Bug 55424 - app-portage/esearch-0.6, fairly obvious insecure temp file handling.
Summary: app-portage/esearch-0.6, fairly obvious insecure temp file handling.
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
Whiteboard: A3 [glsa]
Depends on:
Reported: 2004-06-28 07:26 UTC by Tavis Ormandy (RETIRED)
Modified: 2011-10-30 22:37 UTC (History)
Description Tavis Ormandy (RETIRED) gentoo-dev 2004-06-28 07:26:21 UTC
from eupdatedb:
tmpfile =       "/tmp/"
if exists(tmpfile):
    print red("Error: "), " there is probably another eupdatedb running already."
dbfile = open(tmpfile, "w")
dbfile.write("db = (")

obvious race condition there, but you don't have to try to beat it to make a nuisance of yourself :) You can make a file anywhere you like by making a broken symlink to it and waiting for root to run eupdatedb...

for example, as a non-privileged user run:

ln -s /etc/nologin /tmp/

wait for root to run eupdatedb, and you just stopped everyone logging in :)

Reproducible: Always
Steps to Reproduce:
1. as normal user, run ln -s /etc/nologin /tmp/
2. wait for root to run eupdatedb
3. DoS!
4. (race condition as well)

Actual Results:  
eupdatedb has insecure temp file handling procedure.
Comment 1 Kurt Lieber (RETIRED) gentoo-dev 2004-06-28 07:37:24 UTC
David --

Can you review/patch as appropriate?
Comment 2 David Peter 2004-06-28 13:10:29 UTC

Thanks a lot for the bug report. I didn't know this problem. What would be the most reasonable way to fix this bug?

1. Delete /tmp/, Open new file and write

If I use this solution, I have to find another way to check if there is an instance of eupdatedb running.

2. Check if /tmp/ is a symlink -> delete or create

3. Other ways? Use a file in another directory?

Comment 3 Tavis Ormandy (RETIRED) gentoo-dev 2004-06-28 13:59:00 UTC
Thanks for a great utility btw David, regarding comment #2 , it looks like python's open() supports O_EXCL and O_CREAT, could you use these flags when opening the tmpfile (and check for failure)?
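The following is an added illustration, not code from this bug or from esearch: it reproduces in a private scratch directory why the exists() guard quoted in the description is blind to a dangling symlink, why open(path, "w") then writes through the link, and why the O_CREAT|O_EXCL open suggested in comment 3 refuses it. The temp file name TMPNAME is a stand-in; Python 3 on a POSIX system is assumed.

```python
import os
import stat
import tempfile

TMPNAME = "esearchdb.tmp"   # hypothetical name standing in for eupdatedb's temp file

def exists_guard_passes(path):
    """The original guard: os.path.exists() follows symlinks, so a dangling
    link to a not-yet-existing target looks like 'no file here'."""
    return not os.path.exists(path)

def open_unsafe(path):
    """The original open(path, 'w'): O_CREAT without O_EXCL follows the link
    and creates/truncates whatever it points at."""
    with open(path, "w") as f:
        f.write("db = (")

def open_excl(path):
    """The fix from comment 3: O_CREAT|O_EXCL fails with EEXIST if the path
    exists at all, a dangling symlink included, and never follows it."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write("db = (")

def demo():
    """Constructed scenario: a symlink planted at the temp-file path points
    at a 'victim' file that does not exist yet. Returns what each step did."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim")
        link = os.path.join(d, TMPNAME)
        os.symlink(victim, link)                                # dangling link
        result = {"guard_passed": exists_guard_passes(link)}    # True: check is blind
        open_unsafe(link)
        result["unsafe_wrote_target"] = os.path.exists(victim)  # True: wrote through link
        os.unlink(victim)
        try:
            open_excl(link)
            result["excl_refused"] = False
        except FileExistsError:
            result["excl_refused"] = True                       # True: EEXIST on the link
        result["excl_wrote_target"] = os.path.exists(victim)    # False: nothing written
        fresh = os.path.join(d, "fresh.tmp")
        open_excl(fresh)                                        # normal case still works
        result["fresh_mode"] = stat.S_IMODE(os.stat(fresh).st_mode)  # 0o600
        return result

if __name__ == "__main__":
    print(demo())
```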
Comment 4 Tavis Ormandy (RETIRED) gentoo-dev 2004-06-28 16:03:04 UTC
I'm not really a python programmer, so forgive me if this is considered very poor :)

but, for example:

$ diff -u
---   2004-06-29 00:00:03.148734752 +0100
+++        2004-06-29 00:01:29.184655304 +0100
@@ -15,6 +15,7 @@
 from output import red, darkgreen, green, bold, nocolor
 from os import stat, unlink, environ
+from os import O_EXCL, O_CREAT, O_WRONLY, open, fdopen
 from os.path import exists
 from shutil import copyfile
 from getopt import *
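Review bot: `from os import ... open, fdopen` rebinds the module-level name `open` to `os.open`, so any remaining builtin `open(path, "w")` call elsewhere in eupdatedb (the same pattern the next hunk replaces at line 133) would now be a call to `os.open` with a string where flags are expected and fail. Safer to `import os` and call `os.open(...)` and `os.fdopen(...)` explicitly, which also keeps the `O_*` flag names namespaced.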
@@ -133,7 +134,12 @@
     print "         If you're sure there is no other process, remove", tmpfile
     print ""
-dbfile = open(tmpfile, "w")
+    dbfd = open(tmpfile, O_CREAT | O_EXCL | O_WRONLY, 0600)
+except OSError:
+    print red("Error: "), " failed to open temporary file."
+    sys.exit(1)
+dbfile = fdopen(dbfd, "w")
 dbfile.write("db = (")
 if not verbose:
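Review bot: the `except OSError:` branch has no matching `try:` in the visible hunk, and `dbfd = open(...)` is indented one level deeper than the surrounding lines, so the `try:` must sit among context lines that were not posted; the full hunk is needed to review it. `sys.exit(1)` also requires `import sys`, which neither hunk adds. With `O_CREAT | O_EXCL` the earlier `exists(tmpfile)` check is both redundant and still racy, so the "another process / remove tmpfile" hint shown in the context lines belongs in the `except` branch, where the collision is actually detected; the file should then be unlinked on every exit path so a stale one does not make later runs fail.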
Comment 5 SpanKY gentoo-dev 2004-06-28 18:34:16 UTC
another way to 'fix' this would be to manage the file in ${PORTAGE_TMPDIR} since that isn't a world writable directory

then you'd just have to 'worry' about attacks from other root users ;)
Comment 6 David Peter 2004-06-29 13:48:10 UTC
Thanks for your comments and the patch,
I will release esearch-0.6.2 with the fixed bug tomorrow.

Comment 7 Marius Mauch (RETIRED) gentoo-dev 2004-06-30 15:15:53 UTC
esearch-0.6.2 committed, I was so free to mark it stable for everyone.
Comment 8 Joshua J. Berry (CondorDes) (RETIRED) gentoo-dev 2004-06-30 17:07:22 UTC
GLSA is drafted.
Comment 9 Joshua J. Berry (CondorDes) (RETIRED) gentoo-dev 2004-07-01 11:02:09 UTC
GLSA 200407-01.