[DebianGIS-dev] Bug#508595: Bug#508595: CVE-2008-5380: allows local users to overwrite arbitrary files via a symlink attack

Francesco P. Lovergine frankie at debian.org
Thu Dec 18 13:43:16 UTC 2008


On Wed, Dec 17, 2008 at 10:29:10AM +0100, Tomas Hoger wrote:
> Hi Hamish!
> 
> It seems that upstream fix for this issue is far from being ideal.
> 
> > TMP=`tempfile -d /tmp -p geo. -s .code`
> 
> [...]
> 
> > so calling this "fixed-upstream" and hoping that tempfile is somewhat
> > portable beyond Debian.
> 
> Any particular reason for using Debian-specific tempfile, instead of
> generally available mktemp?
> 
> Apart from the portability issues of the fix, the fix does not address
> the flaw properly either.  Even though the TMP file (never used, IIRC) is
> created in a secure way, all other temporary files are not (STYLE,
> COORDS, OUTWAY, MAP for geo-code).  So when TMP is created, a local user
> can see its name and can create malicious symlinks
> TMP.style, .coords, .way, .gif before the script attempts to use them
> for the first time (or guess or brute-force the TMP name in advance).  You
> either have to create all temporary files using mktemp, or make TMP a
> temporary directory (or a dot-directory in the user's home dir, and then
> you do not have to care about creating it securely at all).
> 
> There are still a few other issues in geo-nearest, like:
> 
>   cp "$GEOWAY" /tmp/geocaching.loc

A proper fix should use mkdtemp(3) and create all relevant files there.
Finally, all files could be moved into place after prechecking the type,
attributes and existence of the target files.

-- 
Francesco P. Lovergine
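The pattern both messages point at, written out as an added POSIX sh example that is not code from the geo-* scripts or from the bug report: one unpredictable work directory from mktemp -d (the shell-level counterpart of mkdtemp(3)), every scratch file created inside it, and a move into place that first checks what already sits at the destination. The function names and the style/coords/way file layout are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not the geo-* scripts' own code): private work directory
# plus guarded install, instead of predictable /tmp/NAME.style style paths.
set -eu

# make_workdir: mode-0700 directory with an unpredictable name.
# mktemp -d maps onto mkdtemp(3); TMPDIR is honoured when set.
make_workdir() {
    mktemp -d "${TMPDIR:-/tmp}/geo.XXXXXXXX"
}

# install_result SRC DST: move SRC to DST only if nothing suspicious is
# already there. A symlink, or anything that is not a regular file, at DST
# is refused (return 1) and SRC is left untouched, so a pre-planted link
# is never followed by the script's output step.
install_result() {
    src=$1; dst=$2
    if [ -L "$dst" ]; then
        echo "refusing to follow symlink at $dst" >&2
        return 1
    fi
    if [ -e "$dst" ] && [ ! -f "$dst" ]; then
        echo "refusing to overwrite non-regular file $dst" >&2
        return 1
    fi
    mv -f -- "$src" "$dst"
}

# geocode_demo DSTDIR: stand-in for geo-code's output step (hypothetical
# contents). All scratch files live in the work dir, the result is
# installed as DSTDIR/geocaching.loc, and the work dir is always removed.
geocode_demo() {
    work=$(make_workdir)
    printf 'style\n'  > "$work/style"     # was STYLE in the real script
    printf 'coords\n' > "$work/coords"    # was COORDS
    printf 'way\n'    > "$work/way"       # was OUTWAY
    cat "$work/style" "$work/coords" "$work/way" > "$work/result.loc"
    rc=0
    install_result "$work/result.loc" "$1/geocaching.loc" || rc=$?
    rm -rf -- "$work"                     # clean up on success and failure
    return $rc
}
```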
