
Re: Bug#482476: marked as done (Security: Unsafe lock file creation can be used to truncate arbitrary files)



  Security team:

  Bryan Donlan discovered a security hole in the interaction between apt
and aptitude.  apt provides a function GetLock() as a convenient way to
obtain an exclusive lock using a lockfile.  aptitude uses this to create
a lock file controlling its own state, which since version 0.4.2-1 has
been placed in /var/lock (#160418).  The problem is that GetLock() opens
with O_TRUNC, and /var/lock is a world-writable directory.  This means
that any user can cause any file to be truncated by creating an
appropriate symlink named /var/lock/aptitude.  The same problem will
affect any other program that uses GetLock() in a similar way, of
course.

  A patch to fix the problem, suggested by Bryan, is:

--- apt-pkg/contrib/fileutl.cc.orig     2006-12-04 06:37:35.000000000 -0800
+++ apt-pkg/contrib/fileutl.cc  2008-05-29 20:51:12.000000000 -0700
@@ -73,7 +73,9 @@
    close at some time. */
 int GetLock(string File,bool Errors)
 {
-   int FD = open(File.c_str(),O_RDWR | O_CREAT | O_TRUNC,0640);
+   // GetLock() is used in aptitude on directories with public-write access
+   // Use O_NOFOLLOW here to prevent symlink traversal attacks
+   int FD = open(File.c_str(),O_RDWR | O_CREAT | O_NOFOLLOW,0640);
    if (FD < 0)
    {
       // Read only .. cant have locking problems there.
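Review bot: the new comment documents O_NOFOLLOW but not the silent removal of O_TRUNC, and dropping O_TRUNC is the part of this hunk that actually stops an arbitrary file from being emptied; say both in the comment so a later cleanup does not put O_TRUNC back. The error branch right below ("Read only .. cant have locking problems there.") treats any failed open() as the harmless read-only-filesystem case, but with O_NOFOLLOW a failure with errno == ELOOP now means a symlink was planted at the lock path, so consider testing for ELOOP and reporting it instead of continuing silently. O_NOFOLLOW is not part of POSIX.1-2001 (it arrived in POSIX.1-2008), so wrapping the flag in #ifdef O_NOFOLLOW keeps the file building elsewhere; and since O_NOFOLLOW only rejects a symlink as the final path component, an fstat() on FD confirming S_ISREG and the expected owner would also cover a hard link or FIFO left at the same name.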





  I've created signed, fixed packages and uploaded them here:

    http://people.debian.org/~dburrows/apt-2008-05-30

  Please let me know if you need any more information.


    Thanks,
  Daniel
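As an added illustration (written for this note, not apt's code and not Bryan's patch), here is a hypothetical hardened replacement for the GetLock() pattern described above, plus two self-checks in a private temporary directory: one plants a symlink under the lock name and confirms the open is refused with ELOOP and the target keeps its contents, the other takes the lock normally and confirms a second opener contends. It uses flock(2) rather than apt's own locking call so that contention can be shown within one process; the function name, the temp-dir layout and the "victim" file are all constructed for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/file.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical hardened lock-file open (example code, not apt's GetLock()).
 * Returns an fd holding an exclusive lock, or -1 with errno set. Compared
 * with the vulnerable call, it never truncates, refuses a symlink at the
 * lock path, and checks what it actually opened before trusting it. */
int safe_get_lock(const char *path)
{
    /* No O_TRUNC: a lock file holds nothing worth clearing, and truncating
     * through a planted symlink is exactly the bug. O_NOFOLLOW makes open()
     * fail with ELOOP if the final component is a symlink. */
    int fd = open(path, O_RDWR | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0640);
    if (fd < 0)
        return -1;

    /* O_NOFOLLOW says nothing about hard links or FIFOs left under the
     * same name, so verify: regular file, owned by us, one link. */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }

    /* Exclusive, non-blocking lock; EWOULDBLOCK means someone holds it. */
    if (flock(fd, LOCK_EX | LOCK_NB) != 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Constructed scenario: a symlink named like the lock points at a file
 * with data. Returns 0 when the lock is refused with ELOOP and the
 * target's 15 bytes survive; any other value names the failing step. */
int demo_symlink_is_refused(void)
{
    char dir[] = "/tmp/locktestXXXXXX";
    if (mkdtemp(dir) == NULL) return 1;
    char victim[256], lockpath[256];
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lockpath, sizeof lockpath, "%s/aptitude", dir);

    int vfd = open(victim, O_WRONLY | O_CREAT, 0600);   /* constructed target */
    if (vfd < 0) return 2;
    if (write(vfd, "important data\n", 15) != 15) { close(vfd); return 2; }
    close(vfd);
    if (symlink(victim, lockpath) != 0) return 3;      /* planted link */

    int rc = 0;
    int fd = safe_get_lock(lockpath);
    if (fd >= 0) { close(fd); rc = 4; }                /* must be refused */
    else if (errno != ELOOP) rc = 5;                   /* for the right reason */

    struct stat st;
    if (stat(victim, &st) != 0 || st.st_size != 15) rc = 6;  /* untouched */

    unlink(lockpath); unlink(victim); rmdir(dir);
    return rc;
}

/* Normal use: first caller gets the lock, a second open() in the same
 * process must fail with EWOULDBLOCK. Returns 0 on success. */
int demo_plain_lock(void)
{
    char dir[] = "/tmp/locktestXXXXXX";
    if (mkdtemp(dir) == NULL) return 1;
    char lockpath[256];
    snprintf(lockpath, sizeof lockpath, "%s/aptitude", dir);

    int rc = 0;
    int fd = safe_get_lock(lockpath);
    if (fd < 0) rc = 2;
    else {
        int fd2 = safe_get_lock(lockpath);
        if (fd2 >= 0) { close(fd2); rc = 3; }
        else if (errno != EWOULDBLOCK) rc = 4;
        close(fd);
    }
    unlink(lockpath); rmdir(dir);
    return rc;
}

int main(void)
{
    printf("symlink refused: %d\n", demo_symlink_is_refused());
    printf("plain lock:      %d\n", demo_plain_lock());
    return 0;
}
```

The fstat() step is the part a patch that only adds O_NOFOLLOW leaves out: on a world-writable, sticky directory an unprivileged user cannot plant a symlink that O_NOFOLLOW will follow, but can still leave a regular file or FIFO under the lock name, and checking ownership and file type after the open closes that gap.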

