Hello Jens,

On Mon, Sep 24, 2007 at 03:59:00PM +0200, [EMAIL PROTECTED] wrote:
> Hi!
>
> On Sat, Jun 16, 2007 at 02:15:13AM +0200, Javier Fernández-Sanguino Peña wrote:
> > Package: po4a
> > Version: 0.29-1
> > Severity: grave
> > Tags: security patch
> >
> > If you run po4a-gettextize on contents that do not get converted to PO files
> > due to some issue, the script will dump its results in
> > /tmp/gettextization.failed.po.
> >
> > The script uses a file in the /tmp directory but does not try to prevent a
> > symlink attack. A malicious user could create a symlink named like that in
> > the temporary directory and pointing to one of the user's files so that when
> > a user runs po4a-gettextize (and fails) the file the symlink pointed to would
> > get overwritten.
> >
> > The fix is, IMHO, simple: just dump the results in the local directory, don't
> > use /tmp at all (it is, after all, unnecessary). The attached patch to
> > /usr/share/perl5/Locale/Po4a/Po.pm fixes this issue.
>
> I don't want to reopen this bug but why is it OK to omit /tmp? The code
> is still vulnerable. Just assume po4a is started in /tmp or in another
> directory where an attacker has write access and the problem remains ...
It is quite common to write to a predefined file in the current directory
(e.g. gcc if you do not specify an output file, files generated by automake
and autoconf, ...). The risk is IMO only present when the command may
eventually be run as root. The goal is hence to reduce the risk to the case
where the command creates the file and is run by root.

Also, the file is rarely used (only created by po4a-gettextize when run
(interactively) to reuse an existing translation, and when this process
fails). I don't expect this use case to occur without the system being at
much greater risk (i.e. the user only uses the root account).

(Moreover, it would not be possible to create a safe temporary file without
a possible race condition in the po4a use case.)

> I agree that it is unlikely but I often work in /tmp to handle
> translations ...

Unless you are doing so as root, I don't think there is a risk to continue
doing it.

Cheers,
-- 
Nekral
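As an added illustration of the attack pattern discussed in this thread (this is example code written for this page, not code from po4a or from anyone in the thread; po4a itself is Perl, and Python is used here only because the behaviour is plain POSIX open(2) semantics), the block below builds a constructed scenario: a writable shared directory standing in for /tmp, a victim file, and an attacker-planted symlink at the fixed name `gettextization.failed.po`. It then runs three writers against it. `dump_unsafe` is the original pattern (open the fixed path for writing) and clobbers the victim through the symlink. `dump_exclusive` keeps the fixed name but opens with `O_CREAT|O_EXCL` (plus `O_NOFOLLOW` where the platform has it), which fails with `EEXIST` when anything, a symlink included, already occupies the name. `dump_random` uses `tempfile.mkstemp`, which combines `O_EXCL` with an unpredictable name. The function names, the `shared_tmp` directory and the victim file are all assumptions made for the example.

```python
"""Symlink attack on a predictable dump file, and two safer ways to create it.
Example code for this page, not from po4a. All paths below are constructed."""
import errno
import os
import tempfile

# The fixed name po4a wrote under /tmp, as quoted in the bug report.
DUMP_NAME = "gettextization.failed.po"


def plant_symlink(shared_dir, victim_path):
    """Attacker's step (constructed): occupy the predictable name with a symlink
    to a file the victim can write. A predictable name is what makes this possible."""
    link = os.path.join(shared_dir, DUMP_NAME)
    os.symlink(victim_path, link)
    return link


def dump_unsafe(shared_dir, content):
    """Vulnerable pattern: open(path, 'w') follows the symlink and truncates
    whatever it points to. Returns the path it wrote through."""
    path = os.path.join(shared_dir, DUMP_NAME)
    with open(path, "w") as fh:
        fh.write(content)
    return path


def dump_exclusive(shared_dir, content):
    """Hardened pattern at the same fixed name. O_CREAT|O_EXCL fails with EEXIST
    if the name already exists, even as a dangling symlink; O_NOFOLLOW (where
    available) gives ELOOP as a second guard. Returns the path on success, or
    None when the name is already taken (and writes nothing in that case)."""
    path = os.path.join(shared_dir, DUMP_NAME)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(path, flags, 0o600)
    except OSError as exc:
        if exc.errno in (errno.EEXIST, errno.ELOOP):
            return None  # do not fall back to open(path, 'w')
        raise
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    return path


def dump_random(shared_dir, content):
    """mkstemp opens with O_EXCL and picks an unpredictable name, so the attacker
    can neither redirect the write nor squat the name ahead of time."""
    fd, path = tempfile.mkstemp(prefix="gettextization.failed.", suffix=".po",
                                dir=shared_dir)
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    return path


def run_scenario(dumper):
    """Constructed end-to-end run against a fresh work directory.
    Returns (path_written_or_None, victim_file_content_afterwards)."""
    with tempfile.TemporaryDirectory() as work:
        victim = os.path.join(work, "victim_private.txt")
        with open(victim, "w") as fh:
            fh.write("victim's data\n")
        shared = os.path.join(work, "shared_tmp")  # stands in for /tmp
        os.mkdir(shared)
        plant_symlink(shared, victim)
        written = dumper(shared, 'msgid "broken"\nmsgstr ""\n')
        with open(victim) as fh:
            return written, fh.read()


if __name__ == "__main__":
    for fn in (dump_unsafe, dump_exclusive, dump_random):
        written, victim_after = run_scenario(fn)
        print(f"{fn.__name__:15s} wrote={written is not None} victim_now={victim_after!r}")
```

Running it shows the first writer replacing the victim's contents with the PO text while the other two leave it untouched. The difference between the last two matters for the race-condition point raised above: with `O_EXCL` at a fixed name an attacker can no longer redirect the write, but can still pre-create an ordinary file at that name and make every dump fail; a `mkstemp`-style random name takes that option away as well.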