
Bug#521107: unsafe /tmp usage



On Tue, Mar 24, 2009 at 02:50:25PM -0700, Kees Cook wrote:
> Package: xfs
> Version: 1:1.0.8-2.1
> Severity: normal
> Tags: security
> User: ubuntu-devel@lists.ubuntu.com
> Usertags: origin-ubuntu jaunty
> 
> Hello,
> 
> There is a bug in the Ubuntu bug tracker about xfs's init script being used
> in an unsafe fashion.  It seems that OpenSUSE has solved this as well:
> 
> "set_up_socket_dir moves /tmp/.font-unix to /tmp/.font-unix.$$.
> Unfortunately $$ is predictable and there is no test, that
> /tmp/.font-unix.$$ does not already exist. So especially symlink attacks
> are possible. The attack is only possible, if /tmp/.font-unix does not
> already exist. Then an attacker could create an /tmp/.font-unix file (not
> directory) and create some symlinks in the form /tmp/.font-unix.XXXX (where
> XXXX are possible PID numbers). The start script then moves /tmp/.font-unix
> to a symlinked directory /tmp/.font-unix.XXXX."

This appears to be a re-introduction of the fix from xfs 1:1.0.4-2?

Cheers,
        Moritz
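
The report above turns on two properties of the move-aside step: the `$$` suffix can be guessed, and nothing checks whether the target name already exists. A hardened form of that step, as an added example that is not part of this mail or of the xfs package (the function name `set_up_socket_dir_safe` and its base-directory parameter are assumptions for illustration; an init script would pass `/tmp`):

```shell
#!/bin/sh
# Added example: replaces the "mv /tmp/.font-unix /tmp/.font-unix.$$" pattern.
# Function name and the base-directory argument are hypothetical.

set_up_socket_dir_safe() {
    base=$1
    dir="$base/.font-unix"

    # Anything at the path that is a symlink or not a directory is suspect.
    # [ -d ] follows symlinks, so test -L first.
    if [ -L "$dir" ] || { [ -e "$dir" ] && [ ! -d "$dir" ]; }; then
        # mktemp -d picks an unpredictable name and creates the directory
        # atomically with mode 0700; it never reuses a name that already
        # exists, so a pre-planted /tmp/.font-unix.<PID> entry is ignored.
        aside=$(mktemp -d "$base/.font-unix.XXXXXX") || return 1
        # rename(2) moves the object itself (a symlink is not followed)
        # into a directory only the caller can write to.
        mv -- "$dir" "$aside/moved" || return 1
        echo "$aside"
    fi

    if [ ! -d "$dir" ]; then
        # Plain mkdir (no -p) fails if the path reappeared in the meantime,
        # so a lost race is reported instead of silently accepted.
        mkdir -m 1777 "$dir" || return 1
    fi

    # Final check: a real directory, not a symlink.
    [ -d "$dir" ] && [ ! -L "$dir" ]
}
```

The function prints the quarantine directory only when it had to move something aside, so a caller can log that path for later inspection.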


