| Summary: | net-print/mtink: Insecure file permissions | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Tavis Ormandy (RETIRED) <taviso> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | printing |
| Priority: | High | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | All | ||
| Whiteboard: | B2 [glsa] jaervosz | ||
| Package list: | Runtime testing required: | --- | |
Upstream notified. Upstream will fix and release a new version in a few days. Upstream released 1.0.5 to fix the issue: http://xwtools.automatix.de/files/mtink-1.0.5.tar.gz Printing please bump. bumped to 1.0.5 and marked stable on x86 Thx Heinrich. Security please draft. I think the ebuild should chmod /var/run/mtink and /var/mtink in pkg_postinst() to fix the perms for users who are upgrading, just adding "chmod 700 /var/mtink /var/run/mtink 2>/dev/null" should be enough. good idea, added that GLSA 200411-17 |
just noticed mtinkd puts it's runtime data in it's own subdirectory of /var and /var/run, but look at this... if ( access("/var/run/mtink", O_RDONLY) == -1 ) { um = umask(0); if ( mkdir("/var/run/mtink", 0777) == -1 ) { perror("mkdir "); if ( debug ) { fprintf(stderr,"can't create directory /var/run/mtink\n"); } exit(1); } umask(um); } I don't see why he's so keen to have 0777, but anyway, that could be forgivable with some safe tmp file handling... if ( (fp = fopen(runFile, "w")) ) { fprintf(fp,"%d\n", getpid()); fclose(fp); } examples.... create a file anywhere ---------------------- $ pwd /var/run/mtink $ ln -s /etc/nologin epson $ file epson epson: broken symbolic link to `/etc/nologin' <wait for root to start mtinkd> $ file epson epson: symbolic link to `/etc/nologin' overwrite any file ------------------ $ pwd /var/run/mtink $ ln -s /etc/passwd epson ... There's probably a local root in there somewhere, and it looks like you might be able to get it to kill any process on stop, but I havnt tried. the name of the run file and fifo is the NAME variable in /etc/conf.d/mtinkd. I think the perms on the run directory should be a lot stricter, eg 0700. I don't think /var/mtink needs 777 either, perhaps 755 would be better.