Bug#287601: vdradmin: Vdradmin.pl script vulnerable to symlink attacks

[Darren Salt]

I demand that Thomas Schmidt may or may not have written...

> * Javier Fern=E1ndez-Sanguino Pe=F1a schrieb am 29.12.04, um 00:41 Uhr:=

>> The vdradmin.pl script does not protect itself from temporary file att=
acks
>> since it creates several temporary files in an insecure manner
>> (/tmp/vdradmin+time, /tmp/vdr.jpg). The script does not check if the
>> temporary files tries to use already exist before using them. The atta=
ched
>> patch (untested) tries to fix this issue.

> I am aware of this issue, and i allready prepared a version of vdradmin=

> with a small workaround - i moved the directory where the tmp-files are=

> stored to /var/cache/vdradmin/. I will ask my sponsor to upload it soon=
.

> Btw: I can not find your patch! ;-)

> I will also forward this to the upstream authors.

FWIW, I've posted a reference to this bug report on the VDR mailing list.=


>> I believe that the vdr sources should be reviewed to make sure that an=
 vdr
>> daemon running as root cannot compromise the whole system (there are n=
o
>> checks for symlink attacks in the fopen calls). It should be worthwhil=
e
>> trying to make the daemon work as a non-root user. I will file this as=
 a
>> separate bug referencing this one, however.

> Well, i was not aware of this issue (at least that vdr itself is affect=
ed),
> but in theory it is possible to run vdr as normal user,

s/in theory// - I'm running vdr 1.3.17 as non-root.

> it only needs a small patch to make it possible that vdr can set the
> system-time. The only problem is that changing this would require a lot=
 of
> code in the maintainer scripts - patches for this would be very wellcom=
e.

Have a look at the .diff.gz for my vdr package :-)

--=20
| Darren Salt   | nr. Ashington, | linux (or ds) at
| woody, sarge, | Northumberland | youmustbejoking
| RISC OS       | Toon Army      | demon co uk
|   Retrocomputing: a PC card in a Risc PC

Do like all smart motorists. Choose Crelm toothpaste!