Bug#287601: vdradmin: Vdradmin.pl script vulnerable to symlink attacks

Thomas Schmidt pkg-vdr-dvb-devel@lists.alioth.debian.org
Wed, 29 Dec 2004 12:22:50 +0100


* Javier Fernández-Sanguino Peña wrote on 29.12.04 at 08:38:
> > I am aware of this issue, and I already prepared a version of
> > vdradmin with a small workaround - I moved the directory where the
> > tmp-files are stored to /var/cache/vdradmin/. I will ask my sponsor to
> > upload it soon.
>
> What mode is /var/cache/vdradmin/? Is it 0777?

No, it is 0755.

> > Btw: I can not find your patch! ;-)
>
> Sorry, attached.

Thank you very much, I already forwarded it to upstream, and I will
test it in a few minutes.

> > Well, I was not aware of this issue (at least that vdr itself is
> > affected), but in theory it is possible to run vdr as a normal user; it
> > only needs a small patch to make it possible for vdr to set the
> > system time. The only problem is that changing this would require a
> > lot of code in the maintainer scripts - patches for this would be very
> > welcome.
>
> It looks to me like the vdr program will take any files given as argument
> to the command and overwrite them blissfully since no checks seem to be
> done before they are fopen()ed, at least in dvbdevice.c
> (cDvbDevice::GrabImage), in recording.c (cRecording::WriteSummary) and in
> some other functions; there also seem to be available commands to delete
> files that make no checks whatsoever. From a cursory look SVDRP
> (implemented in svdrp.c) seems to have no authentication at all, which
> means that a remote rogue user could issue commands to overwrite/delete
> files using the dvr daemon.

Yes, SVDRP does not have authentication at all; the only thing that
limits the problem somewhat is that the usage of SVDRP is limited to
localhost in the default installation.

> I still need to check it further and do some tests before I open up the
> bug...

Thank you very much for your help. It would be very nice if you could
write some patches to resolve this problem, because it is the first
time that I am confronted with such a problem, and I do not really know
how to make these functions secure.


Regards,
Thomas

-- 
Thomas Schmidt
thomas.schmidt@in.stud.tu-ilmenau.de
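The two points discussed in this message, a predictable tmp-file that a symlink can redirect and the "is the directory 0777?" question, as an added example that is not part of the original thread or of the vdradmin/vdr code (Python rather than the script's Perl so it runs as-is; the victim file, directory layout and the name `vdradmin.tmp` are constructed for the demo):

```python
"""Symlink attack on a predictable temp file, and two fixes.

Added example, not vdradmin or vdr code. Everything below runs inside a
throwaway directory; all paths and names are constructed for the demo.
"""
import os
import stat
import tempfile


def unsafe_write(path: str, data: bytes) -> None:
    # The pattern behind the bug: open a predictable path for writing.
    # open(2) follows a symlink, so a link planted by another user
    # redirects the write into whatever file that user chose.
    with open(path, "wb") as f:
        f.write(data)


def safe_write(path: str, data: bytes) -> None:
    # Hardened open: create atomically (O_EXCL fails if anything, including
    # a symlink, already exists at path), never follow a link at the final
    # component (O_NOFOLLOW), and keep the file private (0600).
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
    flags |= getattr(os, "O_NOFOLLOW", 0)  # not present on every platform
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def dir_is_safe_for_tempfiles(path: str) -> bool:
    """The check behind the 0777 question: a temp directory that other
    users can write to lets them pre-create links under predictable names.
    Accept only a directory owned by us that is not group/world writable."""
    st = os.lstat(path)
    if not stat.S_ISDIR(st.st_mode) or st.st_uid != os.geteuid():
        return False
    return not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def demo() -> dict:
    """Plant a symlink, run both writers against it, report what happened."""
    result = {}
    with tempfile.TemporaryDirectory() as root:
        # Victim file the attacker wants clobbered (constructed stand-in for
        # any file writable by the uid the script runs as).
        target = os.path.join(root, "victim.conf")
        with open(target, "w") as f:
            f.write("original\n")

        tmp = os.path.join(root, "tmp")
        os.mkdir(tmp)
        os.chmod(tmp, 0o777)  # the shared, world-writable case
        result["world_writable_rejected"] = not dir_is_safe_for_tempfiles(tmp)
        os.chmod(tmp, 0o755)  # the mode the package moved to
        result["private_dir_accepted"] = dir_is_safe_for_tempfiles(tmp)

        # Attacker plants the link before the victim process writes.
        predictable = os.path.join(tmp, "vdradmin.tmp")
        os.symlink(target, predictable)

        unsafe_write(predictable, b"attacker-controlled\n")
        with open(target) as f:
            result["unsafe_clobbered"] = f.read() != "original\n"

        # Reset the victim and try the hardened writer against the same link.
        with open(target, "w") as f:
            f.write("original\n")
        try:
            safe_write(predictable, b"attacker-controlled\n")
            result["safe_refused"] = False
        except OSError:  # EEXIST: the planted link blocks the O_EXCL create
            result["safe_refused"] = True
        with open(target) as f:
            result["safe_target_intact"] = f.read() == "original\n"

        # Simplest fix of all: let mkstemp pick an unpredictable name, so
        # there is no name for an attacker to pre-create.
        fd, unpredictable = tempfile.mkstemp(dir=tmp)
        os.close(fd)
        result["mkstemp_in_tmp"] = os.path.dirname(unpredictable) == tmp
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The hardened writer still fails closed when the name is predictable; the lasting fix combines an unpredictable name (mkstemp) with a directory that only the service user can write to, which is what moving the files under a 0755 /var/cache/vdradmin/ achieves.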
