Bug 112061 - app-portage/eix <= 0.3.0-r1 insecure tmp file handling
Summary: app-portage/eix <= 0.3.0-r1 insecure tmp file handling
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2005-11-10 02:43 UTC by Romang
Modified: 2006-03-23 19:51 UTC

See Also:
Package list:
Runtime testing required: ---


Description Romang 2005-11-10 02:43:17 UTC
Hello,

Take a look at src/eix-sync.in :

cp /var/cache/eix /tmp/eix.$$.sync || die "Error while copying cache-file to a save location."
diff-eix /tmp/eix.$$.sync          || die "Error while diffing."

Regards.
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-11-11 01:14:19 UTC
Auditors please confirm. 
Comment 2 Tavis Ormandy (RETIRED) gentoo-dev 2005-11-11 01:49:46 UTC
confirmed, but it's not a race condition, it's a second order insecure temporary 
file handling issue.
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-11-13 10:15:52 UTC
ccing maintainer.
Comment 4 Benedikt Böhm (RETIRED) gentoo-dev 2005-11-17 07:01:04 UTC
can someone explain what's the problem with this? 
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2005-11-17 07:20:54 UTC
A local attacker can watch the process list and determine what $$ is while the
"emerge --sync" part is running, then create a link at the corresponding tmpfile
to a system file, say /etc/passwd... and bring down the host.

The fact that this runs as root and may be part of a cron job makes things even
worse. 

Doing a mktemp before the emerge --sync to safely create a random file that you
will use afterwards to hold your temporary contents would be much better.
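The attack described in comment 5, and the mktemp fix it proposes, as an added example that is not part of this bug or of eix itself. It runs entirely inside a private sandbox directory that stands in for /tmp; the "passwd" and "cache" files are constructed stand-ins for /etc/passwd and /var/cache/eix, and the function names are my own:

```shell
#!/bin/sh
# Added example (not eix's code): a local user who has read $$ from `ps` plants
# a symlink at the predictable path /tmp/eix.$$.sync, and root's `cp` then
# writes through that link. The sandbox and the files in it are constructed.

sandbox=$(mktemp -d)                # plays the role of /tmp
victim="$sandbox/passwd"            # constructed stand-in for /etc/passwd
cache="$sandbox/cache"              # constructed stand-in for /var/cache/eix
trap 'rm -rf "$sandbox"' EXIT

printf 'EIX CACHE DATA\n' > "$cache"

# Put the victim file back into a known state before each scenario.
reset_victim() {
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$victim"
}

# Attacker step: the script's PID is visible in the process list, so the name
# eix.$$.sync is known while the slow "emerge --sync" part is still running.
plant_link() {
    rm -f "$sandbox/eix.$$.sync"
    ln -s "$victim" "$sandbox/eix.$$.sync"
}

# Vulnerable pattern (the eix-sync <= 0.3.0-r1 line quoted above): cp opens the
# destination path for writing, follows the planted symlink and truncates the
# victim file.
vulnerable_sync() {
    reset_victim
    plant_link
    tmp="$sandbox/eix.$$.sync"
    cp "$cache" "$tmp" || return 2
    rm -f "$tmp"
}

# Fixed pattern: mktemp creates a fresh file with a random name, O_CREAT|O_EXCL
# and mode 0600, so a path the attacker prepared in advance is never used.
# The planted link may still exist; it simply does not matter any more.
safe_sync() {
    reset_victim
    plant_link
    tmp=$(mktemp "$sandbox/eix.XXXXXX") || return 2
    cp "$cache" "$tmp" || return 2
    rm -f "$tmp" "$sandbox/eix.$$.sync"
}

# Exit status 0 if the victim still holds its original content, 1 otherwise.
victim_intact() {
    grep -q '^root:x:0:0:' "$victim"
}

# Stand-alone run: report the outcome of both scenarios.
vulnerable_sync
if victim_intact; then echo "vulnerable pattern: victim intact"
else echo "vulnerable pattern: victim overwritten with cache data"; fi
safe_sync
if victim_intact; then echo "mktemp pattern: victim intact"
else echo "mktemp pattern: victim overwritten"; fi
```

Note that mktemp must run before emerge --sync, as comment 5 says: it is the creation of the file that has to happen before the attacker gets a window, not the name choice alone.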
Comment 6 Benedikt Böhm (RETIRED) gentoo-dev 2005-11-17 15:55:02 UTC
ok, it's fixed with 0.3.0-r2 and also in upstream svn for 0.5.0 
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2005-11-18 05:06:08 UTC
Thx Benedikt,

Arches please test 0.3.0-r2 and mark stable :
Target KEYWORDS="alpha amd64 ia64 ~mips ppc sparc x86"
Comment 8 Gustavo Zacarias (RETIRED) gentoo-dev 2005-11-18 05:56:21 UTC
sparc stable.
Comment 9 Andrej Kacian (RETIRED) gentoo-dev 2005-11-18 07:25:07 UTC
x86 happy
Comment 10 Luis Medinas (RETIRED) gentoo-dev 2005-11-18 17:24:37 UTC
stable on amd64
Comment 11 Fernando J. Pereda (RETIRED) gentoo-dev 2005-11-19 07:39:45 UTC
alpha'lized

Cheers,
Ferdy
Comment 12 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-11-19 11:04:00 UTC
Stable on ppc.
Comment 13 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-11-20 04:15:15 UTC
This one is ready for GLSA decision. I vote YES. 
Comment 14 Thierry Carrez (RETIRED) gentoo-dev 2005-11-21 01:10:46 UTC
I vote yes too. This is easy to exploit, and can be run as root as part of
normal operations.
Comment 15 Thierry Carrez (RETIRED) gentoo-dev 2005-11-21 01:14:30 UTC
The ppc keyword was never applied, apparently.
Comment 16 Joe Jezak (RETIRED) gentoo-dev 2005-11-21 11:22:15 UTC
hansmi marked it ppc stable today, removing ppc.
Comment 17 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-11-22 14:48:52 UTC
GLSA 200511-19

ia64 don't forget to mark stable to benefit from the GLSA.