Bug#496410: The possibility of attack with the help of symlinks in some Debian packages
Hi,
It looks like there are some more tempfile creation problems in the
redhat-cluster source package.
1) In rgmanager/src/daemons/main.c (line 707):

    void
    dump_internal_state(char *loc)
    {
        FILE *fp;

        /* fixed path, no O_EXCL: follows whatever already sits at loc */
        fp=fopen(loc, "w+");
        dump_config_version(fp);
        dump_threads(fp);
        dump_vf_states(fp);
    #ifdef WRAP_THREADS
        dump_thread_states(fp);
    #endif
        dump_cluster_ctx(fp);
        //malloc_dump_table(fp, 1, 16384); /* Only works if alloc.c us used */
        fclose(fp);
    }
    ...
    dump_internal_state("/tmp/rgmanager-dump");
This file is part of the binary clurgmgrd (package rgmanager) which is run as
root.
2) In gfs2/edit/savemeta.c (line 27):

    #define DFT_SAVE_FILE "/tmp/gfsmeta"
    ...
    if (!out_fn)
        out_fn = DFT_SAVE_FILE;
    /* O_CREAT without O_EXCL: an existing file or symlink is opened and truncated */
    out_fd = open(out_fn, O_RDWR | O_CREAT, 0644);
    if (out_fd < 0)
        die("Can't open %s: %s\n", out_fn, strerror(errno));
    if (ftruncate(out_fd, 0))
        die("Can't truncate %s: %s\n", out_fn, strerror(errno));
This file is part of the binary gfs2_edit (package gfs2-tools) which is run as
root.
3) In ccs/ccs_tool/upgrade.c (line 223):

    /* name is predictable from the PID, and O_EXCL is not used */
    sprintf(tmp_file, "/tmp/tmp_%d", getpid());
    tmp_fd = open(tmp_file, O_RDWR | O_CREAT | O_TRUNC, S_IRUSR|S_IWUSR);
    ...
    unlink(tmp_file);

The filename depends only on the PID of the process. However, the binary
ccs_tool does not seem to be part of any package built from the redhat-cluster
source package.
Cheers, Tobias
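As an added illustration, not part of the bug report or of the redhat-cluster source, the following C shows the two fixes a maintainer would apply to the three snippets above: open a caller-chosen path with O_CREAT|O_EXCL|O_NOFOLLOW so that a pre-placed symlink is refused rather than followed, or let mkstemp() choose an unpredictable name and keep working on the returned descriptor. The helper names (safe_create_exclusive, safe_dump_to_tempfile, demo_symlink_is_refused) and the directory layout are assumptions made for the example; the demo builds its own scratch directory and a constructed symlink so it runs offline.

```c
/* Added example: safe temp-file creation for code like dump_internal_state().
 * Not from the bug report or redhat-cluster; helper names are hypothetical. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create `path` only if nothing is there yet. A symlink planted at the path
 * makes this fail (errno EEXIST, or ELOOP via O_NOFOLLOW) instead of being
 * followed to the file it points at. Returns fd >= 0 or -1. */
int safe_create_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, S_IRUSR | S_IWUSR);
}

/* Write `contents` to a fresh file with an unpredictable name under `dir`.
 * mkstemp() does O_CREAT|O_EXCL with mode 0600; the dump is written through
 * the returned descriptor, never by reopening the name. On success the
 * created path is copied to name_out and 0 is returned; -1 on error. */
int safe_dump_to_tempfile(const char *dir, const char *contents,
                          char *name_out, size_t name_len)
{
    char tmpl[PATH_MAX];
    int n = snprintf(tmpl, sizeof tmpl, "%s/dump.XXXXXX", dir);
    if (n < 0 || (size_t)n >= sizeof tmpl) { errno = ENAMETOOLONG; return -1; }

    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;

    FILE *fp = fdopen(fd, "w");          /* reuse the fd mkstemp gave us */
    if (!fp) { int e = errno; close(fd); unlink(tmpl); errno = e; return -1; }
    if (fputs(contents, fp) == EOF || fclose(fp) == EOF) { unlink(tmpl); return -1; }

    if (name_out && strlen(tmpl) < name_len) strcpy(name_out, tmpl);
    return 0;
}

/* Demo with a constructed scenario: a symlink named like the predictable
 * "/tmp/rgmanager-dump" already points at a file we must not create or
 * truncate. Returns 1 if the exclusive open refuses the link, the mkstemp
 * path still succeeds, and the link target never comes into existence. */
int demo_symlink_is_refused(void)
{
    const char *base = getenv("TMPDIR");
    if (!base || !*base) base = "/tmp";

    char dir[PATH_MAX], fixed[PATH_MAX], victim[PATH_MAX], made[PATH_MAX];
    snprintf(dir, sizeof dir, "%s/symlink-demo.XXXXXX", base);
    if (!mkdtemp(dir)) return 0;
    snprintf(fixed, sizeof fixed, "%s/rgmanager-dump", dir);  /* predictable name */
    snprintf(victim, sizeof victim, "%s/victim", dir);        /* file that must stay absent */

    int ok = 0;
    if (symlink(victim, fixed) == 0) {                        /* constructed pre-placed link */
        int fd = safe_create_exclusive(fixed);
        int refused = (fd < 0) && (errno == EEXIST || errno == ELOOP);
        if (fd >= 0) close(fd);

        int dumped = safe_dump_to_tempfile(dir, "state\n", made, sizeof made) == 0;
        if (dumped) unlink(made);

        ok = refused && dumped && access(victim, F_OK) != 0;
    }
    unlink(fixed);
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("symlink refused and mkstemp path used: %s\n",
           demo_symlink_is_refused() ? "yes" : "NO");
    return 0;
}
```

The important property in both helpers is that the name is never trusted twice: the descriptor returned by the exclusive open or by mkstemp() is the only handle used for writing, so there is no window between "check the path" and "use the path" for another local user to swap in a link.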