[Pkg-virtualbox-devel] Bug#504149: Bug#504149: virtualbox-ose: symlink vulnerability due to bad /tmp handling

Frank Mehnert Frank.Mehnert at Sun.COM
Wed Nov 5 10:07:08 UTC 2008


Paul et al.,

On Saturday 01 November 2008, Paul Wise wrote:
> By creating a symlink /tmp/.vbox-$USER-ipc/lock an attacker can
> overwrite any file owned by any user who starts virtualbox. Starting and
> then exiting virtualbox is enough to trigger this, you don't need to
> start any virtual machines.

Thanks for this report.

> In addition to this, it is a really stupid idea to put dotfiles in /tmp
> and this should be fixed too.

I'm not sure if this is stupid or not. At least the .vbox-* directories
are not the only .dotfile directories in /tmp.

> In addition to this, virtualbox does not clean up /tmp/.vbox-$USER-ipc/
> when exiting, which is just rude.

We will fix that later.

I hope our fix is sufficient. The changesets r13788, r13807, r13809,
r13810 should check the permissions. These changesets should apply
to 1.6.6 and 2.0 as well.

Kind regards,

Frank
-- 
Dr.-Ing. Frank Mehnert    Sun Microsystems    http://www.sun.com/
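
An added example, not part of the original message and not VirtualBox's code (the changesets named above are not shown on this page): one way to open a lock file in a per-user directory under /tmp so that a planted symlink or a directory with loose permissions is refused. The function name `open_ipc_lock` and the demo path are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Directory must be a real directory, ours, with no group/other access. */
static int private_dir(const struct stat *st) {
    return S_ISDIR(st->st_mode) && st->st_uid == geteuid()
        && (st->st_mode & (S_IRWXG | S_IRWXO)) == 0;
}

/* Hypothetical helper: fd for <dir>/lock, or -1 if anything looks planted. */
int open_ipc_lock(const char *dir) {
    struct stat st;
    if (mkdir(dir, 0700) != 0 && errno != EEXIST)
        return -1;
    /* O_NOFOLLOW: refuse a symlink planted in place of the directory. */
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dfd < 0)
        return -1;
    /* fstat the handle we hold, so the check and the use cannot diverge. */
    if (fstat(dfd, &st) != 0 || !private_dir(&st)) {
        close(dfd);
        return -1;
    }
    /* Relative to dfd; a symlink named "lock" fails with ELOOP. */
    int fd = openat(dfd, "lock", O_RDWR | O_CREAT | O_NOFOLLOW, 0600);
    close(dfd);
    if (fd < 0)
        return -1;
    /* Reject hard links and anything that is not our own regular file. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)
        || st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(void) {
    char dir[] = "/tmp/ipc-demo-XXXXXX";   /* constructed sample path */
    if (!mkdtemp(dir)) return 1;
    int fd = open_ipc_lock(dir);
    printf("%s/lock -> %s\n", dir, fd >= 0 ? "opened" : "refused");
    return fd >= 0 ? 0 : 1;
}
```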