Bug#521107: unsafe /tmp usage

To: Kees Cook <kees@debian.org>, 521107@bugs.debian.org
Subject: Bug#521107: unsafe /tmp usage
From: Julien Cristau <jcristau@debian.org>
Date: Wed, 25 Mar 2009 14:03:14 +0100
Message-id: <[🔎] 1237986194.29802.214.camel@radis.liafa.jussieu.fr>
Reply-to: Julien Cristau <jcristau@debian.org>, 521107@bugs.debian.org
In-reply-to: <[🔎] 20090324215025.GC17595@outflux.net>
References: <[🔎] 20090324215025.GC17595@outflux.net>

On Tue, 2009-03-24 at 14:50 -0700, Kees Cook wrote:
> There is a bug in the Ubuntu bug tracker about xfs's init script being used
> in an unsafe fashion.  It seems that OpenSUSE has solved this as well:
> 
> "set_up_socket_dir moves /tmp/.font-unix to /tmp/.font-unix.$$.
> Unfortunately $$ is predictable and there is no test, that
> /tmp/.font-unix.$$ does not already exist. So especially symlink attacks
> are possible. The attack is only possible, if /tmp/.font-unix does not
> already exist. Then an attacker could create an /tmp/.font-unix file (not
> directory) and create some symlinks in the form /tmp/.font-unix.XXXX (where
> XXXX are possible PID numbers). The start script than moves /tmp/.font-unix
> to an symlinked directory /tmp/.font-unix.XXXX."

Do we want to keep shipping xfs in squeeze?  What are its use cases
these days?

Cheers,
Julien

Reply to:

Follow-Ups:
- Bug#521107: unsafe /tmp usage
  - From: Kees Cook <kees@debian.org>

References:
- Bug#521107: unsafe /tmp usage
  - From: Kees Cook <kees@debian.org>

Prev by Date: mesa override disparity
Next by Date: Bug#521107: unsafe /tmp usage
Previous by thread: Bug#521107: unsafe /tmp usage
Next by thread: Bug#521107: unsafe /tmp usage
Index(es):
- Date
- Thread