oss-sec mailing list archives
CVE Request - pimd - Insecure file creation in /var/tmp
From: Steve Kemp <steve () steve org uk>
Date: Fri, 7 Jan 2011 11:20:33 +0000
We received this report recently:

--

Hi!

There is a simple security hole in pimd allowing a user to destroy any file in the filesystem. On USR1, pimd will write to /var/tmp/pimd.dump a dump of the multicast route table. Since /var/tmp is writable by any user, a user can create a symlink to any file he wants to destroy with the content of the multicast routing table.

Attached is a simple patch that will instruct pimd to write the dump to /var/lib/misc which is writable by root only and seems a valid target according to the FHS (state files that don't need a subdirectory).

This patch may cause tools that were sending USR1 and waiting for a /var/tmp/pimd.dump file to fail. I don't have a solution for this.

The patch also applies to /var/tmp/pimd.cache which is not implemented yet but still creates the file when receiving USR2 signal. Despite its name, this is also a state file, not a cache.

The patch also just drops the possibility to use /usr/tmp/pimd.dump based on some C preprocessor conditions since I don't know if the preconditions would work correctly on Debian/kFreeBSD.
Attachment:
pimd-insecure-file-creation.patch
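
The report above describes a root daemon writing to a predictable name in a world-writable directory. The following is an added example, not taken from the attached patch or from pimd: a writer that refuses a symlink at the dump path. The names `write_dump_nofollow` and `demo_dump` are hypothetical, and the temporary paths are constructed for the self-check.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Write data to path, refusing a symlink there. 0 on success, -1 otherwise. */
int write_dump_nofollow(const char *path, const char *data)
{
    struct stat st;
    size_t len = strlen(data);
    /* O_NOFOLLOW: ELOOP on a symlink; no O_TRUNC, so nothing is lost yet. */
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0) return -1;
    /* Refuse non-regular files, hard links, and files owned by others. */
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1 ||
        st.st_uid != geteuid()) {
        close(fd);
        return -1;
    }
    if (ftruncate(fd, 0) < 0 || write(fd, data, len) != (ssize_t)len) {
        close(fd);
        return -1;
    }
    return close(fd);
}

/* Constructed check in a private temp dir. Returns the writer's result
 * (0 or -1), 2 if the symlink target was modified, -2 on setup failure. */
int demo_dump(int plant_symlink)
{
    char dir[] = "/tmp/dumpdemoXXXXXX", target[64], dump[64], buf[16] = {0};
    if (!mkdtemp(dir)) return -2;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(dump, sizeof dump, "%s/pimd.dump", dir);
    FILE *f = fopen(target, "w");
    if (!f || fputs("keep", f) < 0 || fclose(f) != 0 ||
        (plant_symlink && symlink(target, dump) != 0))
        return -2;
    int rc = write_dump_nofollow(dump, "route table\n");
    f = fopen(target, "r");
    size_t n = f ? fread(buf, 1, sizeof buf - 1, f) : 0;
    if (f) fclose(f);
    unlink(dump); unlink(target); rmdir(dir);
    return (n == 4 && strcmp(buf, "keep") == 0) ? rc : 2;
}

int main(void) { return demo_dump(1) == -1 && demo_dump(0) == 0 ? 0 : 1; }
```

O_NOFOLLOW only guards the final path component, so this complements rather than replaces moving the file into a root-only directory as the report proposes.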