Package: alsa-utils
Version: 1.0.8-1
Priority: important
Tags: security upstream

While doing a security audit review of Debian packages for unsafe usage of
/tmp I've found this in alsa-utils' alsaconf:

    CARDID_DB=/var/tmp/alsaconf.cards
    if [ ! -r $CARDID_DB ]; then
        use_modinfo_db=1
    fi
    (...)
    if [ $use_modinfo_db = 1 ]; then
        xecho "Building card database.."
        build_card_db $CARDID_DB
    fi

build_card_db is a function in alsaconf that starts like this:

    build_card_db () {
        MODDIR=/lib/modules/`uname -r`
        last_driver=""
        echo -n > $1
    (...)

This code is prone to a race condition since the CARDID_DB file is not
created immediately, but created later on. Since alsaconf can only be used
by root this means that a rogue local user could have root overwrite any
files through a symlink attack by exploiting that race condition. Notice,
also, that the test for CARDID_DB is [ -r ] when it should really be [ -e ].

I'm not sure how to best fix this (since CARDID_DB seems to be created
under /var/tmp so it's not removed after reboots) but it looks like it
should, at least, check if the file exists and create it immediately
afterwards. Also, the script should use the 'noclobber' and -e options for
additional safety.

Regards
Javier
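
Added example, not part of the original report and not alsaconf code: one way to make the existence check and the creation a single step with 'noclobber', as the report suggests. The names safe_create_db and demo are hypothetical, and the scratch directory stands in for /var/tmp.

```shell
#!/bin/sh
# Added example; safe_create_db and demo are hypothetical names, not alsaconf code.

# Create "$1" as a new, empty regular file, or fail without touching anything.
# Returns 0 only if this call created the file.
safe_create_db() {
    db=$1
    # Subshell keeps noclobber and umask from leaking into the caller.
    # Under noclobber (set -C) the shell refuses an existing regular file and
    # opens a missing name with O_CREAT|O_EXCL, which does not follow symlinks.
    (
        set -C
        umask 022
        : > "$db"
    ) 2>/dev/null || return 1
    # noclobber still opens an existing non-regular target (device, FIFO, or a
    # symlink to one), so confirm the result is a plain file, not a symlink.
    [ -f "$db" ] && [ ! -L "$db" ]
}

# Constructed scenario in a private scratch directory; prints one line per case.
demo() {
    dir=$(mktemp -d) || return 1
    safe_create_db "$dir/cards" && echo "fresh=created" || echo "fresh=refused"
    safe_create_db "$dir/cards" && echo "existing=created" || echo "existing=refused"
    # Dangling symlink: [ -e ] reports "no such file", yet the name is taken.
    ln -s "$dir/target" "$dir/planted"
    [ -e "$dir/planted" ] && echo "test-e=exists" || echo "test-e=missing"
    safe_create_db "$dir/planted" && echo "symlink=created" || echo "symlink=refused"
    [ -e "$dir/target" ] && echo "target=written" || echo "target=untouched"
    rm -rf "$dir"
}

demo
```

The dangling-symlink case is the one a plain [ -e ] test followed by "echo -n > $1" gets wrong: the test reports the file as missing, and the later redirection creates the symlink's target.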

