
Bug#286379: Lintian insecure removal bug (#286379)



Should we prepare a security upload for woody for this issue? Do you
agree or not that this is a security bug in woody that should be fixed?

It involves a symlink attack where lintian is fooled into cleaning up
its not-self-created temporary lab in /tmp. Files/directories/whatever
called either of "binary", "source" or "info" run the risk of being
removed by the user invoking lintian. The code boils down to:

if ! mkdir /tmp/lintian-lab.$$; then
	# a few light commands
	if [ -d /tmp/lintian-lab.$$ ] && [ -d /tmp/lintian-lab.$$/binary ]; then
		# the -d test and the rm -rf are separate steps: the lab entry
		# can be swapped for a symlink in between
		rm -rf /tmp/lintian-lab.$$/{binary,source,info}
		# and udeb, in the case of sarge/sid
	fi
fi

So an attack would be:
- create a real directory with a conflicting name
- just before the rm -rf is invoked, but after the -d test on the lab
  dir, replace the dir with a symlink to the directory that contains the
  'binary', 'source' or 'info' you want to have removed. I'm
  assuming rm -rf is safe against symlink attacks during its execution.

--Jeroen

----- Forwarded message from Jeroen van Wolffelaar <jeroen@wolffelaar.nl> -----

Subject: Bug#286379: lintian: Insecure temporary directory usage
Reply-To: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>,
	286379@bugs.debian.org
Resent-From: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
Date: Mon, 20 Dec 2004 01:24:03 +0100
To: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>,
	286379@bugs.debian.org
Cc: Javier Fernández-Sanguino Peña <jfs@computer.org>
From: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>

In woody's END, the lab is removed even though it might not have been
created, however. Since it only removes
$LINTIAN_LAB/{binary,source,info}, the impact is limited (one can only
have directories/files removed that are named either of those 3 names),
and it's nontrivial to exploit (the time between the mkdir failing and
remove_lab executing is extremely small, and you need to have your
symlink in place between those two moments), but it is indeed a bug.
It's a completely different issue than in the bug report though.

----- End forwarded message -----

-- 
Jeroen van Wolffelaar
Jeroen@wolffelaar.nl (also for Jabber & MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl
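For comparison, a hardened form of the lab setup and cleanup discussed above, added here as an example and not Lintian's own code. It assumes the lab lives under a sticky directory like /tmp (so only the owner of an entry can rename or replace it), and the function names create_lab/remove_lab and the LAB_CREATED flag are this example's own.

```shell
#!/bin/sh
# Two rules close the hole from the bug report: the lab is only ever removed
# by the process that created it, and even then only if the entry is still a
# real directory rather than a symlink.

LAB_CREATED=0

# create_lab BASEDIR: create BASEDIR/lintian-lab.$$ and remember that we did.
# mkdir fails if the name already exists, so an entry planted by someone
# else is never adopted as "our" lab. Mode 0700 keeps other users out.
create_lab() {
    LINTIAN_LAB="$1/lintian-lab.$$"
    if mkdir -m 0700 "$LINTIAN_LAB" 2>/dev/null; then
        LAB_CREATED=1
        return 0
    fi
    LAB_CREATED=0
    printf 'lab %s already exists, refusing to reuse it\n' "$LINTIAN_LAB" >&2
    return 1
}

# remove_lab: delete the lab only if this process created it. In a sticky
# base directory an entry we created cannot be swapped for a symlink by
# another user, so that rule is the primary protection; the symlink and
# directory checks below are defence in depth.
remove_lab() {
    [ "$LAB_CREATED" -eq 1 ] || return 0        # not ours: leave it alone
    if [ -L "$LINTIAN_LAB" ] || [ ! -d "$LINTIAN_LAB" ]; then
        printf 'lab %s is not a plain directory, not removing\n' "$LINTIAN_LAB" >&2
        return 1
    fi
    rm -rf "$LINTIAN_LAB"
    LAB_CREATED=0
}
```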