Bug#287601: vdradmin: Vdradmin.pl script vulnerable to symlink attacks

Thomas Schmidt pkg-vdr-dvb-devel@lists.alioth.debian.org
Wed, 29 Dec 2004 01:22:09 +0100

Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

* Javier Fern=E1ndez-Sanguino Pe=F1a schrieb am 29.12.04, um 00:41 Uhr:
> Package: vdradmin
> Version: 0.96-2
> Priority: critical
> Tags: security sarge sid
> The vdradmin.pl script does not protect itself from temporary file attacks
> since it creates several temporary files in an insecure manner
> (/tmp/vdradmin+time, /tmp/vdr.jpg). The script does not check if the
> temporary files tries to use already exist before using them. The attache=
> patch (untested) tries to fix this issue.

I am aware of this issue, and i allready prepared a version of
vdradmin with a small workaround - i moved the directory where the
tmp-files are stored to /var/cache/vdradmin/. I will ask my sponsor to
upload it soon.=20

Btw: I can not find your patch! ;-)

I will also forward this to the upstream authors.

> I believe that the vdr sources should be reviewed to make sure that an vdr
> daemon running as root cannot compromise the whole system (there are no
> checks for symlink attacks in the fopen calls). It should be worthwhile
> trying to make the daemon work as a non-root user. I will file this as a=
> separate bug referencing this one, however.

Well, i was not aware of this issue (at least that vdr itself is
affected), but in theory it is possible to run vdr as normal user, it
only needs a small patch to make it possible that vdr can set the
system-time. The only problem is that changing this would require a
lot of code in the maintainer scripts - patches for this would be very


Thomas Schmidt

Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

Version: GnuPG v1.2.5 (GNU/Linux)