Package: jailer
Version: 0.4-9
Severity: important
Tags: security pending

The 'updatejailer' script in jailer uses an unsafe way to create a temporary file to store output:

  find $JAIL -type b > /tmp/$$.updatejail
  find $JAIL -type c >> /tmp/$$.updatejail
  find $JAIL -type p >> /tmp/$$.updatejail
  find $JAIL -type f >> /tmp/$$.updatejail
  find $JAIL -type l >> /tmp/$$.updatejail
  find $JAIL -type s >> /tmp/$$.updatejail

The script does not check whether the /tmp/$$.updatejail file it uses exists or not, which can result in race conditions and symlink attacks. If an ordinary user were to create symlinks in /tmp/ following that scheme and in sufficient numbers (so the chance of the program's PID being one of them is fairly high), he could have any file in the system overwritten (for example, /etc/passwd), potentially breaking the system.

The script should use a safe mechanism to create temporary files and should exit if an error occurred in order to avoid these attacks.

This bug will be fixed in the next upload to sid.

Javier
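An added example, not the updatejailer script or the maintainer's actual fix: one way to do what the report asks for, creating the list file with mktemp and stopping on the first error. The function names and the updatejail.XXXXXXXXXX template are assumptions; the second function is a constructed check that a symlink planted at the old predictable name is not followed.

```shell
#!/bin/sh
# Added example; hypothetical helpers, not code from the jailer package.

# list_jail_entries JAIL
# Lists block, char, fifo, regular, symlink and socket entries under JAIL
# into a newly created temporary file and prints that file's path.
list_jail_entries() {
    jail=$1
    [ -d "$jail" ] || { echo "not a directory: $jail" >&2; return 1; }

    # mktemp picks an unpredictable name and creates the file exclusively
    # with mode 0600, so an existing file or symlink is never reused.
    list=$(mktemp "${TMPDIR:-/tmp}/updatejail.XXXXXXXXXX") || {
        echo "cannot create temporary file" >&2
        return 1
    }

    for t in b c p f l s; do
        # Stop on the first failure instead of going on with a partial list.
        if ! find "$jail" -type "$t" >> "$list"; then
            rm -f "$list"
            return 1
        fi
    done
    printf '%s\n' "$list"
}

# Constructed check: a symlink at the old "$$.updatejail" name points at a
# stand-in file; after a run that file must still hold its original content.
check_symlink_ignored() {
    sandbox=$(mktemp -d) || return 1
    mkdir "$sandbox/jail" "$sandbox/tmp"
    echo data > "$sandbox/jail/file"
    echo original > "$sandbox/victim"
    ln -s "$sandbox/victim" "$sandbox/tmp/$$.updatejail"

    out=$(TMPDIR="$sandbox/tmp" list_jail_entries "$sandbox/jail") || return 1
    grep -q '/jail/file$' "$out" && [ "$(cat "$sandbox/victim")" = original ]
    status=$?
    rm -rf "$sandbox"
    return $status
}
```

A caller should remove the returned file when done, for example with a trap on EXIT.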