Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 95378 - net-firewall/lutelwall: Insecure temporary file creation
Summary: net-firewall/lutelwall: Insecure temporary file creation
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Other
: High minor (vote)
Assignee: Gentoo Security
URL: http://www.zataz.net/adviso/lutelwall...
Whiteboard: B3 [glsa] formula7
Keywords:
: 95596 (view as bug list)
Depends on:
Blocks:
 
Reported: 2005-06-07 12:32 UTC by Jean-François Brunette (RETIRED)
Modified: 2005-06-11 12:04 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Jean-François Brunette (RETIRED) gentoo-dev 2005-06-07 12:32:41 UTC
The vulnerability is caused due to temporary file being created insecurely.
This can be exploited via symlink attacks to create and overwrite arbitrary files
with the privileges of the user running the affected script.

The exploitation require that the root try to update the software. 

##########
Versions:
##########

LutelWall <= 0.97
Comment 1 Jean-François Brunette (RETIRED) gentoo-dev 2005-06-07 12:50:59 UTC
Vulnerable code :
-----------------

# Prefix of temporary firewall files
tmp='/tmp/lutelwall'

new_version_check () { # Check for new version of script

 if [ "`wget -V 2>&1 >/dev/null`" ]; then
  message 3 "Warrning: Wget is required to check for updates."
 else
  new_ver=`wget -C off -O - -q -t 1 -T 3 -w 3 -U "\`uname -a 2>&1\`"
http://firewall.lutel.pl/ver`
  if [ `echo $current_version | gawk '{ gsub("\\\.","") ; print 1$0 }'` -lt
`echo $new_ver | gawk '{ gsub("\\\.","") ; print 1$0 }'` ]; then
   echo -e "\nThere is newer version of LutelWall (${new_ver})"
   echo -n " Changes since previous version:"
   echo `wget -C off -O $tmp-newfeat -q -t 1 -T 3 -w 3
http://firewall.lutel.pl/FEATURES-${new_ver}`
   cat $tmp-newfeat
   echo "Do you want to update [y/N]? "
   read -s -t 5 -n 1 ln
   if [ "$ln" = 'y' -o "$ln" = 'Y' ]; then
    wget -O $tmp-script -q -T 3 http://firewall.lutel.pl/lutelwall
    cat $tmp-script > $0
    rm -rf $tmp-script
    echo "Your firewall is up to date, exiting after update!"
    exit
   else
    message 5 "Update aborted"
   fi
  else
    message 5 "LutelWall is up-to-date"
  fi;
 fi;

}
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-06-10 00:38:48 UTC
*** Bug 95596 has been marked as a duplicate of this bug. ***
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-06-10 00:41:17 UTC
Vanquirius: thx for the bump. 
Keywords are all set, this is ready for GLSA vote
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-06-10 04:32:38 UTC
I vote YES, I guess the update script is run by root.
Comment 5 Matthias Geerdsen (RETIRED) gentoo-dev 2005-06-10 05:14:46 UTC
agreed, there should be a GLSA
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2005-06-11 12:04:58 UTC
GLSA 200506-10