Package: motion
Version: 3.2.3-1.1
Severity: serious
Tags: security

By default motion is configured to write snapshots to /tmp, as follows:

[pid 21228] open("/tmp/01-20061017221121-02.jpg", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 7
[pid 21228] open("/tmp/01-20061017221121-03.jpg", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 7
[pid 21228] open("/tmp/01-20061017221121-04.jpg", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 7
[pid 21228] open("/tmp/01-20061017221124-00.jpg", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 7
[pid 21228] open("/tmp/01-20061017221124-01.jpg", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 7
[pid 21228] open("/tmp/01-20061017221134-04.jpg", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 7

So if a user is running motion, here is an easy to guess time-based sequence number for a file that is written insecurely. Just create a bunch of symlinks to a file of the user that you want to clobber (which could even be a different snapshot created earlier). Then wave at the webcam, and motion will happily follow the symlink and overwrite the file.

The best fix would be opening the files O_EXCL, although it's also not very good that it uses /tmp anyway, and making it write them to a directory that only the person running motion can access seems like a better default.

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17-2-k7
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages motion depends on:
ii  debconf [debconf-2.0]  1.5.5            Debian configuration management sy
ii  liba52-0.7.4           0.7.4-4          Library for decoding ATSC A/52 str
ii  libavcodec0d           0.cvs20060823-4  ffmpeg codec library
ii  libavformat0d          0.cvs20060823-4  ffmpeg file format library
ii  libc6                  2.3.6.ds1-4      GNU C Library: Shared libraries
ii  libdc1394-13           1.1.0-3+b1       high level programming interface f
ii  libgsm1                1.0.10-13        Shared libraries for GSM speech co
ii  libjpeg62              6b-13            The Independent JPEG Group's JPEG
ii  libmysqlclient15off    5.0.24a-5        mysql database client library
ii  libogg0                1.1.3-2          Ogg Bitstream Library
ii  libpq4                 8.1.5-1          PostgreSQL C client library
ii  libraw1394-8           1.2.1-2          library for direct access to IEEE
ii  libtheora0             0.0.0.alpha7-1   The Theora Video Compression Codec
ii  libvorbis0a            1.1.2-1          The Vorbis General Audio Compressi
ii  libvorbisenc2          1.1.2-1          The Vorbis General Audio Compressi
ii  zlib1g                 1:1.2.3-13       compression library - runtime

Versions of packages motion recommends:
pn  ffmpeg                 <none>           (no description available)

-- debconf information excluded

-- 
see shy jo
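
The open() flags from the strace output next to the O_EXCL fix suggested in the report, as an added example (not code from motion or from the report). It runs inside a private mkdtemp() directory; the function names, the scratch directory name and the 0600 mode are assumptions of the example.

```c
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Flags as seen in the strace output: follows a symlink and truncates its target. */
static int open_snapshot_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* Suggested fix: with O_CREAT|O_EXCL, open() fails with EEXIST if the name
 * already exists, and a symlink at that name is never followed.
 * Mode 0600 is an assumption of this example. */
static int open_snapshot_excl(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Pre-creates a file and a symlink to it under the snapshot name, then calls
 * opener(). Returns 1 if the file was overwritten, 0 if intact, -1 on error. */
static int victim_clobbered(int (*opener)(const char *))
{
    char dir[] = "/tmp/snapdemo.XXXXXX";   /* constructed scratch directory */
    char victim[64], snap[64];
    struct stat st;
    int fd, clobbered;

    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(snap, sizeof snap, "%s/01-20061017221121-02.jpg", dir);
    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "important", 9) != 9) return -1;
    close(fd);
    if (symlink(victim, snap) != 0) return -1;
    fd = opener(snap);                     /* the call under test */
    if (fd >= 0) close(fd);
    clobbered = (stat(victim, &st) == 0 && st.st_size != 9);
    unlink(snap); unlink(victim); rmdir(dir);
    return clobbered;
}

int main(void)
{
    printf("O_TRUNC: clobbered=%d\n", victim_clobbered(open_snapshot_unsafe));
    printf("O_EXCL:  clobbered=%d\n", victim_clobbered(open_snapshot_excl));
    return 0;
}
```

A caller of the O_EXCL variant has to treat EEXIST as a hard failure or pick a fresh name, never fall back to the non-exclusive open.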