
Bug#482476: [PATCH] Security: Unsafe lock file creation can be used to truncate arbitrary files



tags 482476 + patch security
thanks

I have made a patch to prevent GetLock() from following symlinks. For
added measure I've also removed O_TRUNC; since the lock file should be
empty anyway, there's no need to truncate it again. Applies cleanly
against 0.4.11 and 0.4.13.


diff -Naur apt-0.7.11.orig/apt-pkg/contrib/fileutl.cc apt-0.7.11/apt-pkg/contrib/fileutl.cc
--- apt-0.7.11.orig/apt-pkg/contrib/fileutl.cc	2008-01-08 16:07:36.000000000 -0500
+++ apt-0.7.11/apt-pkg/contrib/fileutl.cc	2008-05-23 00:48:03.000000000 -0400
@@ -138,7 +138,9 @@
    close at some time. */
 int GetLock(string File,bool Errors)
 {
-   int FD = open(File.c_str(),O_RDWR | O_CREAT | O_TRUNC,0640);
+   // GetLock() is used in aptitude on directories with public-write access
+   // Use O_NOFOLLOW here to prevent symlink traversal attacks
+   int FD = open(File.c_str(),O_RDWR | O_CREAT | O_NOFOLLOW,0640);
    if (FD < 0)
    {
       // Read only .. cant have locking problems there.
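Review bot: with O_NOFOLLOW added, an open() that fails because File is a symlink (errno ELOOP) now lands in the same `if (FD < 0)` branch whose comment says "Read only .. cant have locking problems there", so a planted symlink at the lock path would be treated like a read-only filesystem instead of being reported; check errno before taking that branch and return an error (or surface one when Errors is set) for anything other than the read-only case. Two smaller points: O_NOFOLLOW only refuses a symlink in the final path component, so the new comment should not suggest it covers every "symlink traversal" on a world-writable directory, and the removal of O_TRUNC, which the cover mail explains, deserves a line in the comment (e.g. `// O_TRUNC dropped: the lock file is expected to be empty already`) so the next reader does not restore it.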
