On Tue, Oct 10, 2017 at 01:17:54PM +0200, Vincent Lefevre wrote:
> Package: muttprint
> Version: 0.73-8
> Severity: grave
> Tags: security upstream
> Justification: user security hole
>
> The muttprint Perl script contains:
>
> my $logf = "/tmp/muttprint.log";
>
> if (-e $logf)
> { ## 2008-12-24 -- Lukas Ruf
> # close CVE-2008-5368 -- muttprint vulnerable to symlink attack
> # ensure "/tmp/muttprint.log" adheres to the following constraints
> # - owner is current user
> # - only real files are allowed
> # if any of these fail, create a temporary file by use of tempfile()
> [...]
>
> So, it first tests whether /tmp/muttprint.log exists, and potentially
> uses an alternate pathname if it does. But if a /tmp/muttprint.log
> symlink is created between the test (which returns false) and the
> time this file is created, there's a security issue.
>
> It would be sufficient to use a secure temporary file unconditionally
> (and this is probably better, as more predictable).
>
> BTW, using a hardcoded /tmp for temporary files is a bad idea anyway.

This is neutralised by kernel hardening starting with stretch, see release notes:
https://www.debian.org/releases/jessie/amd64/release-notes/ch-whats-new.en.html#security

Cheers,
Moritz
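The test-then-create race described in the report, next to the unconditional secure temporary file the report recommends, as an added Perl example (not muttprint's own code; the function names are mine, and the fixed-name fallback with O_EXCL|O_NOFOLLOW is an assumed weaker alternative, not something the report proposes):

```perl
#!/usr/bin/perl
# Added example: the racy pattern from the bug report beside a safe one.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL O_NOFOLLOW);
use File::Temp qw(tempfile);

# Vulnerable pattern (TOCTOU): -e is checked first, the file is created
# later. Between the two calls another local user who can write to /tmp
# may place a symlink at $path; open() follows it and the log is written
# to the symlink target with the muttprint user's privileges.
sub open_log_racy {
    my ($path) = @_;
    if (-e $path) {
        die "$path exists";   # the original falls back to tempfile() here
    }
    open(my $fh, '>', $path) or die "open $path: $!";   # follows symlinks
    return $fh;
}

# Fix suggested in the report: always use a secure temporary file.
# tempfile() picks an unpredictable name, honours TMPDIR instead of a
# hardcoded /tmp, and creates the file with O_CREAT|O_EXCL, so a
# pre-placed path can never be reused. No existence check is needed.
sub open_log_safe {
    my ($fh, $name) = tempfile("muttprint.XXXXXXXX",
                               TMPDIR => 1,
                               SUFFIX => ".log");
    return ($fh, $name);
}

# Weaker alternative if a fixed name is unavoidable (assumption, not from
# the report): create atomically and refuse to follow a symlink that
# appeared in the window. The name is still predictable, so a denial of
# service by pre-creating the file remains possible.
sub open_fixed_name_noclobber {
    my ($path) = @_;
    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600)
        or die "refusing to use $path: $!";
    return $fh;
}

my ($fh, $name) = open_log_safe();
print $fh "muttprint started\n";
close $fh or die "close $name: $!";
print "log written to $name\n";
```

Running open_log_safe() twice yields two distinct files; running open_fixed_name_noclobber() on a path that already exists, or is a symlink, dies instead of following it.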