Bug#287601: vdradmin: Vdradmin.pl script vulnerable to symlink attacks

Thomas Schmidt pkg-vdr-dvb-devel@lists.alioth.debian.org
Wed, 29 Dec 2004 13:17:10 +0100


--gatW/ieO32f1wygP
Content-Type: multipart/mixed; boundary="LZvS9be/3tNcYl/X"
Content-Disposition: inline


--LZvS9be/3tNcYl/X
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

* Javier Fernández-Sanguino Peña schrieb am 29.12.04, um 12:40 Uhr:
> Well, google is your friend but I'll give you some pointers, if you try to
> search for "symlink attack temporary race condition" you will get _lots_ of
> bug reports and advisories related to this security issue.

Thank you for the links, i will read them these days.

In the meantime i tested your patch - it did not work at the
beginning, but after changing some things it seems to work well. (I
attached the new version, so you can check if something is wrong with
it.)

(The only thing which does not work, but this does not seem to be a
problem, is that it ignores the suffix and the given names
(vdradmin-XXXXX and vdr-XXXXX), the files always are named in this way:
/tmp/3Yv3EU5Xqf)

Regards,
Thomas

--=20
Thomas Schmidt
thomas.schmidt@in.stud.tu-ilmenau.de

--LZvS9be/3tNcYl/X
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="vdradmind.pl.diff2"
Content-Transfer-Encoding: quoted-printable

diff -urNad vdradmin-0.96/vdradmind.pl /tmp/dpep.HeRpDe/vdradmin-0.96/vdrad=
mind.pl
--- vdradmin-0.96/vdradmind.pl	2004-12-29 12:54:18.000000000 +0100
+++ /tmp/dpep.HeRpDe/vdradmin-0.96/vdradmind.pl	2004-12-29 12:55:06.0000000=
00 +0100
@@ -32,12 +32,15 @@
 	unshift(@INC, $BASENAME . "lib/");
 }
=20
+require File::Temp;
+
 use CGI qw(:no_debug);
 use IO::Socket;
 use HTML::Template::Expr();
 use Time::Local qw(timelocal);
 use POSIX ":sys_wait_h", qw(strftime mktime);
 use MIME::Base64();
+use File::Temp();
=20
 use strict;
 #use warnings;
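Review bot: The module is now loaded twice, once by the added `require File::Temp;` above the `use` list and again by `use File::Temp();` at its end. The `use` line runs at compile time and already guarantees the module is present, so the `require` line and its blank line can be dropped. The adjacent context also shows `#use warnings;` commented out, so a mistake in how the new File::Temp calls are written is less likely to be noticed at run time.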
@@ -659,7 +662,7 @@
=20
 sub GZip {
 	my $content =3D shift;
-  my $filename =3D "/tmp/vdradmin." . time();
+  my $filename =3D new File::Temp("vdradmin-XXXXX", UNLINK =3D> 1);
   open(PIPE, "| gzip -9 - > $filename") || die "cant open pipe to gzip ($!=
)";
   print PIPE $$content;
   close(PIPE);
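Review bot: The template in `new File::Temp("vdradmin-XXXXX", UNLINK => 1)` is passed positionally, while the constructor is documented with named options, which matches the report in this thread that the given names are ignored and files come out as /tmp/3Yv3EU5Xqf. Use `my $filename = File::Temp->new(TEMPLATE => "vdradmin-XXXXX", DIR => "/tmp", UNLINK => 1);`, since a TEMPLATE without DIR is taken relative to the current directory. The `grab_picture` hunk has the same call shape, so its SUFFIX is probably lost the same way. Separately, the object is used here only for its name: the `open(PIPE, "| gzip -9 - > $filename")` line lets the shell reopen the path instead of writing to the handle that File::Temp opened exclusively. The rest of GZip lies outside the hunk, so check there that the object stays in scope until the compressed data has been read back.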
@@ -3038,7 +3041,7 @@
 ##########################################################################=
###
 sub grab_picture {
 	my $size =3D $q->param("size");
-	my $file =3D "/tmp/vdr.jpg";
+	my $file =3D new File::Temp("vdr-XXXXX", UNLINK =3D> 1, SUFFIX =3D> ".jpg=
");
 	my $maxwidth =3D 768;
 	my $maxheight =3D 576;
 	my($width, $height);
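Review bot: With `UNLINK => 1` the picture file is deleted as soon as `$file` goes out of scope, so every use of it has to complete inside `grab_picture`, whose body continues outside this hunk. File::Temp creates the file readable and writable by the owner only. If the image is written by the VDR process under a different account (not visible here), the grab would fail where the old fixed `/tmp/vdr.jpg` path worked, and that should be tested. A short comment on the declaration would help, for example `# private temp file; removed when $file is destroyed`.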

--LZvS9be/3tNcYl/X--

--gatW/ieO32f1wygP
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFB0qBGc9+NqwoydlIRAgxbAJ9XRzE6qPBudpxca1AUw2FdVCyD5wCfbG2c
pRRZ5Ytlm/d1xvrJJM7XcBM=
=YgN3
-----END PGP SIGNATURE-----

--gatW/ieO32f1wygP--