oss-sec mailing list archives
Re: CVE Request -- rpm -- Fails to remove the SUID/SGID bits on package upgrade (RH BZ#598775)
From: Vasiliy Kulikov <segoon () openwall com>
Date: Mon, 25 Jul 2011 21:30:35 +0400
Solar,

On Mon, Jul 25, 2011 at 06:08 +0400, Solar Designer wrote:
diff -urp rpm-4.2.orig/lib/fsm.c rpm-4.2/lib/fsm.c
--- rpm-4.2.orig/lib/fsm.c 2003-03-03 19:38:32 +0000
+++ rpm-4.2/lib/fsm.c 2011-07-25 01:31:24 +0000
@@ -1990,26 +1990,54 @@ if (!(fsm->mapFlags & CPIO_ALL_HARDLINKS
/*@notreached@*/ break;
case FSM_UNLINK:
- rc = Unlink(fsm->path);
+ {
+ struct stat stb;
+ int saved_errno;
+ int saved_rc = lstat(fsm->path, &stb);
+ if (!saved_rc && !S_ISLNK(stb.st_mode))
+ saved_rc = chmod(fsm->path, 0);
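Review bot: the lstat()/chmod() pair at the top of the new FSM_UNLINK block is a check-then-act on fsm->path, so the S_ISLNK() test does not guarantee that chmod() acts on the object that lstat() inspected; if the containing directory is writable by someone other than root, the name can be replaced with a symlink between the two calls. Prefer binding to the file once, e.g. open(fsm->path, O_RDONLY | O_NOFOLLOW) followed by fstat() and fchmod(fd, 0) on that descriptor, which closes the window; failing that, a comment should record the assumption that the parent directory is root-owned, since the visible lines give no hint of it.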
If the directory containing the file was owned by non-root, then the file could be overwritten with a symlink. So, there is a race between lstat() and chmod(), which might lead to chmod'ing arbitrary files by the directory owner. Is it possible with these orphaned files (I'm not familiar with the code in question)?

Thanks,

--
Vasiliy Kulikov
http://www.openwall.com - bringing security into open computing environments
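The race Vasiliy points out is a check-then-act on a path name: the S_ISLNK() check and the chmod() both resolve the name separately, and nothing pins the object in between. The defensive pattern is to bind to the file once and act only through the descriptor. What follows is an added example written for this page, not code from rpm or from either poster: it assumes Linux open(2) semantics for O_NOFOLLOW (the open fails with ELOOP when the final component is a symlink) and that the caller can open the file for reading, as root can. The names clear_mode_nofollow, demo_regular_file and demo_symlink_refused are hypothetical, and the files the demo creates under /tmp are constructed for the demonstration.

```c
/* Added example (not rpm's code): a race-free replacement for the
 * lstat()-then-chmod() pair. With O_NOFOLLOW the kernel refuses to follow a
 * symlink in the final path component, so a link swapped in after any earlier
 * check cannot redirect the mode change; every later step acts on the
 * descriptor, never on the path name again. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 0 on success, -1 with errno set on failure (ELOOP on Linux when
 * `path` is a symlink). Assumes read permission on the file (true for root). */
int clear_mode_nofollow(const char *path)
{
    struct stat stb;
    /* O_NONBLOCK keeps the open from hanging on a FIFO that nobody writes. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (fstat(fd, &stb) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    /* Only regular files and directories carry SUID/SGID bits worth stripping;
     * refuse anything else rather than poking at device nodes or sockets. */
    if (!S_ISREG(stb.st_mode) && !S_ISDIR(stb.st_mode)) {
        close(fd);
        errno = EINVAL;
        return -1;
    }
    if (fchmod(fd, 0) < 0) {        /* acts on the fd, not on the path */
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    close(fd);
    return 0;
}

/* Demo: a constructed setuid file has its bits cleared. Returns the remaining
 * permission bits (expected 0), or -1 if any step fails. */
int demo_regular_file(void)
{
    char tmpl[] = "/tmp/nofollow_demo_XXXXXX";   /* constructed sample file */
    struct stat stb;
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return -1;
    if (fchmod(fd, 04755) < 0) { close(fd); unlink(tmpl); return -1; }
    close(fd);
    int rc = clear_mode_nofollow(tmpl);
    int st = stat(tmpl, &stb);
    unlink(tmpl);
    if (rc < 0 || st < 0)
        return -1;
    return (int)(stb.st_mode & 07777);
}

/* Demo: a symlink standing in for the path is refused and its target is left
 * untouched. Returns the errno reported (expected ELOOP), or -1 on failure. */
int demo_symlink_refused(void)
{
    char target[] = "/tmp/nofollow_target_XXXXXX"; /* constructed target */
    char link[sizeof target + 8];
    struct stat stb;
    int fd = mkstemp(target);
    if (fd < 0)
        return -1;
    fchmod(fd, 0644);
    close(fd);
    snprintf(link, sizeof link, "%s.lnk", target);
    if (symlink(target, link) < 0) { unlink(target); return -1; }
    int rc = clear_mode_nofollow(link);
    int err = errno;
    int st = stat(target, &stb);
    unlink(link);
    unlink(target);
    if (rc == 0 || st < 0)
        return -1;                               /* must have been refused */
    if ((stb.st_mode & 07777) != 0644)
        return -1;                               /* target must be untouched */
    return err;
}

int main(void)
{
    printf("regular file: remaining mode bits = %04o\n", demo_regular_file());
    int e = demo_symlink_refused();
    printf("symlink: refused with errno %d (%s)\n", e,
           e > 0 ? strerror(e) : "unexpected");
    return 0;
}
```

O_NOFOLLOW only governs the final path component; a symlink in an intermediate directory is still followed, so code that cannot trust any component has to walk the path with openat() one component at a time, or on Linux 5.6 and later use openat2() with RESOLVE_NO_SYMLINKS. Whether the window matters for rpm's orphaned files at all depends, as the reply says, on who owns the containing directory.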
