Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 90007 - app-forensics/rkhunter Insecure temp file creation
Summary: app-forensics/rkhunter Insecure temp file creation
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High normal
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa] jaervosz
Keywords:
Depends on:
Blocks:
 
Reported: 2005-04-21 22:50 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2005-04-26 12:31 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
suggested fix (rkhunter.diff,3.04 KB, patch)
2005-04-25 09:54 UTC, Tavis Ormandy (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-04-21 22:50:00 UTC
The supplied check_update.sh script creates temporary files insecurely: 

/tmp/rkhunter.upd.gz
/tmp/rkhunter.upd

At least the first one is easy to exploit.

It is executed when rkhunter --update is called.

Auditors please verify my findings.
Comment 1 Tavis Ormandy (RETIRED) gentoo-dev 2005-04-22 02:28:38 UTC
Confirmed, there are more in rkhunter:

/tmp/procmail.txt
/tmp/proftpd.txt
/tmp/openssh.txt

these are UUoC as well, i suppose author didnt know 2>&1 :)
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-04-22 05:58:43 UTC
Upstream notified.
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-04-22 10:21:12 UTC
Upstream responded that he will look into it.

upstream CC'ed.
Comment 4 Tavis Ormandy (RETIRED) gentoo-dev 2005-04-25 09:54:52 UTC
Created attachment 57197 [details, diff]
suggested fix
Comment 5 Aaron Walker (RETIRED) gentoo-dev 2005-04-25 10:22:40 UTC
Looks good here.  1.2.3-r1 is in CVS pending new upstream release.  CC'd archs please mark stable.
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2005-04-25 11:52:02 UTC
Opening the bug since the fix is incvs now
Comment 7 Gustavo Zacarias (RETIRED) gentoo-dev 2005-04-25 11:59:11 UTC
sparc stable.
Comment 8 Jan Brinkmann (RETIRED) gentoo-dev 2005-04-25 12:05:22 UTC
stable on amd64
Comment 9 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-04-25 12:39:31 UTC
Stable on ppc.
Comment 10 Aaron Walker (RETIRED) gentoo-dev 2005-04-26 04:46:32 UTC
New upstream release is out, but still vulnerable (none of the suggested fixes were applied).  A patched 1.2.4 is in CVS.
Comment 11 Aaron Walker (RETIRED) gentoo-dev 2005-04-26 04:48:50 UTC
Looks like alpha stabled but never commented on the bug.  This one's ready to go.
Comment 12 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-04-26 12:31:28 UTC
GLSA 200504-25