Hello,

In silcd/silcd.c, starting at line 258:

    /* Dump server statistics into a file into /tmp directory */

    SILC_TASK_CALLBACK(dump_stats)
    {
      FILE *fdd;
      char filename[256];

      memset(filename, 0, sizeof(filename));
      snprintf(filename, sizeof(filename) - 1, "/tmp/silcd.%d.stats", getpid());
      fdd = fopen(filename, "w+");
      if (!fdd)
        return;

    #define STAT_OUTPUT(fmt, stat) fprintf(fdd, fmt "\n", (int)stat);

      fprintf(fdd, "SILC Server %s Statistics\n\n", silcd->server_name);
      fprintf(fdd, "Local Stats:\n");
    ....

silc-server-0.9.21 is masked but silc-toolkit-0.9.12 is not. This code is vulnerable to a symlink attack.

Regards.
What about this bug?
It's still an Auditing bug, waiting for Tavis to push it back to Vulnerabilities :)
The silc-toolkit package doesn't include the daemon, so it's safe. The silc-server does, but the only time that code is exercised is on receiving a SIGUSR1, so this is highly unlikely to ever be successfully exploited. As the server is masked there won't be a GLSA for this, but upstream should be informed and a patch applied before being unmasked.
Hello,

I contacted upstream.

Regards.
Created attachment 61573
use O_EXCL

Something like this will do the trick. Tested and working.
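A worked illustration of the symlink race reported above and of the O_EXCL fix proposed in the attachment, added here as an example: this is neither silcd's code nor the attached patch. The helper names (stats_open_unsafe, stats_open_safe, demo_symlink_attack, demo_safe_creates), the scratch directory under /tmp and the victim file are assumptions constructed for the demonstration. The unsafe variant mirrors dump_stats(): fopen("w+") follows whatever a local user has planted at /tmp/silcd.<pid>.stats and truncates the target with the daemon's privileges. The hardened variant opens with O_CREAT|O_EXCL (plus O_NOFOLLOW and mode 0600) so that a pre-existing file or symlink makes open() fail instead of being followed.

```c
/* Added example, not silcd's code: vulnerable stats-file open beside a
 * hardened one, with a constructed symlink attack in a scratch directory. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern (as in dump_stats): fopen("w+") follows a symlink an
 * attacker planted at the predictable path and truncates its target. */
static FILE *stats_open_unsafe(const char *path)
{
    return fopen(path, "w+");
}

/* Hardened pattern: O_CREAT|O_EXCL fails with EEXIST if anything (symlink
 * included) already exists at the path; O_NOFOLLOW is belt and braces;
 * mode 0600 keeps other local users from reading the dump. */
static FILE *stats_open_safe(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return NULL;
    FILE *fp = fdopen(fd, "w");
    if (!fp)
        close(fd);
    return fp;
}

/* Constructed scenario: <dir>/victim holds known content and the attacker
 * links <dir>/silcd.<pid>.stats to it before the daemon writes.  Returns 1
 * when the unsafe open clobbers the victim and the safe open refuses,
 * 0 if either expectation fails, -1 on setup error. */
static int demo_symlink_attack(void)
{
    char dir[] = "/tmp/silcd-demo-XXXXXX";
    if (!mkdtemp(dir))
        return -1;
    char victim[512], statsfile[512];
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(statsfile, sizeof statsfile, "%s/silcd.%d.stats", dir, (int)getpid());

    const char *original = "important data\n";
    FILE *v = fopen(victim, "w");
    if (!v)
        return -1;
    fputs(original, v);
    fclose(v);
    if (symlink(victim, statsfile) != 0)
        return -1;

    /* Daemon-side write through the unsafe open lands in the victim file. */
    FILE *u = stats_open_unsafe(statsfile);
    if (u) {
        fputs("SILC Server Statistics\n", u);
        fclose(u);
    }
    struct stat st;
    int victim_clobbered = stat(victim, &st) == 0 &&
                           (size_t)st.st_size != strlen(original);

    /* The hardened open must refuse because the path already exists. */
    errno = 0;
    FILE *s = stats_open_safe(statsfile);
    int safe_refused = s == NULL && (errno == EEXIST || errno == ELOOP);
    if (s)
        fclose(s);

    unlink(statsfile);
    unlink(victim);
    rmdir(dir);
    return victim_clobbered && safe_refused;
}

/* Sanity check: on a fresh path the hardened open creates a regular file
 * with no group/other permission bits.  Returns 1 on success. */
static int demo_safe_creates(void)
{
    char dir[] = "/tmp/silcd-demo-XXXXXX";
    if (!mkdtemp(dir))
        return -1;
    char statsfile[512];
    snprintf(statsfile, sizeof statsfile, "%s/silcd.%d.stats", dir, (int)getpid());

    int ok = 0;
    FILE *s = stats_open_safe(statsfile);
    if (s) {
        fputs("SILC Server Statistics\n", s);
        fclose(s);
        struct stat st;
        ok = lstat(statsfile, &st) == 0 && S_ISREG(st.st_mode) &&
             (st.st_mode & 077) == 0;
    }
    unlink(statsfile);
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("symlink attack succeeds against fopen(\"w+\") and fails against O_EXCL: %s\n",
           demo_symlink_attack() == 1 ? "yes" : "no");
    printf("hardened open creates a private regular file: %s\n",
           demo_safe_creates() == 1 ? "yes" : "no");
    return 0;
}
```

Note that O_EXCL only makes the existing-path case fail; a daemon that wants to keep writing a stats file on every SIGUSR1 still has to choose between unlinking the old file first (reopening the race window slightly) and writing somewhere not world-writable, such as a directory it owns.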
Vendor responded, waiting for a fixed version.
Eric, any news on the upstream release date?
Hello,

No vendor feedback since Gentoo advised them.

Regards.
Eric: I think you can consider releasing this one; maybe resend them an email first letting them know when you'll do it?
Any news on this one?
Eric: let me know what you want to do with this one.
Public, see URL
Apparently upstream is in no hurry to fix it. net-irc: please bump with the provided patch.
net-im/silc-server has been bumped.
Many thanks, Sven.