2010/9/28 Javier Fernández-Sanguino Peña <j...@computer.org>:
> On Tue, Sep 28, 2010 at 03:41:28PM -0500, Raphael Geissert wrote:
>> paxtest writes to paxtest.log in $CWD, which might be abused by a local
>> attacker to modify arbitrary files via a symlink or similar.
>
> This is hardly an important bug since paxtest does not write (by itself) to
> an insecure location. The *user* has to run paxtest while in an insecure
> location (/tmp/) in order for this to be exploitable.

It is arguable, yes, but the behaviour is unexpected (the man page
doesn't mention it, for example.) Since a user may very well run it
from /tmp (likely because it is a non-persistent dir,) there's room
for an attack.

> In any case, paxtest could be modified to output to $HOME/paxtest.log or
> make it write into a log file only if requested to (through a command line
> switch) and output the information to standard output otherwise. Ironically,
> in order to do the latter it would *then* have to make use of a temporary
> file.

I saw you made it write to ~/paxtest.log. I would have personally made
it write to stdout, but I think the way you chose is at least better
than the old behaviour (I didn't verify if you documented it on the
man page, though.)

> I see this more as a 'normal' bug since a user cannot use 'paxtest' unless he
> is in a directory he has write access to. The security team might want to
> comment, but I do not think this merits a DSA.

(Security hat on) it doesn't warrant a DSA ;)
You may fix it via SPU if you want, but after some reconsideration
I've marked it as unimportant on the tracker.

Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
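Added example, not part of the original message and not paxtest's code: the thread's fix moves the log to ~/paxtest.log, while this sketch shows a complementary defence for any tool that must write a fixed-name log in a shared directory, by refusing to open a symlink planted at that name. The function names, the /tmp/logdemo-XXXXXX scratch directory and the file names other than paxtest.log are constructed for the demonstration; note that O_NOFOLLOW only checks the final path component.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a log for appending without following a symlink planted at `path`.
 * Returns an fd, or -1 with errno set (ELOOP when `path` itself is a symlink). */
int open_log_nofollow(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW | O_NONBLOCK, 0600);
    if (fd < 0)
        return -1;
    /* Also reject FIFOs/devices, files owned by another user, and hard links. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed scenario: "paxtest.log" already exists as a symlink to a victim
 * file. Returns 1 if that open is refused, the victim stays empty, and a
 * clean name in the same directory still opens and accepts a write. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/logdemo-XXXXXX", victim[64], logp[64], clean[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(logp, sizeof logp, "%s/paxtest.log", dir);
    snprintf(clean, sizeof clean, "%s/clean.log", dir);
    int v = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (v < 0 || close(v) != 0 || symlink(victim, logp) != 0) return -1;
    int fd = open_log_nofollow(logp);            /* must fail with ELOOP */
    int refused = (fd < 0 && errno == ELOOP);
    if (fd >= 0) close(fd);
    fd = open_log_nofollow(clean);               /* no symlink: succeeds */
    int wrote = (fd >= 0 && write(fd, "ok\n", 3) == 3);
    if (fd >= 0) close(fd);
    int untouched = (stat(victim, &st) == 0 && st.st_size == 0);
    unlink(logp); unlink(victim); unlink(clean); rmdir(dir);
    return refused && wrote && untouched;
}

int main(void) { printf("symlink refused: %d\n", demo_symlink_refused()); return 0; }
```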