tags 482476 + patch security
thanks

I have made a patch to prevent GetLock() from following symlinks. For added measure I've also removed O_TRUNC; since the lock file should be empty anyway, there's no need to truncate it again. Applies cleanly against 0.4.11 and 0.4.13.

diff -Naur apt-0.7.11.orig/apt-pkg/contrib/fileutl.cc apt-0.7.11/apt-pkg/contrib/fileutl.cc --- apt-0.7.11.orig/apt-pkg/contrib/fileutl.cc 2008-01-08 16:07:36.000000000 -0500 +++ apt-0.7.11/apt-pkg/contrib/fileutl.cc 2008-05-23 00:48:03.000000000 -0400 @@ -138,7 +138,9 @@ close at some time. */ int GetLock(string File,bool Errors) { - int FD = open(File.c_str(),O_RDWR | O_CREAT | O_TRUNC,0640); + // GetLock() is used in aptitude on directories with public-write access + // Use O_NOFOLLOW here to prevent symlink traversal attacks + int FD = open(File.c_str(),O_RDWR | O_CREAT | O_NOFOLLOW,0640); if (FD < 0) { // Read only .. cant have locking problems there.
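Review bot: O_NOFOLLOW in the new `open(File.c_str(),O_RDWR | O_CREAT | O_NOFOLLOW,0640);` only refuses a symlink at the final path component; a symlinked parent directory is still traversed, and because O_EXCL is not set, an existing regular file that another user planted in the public-write directory is still opened and used as the lock. If the lock file genuinely lives in a directory other users can write to, the durable fix is to keep it in a directory only the locking user can write (or create it with O_EXCL and handle the existing-file case), with O_NOFOLLOW as a second layer. The error path right below (`if (FD < 0) { // Read only .. cant have locking problems there.`) should also be checked so that the new ELOOP failure from O_NOFOLLOW is reported as "refused to follow symlink" rather than falling through as a generic or read-only failure. Two documentation points: the added comment says GetLock() "is used in aptitude", but the file is apt-pkg/contrib/fileutl.cc, shared library code, so describe the hazard in terms of callers in general; and the diff paths say apt-0.7.11 while the message cites 0.4.11 and 0.4.13, so state explicitly which package and version the patch targets.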