Re: Symlinks and filesystem recursion vulnerabilities: Action needed or ignore?

["Steven M. Christey" <coley () rcf-smtp mitre org>]

Assuming I understand the issue correctly, there is precedent in CVE for 
this kind of problem, or at least the exploitation of recursive 
backup/archive programs as they process files (many seem related to 
setting insecure permissions during the copy, and only setting the secure 
permissions afterward, a la CWE-689).

CVE-2009-4411 is the only example I can easily find.

There is a "risk" of sorts to the community that a large number of these 
issues could get disclosed for different packages in a short timeframe, 
but this happens with any discovery of a new "class" of security problems 
or attacks (look at the untrusted path stuff that happened last year with 
Windows and Linux).  But IMO, better sooner rather than later.  Linux is a 
multi-user OS and should be treated as such, which means local 
file-writing/privilege attacks matter, even though they might not be as 
severe as other kinds of attacks.  Somebody audited simpler symlink 
problems in Debian packages a couple years ago, but while it must have 
been very painful and there were dozens (hundreds?) of separate issues, 
most of those problems seemed to get fixed in a relatively quick amount of 
time.

Maybe the appropriate strategy is for the community to agree on a good way 
of solving these problems before announcing all the different packages 
that are affected, but it's just a thought.  Ultimately this decision is 
up to the researcher, affected developers, and customers.

- Steve