Message-ID: <abn6kAVrLGHG6kpo@mertle>
Date: Tue, 17 Mar 2026 21:06:24 -0400
From: Michael Orlitzky <michael@...itzky.com>
To: oss-security@...ts.openwall.com
Cc: qsa@...lys.com
Subject: Re: snap-confine + systemd-tmpfiles = root (CVE-2026-3888)

On 2026-03-17 13:58:17, Michal Zalewski wrote:
> Nice work... flashbacks from 2002
> (https://lcamtuf.coredump.cx/tmp_paper.txt). It's frankly somewhat
> mind-boggling that distros keep a world-writable /tmp this day and
> age. Whatever questionable benefits it has, it also contributed to
> plenty of pointless and easily avoidable vulns.

It's required by POSIX which, funny enough, forbids /tmp from being
used the way snap-confine is using it. I wouldn't expect either of
these projects to care about POSIX, but the same description was
copied & pasted into the FHS. And to its credit, systemd has a
page full of documentation on how to avoid this exact problem.

1. https://pubs.opengroup.org/onlinepubs/9799919799/basedefs/V1_chap10.html
2. https://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch03s18.html
3. https://systemd.io/TEMPORARY_DIRECTORIES/
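
Added example (mine, not code from this message, the thread, snap-confine or systemd): the classic predictable-name-plus-symlink race in a shared temp directory, next to the pattern the systemd TEMPORARY_DIRECTORIES page and the POSIX text recommend, namely a private mkdtemp() directory and opens relative to its directory fd with O_EXCL|O_NOFOLLOW. Everything runs inside a constructed scratch directory under $TMPDIR (or /tmp) that stands in for a world-writable /tmp; the file names victim.conf and app.lock are made up, and nothing here models the CVE-2026-3888 bug itself, since the page gives no details of it. One caveat worth knowing: the scratch directory is mode 0700 and not sticky, so Linux's fs.protected_symlinks does not intervene and the unsafe open() shows the raw POSIX semantics; in a real sticky /tmp that sysctl may mask the bug on some systems, which is not a reason to rely on it.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed content for the "victim" file the privileged program never meant to touch. */
static const char VICTIM_CONTENT[] = "important=1\n";

/* Constructed stand-in for a world-writable /tmp: a fresh mkdtemp() directory under
 * $TMPDIR (or /tmp), so the demo is self-contained and cleans up after itself. */
static int make_scratch(char *buf, size_t len) {
    const char *base = getenv("TMPDIR");
    if (base == NULL || *base == '\0') base = "/tmp";
    snprintf(buf, len, "%s/tmpdemo.XXXXXX", base);
    return mkdtemp(buf) ? 0 : -1;
}

/* Create the victim file with known content; returns 0 on success. */
static int create_victim(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, VICTIM_CONTENT, sizeof VICTIM_CONTENT - 1);
    close(fd);
    return n == (ssize_t)(sizeof VICTIM_CONTENT - 1) ? 0 : -1;
}

static off_t file_size(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? st.st_size : -1;
}

/* Unsafe pattern: a fixed, predictable name in the shared directory, opened with
 * O_CREAT|O_TRUNC and neither O_EXCL nor O_NOFOLLOW. An attacker who planted a
 * symlink at that name earlier gets the privileged caller to truncate whatever the
 * link points at. Returns 1 if the victim was truncated through the link, 0 if not,
 * -1 on setup failure. */
int demo_unsafe_fixed_name(void) {
    char scratch[256], victim[512], link[512];
    if (make_scratch(scratch, sizeof scratch) < 0) return -1;
    snprintf(victim, sizeof victim, "%s/victim.conf", scratch);
    snprintf(link, sizeof link, "%s/app.lock", scratch);
    if (create_victim(victim) < 0 || symlink(victim, link) < 0) return -1;

    int fd = open(link, O_WRONLY | O_CREAT | O_TRUNC, 0600); /* "create my lock file" */
    if (fd >= 0) close(fd);
    int truncated = file_size(victim) == 0;

    unlink(link); unlink(victim); rmdir(scratch);
    return truncated;
}

/* Safe pattern: a private mkdtemp() directory (mode 0700, unpredictable name) and
 * files opened relative to its directory fd with O_EXCL|O_NOFOLLOW, so anything
 * already present at the name, symlink or not, makes the open fail with EEXIST
 * instead of being followed. To exercise the flags we plant the symlink inside the
 * private directory ourselves; in real use the 0700 mode keeps an attacker out.
 * Returns 1 if the open was refused and the victim left intact, 0 otherwise,
 * -1 on setup failure. */
int demo_safe_private_dir(void) {
    char scratch[256], priv[512], victim[512];
    if (make_scratch(scratch, sizeof scratch) < 0) return -1;
    snprintf(victim, sizeof victim, "%s/victim.conf", scratch);
    snprintf(priv, sizeof priv, "%s/app.XXXXXX", scratch);
    if (create_victim(victim) < 0 || mkdtemp(priv) == NULL) return -1;

    int dirfd = open(priv, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dirfd < 0 || symlinkat(victim, dirfd, "app.lock") < 0) return -1;

    errno = 0;
    int fd = openat(dirfd, "app.lock",
                    O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
    int refused = fd < 0 && errno == EEXIST;
    if (fd >= 0) close(fd);
    int intact = file_size(victim) == (off_t)(sizeof VICTIM_CONTENT - 1);

    unlinkat(dirfd, "app.lock", 0); close(dirfd); rmdir(priv);
    unlink(victim); rmdir(scratch);
    return refused && intact;
}

int main(void) {
    printf("fixed name in shared dir, no O_EXCL: symlink followed = %d\n",
           demo_unsafe_fixed_name());
    printf("private mkdtemp dir + O_EXCL|O_NOFOLLOW: open refused = %d\n",
           demo_safe_private_dir());
    return 0;
}
```

Build with `cc tmpdemo.c -o tmpdemo && ./tmpdemo`; both lines print 1. The point of the second function is not the mkdtemp() call alone but the combination: an unguessable private directory closes the planting window, the directory fd removes the path-walk race between check and use, and O_EXCL|O_NOFOLLOW makes a pre-existing entry a hard failure rather than something to follow. Dropping any one of the three reopens a variant of the same bug.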
