Bug 210609 - app-misc/wyrd < 1.4.4 Insecure temporary file creation (CVE-2008-0806)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High trivial
Assignee: Gentoo Security
URL: http://bugs.debian.org/cgi-bin/bugrep...
Whiteboard: ~3 [noglsa]
Reported: 2008-02-18 18:31 UTC by Robert Buchholz (RETIRED)
Modified: 2008-02-23 20:09 UTC
Description Robert Buchholz (RETIRED) gentoo-dev 2008-02-18 18:31:39 UTC
Nico Golde writes:

While searching for a cool calendar software I tried out 
wyrd and noticed a wyrd file in /tmp that didn't look very 
random. Looking at the source code it turns out that wyrd 
dumps its configuration if you press ? (help) in the ui.
It then stores a file named wyrd-tmp.<userid> in /tmp.

rcfile.ml:
139 let tmpfile = "/tmp/wyrd-tmp." ^ (string_of_int (Unix.getuid ()))

An attacker only needs to look up the userid in /etc/passwd 
and create a symlink from /home/victim/someimportantfile /tmp/wyrd-tmp.uid
and this will overwrite the content with the wyrd 
configuration.
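
The open pattern from the report beside two hardened alternatives, as an added Python example that is not wyrd's code or the Debian patch. The file names are constructed and everything runs inside a private temporary directory rather than /tmp.

```python
import os
import tempfile

def write_predictable(path, text):
    # Reported pattern: fixed, guessable name. open(..., "w") follows a
    # symlink and truncates whatever file the name resolves to.
    with open(path, "w") as fh:
        fh.write(text)

def open_exclusive(path):
    # O_CREAT|O_EXCL fails with EEXIST if the name exists in any form,
    # including a symlink; O_NOFOLLOW and mode 0600 are defence in depth.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    return os.open(path, flags, 0o600)

def write_unpredictable(directory, text):
    # mkstemp picks a random name, creates it with O_EXCL and mode 0600, and
    # returns the open descriptor; writing through that descriptor means the
    # name is never re-resolved between creation and write.
    fd, path = tempfile.mkstemp(prefix="wyrd-", dir=directory)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    return path

def read(path):
    with open(path) as fh:
        return fh.read()

def demo():
    # Everything happens in a private sandbox; names below are constructed.
    with tempfile.TemporaryDirectory() as sandbox:
        victim = os.path.join(sandbox, "important.txt")
        write_predictable(victim, "precious data\n")
        tmpname = os.path.join(sandbox, "wyrd-tmp.%d" % os.getuid())
        os.symlink(victim, tmpname)  # the name is taken before the program runs
        try:
            os.close(open_exclusive(tmpname))
            refused = False
        except FileExistsError:
            refused = True
        after_exclusive = read(victim)
        safe = write_unpredictable(sandbox, "config dump\n")
        after_mkstemp = read(victim)
        write_predictable(tmpname, "config dump\n")
        return refused, after_exclusive, after_mkstemp, read(victim), safe != tmpname

if __name__ == "__main__":
    print(demo())
```

Only the last call, the fixed-name open, changes the stand-in file; the exclusive open refuses the pre-existing name and `mkstemp` never touches it.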
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-02-18 18:32:05 UTC
tove, ml, please advise.
Comment 2 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-02-19 21:52:29 UTC
Here's the patch from Nico Golde: http://people.debian.org/~nion/nmu-diff/wyrd-1.4.3b-3_1.4.3b-3.1.patch

maintainers, please bump.
Comment 3 Torsten Veller (RETIRED) gentoo-dev 2008-02-19 22:24:12 UTC
The patched version quits [Sys_error("Bad file descriptor")] the second time help is called here.

Upstream told me that a fixed version will be released really soon.
Comment 4 nion 2008-02-20 18:59:23 UTC
(In reply to comment #3)
> The patched version quits [Sys_error("Bad file descriptor")] the second time
> help is called here.
> 
> Upstream told me that a fixed version will be released really soon.

Thanks for spotting this. The reason is that the vulnerable version just operates on the filename and writes to it, and thus always assigns a new fd and closes it afterwards, while the fixed version has a global fd to make sure the file does not change in the meantime. Fixed this by moving the file descriptor close to the same place as removing the file (tested) and flushing the output after writing to it.
Comment 5 Torsten Veller (RETIRED) gentoo-dev 2008-02-22 09:12:53 UTC
wyrd-1.4.4 is in the tree.

|2008-02-21     Released 1.4.4.
|
|               Fixed an instance of insecure tempfile creation.  This 
|               addresses a security vulnerability that had the potential to
|               cause data loss.
Comment 6 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-02-22 09:21:05 UTC
thanks, closing.