Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 90007

Summary: app-forensics/rkhunter Insecure temp file creation
Product: Gentoo Security Reporter: Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: ka0ttic, michael
Priority: High    
Version: unspecified   
Hardware: All   
OS: All   
Whiteboard: B3 [glsa] jaervosz
Package list:
Runtime testing required: ---
Attachments:
Description Flags
suggested fix none

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-04-21 22:50:00 UTC 
The supplied check_update.sh script creates temporary files insecurely: 

/tmp/rkhunter.upd.gz
/tmp/rkhunter.upd

At least the first one is easy to exploit.

It is executed when rkhunter --update is called.

Auditors please verify my findings.
Comment 1 Tavis Ormandy (RETIRED) gentoo-dev 2005-04-22 02:28:38 UTC 
Confirmed, there are more in rkhunter:

/tmp/procmail.txt
/tmp/proftpd.txt
/tmp/openssh.txt

these are UUoC as well, i suppose author didnt know 2>&1 :)
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-04-22 05:58:43 UTC 
Upstream notified.
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-04-22 10:21:12 UTC 
Upstream responded that he will look into it.

upstream CC'ed.
Comment 4 Tavis Ormandy (RETIRED) gentoo-dev 2005-04-25 09:54:52 UTC 
Created attachment 57197 [details, diff]
suggested fix
Comment 5 Aaron Walker (RETIRED) gentoo-dev 2005-04-25 10:22:40 UTC 
Looks good here.  1.2.3-r1 is in CVS pending new upstream release.  CC'd archs please mark stable.
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2005-04-25 11:52:02 UTC 
Opening the bug since the fix is incvs now
Comment 7 Gustavo Zacarias (RETIRED) gentoo-dev 2005-04-25 11:59:11 UTC 
sparc stable.
Comment 8 Jan Brinkmann (RETIRED) gentoo-dev 2005-04-25 12:05:22 UTC 
stable on amd64
Comment 9 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-04-25 12:39:31 UTC 
Stable on ppc.
Comment 10 Aaron Walker (RETIRED) gentoo-dev 2005-04-26 04:46:32 UTC 
New upstream release is out, but still vulnerable (none of the suggested fixes were applied).  A patched 1.2.4 is in CVS.
Comment 11 Aaron Walker (RETIRED) gentoo-dev 2005-04-26 04:48:50 UTC 
Looks like alpha stabled but never commented on the bug.  This one's ready to go.
Comment 12 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-04-26 12:31:28 UTC 
GLSA 200504-25