On Tue, Feb 28, 2012 at 18:31:02 +0100, vladz wrote:

> Package: x11-common
> Version: 1:7.5+8
> Tags: security
>
> The init script "x11-common" creates directories "/tmp/.X11-unix" and
> "/tmp/.ICE-unix" in an insecure manner.
>
>   $ cat -n /etc/init.d/x11-common
>   [...]
>   33  if [ -e $SOCKET_DIR ] && [ ! -d $SOCKET_DIR ]; then
>   34    mv $SOCKET_DIR $SOCKET_DIR.$$
>   35  fi
>   36  mkdir -p $SOCKET_DIR
>   37  chown root:root $SOCKET_DIR
>   38  chmod 1777 $SOCKET_DIR
>   [...]
>   47  if [ -e $ICE_DIR ] && [ ! -d $ICE_DIR ]; then
>   48    mv $ICE_DIR $ICE_DIR.$$
>   49  fi
>   50  mkdir -p $ICE_DIR
>   51  chown root:root $ICE_DIR
>   52  chmod 1777 $ICE_DIR
>
> If a local user is able to place a symlink before the service starts
> (for example before the package installation process), he could gain
> root privileges.
>
> For example, the symlink would point to an arbitrary directory (/etc),
> so it won't match the conditions (lines 33 and 47) and the arbitrary
> directory will get its permissions changed (lines 38 and 52).
>
> As a solution, I would suggest taking care of the "mkdir" return codes
> (lines 36 and 50), so as not to change permissions on failures.

This script is set -e AFAICT, which means it already does care about the
mkdir return code.

Cheers,
Julien
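
In the case the report describes, a symlink pointing at an existing directory, `mkdir -p` follows the link and exits 0, so an exit-status check alone does not stop the later `chmod`. The sketch below is an added example (not the x11-common script and not Debian's fix) of creating the directory without following a link. `make_socket_dir` and its owner-uid parameter are hypothetical; GNU coreutils (`stat -c`, `mv -T`) and a root-owned, sticky parent such as /tmp are assumed.

```shell
#!/bin/sh
# Added example; make_socket_dir is a hypothetical helper, not x11-common code.
# Assumes GNU coreutils (stat -c, mv -T) and a root-owned, sticky parent
# directory such as /tmp.

# make_socket_dir DIR [OWNER_UID]
# OWNER_UID defaults to 0 (root); it is a parameter only so the function can
# be exercised without root.
make_socket_dir() {
    dir=$1
    owner=${2:-0}

    # Trust an existing entry only if it is a real directory (not a symlink)
    # owned by the expected uid. In a sticky parent, other users cannot
    # rename or delete such an entry, so the chmod below cannot be redirected.
    if [ -d "$dir" ] && [ ! -L "$dir" ] &&
       [ "$(stat -c %u "$dir")" = "$owner" ]; then
        chmod 1777 "$dir"
        return
    fi

    # Anything else (symlink, file, foreign-owned directory) is renamed out
    # of the way. mv renames a symlink itself and never touches its target.
    if [ -e "$dir" ] || [ -L "$dir" ]; then
        mv -T "$dir" "$dir.$$" || return 1
    fi

    # No -p: mkdir fails with EEXIST if something reappears at $dir, instead
    # of following a symlink and returning 0. -m sets the mode at creation,
    # so no separate chown or chmod on the path is needed.
    mkdir -m 1777 "$dir"
}
```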