Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 68846 - app-portage/gentoolkit / qpkg: symlink attack vulnerability
Summary: app-portage/gentoolkit / qpkg: symlink attack vulnerability
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: A3 [glsa] jaervosz
Depends on: 69147
  Show dependency tree
Reported: 2004-10-25 08:42 UTC by Florian Schilhabel (RETIRED)
Modified: 2011-10-30 22:40 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Florian Schilhabel (RETIRED) gentoo-dev 2004-10-25 08:42:25 UTC
app-portage/gentoolkit / qpkg: symlink attack vulnerability

i have found a tmpfile / symlink attack vulnerability in qpkg (part of app-portage/gentoolkit):

-- snip --

# $Header: /home/cvsroot/gentoolkit/src/qpkg/qpkg,v 1.13 2004/02/18 15:25:43 los
tlogic Exp $
ID='$Id: qpkg,v 1.13 2004/02/18 15:25:43 lostlogic Exp $'
VERSION=0.`echo ${ID} | cut -d\  -f3`

rm -rf ${TMP}
mkdir -p ${TMP}

PROG=`basename ${0}`

# Parse args

-- snip --
as you can see, qpkg creates a temporary directory in /tmp, that is highly predictable (insecure!!!), because the
directoryname is derived from the pid of the qpkg process...
an attacker could do a simple symlink from
/etc/ to /tmp/qpk-[pidnumber]
for example, and completely delete the /etc directory.
the same is possible, of course, with every directory on the system (qpkg is usually invoked a root)

an attacker is able to delete / overwrite virtually every directory (file) on the system.


create a secure temporary directory (mktemp), set up a secure umask.

best regards
florian [rootshell]
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2004-10-26 01:31:25 UTC
Genone, any hint on who specifically we should call to fix that ?
Comment 2 solar (RETIRED) gentoo-dev 2004-10-26 08:34:06 UTC
After looking at this bug jstubbs noticed the same symlink problems exist for portage's handling of dispatch.conf. Jason is working on a patch for that now. 
Comment 3 Marius Mauch (RETIRED) gentoo-dev 2004-10-26 15:34:49 UTC
Well, personally I'd like to just drop qpkg, but I guess we can't do that :(
I'll fix it in CVS but I'm not sure if I can make a release at this moment (as CVS currently has some experimental stuff, read: is broken), I have to check for that and report back later.
PS: I'm on the security alias, no need to CC me (unless you want to remove me from it).
Comment 4 Marius Mauch (RETIRED) gentoo-dev 2004-10-26 16:22:09 UTC
Hmm, apparently I can't access the bug when I'm not in the CC list even though I get all mails about it ...
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2004-10-30 09:32:13 UTC
Where are we now ? Was a patch written / put in CVS ? 
Comment 6 Marius Mauch (RETIRED) gentoo-dev 2004-10-30 18:14:16 UTC
added a patch for this and released pre8-r1 (arch) and pre10-r1 (~arch).
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-10-31 00:16:15 UTC
Thx Marius

Time for GLSA decision. Perhaps it should be combined with bug #69147?
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2004-10-31 02:33:13 UTC
Yes, good idea. These are all symlink vulns in portage-related tools.
Comment 9 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-11-07 10:51:08 UTC
GLSA 200411-13