Bug#840685: tomcat8: DSA-3670 incomplete

paul.szabo at sydney.edu.au paul.szabo at sydney.edu.au
Fri Oct 14 08:07:52 UTC 2016 

Dear Salvatore,

> ... if the attacher created a symlink between the rm and the mkdir
> then mkdir will still fail with -p on a symlink.  (Or do I miss
> something?). ...

Yes, you missed a simple test:

$ mkdir mydir
$ ln -s mydir mylink
$ ls -ld my*
drwx------ 2 psz amstaff 4096 Oct 14 18:46 mydir
lrwxrwxrwx 1 psz amstaff    5 Oct 14 18:46 mylink -> mydir
$ mkdir -p mylink || echo failed
$ mkdir -p mylink; echo $?
0
$ mkdir mylink || echo failed
mkdir: cannot create directory `mylink': File exists
failed
$ mkdir mylink; echo $?
mkdir: cannot create directory `mylink': File exists
1
$ ls -ld my*
drwx------ 2 psz amstaff 4096 Oct 14 18:46 mydir
lrwxrwxrwx 1 psz amstaff    5 Oct 14 18:46 mylink -> mydir
$ 

showing that "mkdir -p" does not fail (but plain mkdir does).

> On the practicality for Debian systems though this is mitigated by the
> Kernel hardenings which are enabled by default:
> 
> fs.protected_hardlinks=1
> fs.protected_symlink=1
> 
> which will prevent that the target of the symlink in /tmp will be
> changed on the chown call.

Another missing test (besides: who is changing anything?):

# grep . /proc/sys/fs/prot*
/proc/sys/fs/protected_hardlinks:1
/proc/sys/fs/protected_symlinks:1
# cd ~psz
# ls -ld my*
drwx------ 2 psz amstaff 4096 Oct 14 18:46 mydir
lrwxrwxrwx 1 psz amstaff    5 Oct 14 18:46 mylink -> mydir
# chown mike mylink
# ls -ld my*
drwx------ 2 mike amstaff 4096 Oct 14 18:46 mydir
lrwxrwxrwx 1 psz  amstaff    5 Oct 14 18:46 mylink -> mydir
# 

> So while I think it should be fixed, this would not warrant a DSA,
> since mitigated by default in Debian.

No mitigation: fix and DSA, please!

---

What response time should I have expected of team at security? You had
close to a whole day... compared to that, Markus replied within the
hour to the Debian bug. (But he did not yet reply to my next, private
bug/message... seems public messaging works best!)

Cheers, Paul

Paul Szabo   psz at maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia

More information about the pkg-java-maintainers mailing list