retitle 649384 gnash creates world-readable cookies under /tmp with predictable filenames
thanks

On Sun, 2011-11-20 at 18:01 +0100, Gabriele Giacone wrote:
> tags 649384 fixed-upstream
> thanks
>
> On Sun, Nov 20, 2011 at 03:39:36PM +0100, Alexander Kurtz wrote:
> > or create them with sane permissions (0600).
>
> http://git.savannah.gnu.org/gitweb/?p=gnash.git;a=commitdiff;h=fa481c116e65ccf9137c7ddc8abc3cf05dc12f55

I don't think this fixes the underlying problem: an attacker would still be
able to read the cookie if he managed to win the race condition and open the
file before the chmod(). If you agree, please remove the "fixed-upstream" tag.

Furthermore, I took a quick look at the code and noticed this:

    gnash::log_debug("The Cookie for %s is %s", url, ncookie);
    std::ofstream cookiefile;
    std::stringstream ss;
    ss << "/tmp/gnash-cookies." << getpid();

    cookiefile.open(ss.str().c_str(), std::ios::out | std::ios::trunc);
    chmod (ss.str().c_str(), 0600);

I might be wrong, but I very strongly suspect a possible symlink attack here
which would enable an attacker to overwrite arbitrary files and (with your
patch) change their permissions.

Best regards

Alexander Kurtz
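The two problems raised in the report (a chmod() that runs after the file already exists, and an open() that happily follows whatever is sitting at the predictable /tmp path) are both avoided by creating the file in one step with the final mode and refusing to reuse an existing path. The following is an added illustration, not gnash code and not the upstream patch; the function names, the "gnash-cookies" file name and the cookie value are constructed for the demo.

```cpp
// Added example (not from gnash): create a private file atomically.
#include <cerrno>
#include <cstdio>
#include <cstdlib>
#include <string>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

// Create `path` for writing so that:
//  - the file comes into existence already with mode 0600 (no chmod() race);
//  - O_EXCL makes the call fail if *anything* is already at `path`, including
//    a symlink planted there, so no existing file is truncated or re-moded;
//  - O_NOFOLLOW is belt and braces against following a link.
// Returns the descriptor, or -1 with errno set.
int open_private_file(const std::string& path) {
    return open(path.c_str(),
                O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
}

// Write `cookie` into a freshly created private file. Returns true on success.
// If the path is already taken (by a regular file or a symlink) nothing is
// written and false is returned; the caller should pick another name or,
// better, use mkstemp(3) inside a directory only this user can reach.
bool write_private_cookie(const std::string& path, const std::string& cookie) {
    int fd = open_private_file(path);
    if (fd < 0) return false;
    const char* p = cookie.data();
    size_t left = cookie.size();
    bool ok = true;
    while (left > 0) {
        ssize_t n = write(fd, p, left);
        if (n < 0) {
            if (errno == EINTR) continue;  // retry on signal interruption
            ok = false;
            break;
        }
        p += n;
        left -= static_cast<size_t>(n);
    }
    if (close(fd) != 0) ok = false;
    return ok;
}

// Permission bits of `path` via lstat (a symlink is reported, not followed);
// -1 if nothing exists there. Used to verify what the demo actually created.
int file_mode_bits(const std::string& path) {
    struct stat st;
    if (lstat(path.c_str(), &st) != 0) return -1;
    return static_cast<int>(st.st_mode & 07777);
}

// Private scratch directory for the demo (constructed; mkdtemp gives mode 0700).
std::string make_demo_dir() {
    char tmpl[] = "/tmp/cookie-demo-XXXXXX";
    char* d = mkdtemp(tmpl);
    return d ? std::string(d) : std::string();
}

int main() {
    std::string dir = make_demo_dir();
    if (dir.empty()) return 1;
    std::string target = dir + "/gnash-cookies.demo";

    // Case 1: a symlink already occupies the predictable path. The old
    // ofstream+chmod sequence would write through it; O_EXCL refuses.
    symlink((dir + "/victim").c_str(), target.c_str());
    bool wrote = write_private_cookie(target, "session=abc");  // constructed cookie
    std::printf("path occupied by symlink: %s\n", wrote ? "WROTE (unsafe)" : "refused");

    // Case 2: a fresh path. The file is born 0600; no window exists in which
    // it is world-readable.
    std::string fresh = dir + "/gnash-cookies.fresh";
    wrote = write_private_cookie(fresh, "session=abc");
    std::printf("fresh path: %s, mode %04o\n", wrote ? "written" : "failed",
                file_mode_bits(fresh));
    return 0;
}
```

The mode argument to open(2) is applied at creation, so there is never a moment at which another user can read the file. Note that this only closes the race and the symlink issue; the predictable "/tmp/gnash-cookies.<pid>" name is still guessable, and a name-squatting attempt will now show up as a failed open rather than a silent overwrite. Creating the file with mkstemp(3) under a per-user directory (for example $XDG_RUNTIME_DIR) removes that last problem as well.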