Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 95378

Summary: net-firewall/lutelwall: Insecure temporary file creation
Product: Gentoo Security Reporter: Jean-François Brunette (RETIRED) <formula7>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: minor CC: vanquirius
Priority: High    
Version: unspecified   
Hardware: All   
OS: Other   
Whiteboard: B3 [glsa] formula7
Package list:
Runtime testing required: ---

Description Jean-François Brunette (RETIRED) gentoo-dev 2005-06-07 12:32:41 UTC
The vulnerability is caused due to temporary file being created insecurely.
This can be exploited via symlink attacks to create and overwrite arbitrary files
with the privileges of the user running the affected script.

The exploitation require that the root try to update the software. 


LutelWall <= 0.97
Comment 1 Jean-François Brunette (RETIRED) gentoo-dev 2005-06-07 12:50:59 UTC
Vulnerable code :

# Prefix of temporary firewall files

new_version_check () { # Check for new version of script

 if [ "`wget -V 2>&1 >/dev/null`" ]; then
  message 3 "Warrning: Wget is required to check for updates."
  new_ver=`wget -C off -O - -q -t 1 -T 3 -w 3 -U "\`uname -a 2>&1\`"`
  if [ `echo $current_version | gawk '{ gsub("\\\.","") ; print 1$0 }'` -lt
`echo $new_ver | gawk '{ gsub("\\\.","") ; print 1$0 }'` ]; then
   echo -e "\nThere is newer version of LutelWall (${new_ver})"
   echo -n " Changes since previous version:"
   echo `wget -C off -O $tmp-newfeat -q -t 1 -T 3 -w 3${new_ver}`
   cat $tmp-newfeat
   echo "Do you want to update [y/N]? "
   read -s -t 5 -n 1 ln
   if [ "$ln" = 'y' -o "$ln" = 'Y' ]; then
    wget -O $tmp-script -q -T 3
    cat $tmp-script > $0
    rm -rf $tmp-script
    echo "Your firewall is up to date, exiting after update!"
    message 5 "Update aborted"
    message 5 "LutelWall is up-to-date"

Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-06-10 00:38:48 UTC
*** Bug 95596 has been marked as a duplicate of this bug. ***
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-06-10 00:41:17 UTC
Vanquirius: thx for the bump. 
Keywords are all set, this is ready for GLSA vote
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-06-10 04:32:38 UTC
I vote YES, I guess the update script is run by root.
Comment 5 Matthias Geerdsen (RETIRED) gentoo-dev 2005-06-10 05:14:46 UTC
agreed, there should be a GLSA
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2005-06-11 12:04:58 UTC
GLSA 200506-10