Bug#496410: The possibility of attack with the help of symlinks in some Debian packages
severity 496410 important
thanks
On Sun, Aug 24, 2008 at 10:05:29PM +0400, Dmitry E. Oboukhov wrote:
> Package: cman
> Severity: grave
> Binary-package: cman (2.20080629-1)
> file: /usr/sbin/fence_egenera
The broken usage is:
local *egen_log;
open(egen_log,">/tmp/eglog");
[...]
print egen_log "shutdown: $trys $status\n";
[...]
print egen_log "shutdown: crash dump being performed. Waiting\n";
[...]
print egen_log "shutdown: $cmd being called, before open3\n";
[...]
print egen_log "shutdown: after calling open3\n";
[...]
print egen_log "shutdown: Open3 result: ", @outlines, "\n";
[...]
print egen_log "shutdown: Returning from pserver_shutdown with return code $rtrn\n";
This is, of course, wrong, and subject to symlink attack. However, I don't
see any way that this can be exploitable for privilege escalation, which is
the standard for 'grave' severity security bugs: it doesn't allow arbitrary
output to the file, only a finite set of strings which are not valid shell,
cron entries, password/shadow entries, or any other config file that I know
of.
So at best this appears to be a DoS symlink attack; therefore downgrading.
--
Steve Langasek
Debian Developer
Ubuntu Developer
slangasek@ubuntu.com, vorlon@debian.org
"Give me a lever long enough and a Free OS to set it on, and I can move the world."
http://www.debian.org/
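The pattern quoted above, a fixed predictable path opened with ">", is shown below beside a hardened form, as an added example that is not part of the bug report or of the cman package. It uses a private temporary directory and a constructed symlink named like the log; the names open_log_safely and open_log_tempfile are hypothetical, and O_NOFOLLOW is assumed to be available (Linux).

```perl
#!/usr/bin/perl
# Added example: hardened replacements for open(egen_log, ">/tmp/eglog").
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL O_NOFOLLOW);
use File::Temp qw(tempfile tempdir);

# Hardened open at a fixed path: create exclusively and never follow a
# symlink. If another local user has already planted a link at $path, the
# open fails with EEXIST instead of writing through it.
sub open_log_safely {
    my ($path) = @_;
    my $fh;
    sysopen($fh, $path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600)
        or die "refusing to open log $path: $!\n";
    return $fh;
}

# Preferred fix: an unpredictable name chosen by File::Temp, so there is no
# path for anyone to pre-create at all. Returns the handle and the name.
sub open_log_tempfile {
    my ($dir) = @_;
    return tempfile("eglog.XXXXXXXX", DIR => $dir, UNLINK => 0);
}

# Constructed scenario in a private directory (stands in for /tmp):
# a symlink named like the log already points at some other file.
my $dir    = tempdir(CLEANUP => 1);
my $target = "$dir/victim";   # whatever the planted link points at
my $log    = "$dir/eglog";    # stands in for /tmp/eglog
symlink($target, $log) or die "symlink: $!\n";

# Original pattern: '>' follows the link, creating/truncating $target.
open(my $bad, ">", $log) or die "open: $!\n";
print $bad "shutdown: after calling open3\n";
close $bad;
my $msg = (-e $target) ? "original open wrote through the link to $target\n"
                       : "original open did not touch $target\n";
print $msg;

# Hardened pattern: O_EXCL|O_NOFOLLOW refuses the pre-existing link.
my $safe = eval { open_log_safely($log) };
print $safe ? "hardened open unexpectedly succeeded\n"
            : "hardened open refused: $@";

# Tempfile pattern: no predictable name, nothing to plant in advance.
my ($fh, $name) = open_log_tempfile($dir);
print $fh "shutdown: Returning from pserver_shutdown with return code 0\n";
close $fh;
print "tempfile log written to $name\n";
```

The first open reports that $target was created through the link; the second dies with EEXIST, which is the failure a hardened fence script should log rather than silently write past.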