Package: rpcbind
Version: 0.2.0-4
Severity: serious
Tags: security

Hi!

The rpcbind daemon, which runs as root, uses /tmp/portmap.xdr and
/tmp/rpcbind.xdr for doing warm starts as what seems to be a way to
preserve state between invocations. It parses (through libtirpc) and
removes them on start. It creates them before exiting.

So first off, *any* user can craft those two files before the daemon
has started for the first time, which the daemon will parse. This might
be ok, depending on the checks done on parse, I'd still be very wary of
letting a user be able to craft such files at will.

The second problem is that those files get created by the daemon on
shutdown, and they *do* follow symlinks. So a user can drop two symlinks
there while the daemon is running and overwrite any file on the file
system on shutdown.

The fix would consist of passing to configure something like
“--with-statedir=/var/cache/rpcbind”, and make sure the daemon creates
such directory if missing on exit in src/warmstart.c:write_struct(),
which it does not seem to be doing currently.

In addition it would be wise to notify upstream to change the default
statedir to something else than /tmp.

thanks,
guillem


