Bug#286379: lintian: Insecure temporary directory usage
On Sun, Dec 19, 2004 at 11:58:32PM +0100, Javier Fern?ndez-Sanguino Pe?a wrote:
> Package: lintian
> Version: 1.18.1.1-3
^^^^
There has never been a lintian version even remotely like this one...
> The lintian script does not protect itself from temporary directory
> attacks since it creates the labs in an insecure manner (the process PID
> is not suffient to avoid and attack) and does not check
> if the temporary dir it uses exists before using them. Actually, the
> LIB interface happily uses any directory if it's already available so
> a symlink attack can be devised through the standard contents of
> a lab if the user has not defined LINTIAN_LAB to go to a proper
> (safe) location instead of to /tmp/ (i.e. TMPDIR has not been defined)
I noticed this before, but at that time didn't think it was a security
issue. Directory creation would simply fail if that name is already
taken, and the cleanup afterwards is harmless. If the name is not yet
taken, no issue.
However, when re-reading, I see that this assassment was a misreading of
the sources. svn blame yields back to revision 1 (hm, I still didn't
import the old cvs stuff...), so I don't know how it's possible I
overlooked this.
FWIW, maintainers of lintian can always be mailed privately about
security issues, so that this could have been fixed in a timely matter.
I never got any mail about this issue.
--Jeroen
--
Jeroen van Wolffelaar
Jeroen@wolffelaar.nl (also for Jabber & MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl
Reply to: