just noticed mtinkd puts it's runtime data in it's own subdirectory of /var and /var/run, but look at this... if ( access("/var/run/mtink", O_RDONLY) == -1 ) { um = umask(0); if ( mkdir("/var/run/mtink", 0777) == -1 ) { perror("mkdir "); if ( debug ) { fprintf(stderr,"can't create directory /var/run/mtink\n"); } exit(1); } umask(um); } I don't see why he's so keen to have 0777, but anyway, that could be forgivable with some safe tmp file handling... if ( (fp = fopen(runFile, "w")) ) { fprintf(fp,"%d\n", getpid()); fclose(fp); } examples.... create a file anywhere ---------------------- $ pwd /var/run/mtink $ ln -s /etc/nologin epson $ file epson epson: broken symbolic link to `/etc/nologin' <wait for root to start mtinkd> $ file epson epson: symbolic link to `/etc/nologin' overwrite any file ------------------ $ pwd /var/run/mtink $ ln -s /etc/passwd epson ... There's probably a local root in there somewhere, and it looks like you might be able to get it to kill any process on stop, but I havnt tried. the name of the run file and fifo is the NAME variable in /etc/conf.d/mtinkd. I think the perms on the run directory should be a lot stricter, eg 0700. I don't think /var/mtink needs 777 either, perhaps 755 would be better.
Upstream notified.
Upstream will fix and release a new version in a few days.
Upstream released 1.0.5 to fix the issue: http://xwtools.automatix.de/files/mtink-1.0.5.tar.gz Printing please bump.
bumped to 1.0.5 and marked stable on x86
Thx Heinrich. Security please draft.
I think the ebuild should chmod /var/run/mtink and /var/mtink in pkg_postinst() to fix the perms for users who are upgrading, just adding "chmod 700 /var/mtink /var/run/mtink 2>/dev/null" should be enough.
good idea, added that
GLSA 200411-17
