oss-sec mailing list archives

Re: CVE request: unsafe use of /tmp in multiple CPAN modules


From: Solar Designer <solar () openwall com>
Date: Sat, 5 Nov 2011 14:27:54 +0400

On Fri, Nov 04, 2011 at 02:32:50PM -0500, John Lightsey wrote:
> Symlink A points to foo/bar
> Symlink B points to /some/real/directory
> 
> Code asks for /tmp/parent/childXXXX
> 
> Attacker hardlinks symlink A to /tmp/parent
> Attacker creates /tmp/foo directory
> Attacker hardlinks symlink B to /tmp/foo/bar
> 
> Now everything looks safe, but it relies on the attacker controlled
> /tmp/foo directory.

Yes, in the above scenario everything would look safe to the current
code with your symlink-safety.patch.  We could enhance the patch to also
check parent directories of each symlink, but even then an attack would
remain possible:

Attacker hardlinks symlink B to /tmp/parent

Then depending on what /some/real/directory actually is, this may be a
security problem - e.g., if /some/real/directory is /etc/cron.d or /bin.
And even for most other directories, there's likely a DoS and quota
bypass possibility here.

It'd probably be simplest if File::Temp::_is_safe() didn't allow any
symlinks at all.

Many systems have /tmp itself as a symlink.

Alexander

