Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bugzilla DB migration completed. Please report issues to Infra team via email via infra@gentoo.org or IRC
Bug 70310 - net-print/mtink: Insecure file permissions
Summary: net-print/mtink: Insecure file permissions
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa] jaervosz
Keywords:
Depends on:
Blocks:
 
Reported: 2004-11-06 16:09 UTC by Tavis Ormandy (RETIRED)
Modified: 2004-11-09 12:01 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Tavis Ormandy (RETIRED) gentoo-dev 2004-11-06 16:09:46 UTC
just noticed mtinkd puts it's runtime data in it's own subdirectory of /var and /var/run, but look at this...

          if ( access("/var/run/mtink", O_RDONLY) == -1 )
          {
             um = umask(0);
             if ( mkdir("/var/run/mtink", 0777) == -1 )
             {
                perror("mkdir ");
                if ( debug )
                {
                   fprintf(stderr,"can't create directory /var/run/mtink\n");
                }
                exit(1);
             }
             umask(um);
          }

I don't see why he's so keen to have 0777, but anyway, that could be forgivable with some safe tmp file handling...

          if ( (fp = fopen(runFile, "w")) )
          {
              fprintf(fp,"%d\n", getpid());
              fclose(fp);
          }

examples....

create a file anywhere
----------------------

$ pwd
/var/run/mtink
$ ln -s /etc/nologin epson
$ file epson 
epson: broken symbolic link to `/etc/nologin'
<wait for root to start mtinkd>
$ file epson 
epson: symbolic link to `/etc/nologin'

overwrite any file
------------------

$ pwd
/var/run/mtink
$ ln -s /etc/passwd epson
...

There's probably a local root in there somewhere, and it looks like you might be able to get it to kill any process on stop, but I havnt tried. the name of the run file and fifo is the NAME variable in /etc/conf.d/mtinkd.

I think the perms on the run directory should be a lot stricter, eg 0700. I don't think /var/mtink needs 777 either, perhaps 755 would be better.
Comment 1 Sune Kloppenborg Jeppesen gentoo-dev 2004-11-07 03:09:40 UTC
Upstream notified.
Comment 2 Sune Kloppenborg Jeppesen gentoo-dev 2004-11-07 03:47:31 UTC
Upstream will fix and release a new version in a few days.
Comment 3 Sune Kloppenborg Jeppesen gentoo-dev 2004-11-07 07:30:56 UTC
Upstream released 1.0.5 to fix the issue:

http://xwtools.automatix.de/files/mtink-1.0.5.tar.gz

Printing please bump.
Comment 4 Heinrich Wendel (RETIRED) gentoo-dev 2004-11-08 03:01:59 UTC
bumped to 1.0.5 and marked stable on x86
Comment 5 Sune Kloppenborg Jeppesen gentoo-dev 2004-11-08 03:15:11 UTC
Thx Heinrich.

Security please draft.
Comment 6 Tavis Ormandy (RETIRED) gentoo-dev 2004-11-08 03:56:47 UTC
I think the ebuild should chmod /var/run/mtink and /var/mtink in pkg_postinst() to fix the perms for users who are upgrading, just adding "chmod 700 /var/mtink /var/run/mtink 2>/dev/null" should be enough.
Comment 7 Heinrich Wendel (RETIRED) gentoo-dev 2004-11-08 04:09:39 UTC
good idea, added that
Comment 8 Sune Kloppenborg Jeppesen gentoo-dev 2004-11-09 12:01:43 UTC
GLSA 200411-17