mailing list archives
From: dube0866 () EUROBRETAGNE FR (Nicolas Dubee)
Date: Sun, 3 Aug 1997 00:53:54 +0200
plaguez security advisory n. 9
RedHat rpm vulnerability
Program: rpm(8), the RedHat Package Manager
Version: 2.3.11 current (shipped with RedHat Linux 4.2)
older ones as well.
OS: RedHat Linux specific.
Problem: temporary files.
Impact: can be exploited to overwrite arbitrary files
on the system.
Adding fuel to the temp. file discussion, here is yet another problem
with temporary file checking.
RPM (Redhat Package Manager) has many useful features. One of these
features is to retrieve a file off of the net and install it all in
one step. When RPM is used this way, the file RPM is retrieving is
temporarily stored in /var/tmp. The file mask RPM uses is
rpm-ftp-$no-$pid.tmp whereas $no is the number of the package in the
Unfortunatly, rpm does not properly check if the temporary file
already exists, and will follow symlinks. As rpm is often ran by
root, it is then possible to overwrite any file on the system,
regardless of access permissions.
Apply the following temporary patch below to url.c in the rpm
source directory. RedHat should soon come with the proper fix.
< fd = creat(dest, 0600);
// fd = creat(dest, 0600);
See you next week,
dube0866 () eurobretagne fr
INND causes cancer in laboratory rats (fwd) Dan Fleisher (Aug 01)
Vulnerability in 4.4BSD rfork() implementation Thomas H. Ptacek (Aug 03)
Linux clone() looks safe (Re: Vulnerability in 4.4BSD rfork() Jeff Epler (Aug 03)
Re: Linux clone() looks safe (Re: Vulnerability in 4.4BSD rfork() Marc Slemko (Aug 03)
Re: sendmail -C: Known? Patches? (AIX 4.1.5) Eric Allman (Aug 06)
Re: sendmail -C: Known? Patches? (AIX 4.1.5) Eric Allman (Aug 07)
- Re: Small problem in AIX write command: Executes shell, (continued)