Re: Bug#482476: marked as done (Security: Unsafe lock file creation can be used to truncate arbitrary files)
Security team:
Bryan Donlan discovered a security hole in the interaction between apt
and aptitude. apt provides a function GetLock() as a convenient way to
obtain an exclusive lock using a lockfile. aptitude uses this to create
a lock file controlling its own state, which since version 0.4.2-1 has
been placed in /var/lock (#160418). The problem is that GetLock() opens
with O_TRUNC, and /var/lock is a world-writable directory. This means
that any user can cause any file to be truncated by creating an
appropriate symlink named /var/lock/aptitude. The same problem will
affect any other program that uses GetLock() in a similar way, of
course.
A patch to fix the problem, suggested by Bryan, is:
--- apt-pkg/contrib/fileutl.cc.orig 2006-12-04 06:37:35.000000000 -0800
+++ apt-pkg/contrib/fileutl.cc 2008-05-29 20:51:12.000000000 -0700
@@ -73,7 +73,9 @@
close at some time. */
int GetLock(string File,bool Errors)
{
- int FD = open(File.c_str(),O_RDWR | O_CREAT | O_TRUNC,0640);
+ // GetLock() is used in aptitude on directories with public-write access
+ // Use O_NOFOLLOW here to prevent symlink traversal attacks
+ int FD = open(File.c_str(),O_RDWR | O_CREAT | O_NOFOLLOW,0640);
if (FD < 0)
{
// Read only .. cant have locking problems there.
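Review bot: the comment above the new open() call only explains O_NOFOLLOW, but the hunk makes two independent changes and the second (dropping O_TRUNC) is the one that guarantees an existing file is never emptied, whatever path the open took; please document both. O_NOFOLLOW makes open() fail with ELOOP when the final path component is a symlink, so the symlink case from the report now lands in the `if (FD < 0)` branch below, where the only special case called out is the "Read only" one. A short note there that ELOOP is the expected outcome for a planted symlink would save the next reader from treating it as a read-only filesystem problem. Suggested wording for the new comment: `// No O_TRUNC: never touch an existing file's contents; O_NOFOLLOW: refuse to open through a symlink (open() fails with ELOOP)`. The remaining wording nit: "directories with public-write access" is clearer as "world-writable directories such as /var/lock".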
I've created signed, fixed packages and uploaded them here:
http://people.debian.org/~dburrows/apt-2008-05-30
Please let me know if you need any more information.
Thanks,
Daniel
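To make the effect of the two flag sets concrete, here is an added example (not apt's code and not Bryan's patch) that models GetLock() in both forms. It builds a throwaway directory under /tmp containing a constructed victim file and a symlink named `aptitude` pointing at it, then calls each lock routine on the symlink and reports whether the lock was obtained and what size the victim file has afterwards. The lock routines, the scenario helper and the `fcntl()` locking step are assumptions of this example; the original GetLock() may differ in details. It assumes Linux/glibc.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Take an exclusive fcntl() write lock on an already-open descriptor. */
static int lock_fd(int fd) {
    struct flock fl;
    memset(&fl, 0, sizeof fl);
    fl.l_type = F_WRLCK;     /* exclusive */
    fl.l_whence = SEEK_SET;
    fl.l_start = 0;
    fl.l_len = 0;            /* whole file */
    return fcntl(fd, F_SETLK, &fl);
}

/* Mirrors the pre-patch flags: follows symlinks and truncates the target. */
static int get_lock_unsafe(const char *path) {
    int fd = open(path, O_RDWR | O_CREAT | O_TRUNC, 0640);
    if (fd < 0) return -1;
    if (lock_fd(fd) < 0) { close(fd); return -1; }
    return fd;
}

/* Mirrors the patched flags: refuses a symlink (ELOOP) and never truncates. */
static int get_lock_safe(const char *path) {
    int fd = open(path, O_RDWR | O_CREAT | O_NOFOLLOW, 0640);
    if (fd < 0) return -1;   /* errno is ELOOP when path is a symlink */
    if (lock_fd(fd) < 0) { close(fd); return -1; }
    return fd;
}

/* Size of the file at path in bytes, or -1 on error. */
static long file_size(const char *path) {
    struct stat st;
    if (stat(path, &st) < 0) return -1;
    return (long)st.st_size;
}

/* Constructed scenario: victim file + symlink "aptitude" -> victim in a fresh
 * temp dir. Calls getter() on the symlink, stores whether a lock was obtained
 * in *locked, cleans up, and returns the victim's size afterwards (or -1). */
static long run_scenario(int (*getter)(const char *), int *locked) {
    char dir[] = "/tmp/lockdemoXXXXXX";
    char victim[300], link[300];
    FILE *f;
    int fd;
    long size;

    *locked = 0;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/aptitude", dir);

    f = fopen(victim, "w");
    if (f == NULL) return -1;
    fputs("important data\n", f);          /* 15 bytes of constructed content */
    fclose(f);
    if (symlink(victim, link) < 0) return -1;

    fd = getter(link);                      /* the lock path is the symlink */
    if (fd >= 0) { *locked = 1; close(fd); }

    size = file_size(victim);
    unlink(link); unlink(victim); rmdir(dir);
    return size;
}

int main(void) {
    int locked;
    long size;
    size = run_scenario(get_lock_unsafe, &locked);
    printf("O_TRUNC, follow symlink : locked=%d victim size=%ld\n", locked, size);
    size = run_scenario(get_lock_safe, &locked);
    printf("O_NOFOLLOW, no O_TRUNC  : locked=%d victim size=%ld\n", locked, size);
    return 0;
}
```

With the old flags the victim file is truncated to zero bytes and the caller still believes it holds a valid lock; with the patched flags the open() fails on the symlink, the victim keeps its 15 bytes, and the failure reaches the caller as a lock error it can report. The same check is what a regression test for this bug should assert on.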