Package: bzip2
Version: 1.0.5-6
Tags: security
This issue affects every binary compressed with the /bin/bzexe utility.

    $ cat -n /bin/bzexe
    [...]
       128  if /bin/ln $tmpfile "/tmp/$prog" 2>/dev/null; then
       129      trap '/bin/rm -f $tmpfile "/tmp/$prog"; exit $res' 0
       130      (/bin/sleep 5; /bin/rm -f $tmpfile "/tmp/$prog") 2>/dev/null &
       131      /tmp/"$prog" ${1+"$@"}; res=$?
    [...]

While a binary uncompresses itself, it creates a temporary file "/tmp/$prog" in an insecure manner (line #128). Indeed, if "/tmp/$prog" already exists AND is a directory controlled by someone else, hard link creation won't fail and "/tmp/$prog" will be executed (line 131). In some cases, use of a race condition can lead to a root exploit.

At line #128, I would suggest using the "-T" option instead:

    /bin/ln -T $tmpfile "/tmp/$prog"

I'm using Debian 6.0.2, kernel 2.6.32-5-amd64, libc6 2.11.2-10.

--
http://vladz.devzero.fr
PGP key 8F7E2D3C from pgp.mit.edu
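The following shell check is an added example, not code from the bug report or from the bzip2 package: it reproduces the difference between the original ln call and the suggested "-T" form when the destination already exists as a directory, and confirms that "-T" still works in the normal case. All paths are constructed inside a private mktemp directory rather than the real /tmp, and "prog"/"tmpfile" are placeholder names.

```shell
#!/bin/sh
# Added example, not code from the bzip2 package or the bug report:
# compares the original
#   /bin/ln $tmpfile "/tmp/$prog"
# with the suggested
#   /bin/ln -T $tmpfile "/tmp/$prog"
# when the destination already exists as a directory. Every path is
# constructed inside a private mktemp directory, never the real /tmp.

# Returns 0 when plain "ln" succeeds against an existing directory
# target, i.e. the link is silently created *inside* the directory
# (the condition described for bzexe line 128).
plain_ln_accepts_dir_target() {
    d=$(mktemp -d); : > "$d/tmpfile"; mkdir "$d/prog"
    if ln "$d/tmpfile" "$d/prog" 2>/dev/null && [ -f "$d/prog/tmpfile" ]; then rc=0; else rc=1; fi
    rm -rf "$d"
    return $rc
}

# Returns 0 when "ln -T" refuses the same directory target, so the
# script would take its error branch instead of executing "/tmp/$prog".
ln_T_rejects_dir_target() {
    d=$(mktemp -d); : > "$d/tmpfile"; mkdir "$d/prog"
    if ln -T "$d/tmpfile" "$d/prog" 2>/dev/null; then rc=1; else rc=0; fi
    [ -d "$d/prog" ] || rc=1          # the directory must be left untouched
    rm -rf "$d"
    return $rc
}

# Regression check for the fix: with no pre-existing path, "ln -T"
# still creates the hard link exactly as the original call did.
ln_T_creates_when_absent() {
    d=$(mktemp -d); : > "$d/tmpfile"
    if ln -T "$d/tmpfile" "$d/prog" 2>/dev/null && [ -f "$d/prog" ]; then rc=0; else rc=1; fi
    rm -rf "$d"
    return $rc
}

# Stand-alone run: report the outcome of each check.
for check in plain_ln_accepts_dir_target ln_T_rejects_dir_target ln_T_creates_when_absent; do
    if "$check"; then echo "$check: ok"; else echo "$check: FAILED"; fi
done
```

The "-T" flag is GNU coreutils specific, so the check is meaningful on the Debian system the report describes but not on BSD-style ln implementations.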