oss-sec mailing list archives

Re: CVE Request -- rpm -- Fails to remove the SUID/SGID bits on package upgrade (RH BZ#598775)
From: Vasiliy Kulikov <segoon () openwall com>
Date: Mon, 25 Jul 2011 21:30:35 +0400

Solar,

On Mon, Jul 25, 2011 at 06:08 +0400, Solar Designer wrote:
diff -urp rpm-4.2.orig/lib/fsm.c rpm-4.2/lib/fsm.c
--- rpm-4.2.orig/lib/fsm.c    2003-03-03 19:38:32 +0000
+++ rpm-4.2/lib/fsm.c 2011-07-25 01:31:24 +0000
@@ -1990,26 +1990,54 @@ if (!(fsm->mapFlags & CPIO_ALL_HARDLINKS
      /* () notreached@*/ break;
 
     case FSM_UNLINK:
-     rc = Unlink(fsm->path);
+     {
+         struct stat stb;
+         int saved_errno;
+         int saved_rc = lstat(fsm->path, &stb);
+         if (!saved_rc && !S_ISLNK(stb.st_mode))
+             saved_rc = chmod(fsm->path, 0);
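Review bot: the `lstat(fsm->path, &stb)` / `chmod(fsm->path, 0)` pair resolves the same path twice, so the `!S_ISLNK(stb.st_mode)` check guards only the lstat() result and not the chmod() that follows it; whatever the path names at the second resolution gets its mode cleared. The check and the mode change should act on one object: `open()` the path with `O_NOFOLLOW` (plus `O_NONBLOCK`, so a FIFO cannot stall the install), `fstat()` the descriptor to confirm it is the expected file type, and `fchmod(fd, 0)` on that descriptor instead of `chmod()` on the path.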

If the directory containing the file was owned by nonroot, then the file
could be overwritten with a symlink.  So, there is a race between
lstat() and chmod(), which might lead to chmod'ing arbitrary files by
directory owner.

Is it possible with these orphaned files (I'm not familiar with the code
in question)?


Thanks,

-- 
Vasiliy Kulikov
http://www.openwall.com - bringing security into open computing environments
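The race described in the message above comes from checking a path with lstat() and then changing it with chmod(). The following is an added C example, not code from this thread or from rpm's fsm.c, of the descriptor-based pattern that closes that window for regular files: open the path with O_NOFOLLOW so a symlink is refused at open time, verify the type on the descriptor, and strip the bits with fchmod() on that same descriptor. The function name `strip_mode_bits_nofollow` and the two `demo_*` fixtures are my own; they build their inputs under /tmp, and directories (which rpm also handles) are out of scope here.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE          /* O_NOFOLLOW / O_CLOEXEC on older toolchains */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical replacement for the lstat()+chmod() pair: resolve the path once,
 * refuse a symlink at open() time (O_NOFOLLOW), refuse anything that is not a
 * regular file, and clear the mode bits through the descriptor (fchmod), so the
 * object that was checked is the object that is modified.
 * Returns 0 on success, -1 with errno set otherwise. */
int strip_mode_bits_nofollow(const char *path)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0)
        return -1;                   /* Linux reports ELOOP for a symlink */

    struct stat st;
    if (fstat(fd, &st) != 0) {
        int e = errno; close(fd); errno = e; return -1;
    }
    if (!S_ISREG(st.st_mode)) {      /* FIFO, device, socket: not ours to touch */
        close(fd); errno = EINVAL; return -1;
    }
    if (fchmod(fd, 0) != 0) {        /* clears SUID/SGID together with rwx */
        int e = errno; close(fd); errno = e; return -1;
    }
    close(fd);
    return 0;
}

/* Constructed fixture: a temp file given mode 04755, then stripped.
 * Returns the file's mode bits afterwards (expected 0), or -1 on setup failure. */
int demo_strip_regular_file(void)
{
    char tmpl[] = "/tmp/rpm-strip-XXXXXX";
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    close(fd);
    if (chmod(tmpl, 04755) != 0) { unlink(tmpl); return -1; }

    int rc = strip_mode_bits_nofollow(tmpl);
    struct stat st;
    int lrc = lstat(tmpl, &st);
    unlink(tmpl);
    if (rc != 0 || lrc != 0) return -1;
    return (int)(st.st_mode & 07777);
}

/* Constructed fixture: a symlink pointing at a 0644 temp file.  The hardened
 * call must refuse the link and leave the target's mode untouched.
 * Returns the errno of the refusal (> 0), 0 if the link was wrongly followed,
 * -1 on setup failure, -2 if the target's mode changed. */
int demo_refuse_symlink(void)
{
    char target[] = "/tmp/rpm-target-XXXXXX";
    int fd = mkstemp(target);
    if (fd < 0) return -1;
    close(fd);
    if (chmod(target, 0644) != 0) { unlink(target); return -1; }

    char link[64];
    snprintf(link, sizeof link, "%s.lnk", target);
    if (symlink(target, link) != 0) { unlink(target); return -1; }

    int rc = strip_mode_bits_nofollow(link);
    int err = (rc == 0) ? 0 : errno;

    struct stat st;
    int lrc = lstat(target, &st);
    unlink(link);
    unlink(target);
    if (lrc != 0) return -1;
    if ((st.st_mode & 07777) != 0644) return -2;
    return err;
}

int main(void)
{
    printf("regular file mode after strip: %04o\n", demo_strip_regular_file());
    int e = demo_refuse_symlink();
    printf("symlink refused, errno %d (%s)\n", e, e > 0 ? strerror(e) : "n/a");
    return 0;
}
```

The point of the fixture pair is that the symlink case never reaches fchmod(): open() fails before any mode is changed, so there is no window in which the target could be substituted between the check and the change.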

