Message-ID: <20140308030017.GA31505@hunt>
Date: Fri, 7 Mar 2014 19:00:17 -0800
From: Seth Arnold <seth.arnold@...onical.com>
To: oss-security@...ts.openwall.com
Cc: security@...ntu.com
Subject: CVE Request: thermald

Hello,

I discovered that the thermald temperature management daemon opens a file
with a predictable filename in /tmp unsafely. Please assign a CVE number for
this issue:

https://github.com/01org/thermal_daemon/blob/master/src/android_main.cpp#L117


In short:

int main(int argc, char *argv[]) {
	/* ... */
	if (!no_daemon) {
		daemonize((char *) "/tmp/", (char *) "/tmp/thermald.pid");
	} else

/* ... */

static void daemonize(char *rundir, char *pidfile) {
	/* ... */

	pid_file_handle = open(pidfile, O_RDWR | O_CREAT, 0600);


thermald runs as root; on systems that lack the Openwall-inspired symlink
and hardlink protections in world-writable directories this can be used to
write the process's pid to a file of the attacker's choosing.

Note that this affects only the main() function provided in the
android_main.cpp file; the main() routine in main.cpp does not have this
issue.

Thanks

Download attachment "signature.asc" of type "application/pgp-signature" (491 bytes)
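
An added example, not part of the original message and not thermald code: one way to harden the open() call quoted above when a pid file has to live in a world-writable directory, refusing symlinks and hardlinked files. The helper name write_pidfile_safely and the demo paths are hypothetical, and Linux behaviour for O_NOFOLLOW (ELOOP) is assumed.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not thermald code: open or create the pid file and
 * write our pid, refusing symlinks, hardlinked files and files owned by
 * another user (checked on the fd). Returns the fd, or -1 with errno set. */
int write_pidfile_safely(const char *pidfile)
{
	struct stat st;
	char buf[32];
	int len, saved;
	/* O_NOFOLLOW: fail with ELOOP if the last path component is a symlink */
	int fd = open(pidfile, O_RDWR | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0600);
	if (fd < 0)
		return -1;
	if (fstat(fd, &st) < 0)
		goto fail;
	if (!S_ISREG(st.st_mode) || st.st_nlink != 1 || st.st_uid != geteuid()) {
		errno = EPERM;
		goto fail;
	}
	len = snprintf(buf, sizeof(buf), "%ld\n", (long) getpid());
	if (ftruncate(fd, 0) < 0 || write(fd, buf, len) != len)
		goto fail;
	return fd;
fail:
	saved = errno;
	close(fd);
	errno = saved;
	return -1;
}

int main(void)
{
	/* Constructed scenario: a symlink planted where the pid file belongs */
	char dir[] = "/tmp/pidfile-demo-XXXXXX";
	int fd;
	if (!mkdtemp(dir) || chdir(dir) < 0 || symlink("victim", "thermald.pid") < 0)
		return 1;
	fd = write_pidfile_safely("thermald.pid");
	printf("planted symlink: fd=%d, ELOOP=%d\n", fd, fd < 0 && errno == ELOOP);
	unlink("thermald.pid");
	rmdir(dir);
	return fd < 0 ? 0 : 1;
}
```

Keeping the pid file in a directory that only root can write to removes the exposure entirely; the checks above are for cases where that is not possible.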
