List:       oss-security
Subject:    Re: [oss-security] [Notification] CVE-2012-3500 - rpmdevtools, devscripts: TOCTOU race condition in
From:       Jakub Wilk <jwilk () debian ! org>
Date:       2012-08-31 18:23:32
Message-ID: 20120831182332.GA2125 () jwilk ! net

* Jan Lieskovsky <jlieskov@redhat.com>, 2012-08-31, 11:22:
>A TOCTOU race condition was found in the way 'annotate-output' (used to 
>execute a program annotating the output linewise with time and stream) 
>tool of rpmdevtools, a suite of scripts and (X)Emacs support files to 
>aid in development of RPM packages, performed management of its 
>temporary files used for standard output and standard error output. A 
>local attacker could use this flaw to conduct symbolic link attacks, 
>possibly leading to their ability in an unauthorized way to alter files 
>belonging to the user running the 'annotate-output' tool.

The vulnerable code appears to be:

OUT=`mktemp --tmpdir annotate.XXXXXX` || exit 1
ERR=`mktemp --tmpdir annotate.XXXXXX` || exit 1
rm -f $OUT $ERR
mkfifo $OUT $ERR || exit 1

But mkfifo will never create a FIFO over a symlink; the underlying 
library function fails with EEXIST when "pathname already exists. This 
includes the case where pathname is a symbolic link, dangling or not." 
So AFAICS it's just a DoS, not something giving the attacker "ability in 
an unauthorized way to alter files".

-- 
Jakub Wilk
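Added example, not part of the mail above and not code from devscripts or rpmdevtools: it replays the window in the quoted snippet (between `rm -f $OUT` and `mkfifo $OUT`) with the attacker already having won the race, checks what mkfifo does at a path that is by then a symlink (both to a real file and dangling), and then shows the usual hardening of creating the FIFOs inside a private `mktemp -d` directory. The directory layout, file names and the `safe_fifos` helper are this script's own assumptions, not the project's fix.

```shell
#!/bin/sh
# Added demonstration (not from the original mail or from devscripts).
# Reproduces the state after an attacker wins the rm/mkfifo race in the
# quoted annotate-output code and checks mkfifo's behaviour at a symlink.
# All paths and names here are assumptions of this script.

# $1 is "existing" (link points at a real victim file) or "dangling"
# (link target does not exist).  Returns 0 when mkfifo refuses the path
# and the victim is untouched, 1 otherwise.
mkfifo_over_symlink_fails() {
    kind=$1
    dir=$(mktemp -d) || return 1
    victim="$dir/victim"
    printf 'original contents\n' > "$victim"
    out="$dir/annotate.race"          # the name the attacker predicted
    if [ "$kind" = existing ]; then
        ln -s "$victim" "$out"        # attacker plants link -> victim
    else
        ln -s "$dir/does-not-exist" "$out"   # attacker plants dangling link
    fi
    if mkfifo "$out" 2>/dev/null; then
        # Would mean mkfifo followed or replaced the link; not observed,
        # mkfifo(2)/mknod(2) return EEXIST for any existing pathname.
        rm -rf "$dir"
        return 1
    fi
    # mkfifo failed: the path is still a symlink, no FIFO was made, the
    # victim file is unchanged and nothing appeared at the dangling target.
    [ -L "$out" ] && [ ! -p "$out" ] \
        && grep -q 'original contents' "$victim" \
        && [ ! -e "$dir/does-not-exist" ]
    rc=$?
    rm -rf "$dir"
    return $rc
}

# In the quoted code that failure hits `mkfifo $OUT $ERR || exit 1`, so the
# tool simply aborts: a denial of service, nothing written through the link.

# Assumed hardening (this script's suggestion, not the project's patch):
# make the FIFOs inside a private directory from mktemp -d (mode 0700,
# unpredictable name).  There is no rm/mkfifo window in a shared /tmp
# for another local user to race.
safe_fifos() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/annotate.XXXXXX") || return 1
    mkfifo "$dir/out" "$dir/err" || { rm -rf "$dir"; return 1; }
    [ -p "$dir/out" ] && [ -p "$dir/err" ]
    rc=$?
    rm -rf "$dir"
    return $rc
}

# Stand-alone run:
mkfifo_over_symlink_fails existing && mkfifo_over_symlink_fails dangling \
    && safe_fifos && echo "mkfifo refuses symlinks; private-dir FIFOs work"
```

Both symlink cases end with mkfifo returning non-zero and the target file untouched, which is the EEXIST behaviour the mail relies on; the private-directory variant removes the race entirely rather than depending on it.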