Re: CVE Request -- atop: Symlink attacks via process accounting file

[Jan Lieskovsky <jlieskov () redhat com>]

Jan Lieskovsky wrote:
> Hello Josh, Steve, vendors,
>
>   atop v1.23 and earlier created process accounting file 
> (/tmp/atop.d/atop.acct)
> in an insecure way. A local attacker could use this flaw to conduct symlink
> attacks (e.g. overwrite arbitrary system files).

Looked more into this issue and seems it may not be possible to misuse this
issue. The steps are below:

tmp]# mkdir /etc/hello
tmp]# ln -s /etc/hello atop.d
tmp]# service atop start
Starting atop: [  OK  ]

But atop detects the /tmp/atop.d directory already exists (/var/log/atop/atop.log contains):
warning: no process exit detection (can not create directory /tmp/atop.d)

So doesn't seem to be exploitable => taking the CVE request back, no CVE needed.

Should have checked this earlier, sorry for the noise.

Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

> References:
> [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=622794
> [2] http://secunia.com/advisories/44175/
> [3] https://bugzilla.redhat.com/show_bug.cgi?id=697848
>
> Could you allocate a CVE id for this?
>
> Thanks && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Response Team