oss-sec mailing list archives
Re: CVE request: unsafe use of /tmp in multiple CPAN modules
From: Solar Designer <solar () openwall com>
Date: Sat, 5 Nov 2011 14:27:54 +0400
On Fri, Nov 04, 2011 at 02:32:50PM -0500, John Lightsey wrote:
Symlink A points to foo/bar Symlink B points to /some/real/directory Code asks for /tmp/parent/childXXXX Attacker hardlinks symlink A to /tmp/parent Attacker creates /tmp/foo directory Attacker hardlinks symlink B to /tmp/foo/bar Now everything looks safe, but it relies on the attacker controled /tmp/foo directory.
Yes, in the above scenario everything would look safe to the current code with your symlink-safety.patch. We could enhance the patch to also check parent directories of each symlink, but even then an attack would remain possible: Attacker hardlinks symlink B to /tmp/parent Then depending on what /some/real/directory actually is, this may be a security problem - e.g., if /some/real/directory is /etc/cron.d or /bin. And even for most other directories, there's likely a DoS and quota bypass possibility here.
It'd probably be simplest if File::Temp::_is_safe() didn't allow any symlinks at all.
Many systems have /tmp itself as a symlink. Alexander
Current thread:
- CVE request: unsafe use of /tmp in multiple CPAN modules John Lightsey (Nov 04)
- Re: CVE request: unsafe use of /tmp in multiple CPAN modules Kurt Seifried (Nov 04)
- Re: CVE request: unsafe use of /tmp in multiple CPAN modules Solar Designer (Nov 04)
- Re: CVE request: unsafe use of /tmp in multiple CPAN modules John Lightsey (Nov 04)
- Re: CVE request: unsafe use of /tmp in multiple CPAN modules John Lightsey (Nov 04)
- Re: CVE request: unsafe use of /tmp in multiple CPAN modules Solar Designer (Nov 05)
- Re: CVE request: unsafe use of /tmp in multiple CPAN modules Solar Designer (Nov 05)
- Re: CVE request: unsafe use of /tmp in multiple CPAN modules John Lightsey (Nov 04)