[DebianGIS-dev] Bug#508595: CVE-2008-5380: allows local users to overwrite arbitrary files via a symlink attack
Tomas Hoger
thoger at redhat.com
Wed Dec 17 09:29:10 UTC 2008
Hi Hamish!
It seems that the upstream fix for this issue is far from ideal.
> TMP=`tempfile -d /tmp -p geo. -s .code`
[...]
> so calling this "fixed-upstream" and hoping that tempfile is somewhat
> portable beyond Debian.
Any particular reason for using Debian-specific tempfile, instead of
generally available mktemp?
Apart from the portability issues of the fix, the fix does not address
the flaw properly either. Even though the TMP file (never used, IIRC) is
created in a secure way, all other temporary files are not (STYLE,
COORDS, OUTWAY, MAP for geo-code). So when TMP is created, a local user
can see its name and can create malicious symlinks
TMP.style, .coords, .way, .gif before the script attempts to use them
for the first time (or guess or brute-force the TMP name in advance). You
either have to create all temporary files using mktemp, or make TMP a
temporary directory (or a dot-directory in the user's home dir, and then
you do not have to care about creating it securely at all).
There are still a few other issues in geo-nearest, like:
cp "$GEOWAY" /tmp/geocaching.loc
and
filter1="tee $TMP.page"
filter2="tee $TMP.bulk"
See the following bugs for the patch that is in preparation for Fedora
packages:
https://bugzilla.redhat.com/show_bug.cgi?id=470241
https://bugzilla.redhat.com/show_bug.cgi?id=475478
--
Tomas Hoger
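The mail above recommends either creating every temporary file with mktemp or making TMP a private temporary directory (or a dot-directory under $HOME). The script below is an added example of that pattern, written for this page; it is not code from the mail, from the Debian bug or from the geo-* scripts. The function names (make_workdir, home_workdir, scratch, is_private_file), the "geo." name prefix and the suffixes style/coords/way/gif are taken from the discussion or assumed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original mail: keep all scratch files of a
# script inside one private directory created atomically by mktemp -d, so a
# predictable "$TMP.style"-style name in a shared /tmp is never written to.

# Option 1 from the mail: a mode-0700 temporary directory from mktemp.
# mktemp -d creates the directory atomically with a random name and fails
# instead of reusing anything that already exists, and it is available on
# GNU coreutils and the BSDs (unlike Debian's tempfile).
make_workdir() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/geo.XXXXXXXXXX") || return 1
    chmod 700 "$d" || return 1   # mktemp -d already does this; explicit here
    printf '%s\n' "$d"
}

# Option 2 from the mail: a dot-directory in the user's home. Nobody else can
# pre-create entries there, so the name does not need to be unpredictable.
# The directory name is an assumption for this example.
home_workdir() {
    d="${HOME:?HOME must be set}/.geo-scratch"
    mkdir -p -m 700 "$d" || return 1
    [ ! -L "$d" ] && [ -d "$d" ] || return 1   # refuse a symlink in $HOME
    printf '%s\n' "$d"
}

# A scratch file derived from the private directory instead of from a public
# /tmp name. set -C (noclobber) makes ">" refuse to overwrite an existing
# entry, so a pre-planted file is reported as an error rather than used.
scratch() {
    # $1 = private work dir, $2 = suffix such as style, coords, way or gif
    f="$1/work.$2"
    ( set -C; : > "$f" ) 2>/dev/null || return 1
    printf '%s\n' "$f"
}

# Defensive check a script can run before writing: the path must not be a
# symlink and its parent must be a directory with mode 0700.
is_private_file() {
    f=$1
    d=$(dirname "$f")
    [ ! -L "$f" ] || return 1
    [ -d "$d" ] || return 1
    mode=$(stat -c %a "$d" 2>/dev/null || stat -f %Lp "$d")   # GNU, then BSD
    [ "$mode" = "700" ]
}

# Stand-alone demo: one private dir, the four scratch files the mail lists,
# and cleanup on exit instead of leaving files in /tmp.
DEMO_W=$(make_workdir) || exit 1
trap 'rm -rf "$DEMO_W"' EXIT INT TERM
for s in style coords way gif; do
    scratch "$DEMO_W" "$s" >/dev/null || exit 1
done
ls -la "$DEMO_W"
```

Every file name a script uses is then derived from a directory only its owner can enter, which is what makes the pre-created-symlink race described in the mail impossible; the same applies to the fixed path /tmp/geocaching.loc in geo-nearest, which would become "$W/geocaching.loc".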