Bug#496361: The possibility of attack with the help of symlinks in some Debian packages

[Rene Engelhard <rene@debian.org>]

Hi,

Dmitry E. Oboukhov wrote:
> For example if a script uses in its work a temp file which is  created
> in /tmp directory, then every user can create symlink  with  the  same
> name in this directory in order to  destroy  or  rewrite  some  system
> or user file.  Symlink attack may also  lead  not  only  to  the  data
> desctruction but to denial of service as well.
> 
> Even if you create files or directories with help of function 'RANDOM'
> or pid(), then your system is not protected. Attacker can create many
> symlinks in order to destroy your data or create 'denial  of  service'
> for your package scripts.
[...]
> Binary-package: openoffice.org-common (1:2.4.1-6)
>     file: /usr/lib/openoffice/program/senddoc

I guess you mean this snippet in the mutt handling part of senddoc?

[...]
                                --body)
                                        TEMPLATE="`basename $0`.mutt.XXXXXXXX"
                                        BODY=`mktemp -q -t ${TEMPLATE}`
                                        echo "$2" > $BODY
                                        shift
[...]
                x-terminal-emulator -e ${MAILER} \
                        ${FROM:+-e} ${FROM:+"set from=\"${FROM}\""} \
                        ${CC:+-c} ${CC:+"${CC}"} \
                        ${BCC:+-b} ${BCC:+"${BCC}"} \
                        ${SUBJECT:+-s} ${SUBJECT:+"${SUBJECT}"} \
                        ${BODY:+-i} ${BODY:+"${BODY}"} \
                        ${ATTACH:+-a} ${ATTACH:+"${ATTACH}"} \
                        ${TO:+"${TO}"} &
                rm -f $BODY
[...]

I so far thought mktemp was safe enough? (of course, we get
senddoc.mutt.<number>, but...

Regards,

Rene