248750 – Virtualbox symlink attack (CVE requested)

Bug 248750 - Virtualbox symlink attack (CVE requested)

Summary: Virtualbox symlink attack (CVE requested)

Status:	RESOLVED DUPLICATE of bug 245958

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	High minor (vote)
Assignee:	Gentoo Security

URL:	http://www.virtualbox.org/changeset?n...
Whiteboard:	B3 [ebuild]
Keywords:

Depends on:
Blocks:	debian-tempfile
	Show dependency tree

Reported:	2008-11-25 09:01 UTC by Stefan Behte (RETIRED)
Modified:	2008-11-25 11:37 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Stefan Behte (RETIRED) gentoo-dev

2008-11-25 09:01:25 UTC

From OSS-SEC:

http://www.virtualbox.org/wiki/Changelog:
VirtualBox 2.0.6
- Linux/Solaris/Darwin hosts: verify permissions in /tmp/vbox-$USER-ipc

These changes match that description:
http://www.virtualbox.org/changeset?new=trunk%2Fsrc%2Flibs%2Fxpcom18a4%2Fipc%2Fipcd%2Fdaemon%2Fsrc%2FipcdUnix.cpp%4013810&old=trunk%2Fsrc%2Flibs%2Fxpcom18a4%2Fipc%2Fipcd%2Fdaemon%2Fsrc%2FipcdUnix.cpp%407049

VirtualBox uses /tmp/vbox-$USER-ipc to store a socket and a lock
file. The lock file is truncated after a simple open call. AFAICS
creating /tmp/vbox-$USER-ipc before the victim starts VirtualBox
could therefore be exploited to create files as the victim or
truncate files of the victim.

Comment 1 Robert Buchholz (RETIRED) gentoo-dev

2008-11-25 11:37:04 UTC


*** This bug has been marked as a duplicate of bug 245958 ***