Bug#840685: TOCTOU race condition in initscript on chown'ing JVM_TMP temporary directory (was: Re: Bug#840685: tomcat8: DSA-3670 incomplete)
Salvatore Bonaccorso
carnil at debian.org
Fri Oct 14 20:40:22 UTC 2016
Control: severity -1 normal
Control: found -1 8.0.14-1
Hi Paul,
On Sat, Oct 15, 2016 at 07:25:59AM +1100, paul.szabo at sydney.edu.au wrote:
> Dear Salvatore,
>
> > You are operating here outside of /tmp (sticky world-writable
> > directory) which the above issue for the init scripts relies on,
> > right? fs.protected_(hardlinks|symlinks) is exactly a hardening for
> > those issues:
> > https://www.kernel.org/doc/Documentation/sysctl/fs.txt
>
> I see: the kernel now treats things in /tmp (with sticky bit
> permissions) differently from other places (without "weird"
> permissions). Thanks for pointing this out for me!
> (I never noticed this change...)
>
> Then I agree that this issue is not exploitable in default Debian,
> no need for DSA. (Sorry about the noise.)
Welcome and thanks for confirming, and no problem (glad we could
elaborate together on the issue the impact).
I'm lowering the severity, and as well mark as found version for the
8.0.14-1 including up to unstable version.
Regards,
Salvatore
More information about the pkg-java-maintainers
mailing list