Bug#225692: dpkg: Allows users to stash away vulnerable versions of setuid binaries
Package: dpkg
Version: 1.9.21
Severity: grave
Tags: security
See http://lists.jammed.com/ISN/2003/12/0056.html
Users can make hard links to root-owned setuid binaries in the usual
partitioning configurations, so unlinking them is not a reliable way
to get rid of them.
With the current dpkg behaviour it's not enough to upgrade the package
before malicious local users get their hands on the exploit, since they
can stash the binary away and wait for an exploit to become available.
I think a fix for this might be to open() the binary, unlink() it,
and then use fchmod() to remove the setuid and setgid bits.
(Optionally check the link count to see if someone is trying this
and print a warning.)
truncate() is out since running copies of the binaries
won't like it, and a normal chmod() would be racy...
-- System Information:
Debian Release: 3.0
Architecture: i386
Kernel: Linux fabulous 2.6.0 #2 Sun Dec 21 10:27:12 EET 2003 i686
Locale: LANG=C, LC_CTYPE=fi_FI
Versions of packages dpkg depends on:
ii libc6 2.3.2.ds1-10 GNU C Library: Shared libraries an
ii libncurses5 5.3.20030719-2 Shared libraries for terminal hand
ii libstdc++2.10-glibc2.2 1:2.95.4-15 The GNU stdc++ library
-- no debconf information