The vulnerability is caused due to temporary file being created insecurely. This can be exploited via symlink attacks to create and overwrite arbitrary files with the privileges of the user running the affected script. The exploitation require that the root try to update the software. ########## Versions: ########## LutelWall <= 0.97
Vulnerable code : ----------------- # Prefix of temporary firewall files tmp='/tmp/lutelwall' new_version_check () { # Check for new version of script if [ "`wget -V 2>&1 >/dev/null`" ]; then message 3 "Warrning: Wget is required to check for updates." else new_ver=`wget -C off -O - -q -t 1 -T 3 -w 3 -U "\`uname -a 2>&1\`" http://firewall.lutel.pl/ver` if [ `echo $current_version | gawk '{ gsub("\\\.","") ; print 1$0 }'` -lt `echo $new_ver | gawk '{ gsub("\\\.","") ; print 1$0 }'` ]; then echo -e "\nThere is newer version of LutelWall (${new_ver})" echo -n " Changes since previous version:" echo `wget -C off -O $tmp-newfeat -q -t 1 -T 3 -w 3 http://firewall.lutel.pl/FEATURES-${new_ver}` cat $tmp-newfeat echo "Do you want to update [y/N]? " read -s -t 5 -n 1 ln if [ "$ln" = 'y' -o "$ln" = 'Y' ]; then wget -O $tmp-script -q -T 3 http://firewall.lutel.pl/lutelwall cat $tmp-script > $0 rm -rf $tmp-script echo "Your firewall is up to date, exiting after update!" exit else message 5 "Update aborted" fi else message 5 "LutelWall is up-to-date" fi; fi; }
*** Bug 95596 has been marked as a duplicate of this bug. ***
Vanquirius: thx for the bump. Keywords are all set, this is ready for GLSA vote
I vote YES, I guess the update script is run by root.
agreed, there should be a GLSA
GLSA 200506-10