Package: vobcopy Version: 0.5.14-2 Severity: important Tags: security vobcopy -q opens /tmp/vobcopy.bla insecurely:
open("/tmp/vobcopy.bla", O_WRONLY|O_CREAT|O_APPEND|O_LARGEFILE, 0666) = 2
Similarly, vopbcopy -v -v opens /tmp/vobcopy_0.5.14.log insecurely:
open("/tmp/vobcopy_0.5.14.log", O_WRONLY|O_CREAT|O_APPEND|O_LARGEFILE, 0666) = 2
Since there's no O_EXCL /tmp/vobcopy.bla can already exist as a symlink
and will be followed, appending to an arbitrary file. Thankfully it is
an append, so there's no direct data loss. The log files also tend to be
empty so the best attack I can think of ATM is that If vobvopy is run as
root, it can at be used to create /etc/nologin.
The fix is simply to open the file with O_EXCL, or better, to use
a standard, safe temp file function. (Which would have the benefit of
also making it respect the TMPDIR environment variable.)
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.22-2-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages vobcopy depends on:
ii libc6 2.6.1-6 GNU C Library: Shared libraries
ii libdvdread3 0.9.7-3 library for reading DVDs
vobcopy recommends no packages.
-- no debconf information
--
see shy jo
signature.asc
Description: Digital signature
