Package: xfs Version: 1:1.0.8-2.1 Severity: normal Tags: security User: ubuntu-de...@lists.ubuntu.com Usertags: origin-ubuntu jaunty
Hello, There is a bug in the Ubuntu bug tracker about xfs's init script being used in an unsafe fashion. It seems that OpenSUSE has solved this as well: "set_up_socket_dir moves /tmp/.font-unix to /tmp/.font-unix.$$. Unfortunately $$ is predictable and there is no test, that /tmp/.font-unix.$$ does not already exist. So especially symlink attacks are possible. The attack is only possible, if /tmp/.font-unix does not already exist. Then an attacker could create an /tmp/.font-unix file (not directory) and create some symlinks in the form /tmp/.font-unix.XXXX (where XXXX are possible PID numbers). The start script than moves /tmp/.font-unix to an symlinked directory /tmp/.font-unix.XXXX." -Kees [1] https://bugs.launchpad.net/bugs/299560 [2] https://bugzilla.novell.com/show_bug.cgi?id=408006 -- Kees Cook @debian.org -- To UNSUBSCRIBE, email to debian-x-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
