Summary: | net-firewall/firehol: Insecure Temporary File Creation Vulnerabilities | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Jean-François Brunette (RETIRED) <formula7> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | centic, costa |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | All | ||
URL: | http://secunia.com/advisories/13970/ | ||
Whiteboard: | A3 [glsa] lewk | ||
Package list: | Runtime testing required: | --- |
Description
Jean-François Brunette (RETIRED)
2005-01-24 06:47:45 UTC
Debian has a fix for this in unstable, see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=291680

The diff that Debian uses against plain 1.214 is available at http://ftp.debian.org/debian/pool/main/f/firehol/firehol_1.214-2.diff.gz

This contains some additional Debian-specific changes.

Hi, I have released v1.224 to fix the issue. Thanks. Costa Tsaousis

centic, please bump.

There is some difference in the way version 1.224 tries to fix the problem compared to how debian did it.

firehol-1.224:

```
# Remove any old directories that might be there.
if [ -d "${FIREHOL_DIR}" ]
then
	"${RM_CMD}" -rf "${FIREHOL_DIR}"
	if [ $? -ne 0 -o -e "${FIREHOL_DIR}" ]
	then
		echo >&2
		echo >&2
		echo >&2 "Cannot clean temporary directory '${FIREHOL_DIR}'."
		echo >&2
		exit 1
	fi
fi
"${MKDIR_CMD}" -p "${FIREHOL_DIR}" || exit 1
"${MKDIR_CMD}" -p "${FIREHOL_CHAINS_DIR}" || exit 1
```

Debian:

```
+#prevent symlink attacks
+umask 077
+mkdir "${FIREHOL_DIR}" || (echo "Creating ${FIREHOL_DIR} failed. Please remove it if it already exists." ; exit 1)
```

I'm not a security expert, therefore I would like to have some confirmation if the first way of solving this is appropriate. There seems to still be a slight chance of getting the directory created underneath between the rm and the mkdir, right?

Additionally I also saw the following code in firehol.sh:

```
KERNEL_CONFIG="/proc/config"
${CAT_CMD} /proc/config >/tmp/kcfg.$$
source /tmp/kcfg.$$
${RM_CMD} -f /tmp/kcfg.$$
```

Isn't that another thing that can be exploited quite easily? Especially as there is a "source" of the temp-file?

Hi, I have changed the firehol temporary directory name to include the variable $RANDOM twice. I hope this will make the directory name completely unpredictable. I have also made sure FireHOL does not create any files outside its temporary directory (including the mentioned kcfg). All these in v1.225. Get it from http://firehol.sf.net/firehol.tar.gz I hope both these have solved all the threads of temporary file creation. If there are no other concerns, I'll release it asap. Costa

I also removed all -p from all mkdirs to make them fail if the directory already exists. In v1.226, same URL. Costa

centic: v 1.226 looks right to me. Please bump to that.

The complete package for 226 is not yet available, only one for 224. Therefore I have added Version 1.224 plus a patch that adds the diff from cvs of rev. 225 and 226.

x86: please test 1.224 and mark stable

Released v1.226. Thank you all. Costa

centic: if you tested on x86 please mark it stable.

Sorry for the delay, this is my first security-bug, so I am not sure which actions the developer should perform and what is done by the security team. 1.224 is marked stable on x86 now. I will upgrade to 1.226 with normal procedures as the proper security fix is contained in 1.224 already.

Thanks Dominik. If you have any questions wrt security bugs please join #gentoo-security or drop me a line. This one is ready for GLSA.

GLSA 200502-01 thanks everyone
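
Review bot: in the Debian hunk, the error path after `mkdir "${FIREHOL_DIR}" ||` is grouped with parentheses, so `exit 1` only ends the subshell and the script carries on without a directory it created itself. Group it with `{ ...; exit 1; }` so a failed mkdir stops the script, and send the message to stderr with `>&2`, as the 1.224 code quoted above it does.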
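
The directory-creation points raised in the comments above (umask 077, and mkdir without -p so that an existing path is an error), as an added example that is not FireHOL's or Debian's code. The function names and the sandbox paths are constructed for illustration.

```bash
#!/bin/sh
# Added example; function names and paths are illustrative assumptions.

# Create a private directory at exactly "$1", or fail.
#  - umask 077 in a subshell: the directory is 0700 from the moment it exists,
#    and the caller's umask is left alone.
#  - mkdir without -p: fails if anything (file, directory, symlink) is already
#    at that path, so a pre-planted entry is never reused.
#  - { ...; } for the error path: 'return' acts on the function. Inside
#    ( ... ) it would only end the subshell.
make_private_dir() {
    ( umask 077 && mkdir -- "$1" ) 2>/dev/null || {
        echo "Creating $1 failed; refusing to reuse an existing path." >&2
        return 1
    }
}

# For comparison: mkdir -p reports success when the path already exists.
make_dir_with_p() {
    mkdir -p -- "$1"
}

# Constructed scenario: a symlink already sits at the name the script will use.
symlink_demo() {
    sandbox=$(mktemp -d) || return 1
    mkdir "$sandbox/other-users-dir"
    ln -s "$sandbox/other-users-dir" "$sandbox/work"

    make_dir_with_p "$sandbox/work" && echo "mkdir -p accepted the existing symlink"
    make_private_dir "$sandbox/work" || echo "mkdir (no -p) refused it"
    make_private_dir "$sandbox/fresh" && ls -ld "$sandbox/fresh"
    rm -rf "$sandbox"
}

symlink_demo
```

Where `mktemp -d` is available it combines the unpredictable name and the exclusive, mode 0700 creation in one step.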