On Sun, Aug 24, 2008 at 08:28:32PM +0100, Neil Williams wrote:
> > For example if a script uses in its work a temp file which is created
> > in /tmp directory, then every user can create symlink with the same
> > name in this directory in order to destroy or rewrite some system
> > or user file. Symlink attack may also lead not only to the data
> > destruction but to denial of service as well.

> Not when the use of /tmp is a *suggestion in a manpage* which just
> happens to be generated from POD content that is commonly embedded
> within perl scripts.

> =head1
> A more complex example using 'zenity' - a Gnome dialog generator.
> $ pilot-qof -x data.xml --invoice-city -t 2006-11-08 | dfxml-invoice - > /tmp/zenity
> zenity --text-info --title="2006-11-08" --filename=/tmp/zenity --width=500 --height=300
> =cut

> The program does not create this file, it does not rely on this file, it
> does not require any specific filename in /tmp and it does not write any
> data to /tmp unless the USER specifically pipes the STDOUT to a file and
> happens to use /tmp for that file.

Yes, this is definitely another false positive, which is very unfortunate.
However,

> If the user is dumb enough to pipe the output to a file that is a
> symlink to something more important *AND* which has sufficient
> permissions to be a problem, then that is not the fault of the package.
> It is an example, nothing more.

The example *is* wrong - the example given is never safe to run, because the
only way to verify beforehand that /tmp/zenity is not a symlink to something
more important is by first explicitly *creating* your file under /tmp
(non-destructively), then check that it's not a symlink, and *then* run
pilot-qof. Otherwise, there is always a race condition here between checking
for non-existence, and outputting to the file, that is exploitable for some
ill purpose.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
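The difference between the fixed /tmp/zenity name in the quoted manpage example and a file created atomically with mktemp(1), as an added example that is not part of the original thread or of the pilot-qof package. It assumes a `producer` function standing in for the `pilot-qof | dfxml-invoice` pipeline, and it works entirely inside a private sandbox directory with a constructed "victim" file and a constructed symlink.

```shell
#!/bin/sh
# Added example: fixed temp-file name versus mktemp(1).
# "producer" is a stand-in (assumption) for the pilot-qof | dfxml-invoice pipeline.
producer() { printf 'invoice data\n'; }

# Weak form, as in the manpage: redirect to a predictable name in a shared
# directory. The shell opens the path with O_CREAT|O_TRUNC and follows any
# symlink that already sits at that name.
write_fixed() {   # $1 = shared directory
    producer > "$1/zenity"
}

# Hardened form: mktemp creates a new file under an unpredictable name with
# O_EXCL, so a name that already exists (symlink or not) is never reused.
write_mktemp() {  # $1 = shared directory; prints the path it created
    out=$(mktemp "$1/zenity.XXXXXX") || return 1
    producer > "$out"
    printf '%s\n' "$out"
}

# Constructed scenario: a sandbox holding an "important" file and a shared
# directory in which the predictable name is already a symlink to it.
# Prints what the important file contains after the chosen form has run.
demo() {          # $1 = fixed | mktemp
    box=$(mktemp -d) || return 1
    printf 'important\n' > "$box/victim"
    mkdir "$box/shared"
    ln -s "$box/victim" "$box/shared/zenity"
    case $1 in
        fixed)  write_fixed  "$box/shared" ;;
        mktemp) write_mktemp "$box/shared" >/dev/null ;;
    esac
    cat "$box/victim"
    rm -rf "$box"
}

echo "fixed name:  victim now contains: $(demo fixed)"
echo "mktemp name: victim now contains: $(demo mktemp)"
```

The path printed by `write_mktemp` is the one that would then be handed to zenity's `--filename` option and removed afterwards.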