Home page logo

oss-sec logo oss-sec mailing list archives

Re: CVE request: unsafe use of /tmp in multiple CPAN modules
From: Solar Designer <solar () openwall com>
Date: Sat, 5 Nov 2011 14:27:54 +0400

On Fri, Nov 04, 2011 at 02:32:50PM -0500, John Lightsey wrote:
Symlink A points to foo/bar
Symlink B points to /some/real/directory

Code asks for /tmp/parent/childXXXX

Attacker hardlinks symlink A to /tmp/parent
Attacker creates /tmp/foo directory
Attacker hardlinks symlink B to /tmp/foo/bar

Now everything looks safe, but it relies on the attacker controled
/tmp/foo directory.

Yes, in the above scenario everything would look safe to the current
code with your symlink-safety.patch.  We could enhance the patch to also
check parent directories of each symlink, but even then an attack would
remain possible:

Attacker hardlinks symlink B to /tmp/parent

Then depending on what /some/real/directory actually is, this may be a
security problem - e.g., if /some/real/directory is /etc/cron.d or /bin.
And even for most other directories, there's likely a DoS and quota
bypass possibility here.

It'd probably be simplest if File::Temp::_is_safe() didn't allow any
symlinks at all.

Many systems have /tmp itself as a symlink.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]