Bugtraq mailing list archives
SSH LocalForward
From: dube0866 () EUROBRETAGNE FR (Nicolas Dubee)
Date: Sun, 3 Aug 1997 00:53:54 +0200
plaguez security advisory n. 9

RedHat rpm vulnerability

Program: rpm(8), the RedHat Package Manager
Version: 2.3.11 current (shipped with RedHat Linux 4.2)
         older ones as well.
OS: RedHat Linux specific.
Problem: temporary files.
Impact: can be exploited to overwrite arbitrary files on the system.

Hello,

Adding fuel to the temp. file discussion, here is yet another problem with temporary file checking.

RPM (Redhat Package Manager) has many useful features. One of these features is to retrieve a file off of the net and install it all in one step. When RPM is used this way, the file RPM is retrieving is temporarily stored in /var/tmp. The file mask RPM uses is rpm-ftp-$no-$pid.tmp where $no is the number of the package in the queue (0,1,2,...).

Unfortunately, rpm does not properly check if the temporary file already exists, and will follow symlinks. As rpm is often run by root, it is then possible to overwrite any file on the system, regardless of access permissions.

Fix:
----

Apply the following temporary patch below to url.c in the rpm source directory. RedHat should soon come with the proper fix.

196c196,201 < fd = creat(dest, 0600); ---
// fd = creat(dest, 0600); if(-1==(fd=open(dest,O_CREAT|O_EXCL|O_RDWR,0600))) { perror(dest); exit(1); }
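Review bot: in the added open() failure branch, exit(1) terminates the whole rpm process from inside url.c, and because the file name stays predictable (rpm-ftp-$no-$pid.tmp in /var/tmp) any local user who pre-creates that name now makes the download abort. Report the failure back to the caller instead of exiting, and consider creating the file with mkstemp(), which opens exclusively under a name that cannot be guessed in advance. The commented-out `// fd = creat(dest, 0600);` line should be deleted rather than kept, since `//` is not a comment in C89 and the diff already records the old call.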
See you next week,

-plaguez

------------------------
plaguez
dube0866 () eurobretagne fr
http://www.innu.org
------------------------
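The difference between the two calls in the patch, as an added example that is not part of the original post or of rpm's source: it plants a symlink at an rpm-style temporary name and opens it both ways. The scratch directory under /tmp, the file name `victim` and the helper names are assumptions made for the demonstration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
/* Pre-patch call: creat() follows a symlink at dest and truncates its target. */
static int open_like_creat(const char *dest) { return creat(dest, 0600); }

/* Patched call: O_CREAT|O_EXCL fails with EEXIST if dest exists, symlinks included. */
static int open_exclusive(const char *dest) {
    return open(dest, O_CREAT | O_EXCL | O_RDWR, 0600);
}

/* Plants a symlink at the predictable name inside a private scratch directory,
 * opens it with `opener`, and returns the size of the link target afterwards
 * (-1 if setup failed). *open_errno gets errno from the open, or 0 on success. */
long run_case(int (*opener)(const char *), int *open_errno) {
    char dir[] = "/tmp/rpm-tmp-demo-XXXXXX"; /* constructed scratch location */
    char victim[128], dest[128];
    struct stat st;
    long size = -1;
    FILE *f;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(dest, sizeof dest, "%s/rpm-ftp-0-%ld.tmp", dir, (long)getpid());
    if ((f = fopen(victim, "w")) != NULL) {
        fputs("important data\n", f);        /* 15 bytes stand in for a system file */
        fclose(f);
        if (symlink(victim, dest) == 0) {
            int fd = opener(dest);
            *open_errno = fd < 0 ? errno : 0;
            if (fd >= 0) close(fd);
            if (stat(victim, &st) == 0) size = (long)st.st_size;
        }
    }
    unlink(dest); unlink(victim); rmdir(dir);
    return size;
}

int main(void) {
    int e = 0;
    long n = run_case(open_like_creat, &e);
    printf("creat():        target is %ld bytes, errno %d\n", n, e);
    n = run_case(open_exclusive, &e);
    printf("O_CREAT|O_EXCL: target is %ld bytes, errno %d\n", n, e);
    return 0;
}
```

With creat() the link target ends up empty; with the exclusive open the call fails with EEXIST and the target keeps its 15 bytes.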