Package: cdrtools
Version: 4:2.01+01a01-2
Priority: minor
Tags: security patch

Cdrtools has some code (and default configuration) that suggests that users who want to debug its behaviour open up a can of worms associated with insecure temporary file usage. The Debug file defined in the configuration will just be fopened() without any checks and is thus vulnerable to symlink attacks.

The attached patch tries to fix this minor bug (not many users will really enable DEBUG) by introducing a check in rscsi.c to avoid being vulnerable to symlink attacks and by modifying the provided config file, telling users to use safe locations for debug files.

The patch introduces a DoS condition (if somebody has created the file the program will exit) and that's why users are advised (in the comments of the configuration file) to use a safe location (not /tmp) for debugging.

Regards

Javier

diff -Nru cdrtools-2.01+01a01.old/rscsi/rscsi.c cdrtools-2.01+01a01/rscsi/rscsi.c --- cdrtools-2.01+01a01.old/rscsi/rscsi.c 2003-11-26 01:28:27.000000000 +0100 +++ cdrtools-2.01+01a01/rscsi/rscsi.c 2005-01-20 12:41:21.000000000 +0100 @@ -163,8 +163,19 @@ debug_name = *argv; #endif - if (debug_name != NULL) - debug_file = fopen(debug_name, "w"); + if (debug_name != NULL) { + /* Try to be careful when opening debug files, might be + * created in an unsafe location + * */ + int fd = open(debug_name, O_CREAT | O_EXCL | O_TRUNC | O_RDWR, 0600); + if (fd > -1) + debug_file = fdopen(fd, "w"); + else { + rscsirespond(-1, geterrno()); + exit(EX_BAD); + } + } + if (argc > 0) { if (debug_file == 0) { diff -Nru cdrtools-2.01+01a01.old/rscsi/rscsi.dfl cdrtools-2.01+01a01/rscsi/rscsi.dfl --- cdrtools-2.01+01a01.old/rscsi/rscsi.dfl 2000-11-14 02:24:03.000000000 +0100 +++ cdrtools-2.01+01a01/rscsi/rscsi.dfl 2005-01-20 12:42:57.000000000 +0100 @@ -9,10 +9,11 @@ # # The file where debug info should go to. -# If you don't like debugging (e.g. for speed) comment out -# the this line. +# This is commented out by default to speed up the program. +# If you enable it make sure you substitute SAFE_DIR to a safe directory +# to debug to. # -#DEBUG=/tmp/RSCSI +#DEBUG=SAFE_DIR/rscsi.dbg # # Each USER= entry adds the listed user to the users who may run rscsi
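
Review bot: in the rscsi.c hunk, the fdopen() result in the "if (fd > -1)" branch is not checked, so on failure the descriptor is leaked and debug_file stays NULL with no error reported; close(fd) and take the same error path as the else branch there. In the open() call itself, O_TRUNC is redundant next to O_CREAT | O_EXCL, because the call only succeeds when it creates a new, empty file, and O_WRONLY would match the "w" stream mode; O_EXCL is the flag that closes the symlink hole, since open() then fails with EEXIST instead of following an existing link. The else branch also exits on every open() failure, not only EEXIST, where the removed fopen() line let the program continue without a debug file; if termination is intended, say so in the comment. The rscsi.c part of the diff adds no #include, so confirm that <fcntl.h> is already pulled in for the O_* constants.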
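
Review bot: in the rscsi.dfl hunk, the new comment tells users to pick a "safe directory" without saying what makes one safe or what happens when the file already exists. Since the rscsi.c change opens the file with O_EXCL and exits on failure, a leftover rscsi.dbg from an earlier run will stop the program from starting, so the comment should state that the debug file must not exist beforehand and that the directory should be writable only by the user rscsi runs as (not a world-writable location such as /tmp). Wording nit: "substitute SAFE_DIR to a safe directory" reads better as "replace SAFE_DIR with a safe directory".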