Bug#764144: powermanga: Insecure temporary file /tmp/powermanga-log.txt
Markus Koschany
apo at gambaru.de
Mon Oct 6 11:37:58 UTC 2014
Control: tags -1 moreinfo
On 05.10.2014 21:03, Josh Triplett wrote:
> Package: powermanga
> Version: 0.93-1
> Severity: grave
> Tags: security
>
> ~$ ln -s ~/arbitrary-file /tmp/powermanga-log.txt
> ~$ ls -l /tmp/powermanga-log.txt
> lrwxrwxrwx 1 josh josh 25 Oct 4 21:14 /tmp/powermanga-log.txt -> /home/josh/arbitrary-file
> ~$ powermanga
> (II) configuration filename: /home/josh/.config/tlk-games/powermanga.conf [config_file.c:231, configfile_load]
> ~$ ls -l /tmp/powermanga-log.txt ~/arbitrary-file
> -rw-r--r-- 1 josh games 154 Oct 4 21:15 /home/josh/arbitrary-file
> lrwxrwxrwx 1 josh josh 25 Oct 4 21:14 /tmp/powermanga-log.txt -> /home/josh/arbitrary-file
> ~$ cat arbitrary-file
> 2014-10-04 21:14:55 (II) [File: config_file.c][Line: 231][Function: configfile_load] configuration filename: /home/josh/.config/tlk-games/powermanga.conf
>
>
> This appears to allow overwriting an arbitrary file writable by either
> the user or group games.
Hello,
I have tried to verify your scenario and I came up with the following
results:
In your example you tried to overwrite an arbitrary-file in your home
directory. I assume all files in $HOME are owned by josh:josh. Hence it
comes as no surprise that you are able to overwrite the file, since the
powermanga-log.txt symlink is also owned by josh:josh. That is expected
behavior because both files are owned by your user.
However, if another user with a different uid or in the same "games"
group could overwrite an arbitrary file in your home directory, I would
consider this a grave security issue. My tests on a recent Debian
unstable system with Linux Kernel 3.16 did not confirm this assumption.
Since Wheezy there is a Kernel feature activated by default that
protects users from the exploitation of such security issues. [1]
The security team treats all symlink attacks that are nullified by this
protection as non-issues. [2] (see section "Distribution hardening")
You can verify this yourself by creating a different user with
another uid who owns the symlink, in this way:
adduser test
adduser test games
ln -s /home/josh/arbitrary-file /tmp/powermanga-log.txt
chown -h test:games /tmp/powermanga-log.txt
When running the game, I get this error message, but it starts nonetheless.
log_recorder.c/log_initialize()fopen(/tmp/powermanga-log.txt) failed
(Permission denied)
The arbitrary-file is not overwritten.
Hence I think the severity should be downgraded and the bug report kept
open until it is no longer necessary to use a temporary file for writing
log messages.
Regards,
Markus
[1] http://www.openwall.com/lists/kernel-hardening/2012/06/19/1
[2] https://lists.debian.org/debian-devel-announce/2014/03/msg00004.html
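Added illustration (my own example code, not powermanga's log_recorder.c and not
part of Markus's test): instead of depending on fs.protected_symlinks, the program
can open its log with O_NOFOLLOW so that a planted symlink is refused by open(2)
itself. The sysctl path /proc/sys/fs/protected_symlinks is the Linux one; the
directory and file names in the demo are constructed for the test.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Open (or create) a log file for appending, refusing to follow a symlink
 * at the final path component.  Returns a FILE* or NULL with errno set.
 * On Linux a planted symlink fails with ELOOP whether or not
 * fs.protected_symlinks is enabled, so the fix no longer relies on the
 * kernel sysctl.  Mode 0600 also keeps group "games" out of the log. */
FILE *safe_log_open(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0)
        return NULL;
    FILE *fp = fdopen(fd, "a");
    if (fp == NULL)
        close(fd);
    return fp;
}

/* The sysctl the reply relies on: 1 = on, 0 = off, -1 = not readable here. */
int protected_symlinks_enabled(void)
{
    FILE *fp = fopen("/proc/sys/fs/protected_symlinks", "r");
    int v = -1;
    if (fp == NULL)
        return -1;
    if (fscanf(fp, "%d", &v) != 1 || v < 0 || v > 1)
        v = -1;
    fclose(fp);
    return v;
}

/* Constructed scenario in a private directory: a symlink named like the
 * game's log pointing at a victim file.  Returns 1 when safe_log_open()
 * refuses the symlink and still opens a regular file, 0 otherwise. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/pmlog.XXXXXX", victim[64], link[64], plain[64];
    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(victim, sizeof victim, "%s/arbitrary-file", dir);
    snprintf(link, sizeof link, "%s/powermanga-log.txt", dir);
    snprintf(plain, sizeof plain, "%s/plain-log.txt", dir);
    int ok = 0;
    FILE *v = fopen(victim, "w");
    if (v != NULL && fclose(v) == 0 && symlink(victim, link) == 0) {
        FILE *fp = safe_log_open(link);   /* must fail: final component is a symlink */
        int refused = (fp == NULL);
        if (fp) fclose(fp);
        fp = safe_log_open(plain);        /* must succeed: ordinary regular file */
        ok = refused && fp != NULL && fputs("log line\n", fp) >= 0 && fclose(fp) == 0;
    }
    unlink(link); unlink(victim); unlink(plain); rmdir(dir);
    return ok;
}
```

The victim file keeps its original (empty) content because the open never goes through the symlink.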