Bug#286379: Lintian insecure removal bug (#286379)
Should we prepare a security upload for woody for this issue? Do you
agree or not that this is a security bug in woody that should be fixed?
It involves a symlink attack where lintian is fooled into cleaning up
its not-self-created temporary lab in /tmp. Files/directories/whatever
called either of "binary", "source" or "info" run the risk of being
removed by the user invoking lintian. The code boils down to:
if not mkdir /tmp/lintian-lab.$$ {
# a few light commands
if -d /tmp/lintian-lab.$$ and -d /tmp/lintian-lab.$$/binary {
rm -rf /tmp/lintian-lab.$$/{binary,source,info}
# and udeb, in the case of sarge/sid
}
}
So an attack would be:
- create a real directory with a conflicting name
- just before the rm -rf is invoked, but after the -d test on the lab
dir, replace the dir with a symlink to the directory that contains
'binary', 'source' or 'info' and that you want to have removed. I'm
assuming rm -rf is safe against symlink attacks during its execution.
--Jeroen
----- Forwarded message from Jeroen van Wolffelaar <jeroen@wolffelaar.nl> -----
Subject: Bug#286379: lintian: Insecure temporary directory usage
Reply-To: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>,
286379@bugs.debian.org
Resent-From: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
Date: Mon, 20 Dec 2004 01:24:03 +0100
To: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>,
286379@bugs.debian.org
Cc: Javier Fernández-Sanguino Peña <jfs@computer.org>
From: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
In woody's END, the lab is removed even though it might not have been
created, however. Since it only removes
$LINTIAN_LAB/{binary,source,info}, the impact is limited (one can only
have directories/files removed that are named either of those 3 names),
and it's nontrivial to exploit (the time between the mkdir failing and
remove_lab executing is extremely small, and you need to have your
symlink in place between those two moments), but it is indeed a bug.
It's a completely different issue than the one in the bug report though.
----- End forwarded message -----
--
Jeroen van Wolffelaar
Jeroen@wolffelaar.nl (also for Jabber & MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl
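The cleanup pattern discussed above, rewritten so the lab is only ever removed when the running process actually created it, and never through a symlink. This is an added example for this thread, not lintian's own code; the function names and the mktemp-based lab name are assumptions.

```shell
#!/bin/sh
# Added example (not lintian's code). The bug in the message is that the END
# handler removes $LINTIAN_LAB/{binary,source,info} even when mkdir failed,
# i.e. when the lab belongs to somebody else. Two fixes: remember whether we
# created the lab, and create it with an unpredictable name via mktemp -d, so
# nobody can plant a directory or symlink at the path before we do.

LAB_CREATED=0
LINTIAN_LAB=""

create_lab() {
    # mktemp -d creates a fresh mode-0700 directory and fails if it cannot;
    # assumed template name, not lintian's actual one.
    LINTIAN_LAB=$(mktemp -d "${TMPDIR:-/tmp}/lintian-lab.XXXXXX") || return 1
    LAB_CREATED=1
    mkdir "$LINTIAN_LAB/binary" "$LINTIAN_LAB/source" "$LINTIAN_LAB/info"
}

remove_lab() {
    # Never remove a lab this process did not create (the woody END bug).
    [ "$LAB_CREATED" = 1 ] || return 0
    # Belt and braces: refuse if the lab path is now a symlink or not a
    # directory at all, instead of following it with rm -rf.
    if [ -L "$LINTIAN_LAB" ] || [ ! -d "$LINTIAN_LAB" ]; then
        echo "remove_lab: $LINTIAN_LAB is not the directory we created; leaving it alone" >&2
        return 1
    fi
    rm -rf "$LINTIAN_LAB"
    LAB_CREATED=0
}
```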