Message-ID: <20140122185144.GA12136@alf.mars>
Date: Wed, 22 Jan 2014 19:51:45 +0100
From: Helmut Grohne <helmut@...divi.de>
To: oss-security@...ts.openwall.com
Subject: Getting tempfile/mktemp wrong

Hi,

I (re?)discovered an entertaining way to introduce tmpfile vulnerabilities while using the right tools (tempfile/mktemp). The general pattern is:

    TEMPFILE=`tempfile`.suffix

as opposed to

    TEMPFILE=`tempfile --suffix .suffix`

An attacker can monitor /tmp using inotify, wait for the relevant file to be created and can then quickly create the corresponding tmpfile.suffix symbolic link to escalate privileges.

This can be found in:

1) localepurge
http://bugs.debian.org/736359

    $ grep tempfile -r .
    ./debian/postrm: DEBREINSTALL="$(tempfile).$$"
    ./debian/localepurge.config:TEMPFILE=$(tempfile).$$
    ./debian/localepurge.config:LOCALEGEN=$(tempfile).locale.gen
    $

The localepurge package is Debian-specific. The relevant code runs at installation time as root.

2) syncevolution
http://bugs.debian.org/736357

    $ grep 'mktemp`\.' -r .
    ./src/syncevo/installcheck-local.sh:TMPFILE_CXX=`mktemp`.cxx
    ./src/syncevo/installcheck-local.sh:TMPFILE_O=`mktemp`.o
    $

The relevant code is part of the upstream package and is executed at build time.

3) axiom (packaging)
http://bugs.debian.org/736358

    $ grep 'tempfile).' -r .
    ./debian/axiom-test.sh:k=$(tempfile).input
    $

The relevant code is part of the Debian packaging (upstream axiom is not affected). It can be used on Debian systems to run the test suite when the relevant package is installed.

The Debian bug reports are the initial public mentioning of these particular issues. Please assign CVE identifiers as needed.

Helmut
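As an added example (not part of Helmut's post or of any of the affected packages), the script below shows a safe replacement for the `tempfile`.suffix pattern and a grep-based audit for it, in the spirit of the grep commands in the report. The function names are hypothetical; `safe_tmp_with_suffix` assumes GNU mktemp for `--suffix` and falls back to a private `mktemp -d` directory where that option is unavailable.

```shell
#!/bin/sh
# Added example: safe suffixed temp files plus an audit for the anti-pattern.

# Create a temporary file whose name ends in "$1" WITHOUT appending the
# suffix to a name mktemp already returned (that appended path is never
# created atomically, which is the race described in the post).
#   1. GNU mktemp --suffix creates the final name itself, atomically;
#   2. otherwise a fresh 0700 directory from mktemp -d is ours alone, so
#      any fixed name inside it cannot have been pre-created by others.
safe_tmp_with_suffix() {
    suffix=$1
    if f=$(mktemp --suffix "$suffix" 2>/dev/null) && [ -n "$f" ]; then
        printf '%s\n' "$f"
        return 0
    fi
    d=$(mktemp -d) || return 1
    # noclobber (set -C) makes '>' fail rather than follow an existing path
    ( set -C; : > "$d/tmp$suffix" ) || return 1
    printf '%s\n' "$d/tmp$suffix"
}

# Audit: print file:line for every place where tempfile/mktemp output has
# a suffix glued on, e.g. $(tempfile).$$, $(tempfile).locale.gen, `mktemp`.o
# Lines such as $(tempfile --suffix .x) or $(mktemp --suffix=.o) do not match.
audit_tmp_suffix() {
    grep -nE '(\$\((tempfile|mktemp)[^)]*\)|`(tempfile|mktemp)[^`]*`)\.[A-Za-z0-9_$]' "$@"
}
```

Running `audit_tmp_suffix debian/*.config debian/*.sh` over a package tree reproduces the kind of findings listed in the report; `audit_tmp_suffix` exits non-zero when nothing matches, like grep.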