Hello,

On Fri, Aug 31, 2007 at 05:39:47PM +0200, Moritz Muehlenhoff wrote:
>
> Which end-user tools use the affected code and which operations trigger the
> vulnerability?
>
> Given that there's apparently no regularly scheduled execution (e.g. in
> comparison to a server cron job), that the .pm doesn't run with elevated
> privileges, that po4a is exotic and apparently uncommon in a multi-user
> environment with shared /tmp I'm for now inclined to consider this not
> grave enough for a DSA. (However, this depends on the information I'm
> asking for)
The vulnerability is a symlink attack which does not involve a race condition (the link could be installed a long time before). po4a is a development tool, used as a build dependency for some Debian packages. My opinion is that it should not be used by root.

The vulnerability occurs in po4a-gettextize when it is used to import an existing translation and convert it to a PO file usable for later operations by the po4a tools (and by translators). The file is written in /tmp only if this process fails.

This usage of po4a-gettextize is intended to be interactive (with the user fixing the errors reported by each run of po4a-gettextize) in the early stage of building a translation framework. Thus I don't expect this vulnerability to occur (there should be no errors and the file should not be written) in a build system, or to be triggered by admins using "make && make install" as root with non-malicious software.

If eventually this results in overwriting a file, this file will be a PO file. This will result in a DoS if /etc/shadow is overwritten. I don't expect any line matching a valid shadow entry (i.e. the first field will contain a space or will start with " or #).

Kind Regards,
--
Nekral
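The failure mode discussed in this thread (a tool that, only on error, writes a PO file to a fixed name under a shared /tmp, where an attacker can have planted a symlink long before the run) is easy to reproduce and to fix. The script below is an added example and is not po4a's code: it models a toy "gettextization" step with a hypothetical fixed dump name (PREDICTABLE_NAME) and a deliberately simple failure rule, runs it inside a private temporary directory so nothing outside that directory is touched, and contrasts the naive open(path, "w") with O_CREAT|O_EXCL|O_NOFOLLOW and with mkstemp(). The victim file, the PO content and the file name are all constructed for the demonstration.

```python
import errno
import os
import tempfile

# Hypothetical fixed dump name, standing in for whatever a tool might hard-code under /tmp.
# This is an assumption for the demo, not po4a's actual file name.
PREDICTABLE_NAME = "gettextization.failed.po"


def plant_symlink(shared_dir, victim_path):
    """Attacker step: point the predictable name at a file the victim user can write.
    No race is needed; the link can sit here until the tool eventually fails."""
    link = os.path.join(shared_dir, PREDICTABLE_NAME)
    os.symlink(victim_path, link)
    return link


def naive_write(path, data):
    """Vulnerable pattern: open(2) follows the symlink and clobbers its target."""
    with open(path, "w") as f:
        f.write(data)


def excl_write(path, data):
    """Hardened fixed-name write: O_EXCL fails if the name exists at all (including a
    dangling symlink); O_NOFOLLOW additionally refuses a symlink as the final component."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
    if hasattr(os, "O_NOFOLLOW"):
        flags |= os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)


def unique_write(shared_dir, data):
    """Preferred fix: let mkstemp pick an unpredictable name and create it atomically."""
    fd, path = tempfile.mkstemp(prefix="gettextization.", suffix=".po", dir=shared_dir)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path


def gettextize(original, translation, shared_dir, writer):
    """Toy stand-in for the tool: paragraph counts must match; on mismatch the partial
    PO is dumped to the predictable name with the supplied write strategy.
    Returns (ok, dumped_path)."""
    orig_pars = [p for p in original.split("\n\n") if p.strip()]
    trans_pars = [p for p in translation.split("\n\n") if p.strip()]
    if len(orig_pars) == len(trans_pars):
        return True, None
    partial_po = "".join(
        'msgid "%s"\nmsgstr "%s"\n\n' % (o, t) for o, t in zip(orig_pars, trans_pars)
    )
    path = os.path.join(shared_dir, PREDICTABLE_NAME)
    writer(path, partial_po)
    return False, path


def demo():
    """Run the attack against each write strategy inside a private directory."""
    original = "Hello.\n\nSecond paragraph.\n\nThird paragraph."
    translation = "Bonjour.\n\nDeuxième paragraphe."  # one paragraph short: forces the failure path
    results = {}
    with tempfile.TemporaryDirectory() as shared:
        victim = os.path.join(shared, "victim")  # stands in for e.g. a file owned by the user
        with open(victim, "w") as f:
            f.write("original contents\n")
        link = plant_symlink(shared, victim)

        # 1. Naive writer: the failed run overwrites the symlink target.
        ok, _ = gettextize(original, translation, shared, naive_write)
        with open(victim) as f:
            results["naive_clobbered"] = (not ok) and f.read().startswith("msgid")

        # Reset the victim for the next strategy.
        with open(victim, "w") as f:
            f.write("original contents\n")

        # 2. O_EXCL|O_NOFOLLOW writer: the open is refused and the target is left alone.
        try:
            gettextize(original, translation, shared, excl_write)
            results["excl_refused"] = False
        except OSError as e:
            results["excl_refused"] = e.errno in (errno.EEXIST, errno.ELOOP)
        with open(victim) as f:
            results["victim_intact_after_excl"] = f.read() == "original contents\n"

        # 3. mkstemp writer: unique name, created atomically, never a symlink.
        path = unique_write(shared, 'msgid ""\nmsgstr ""\n')
        results["unique_not_predictable"] = (
            os.path.basename(path) != PREDICTABLE_NAME and not os.path.islink(path)
        )
        results["symlink_still_present"] = os.path.islink(link)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running demo() shows the naive writer overwriting the symlink target with PO text, the O_EXCL|O_NOFOLLOW variant failing with EEXIST (or ELOOP) and leaving the target untouched, and mkstemp() sidestepping the predictable name entirely. Because O_EXCL already fails on an existing symlink, O_NOFOLLOW is belt-and-braces here; the mkstemp route is the one to prefer in a tool that may run in a shared /tmp.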