[Pkg-shadow-devel] Bug#307259: Insecure mailbox generation due to incomplete open() call
Moritz Muehlenhoff
Moritz Muehlenhoff <muehlenhoff@univention.de>, 307259@bugs.debian.org
Mon, 02 May 2005 09:05:53 +0200
Package: passwd
Severity: normal
Tags: security
The 4.0.8 changelog points to a change with minor security implications:
| useradd: fixes a potential security problem when mailbox is created in
| useradd.
| Patch and comment by Koblinger Egmont <egmont@uhulinux.hu>:
| Only two arguments are passed to the open() call though it expects three
| because O_CREAT is present. Hence the permission of the file first becomes
| some random garbage found on the stack, and an attacker can perhaps open
| this file and hold it open for reading or writing before the proper
| fchmod() is executed. (Actually, we could also pass the final "mode" to
| the open() call and then save the consequent fchmod().)
Cheers,
Moritz
-- System Information:
Debian Release: 3.0
Architecture: i386
Kernel: Linux anton 2.4.29-univention.1 #1 SMP Thu Jan 27 17:08:46 CET 2005 i686
Locale: LANG=de_DE@euro, LC_CTYPE=de_DE@euro
Versions of packages passwd depends on:
ii libc6 2.3.2-9 GNU C Library: Shared libraries an
ii libpam-modules 0.76-14.4.200410080708 Pluggable Authentication Modules f
ii libpam0g 0.76-14.4.200410080708 Pluggable Authentication Modules l
ii login 1:4.0.3-17.6.200402110832 System login tools
-- debconf-show failed
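The fix the quoted changelog describes, as an added example (not code from the shadow package or from this report): the file is created with an explicit mode of 0 and only widened by fchmod() afterwards, so it is never openable by others in between. The function names, the /tmp path and the 0660 final mode are assumptions made for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not shadow's code. Reports the mode seen at creation. */
static int create_mailbox(const char *path, mode_t final_mode, mode_t *at_create) {
    struct stat st;
    /* O_CREAT makes the third argument mandatory; mode 0 keeps everyone out
     * until fchmod(). O_EXCL refuses a pre-planted file or symlink. */
    int fd = open(path, O_CREAT | O_EXCL | O_WRONLY, 0);
    if (fd < 0)
        return -1;
    /* A real tool would fchown(fd, ...) here, before widening (needs root). */
    if (fstat(fd, &st) != 0 || fchmod(fd, final_mode) != 0) {
        close(fd);
        unlink(path);
        return -1;
    }
    *at_create = st.st_mode & 07777;
    return close(fd);
}

/* Runs the helper on a constructed path in a fresh temporary directory. */
static int mailbox_demo(mode_t *at_create, mode_t *final, int *second_rc) {
    char dir[] = "/tmp/mboxdemoXXXXXX", path[64];
    struct stat st = {0};
    mode_t ignored;
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(path, sizeof path, "%s/alice", dir);
    int rc = create_mailbox(path, 0660, at_create);
    if (rc == 0)
        rc = stat(path, &st);
    *final = st.st_mode & 07777;
    *second_rc = create_mailbox(path, 0660, &ignored); /* must fail: O_EXCL */
    unlink(path);
    rmdir(dir);
    return rc;
}

int main(void) {
    mode_t a = 0, f = 0;
    int second = 0, rc = mailbox_demo(&a, &f, &second);
    printf("rc %d: at creation %04o, final %04o, second create %d\n",
           rc, (unsigned)a, (unsigned)f, second);
    return rc != 0;
}
```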