
Bug#286379: lintian: Insecure temporary directory usage



On Mon, Dec 20, 2004 at 12:29:09AM +0100, Jeroen van Wolffelaar wrote:
> On Sun, Dec 19, 2004 at 11:58:32PM +0100, Javier Fernández-Sanguino Peña wrote:
> > The lintian script does not protect itself from temporary directory
> > attacks since it creates the labs in an insecure manner (the process PID
> > is not sufficient to avoid an attack) and does not check
> > if the temporary dir it uses exists before using it. Actually, the
> > LIB interface happily uses any directory if it's already available so
> > a symlink attack can be devised through the standard contents of
> > a lab if the user has not defined LINTIAN_LAB to go to a proper
> > (safe) location instead of to /tmp/ (i.e. TMPDIR has not been defined)
> 
> I noticed this before, but at that time didn't think it was a security
> issue.

Argh, after looking again, I still stand by my initial assessment; I was
misled by the theory that the logic was bogus. The key point is:

| if (not -d "$LINTIAN_LAB" or ($lab_mode eq 'temporary'))
|     mkdir($LINTIAN_LAB,0777) or fail("cannot create lab directory $LINTIAN_LAB")

And this is correct. If $lab_mode is not 'temporary', a lab location
was specifically given to lintian, and we should assume that the invoker
of lintian in that case knows what he is doing. In all other cases, i.e.,
lab_mode equals 'temporary', the condition in the if is true (note the
'or'), and an attempt is unconditionally made to create the lab dir, which
fails if it already exists.

In woody's END, the lab is removed even though it might not have been
created, however. Since it only removes
$LINTIAN_LAB/{binary,source,info}, the impact is limited (one can only
have directories/files removed that are named either of those 3 names),
and it's nontrivial to exploit (the time between the mkdir failing and
remove_lab executing is extremely small, and you need to have your
symlink in place between those two moments), but it is indeed a bug.
It's a completely different issue than the one in the bug report though.

--Jeroen

-- 
Jeroen van Wolffelaar
Jeroen@wolffelaar.nl (also for Jabber & MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl
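The two points made in the message above (mkdir as the safety check, and a cleanup that should only touch what the process itself created) as an added Perl illustration. This is not lintian's code and not part of the bug report; `create_lab`, `$created_lab` and the scratch `$lab` path are hypothetical names, and the 0700 mode is a tighter choice than the 0777 quoted above.

```perl
#!/usr/bin/perl
# Added illustration (not lintian's code): rely on mkdir failing when the
# lab path already exists, and only clean up a lab this process created.
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Path qw(remove_tree);
use Errno qw(EEXIST);

# Scratch base so the script runs offline; $lab stands in for $LINTIAN_LAB
# with lab_mode 'temporary' (hypothetical names, not lintian's).
my $base = tempdir(CLEANUP => 1);
my $lab  = "$base/lintian-lab.$$";

# Set only when *this process* made the directory; END consults it.
my $created_lab = 0;

sub create_lab {
    my ($dir) = @_;
    # mkdir(2) does not follow a symlink at $dir and fails with EEXIST if
    # anything (file, dir, even a dangling link) is already there, so a
    # pre-placed entry cannot redirect the lab elsewhere.
    if (mkdir $dir, 0700) {
        $created_lab = 1;
        mkdir "$dir/$_", 0700 or die "cannot create $dir/$_: $!"
            for qw(binary source info);
        return 1;
    }
    die "cannot create lab directory $dir: $!" unless $! == EEXIST;
    warn "lab $dir already exists; refusing to use it\n";
    return 0;
}

# Unlike the woody END handler, remove the three subdirectories only if we
# created the lab in the first place.
END {
    return unless $created_lab;
    remove_tree("$lab/$_") for qw(binary source info);
    rmdir $lab or warn "cannot remove $lab: $!\n";
}

# --- constructed scenario 1: something already sits at the lab path ---
my $victim = "$base/victim";
mkdir $victim           or die "mkdir: $!";
mkdir "$victim/binary"  or die "mkdir: $!";
symlink $victim, $lab   or die "symlink: $!";   # pre-existing entry at $lab
create_lab($lab) and die "a pre-existing lab path must be refused";
-d "$victim/binary" or die "nothing behind the link may be removed";
print "pre-existing entry at $lab refused; $victim/binary untouched\n";

# --- constructed scenario 2: clean path, so mkdir succeeds ---
unlink $lab or die "unlink: $!";
create_lab($lab) or die "a fresh lab should be created";
-d "$lab/$_" or die "missing $lab/$_" for qw(binary source info);
print "fresh lab created at $lab; END will remove it\n";
```

Because `mkdir` is the only thing that decides whether the lab is ours, the cleanup needs no separate existence check: `$created_lab` is the single source of truth, and a failed `mkdir` leaves it unset, so the END block never removes directories that belong to someone else.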
