[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#795600: /usr/lib/apt/solvers/dump: insecure use of /tmp



Control: severity -1 minor
Control: tags -1 + newcomer
Control: found -1 0.8.16~exp2

On Sat, Aug 15, 2015 at 05:34:20PM +0200, Jakub Wilk wrote:
> Package: apt
> Version: 1.0.10.1
> Tags: security
> 
> * David Kalnischkies <david@kalnischkies.de>, 2015-08-14, 10:14:
> >For the record: /usr/lib/apt/solvers/dump is the solver, just pipe in
> >whatever you want and it will be written to /tmp/edsp.dump
> 
> That doesn't sound very secure.

Well, given the requirements (runable as user, pre-known location)
combined with the immensive userbase of an external solver which fails
all the time, that it is a silly shortcut to get the EDSP protocol data
and that the only documentation this thing has – its help message
– points out that it drops a file into /tmp I think most people will
manage for a while so mark it newcomer.

I guess it could be patched to require an environment variable to be set
to a file location to write to as our usual option to provide an option
isn't available. Its probably going to annoy its only real user in the
universe (me) in the long run, but well, for security! ;)

So, lets see who wants to get ever lasting fame by fixing a security bug
in apt; its up for grabs and I will even help if asked to.

btw: If it is run as root, it will even drop its privileges to user _apt
in the /experimental version, so all the interesting things you could do
if someone would run it as root, can't even be done, but I guess not
everyone is using /experimental…

Best regards

David Kalnischkies

Attachment: signature.asc
Description: Digital signature


Reply to: