oss-sec mailing list archives

CVE Request: thermald

From: Seth Arnold <seth.arnold () canonical com>
Date: Fri, 7 Mar 2014 19:00:17 -0800

Hello,

I discovered that the thermald temperature management daemon opens a file
with predictable filename in /tmp unsafely. Please assign a CVE number for
this issue:

https://github.com/01org/thermal_daemon/blob/master/src/android_main.cpp#L117


In short:

int main(int argc, char *argv[]) {
        /* ... */
        if (!no_daemon) {
                daemonize((char *) "/tmp/", (char *) "/tmp/thermald.pid");
        } else

/* ... */

static void daemonize(char *rundir, char *pidfile) {
        /* ... */

        pid_file_handle = open(pidfile, O_RDWR | O_CREAT, 0600);


thermald runs as root; on systems that lack the Openwall-inspired symlink
and hardlink protections in world-writable directories this can be used to
write the process's pid to a file of the attacker's choosing.

Note that this affects only the main() function provided in the
android_main.cpp file; the main() routine in main.cpp does not have this
issue.

Thanks

Attachment: signature.asc
Description: Digital signature

Current thread:

CVE Request: thermald Seth Arnold (Mar 07)
- Re: CVE Request: thermald cve-assign (Mar 08)