Package: php-pear
Version: 5.4.4-14+deb7u14
Tags: security
PEAR commands such as "pear install [...]" write cache data into
predictable filenames located in "/tmp/". Unprivileged local users
could use symlinks to clobber arbitrary files.
Temporary filenames ("$cachefile" and "$cacheidfile") ar
ine 192 (yes, the user's file
descriptor won't be affected by this action).
Anyway, I suggest forcing a umask value of 077 before this file is
created.
I have a trivial PoC if needed.
Thanks,
vladz.
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
On Fri, Mar 02, 2012 at 02:29:33PM +0100, Julien Cristau wrote:
> I'm not convinced the chown can be removed. And 'mkdir -m 1777 foo' is
> not any more atomic than 'mkdir foo && chmod 1777 foo'.
The command "mkdir -m" calls the mkdir() syscall, and its second
argument seems to be the mode.
Oops, I forgot "then" in my last post:
- if [ ! -O $SOCKET_DIR ];
+ if [ ! -O $SOCKET_DIR ]; then
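Review bot: $SOCKET_DIR is expanded unquoted in the test on the "+" line. If the variable is ever empty, the test collapses to [ ! -O ], which evaluates as false, so the ownership branch is silently skipped. Suggest writing it as [ ! -O "$SOCKET_DIR" ].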
I have attached a patch. Hope this helps.
--- a/debian/x11-common.init 2010-09-04 19:26:52.0 +0200
+++ b/debian/x11-common.init 2012-03-02 13:37:29.0 +0100
@@ -26,16 +26,26 @@
f
Julien, thank you for putting me back in CC. ;)
On Thu, Mar 01, 2012 at 09:48:47PM +0100, Julien Cristau wrote:
> On Thu, Mar 1, 2012 at 12:39:41 -0800, Tim wrote:
> > > > Note that the "chown root:root $SOCKET_DIR" also seems redundant to me
> > > > (if we didn't already own it, we would have b
CVE-2012-1093 has been assigned for this issue.
On Tue, Feb 28, 2012 at 08:21:39PM +0100, Julien Cristau wrote:
> Right, makes sense. I can drop the -p, I guess. Not sure what impact
> that would have on things assuming they can use /tmp/.X11-unix (I
> wouldn't really like to fix this just to ha
On Tue, Feb 28, 2012 at 06:42:59PM +0100, Julien Cristau wrote:
> > As a solution, I would suggest taking care of the "mkdir" return codes
> > (lines 36 and 50), so as not to change permissions on failures.
And as a solution, I suggested checking the return code of "mkdir" (run
without -p)
On Tue, Feb 28, 2012 at 06:42:59PM +0100, Julien Cristau wrote:
> > As a solution, I would suggest taking care of the "mkdir" return codes
> > (lines 36 and 50), so as not to change permissions on failures.
> >
> This script is set -e AFAICT, which means it already does care about the
> mk
Package: x11-common
Version: 1:7.5+8
Tags: security
The init script "x11-common" creates the directories "/tmp/.X11-unix" and
"/tmp/.ICE-unix" in an insecure manner.
$ cat -n /etc/init.d/x11-common
[...]
33 if [ -e $SOCKET_DIR ] && [ ! -d $SOCKET_DIR ]; then
34 mv $SOCKET_DIR $SO
the X server. This
file also needs to be readable by the user.
For instance, files "/dev/tty" and "/dev/ptmx" match those conditions:
$ ls -l /dev/tty /dev/ptmx
crw-rw-rw- 1 root root 5, 2 14 déc. 18:43 /dev/ptmx
crw-rw-rw- 1 root root 5, 0 12 déc. 23:03 /dev/tty
Here
ent on Oct 9th 2011).
I never get any feedback.
Is secur...@debian.org still the good way to report vulnerabilities?
Regards,
vladz.
Package: bzip2
Version: 1.0.5-6
Tags: security
This issue affects every binary compressed with the /bin/bzexe
utility.
$ cat -n /bin/bzexe
[...]
128 if /bin/ln $tmpfile "/tmp/$prog" 2>/dev/null; then
129 trap '/bin/rm -f $tmpfile "/tmp/$prog"; exit $res' 0
130 (/bin/sleep
Package: libvte9
Version: 1:0.24.3-2
Severity: important
When passing a huge value to the "insert-blank-characters" capability
(defined in caps.c), gnome-terminal crashes (and maybe other terminals
that depend on libvte9).
$ cat -n vte-0.24.3/src/caps.c:
[...]
418 {CSI "%d@", "ins
Package: lpr
Version: 1:2008.05.17
I am using Debian squeeze/sid.
According to the lprm's source code, this command (which is setuid-root on
squeeze/sid) can be used with the "-w" option in order to specify a timeout
value. But the program exits with a SIGSEGV signal when using this option:
$
Hi,
On Fri, Jun 11, 2010 at 09:09:44PM +0200, Christian Kastner wrote:
> Say you want to run a program that requires those chars as input at some
> point. If we refuse '\r' and '\b', then there would be no way to feed
> those to that program.
Ok, I see what you mean and you're right.
> I need
On Fri, Jun 11, 2010 at 06:30:29PM +0200, Christian Kastner wrote:
> I may be wrong, but I consider this only a minor problem.
Yes it is.
> 1) the job is still logged to syslog
> 2) the user does not have elevated permissions
Right, I was just thinking of someone who wants to keep the control
Package: cron
Version: 3.0pl1-105
It is possible to hide scheduled tasks inside a cron table by using control
characters '\r' and '\b', example:
$ crontab -l
no crontab for alice
$ printf "* * * * * >/tmp/x;\rno crontab for alice\n" | crontab -
// new task (">/tmp/x") is hidden because of