Ben Hutchings has discovered a vulnerability in netperf, which can be exploited by malicious, local users to perform certain actions with escalated privileges. The vulnerability is caused due to the file "/tmp/netperf.debug" being created insecurely during the start of "netserver". This can be exploited via symlink attacks to overwrite arbitrary files with privileges of the user running netserver. The vulnerability is confirmed in version 2.4.3. I just checked the last stable version we ship (2.3) and it's also vulnerable.
That's so dirty :/ Easy to fix while we're waiting for upstream, but I would rather use syslog than a temporary file, what do you think netmon or security?
still upstream...
no news from upstream yet
looks like a fix or am I wrong here?
svn log http://www.netperf.org/svn/netperf2/ | less
r104 | raj | 2007-04-04 00:40:51 +0200 (Wed, 04 Apr 2007) | 1 line
create per-child debug log files with the pid appended when netserver in debug
yes Markus, 2.4.4 fixes the initial problem. but still, even with this fix an attacker could create /tmp/netperf.debug1 /tmp/netperf.debug2 etc... He'd better use mkstemp() instead. Security, any opinion on this?
(In reply to comment #5)
> yes Markus, 2.4.4 fixes the initial problem. but still, even with this fix an
> attacker could create /tmp/netperf.debug1 /tmp/netperf.debug2 etc... He'd
> better to use mkstemp() instead.
> Security, any opinion on this?
it doesn't fix anything from a security point of view :(
Security, do we want a maskglsa for this one? I tend to vote no.
Is the netperf.debug file created by default or only with specific options enabled?
no it's not, you have to specify the "-d" flag when running it.
Voting NO then.
voting no.
Well, I was going to remove this package but found patch submitted by Nico Golde: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=413658 and bumped the package. Now it uses mkstemp() to create debug file name. Unmasking it. I think we can close this bug now? BTW, strange but seems that debian maintainer dropped that patch and uses upstream provided code based on $pid. Does anybody have any time to report that there?
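For readers following the thread, here is an added illustration of the difference between the two log-creation patterns discussed above (the fixed "/tmp/netperf.debug" path versus mkstemp()). It is example code written for this bug, not netperf's own code and not Nico Golde's patch; the function names, the "/tmp/netperf.debug.XXXXXX" template and the post-creation fstat() check are assumptions made for the example.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak pattern from the report: a fixed, predictable name in /tmp opened
   for writing. fopen() follows symlinks, so whatever already sits at that
   name decides where the bytes go. Kept here only for contrast; nothing
   below calls it. */
FILE *open_debug_log_insecure(void)
{
    return fopen("/tmp/netperf.debug", "w");
}

/* Hardened version. mkstemp() replaces the XXXXXX suffix with a random
   string and creates the file with O_CREAT|O_EXCL and mode 0600, so a
   pre-existing file or symlink at that name cannot be reused and the
   creation fails closed instead. out_path receives the name actually
   created (hypothetical template, not netperf's). Returns an fd or -1. */
int open_debug_log_secure(char *out_path, size_t out_len)
{
    const char *tmpl = "/tmp/netperf.debug.XXXXXX";
    if (out_len < strlen(tmpl) + 1) {
        errno = ENAMETOOLONG;
        return -1;
    }
    strcpy(out_path, tmpl);
    int fd = mkstemp(out_path);
    if (fd < 0)
        return -1;

    /* Defensive check on the descriptor itself: a regular file, a single
       link, owned by us. Checking the fd (not the path) avoids a second
       race on the name. */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_nlink != 1 || st.st_uid != geteuid()) {
        close(fd);
        unlink(out_path);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Permission bits of the file behind fd (expected 0600), or -1 on error. */
int log_mode_bits(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return -1;
    return (int)(st.st_mode & 0777);
}

int main(void)
{
    char path[64];
    int fd = open_debug_log_secure(path, sizeof path);
    if (fd < 0) {
        perror("open_debug_log_secure");
        return 1;
    }
    char line[128];
    int n = snprintf(line, sizeof line, "netserver debug log opened as %s\n", path);
    if (n > 0)
        write(fd, line, (size_t)n);
    printf("debug log: %s (mode %04o)\n", path, log_mode_bits(fd));
    close(fd);
    unlink(path);
    return 0;
}
```

The pid-suffix approach from upstream r104 only changes the predictable name to another predictable name; what actually closes the hole is O_EXCL creation of a name the attacker cannot guess in advance, which is what mkstemp() provides. Writing the log under /var/log instead of /tmp, as the Debian maintainer chose, removes the shared-directory problem altogether.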
I just added Nico to CC.
(In reply to comment #13)
> I just added Nico to CC.
Since logfiles don't really belong to /tmp but to /var/log the maintainer decided to change the log location. The patch itself is fine though.
I'll close this with NO GLSA since we voted NO for mask GLSA. Feel free to reopen if you disagree.
Bah, and now actually closing.