
Re: Bug#649384: gnash creates world-readable cookies under /tmp



retitle 649384 gnash creates world-readable cookies under /tmp with predictable filenames
thanks

On Sun, 2011-11-20 at 18:01 +0100, Gabriele Giacone wrote:
> tags 649384 fixed-upstream
> thanks
> 
> On Sun, Nov 20, 2011 at 03:39:36PM +0100, Alexander Kurtz wrote:
> > or create them with sane permissions (0600).
> 
> http://git.savannah.gnu.org/gitweb/?p=gnash.git;a=commitdiff;h=fa481c116e65ccf9137c7ddc8abc3cf05dc12f55

I don't think this fixes the underlying problem: An attacker would still
be able to read the cookie if he managed to win the race condition and
open the file before the chmod(). If you agree, please remove the
"fixed-upstream" tag.

Furthermore, I took a quick look at the code and noticed this:

	gnash::log_debug("The Cookie for %s is %s", url, ncookie);
	std::ofstream cookiefile;
	std::stringstream ss;
	// Predictable name: /tmp/gnash-cookies.<pid>
	ss << "/tmp/gnash-cookies." << getpid();

	// open() follows a pre-existing symlink and creates the file with the
	// default (umask) permissions; chmod() only narrows them afterwards.
	cookiefile.open(ss.str().c_str(), std::ios::out | std::ios::trunc);
	chmod (ss.str().c_str(), 0600);

I might be wrong, but I very strongly suspect a possible symlink attack
here which would enable an attacker to overwrite arbitrary files and
(with your patch) change their permissions.

Best regards

Alexander Kurtz
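For reference, here is how both problems raised in this thread (the open()/chmod() window and the predictable symlink-able name) are closed in one step with O_CREAT|O_EXCL or mkstemp(3). This is an added illustration, not gnash code or the upstream commit; the helper names and the scratch directory under /tmp are my own.

```cpp
#include <cstdlib>
#include <string>
#include <vector>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

// Create `path` privately in one step. O_CREAT|O_EXCL refuses any existing name,
// a pre-planted symlink included (even a dangling one), and the 0600 mode holds from
// the instant the inode exists, so there is no open()-then-chmod() window to race.
int open_private_file(const std::string &path) {
    return open(path.c_str(), O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
}

// Better for a per-process scratch file: mkstemp(3) picks an unpredictable suffix
// and creates the file 0600 with O_EXCL. Returns the path ("" on error), fd via fd_out.
std::string create_cookie_file(const std::string &dir, int &fd_out) {
    std::string tmpl = dir + "/gnash-cookies.XXXXXX";
    std::vector<char> buf(tmpl.begin(), tmpl.end());
    buf.push_back('\0');
    fd_out = mkstemp(buf.data());
    return fd_out < 0 ? std::string() : std::string(buf.data());
}
// Permission bits of `path` without following symlinks, or -1 if it does not exist.
int mode_bits(const std::string &path) {
    struct stat st;
    if (lstat(path.c_str(), &st) != 0) return -1;
    return st.st_mode & 07777;
}

// Exercise both helpers in a scratch directory (constructed here, not gnash code):
// a planted symlink must be rejected and fresh files must carry no group/other bits.
// Returns the number of failed checks (0 = all passed, 99 = no scratch directory).
int run_demo() {
    char dirbuf[] = "/tmp/cookie-demo.XXXXXX";
    if (mkdtemp(dirbuf) == nullptr) return 99;
    std::string dir = dirbuf;
    int failures = 0;
    std::string planted = dir + "/gnash-cookies.1234";   // symlink at a predictable name
    if (symlink((dir + "/victim").c_str(), planted.c_str()) != 0) ++failures;
    if (open_private_file(planted) != -1) ++failures;     // must fail with EEXIST
    if (mode_bits(dir + "/victim") != -1) ++failures;     // link target never created
    int fd = -1;
    std::string cookie = create_cookie_file(dir, fd);
    if (fd < 0 || (mode_bits(cookie) & 0077) != 0) ++failures;
    if (fd >= 0) close(fd);
    if (open_private_file(cookie) != -1) ++failures;      // an existing name is never reused
    unlink(planted.c_str()); unlink(cookie.c_str()); rmdir(dirbuf);
    return failures;
}
```

Note that open_private_file() is still subject to the caller's umask (as any open() is); mkstemp() additionally removes the need for a guessable name at all.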
