Bug#496361: The possibility of attack with the help of symlinks in some Debian packages
Hi,
Dmitry E. Oboukhov wrote:
> For example if a script uses in its work a temp file which is created
> in /tmp directory, then every user can create symlink with the same
> name in this directory in order to destroy or rewrite some system
> or user file. Symlink attack may also lead not only to the data
> destruction but to denial of service as well.
>
> Even if you create files or directories with help of function 'RANDOM'
> or pid(), then your system is not protected. Attacker can create many
> symlinks in order to destroy your data or create 'denial of service'
> for your package scripts.
[...]
> Binary-package: openoffice.org-common (1:2.4.1-6)
> file: /usr/lib/openoffice/program/senddoc
I guess you mean this snippet in the mutt handling part of senddoc?
[...]
    --body)
        TEMPLATE="`basename $0`.mutt.XXXXXXXX"
        BODY=`mktemp -q -t ${TEMPLATE}`
        echo "$2" > $BODY
        shift
[...]
    x-terminal-emulator -e ${MAILER} \
        ${FROM:+-e} ${FROM:+"set from=\"${FROM}\""} \
        ${CC:+-c} ${CC:+"${CC}"} \
        ${BCC:+-b} ${BCC:+"${BCC}"} \
        ${SUBJECT:+-s} ${SUBJECT:+"${SUBJECT}"} \
        ${BODY:+-i} ${BODY:+"${BODY}"} \
        ${ATTACH:+-a} ${ATTACH:+"${ATTACH}"} \
        ${TO:+"${TO}"} &
    rm -f $BODY
[...]
I so far thought mktemp was safe enough? (of course, we get
senddoc.mutt.<number>, but...
Regards,
Rene
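
The difference between a predictable temp file name and one created by mktemp, as an added example that is not part of the original message or of senddoc. It runs entirely inside a private sandbox directory; the file names, the "victim" file and the function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: every path lives in a sandbox made by mktemp -d.

# Build a sandbox holding a file we care about and a symlink planted in
# advance under the name a script with a pid-style suffix would use.
new_sandbox() {
    sandbox=$(mktemp -d) || return 1
    echo "precious" > "$sandbox/victim"
    ln -s "$sandbox/victim" "$sandbox/senddoc.mutt.1234"
    printf '%s\n' "$sandbox"
}

# Predictable name written with a plain redirect: '>' opens without
# O_EXCL, so it follows the planted link and truncates the target.
victim_after_predictable() {
    dir=$(new_sandbox) || return 1
    echo "mail body" > "$dir/senddoc.mutt.1234"
    cat "$dir/victim"
    rm -rf "$dir"
}

# mktemp chooses the name and creates the file exclusively, so an
# existing entry (symlink or not) is never reused. Check for failure
# and quote the variable before writing to it.
victim_after_mktemp() {
    dir=$(new_sandbox) || return 1
    body=$(mktemp "$dir/senddoc.mutt.XXXXXXXX") || { rm -rf "$dir"; return 1; }
    printf '%s\n' "mail body" > "$body"
    cat "$dir/victim"
    rm -rf "$dir"
}

# Permission bits of a file created by mktemp (owner read/write only).
mktemp_mode() {
    dir=$(mktemp -d) || return 1
    body=$(mktemp "$dir/senddoc.mutt.XXXXXXXX") || { rm -rf "$dir"; return 1; }
    ls -ld "$body" | cut -c1-10
    rm -rf "$dir"
}

echo "predictable name: victim contains '$(victim_after_predictable)'"
echo "mktemp:           victim contains '$(victim_after_mktemp)'"
echo "mktemp file mode: $(mktemp_mode)"
```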