Package: aptlinex Severity: normal Tags: security Hi, looking at the code of aptlinex because of #476572 I stumbled over another security issue:
Insecure temporary file usage in ModMain.module:
90 IF User.Name <> "root" THEN
91 'EXEC [graphicalSu(), "gambas-apt.gambas", User.Name, Buf] WAIT
92 PRINT graphicalSu() & " gambas-apt.gambas " & user.Name & " " & Buf
93 SHELL graphicalSu() & " gambas-apt.gambas " & user.Name & " " & Buf WAIT
94 IF Exist("/tmp/gambas-apt-exec") THEN sExec =
File.Load("/tmp/gambas-apt-exec")
95 TRY EXEC [sExec] WAIT
96 RETURN
97 END IF
98
99 TRY File.Save("/tmp/gambas-apt.lock", Application.Id)
Adding a symlink /tmp/gambas-apt.lock -> someimportant file an attacker could
overwrite any file on the system with the process id of aptline since this
process
runs as root.
The code before that looks like this would load gambas code from a file called
/tmp/gambas-apt-exec
and then execute it but I am not sure cause I have no real idea about gambas.
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
pgpsfrzrZN1IS.pgp
Description: PGP signature
