
Bug#496410: The possibility of attack with the help of symlinks in some Debian packages



Hi,

It looks like there are some more tempfile creation problems in the
redhat-cluster source package.

1) In rgmanager/src/daemons/main.c (line 707):

	void
	dump_internal_state(char *loc)
	{
		FILE *fp;
		fp=fopen(loc, "w+");
		dump_config_version(fp);
		dump_threads(fp);
		dump_vf_states(fp);
	#ifdef WRAP_THREADS
		dump_thread_states(fp);
	#endif
		dump_cluster_ctx(fp);
		//malloc_dump_table(fp, 1, 16384); /* Only works if alloc.c us used */
		fclose(fp);
	}
	...
	dump_internal_state("/tmp/rgmanager-dump");

This file is part of the binary clurgmgrd (package rgmanager) which is run as
root.

2) In gfs2/edit/savemeta.c (line 27):

	#define DFT_SAVE_FILE "/tmp/gfsmeta"
	...
	if (!out_fn)
		out_fn = DFT_SAVE_FILE;
	out_fd = open(out_fn, O_RDWR | O_CREAT, 0644);
	if (out_fd < 0)
		die("Can't open %s: %s\n", out_fn, strerror(errno));

	if (ftruncate(out_fd, 0))
		die("Can't truncate %s: %s\n", out_fn, strerror(errno));

This file is part of the binary gfs2_edit (package gfs2-tools) which is run as
root.

3) In ccs/ccs_tool/upgrade.c (line 223):

	sprintf(tmp_file, "/tmp/tmp_%d", getpid());

	tmp_fd = open(tmp_file, O_RDWR | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR);
	...
	unlink(tmp_file);

The filename depends only on the PID of the process. However, the binary
ccs_tool does not seem to be part of any package built from the redhat-cluster
source package.

Cheers, Tobias
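The three findings above share one pattern: a privileged process opens a fixed or guessable name under /tmp with O_CREAT but without O_EXCL, so a symlink planted there beforehand is silently followed. The following is an added example, not code from the bug report or from the redhat-cluster project, that reproduces the attack against that pattern inside a private scratch directory and shows the two usual fixes: O_CREAT|O_EXCL|O_NOFOLLOW for a name that must stay fixed, and mkstemp() for a scratch file like the PID-named one in case 3. The directory, the victim file and the link name are constructed for the demonstration; it assumes a writable /tmp and falls back to the current directory otherwise.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* The pattern from the report: a fixed, predictable path opened with O_CREAT
 * but without O_EXCL, so a pre-existing symlink at that path is followed. */
int open_dump_unsafe(const char *path)
{
	return open(path, O_RDWR | O_CREAT, 0644);
}

/* Hardened variant: O_EXCL refuses any pre-existing entry (a symlink included)
 * and O_NOFOLLOW refuses to traverse a symlink at the final component. */
int open_dump_safe(const char *path)
{
	return open(path, O_RDWR | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Read a small file into buf (NUL-terminated); returns bytes read or -1. */
static ssize_t read_file(const char *path, char *buf, size_t len)
{
	int fd = open(path, O_RDONLY | O_NOFOLLOW);
	if (fd < 0) return -1;
	ssize_t n = read(fd, buf, len - 1);
	close(fd);
	if (n < 0) return -1;
	buf[n] = '\0';
	return n;
}

/* Simulated attack in a private scratch directory (constructed for the demo):
 * an attacker plants a symlink at the predictable name pointing at a victim
 * file, then the "privileged" writer dumps to that name.
 * Returns a bitmask: bit 0 = unsafe open wrote through the symlink,
 *                    bit 1 = safe open refused the symlink.
 * Correct hardening therefore yields 3; -1 means setup failed. */
int demo_symlink_attack(void)
{
	char dir[64];
	strcpy(dir, "/tmp/symdemo-XXXXXX");
	if (!mkdtemp(dir)) {
		strcpy(dir, "./symdemo-XXXXXX");  /* fallback if /tmp is unusable */
		if (!mkdtemp(dir)) return -1;
	}

	char victim[128], link[128], buf[64];
	snprintf(victim, sizeof victim, "%s/victim", dir);
	snprintf(link, sizeof link, "%s/rgmanager-dump", dir);

	/* victim file with known content, e.g. a config file owned by root */
	int vfd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
	if (vfd < 0) return -1;
	if (write(vfd, "original\n", 9) != 9) return -1;
	close(vfd);

	/* attacker wins the race: the symlink exists before the dump happens */
	if (symlink(victim, link) != 0) return -1;

	int result = 0;

	int fd = open_dump_unsafe(link);
	if (fd >= 0) {
		if (write(fd, "clobbered\n", 10) != 10) return -1;
		close(fd);
		if (read_file(victim, buf, sizeof buf) > 0 &&
		    strcmp(buf, "clobbered\n") == 0)
			result |= 1;  /* victim's content was overwritten */
	}

	int sfd = open_dump_safe(link);
	if (sfd < 0 && (errno == EEXIST || errno == ELOOP))
		result |= 2;  /* symlink rejected */
	else if (sfd >= 0)
		close(sfd);

	unlink(link); unlink(victim); rmdir(dir);
	return result;
}

/* Replacement for the PID-named file of case 3: mkstemp() fills the XXXXXX
 * part with an unpredictable suffix and creates the file with O_EXCL and
 * mode 0600. Returns 1 if a fresh private file was created, 0 otherwise. */
int demo_mkstemp(void)
{
	char tmpl[] = "/tmp/ccs_upgrade.XXXXXX";
	int fd = mkstemp(tmpl);
	if (fd < 0) return 0;
	close(fd);
	unlink(tmpl);
	return strstr(tmpl, "XXXXXX") == NULL;
}

int main(void)
{
	printf("symlink demo result: %d (3 = attack works on unsafe, blocked on safe)\n",
	       demo_symlink_attack());
	printf("mkstemp demo: %s\n", demo_mkstemp() ? "ok" : "failed");
	return 0;
}
```

The O_EXCL fix is only a partial one for a fixed name: it stops the overwrite but lets an attacker deny service by parking a symlink or file at the path, so a name under a root-owned directory, or mkstemp() into a directory the program owns, is the better choice when the output is not meant to be shared.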
