Code:
  ARBDB/adcomm.c:    sprintf(filename,"/tmp/arb_pids_%s_%s",user,arb_pid);
  SH/arb_fastdnaml:/bin/echo "$sig $$ \c" >>/tmp/arb_pids_${USER}_${ARB_PID}

These files are parsed in the following scripts provided by upstream:

$ grep -R arb_pids_ * | grep -v -e "\.c:" -e "debian" -e "echo"
SH/arb_clean:   pidfiles=/tmp/arb_pids_$USER_*
SH/arb_clean:   pidfiles=/tmp/arb_pids_${USER}_${ARB_PID}
SH/arb_panic:chooser="/tmp/arb_pids_${USER}_*"
SH/arb_panic:if [ ! -f /tmp/arb_pids_${USER}_${ARB_PID} ]; then
SH/arb_panic:for i in `cat /tmp/arb_pids_${USER}_${ARB_PID}`; do

These are most probably vulnerable as well as arb_kill[1] which is
"a working version" of arb_kill basically.  After quite good experiences
with recent versions of arb the issue of arb_kill became void and I
could simply drop this script to fix CVE-2008-5378 - but this would not
solve the problem with the scripts provided by upstream.

Currently I see two options:

  1. Do not install arb_{clean,panic} any more in the binary package
     and advise the user in the docs what to do in case of a problem.
  2. Make the temp file safe against symlink attacks.  The question
     I have for this case, which should probably be preferred, is: how
     can I safely teach an independent script about the PIDs of a
     crashed program that should be stopped?  I think random file names
     will not really work here, or am I missing something?

Kind regards

       Andreas.

[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5378

--
http://fam-tille.de
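The question in option 2 is how a separate script can learn the PIDs of a crashed instance without trusting a predictable name in world-writable /tmp. Below is an added example (not ARB's code, not from this thread) of the usual pattern: a private per-user directory created with mkdir instead of a file in /tmp, a refusal to follow symlinks, and strict validation of every field read back before it can reach kill. It assumes Linux with GNU coreutils (`stat -c`); ARB_RUNDIR and the arb_* function names are hypothetical.

```shell
#!/bin/sh
# Added example, not ARB's own code. Assumes Linux with GNU coreutils
# (stat -c). ARB_RUNDIR and the arb_* function names are hypothetical.
set -u

# Private per-user directory for pid files. mkdir is atomic and fails if
# anything, including a planted symlink, already exists at that path, so
# the race that makes /tmp/arb_pids_$USER_* attackable cannot occur here.
arb_rundir() {
    dir="${ARB_RUNDIR:-${TMPDIR:-/tmp}/arb_$(id -u)}"
    [ -e "$dir" ] || [ -L "$dir" ] || mkdir -m 0700 "$dir" || return 1
    # Whatever is there now must be a real directory, ours, mode 0700.
    [ ! -L "$dir" ] && [ -d "$dir" ] || return 1
    [ "$(stat -c '%u %a' "$dir")" = "$(id -u) 700" ] || return 1
    printf '%s\n' "$dir"
}

# Path of the pid file for one arb instance; ARB_PID must be numeric so it
# cannot smuggle a "/" or ".." into the path.
arb_pid_file() {   # usage: arb_pid_file ARB_PID
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    dir=$(arb_rundir) || return 1
    printf '%s/pids_%s\n' "$dir" "$1"
}

# Replacement for: /bin/echo "$sig $$ \c" >>/tmp/arb_pids_${USER}_${ARB_PID}
arb_record_pid() {   # usage: arb_record_pid ARB_PID SIG PID
    f=$(arb_pid_file "$1") || return 1
    [ ! -L "$f" ] || return 1     # never follow a symlink when appending
    printf '%s %s\n' "$2" "$3" >> "$f"
}

# Replacement for: for i in `cat /tmp/arb_pids_${USER}_${ARB_PID}`; do ...
# Prints validated "SIG PID" lines; a malformed file is rejected outright,
# so nothing from it can ever reach a later kill(1) unchecked.
arb_read_pids() {   # usage: arb_read_pids ARB_PID
    f=$(arb_pid_file "$1") || return 1
    [ -f "$f" ] && [ ! -L "$f" ] || return 1
    while read -r sig pid rest; do
        [ -z "$rest" ] || return 1
        case $sig in ''|*[!0-9A-Z]*) return 1 ;; esac
        case $pid in ''|*[!0-9]*) return 1 ;; esac
        printf '%s %s\n' "$sig" "$pid"
    done < "$f"
}
```

Because the directory is 0700 and owned by the caller, only that user can create entries in it, which is what removes the symlink race rather than any randomisation of the file name.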
