[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#482476: marked as done (Security: Unsafe lock file creation can be used to truncate arbitrary files)

  Security team:

  Bryan Donlan discovered a security hole in the interaction between apt
and aptitude.  apt provides a function GetLock() as a convenient way to
obtain an exclusive lock using a lockfile.  aptitude uses this to create
a lock file controlling its own state, which since version 0.4.2-1 has
been placed in /var/lock (#160418).  The problem is that GetLock() opens
with O_TRUNC, and /var/lock is a world-writable directory.  This means
that any user can cause any file to be truncated by creating an
appropriate symlink named /var/lock/aptitude.  The same problem will
affect any other program that uses GetLock() in a similar way, of

  A patch to fix the problem, suggested by Bryan, is:

--- apt-pkg/contrib/fileutl.cc.orig     2006-12-04 06:37:35.000000000 -0800
+++ apt-pkg/contrib/fileutl.cc  2008-05-29 20:51:12.000000000 -0700
@@ -73,7 +73,9 @@
    close at some time. */
 int GetLock(string File,bool Errors)
-   int FD = open(File.c_str(),O_RDWR | O_CREAT | O_TRUNC,0640);
+   // GetLock() is used in aptitude on directories with public-write access
+   // Use O_NOFOLLOW here to prevent symlink traversal attacks
+   int FD = open(File.c_str(),O_RDWR | O_CREAT | O_NOFOLLOW,0640);
    if (FD < 0)
       // Read only .. cant have locking problems there.

  I've created signed, fixed packages and uploaded them here:


  Please let me know if you need any more information.


Reply to: