Bug#521107: unsafe /tmp usage

To: Debian Bugs <submit@bugs.debian.org>
Subject: Bug#521107: unsafe /tmp usage
From: Kees Cook <kees@debian.org>
Date: Tue, 24 Mar 2009 14:50:25 -0700
Message-id: <[🔎] 20090324215025.GC17595@outflux.net>
Reply-to: Kees Cook <kees@debian.org>, 521107@bugs.debian.org

Package: xfs
Version: 1:1.0.8-2.1
Severity: normal
Tags: security
User: ubuntu-devel@lists.ubuntu.com
Usertags: origin-ubuntu jaunty

Hello,

There is a bug in the Ubuntu bug tracker about xfs's init script being used
in an unsafe fashion.  It seems that OpenSUSE has solved this as well:

"set_up_socket_dir moves /tmp/.font-unix to /tmp/.font-unix.$$.
Unfortunately $$ is predictable and there is no test, that
/tmp/.font-unix.$$ does not already exist. So especially symlink attacks
are possible. The attack is only possible, if /tmp/.font-unix does not
already exist. Then an attacker could create an /tmp/.font-unix file (not
directory) and create some symlinks in the form /tmp/.font-unix.XXXX (where
XXXX are possible PID numbers). The start script than moves /tmp/.font-unix
to an symlinked directory /tmp/.font-unix.XXXX."

-Kees

[1] https://bugs.launchpad.net/bugs/299560
[2] https://bugzilla.novell.com/show_bug.cgi?id=408006

-- 
Kees Cook                                            @debian.org

Reply to:

Follow-Ups:
- Bug#521107: unsafe /tmp usage
  - From: Julien Cristau <jcristau@debian.org>

Prev by Date: Bug#514304: marked as done (libglw1-mesa-dev: Broken package. have unmet dependencies.)
Next by Date: libdrm_2.4.5-1_amd64.changes ACCEPTED
Previous by thread: Bug#514304: marked as done (libglw1-mesa-dev: Broken package. have unmet dependencies.)
Next by thread: Bug#521107: unsafe /tmp usage
Index(es):
- Date
- Thread