[Bug 973687] Re: can cause root user to remove arbitrary files
Marc Deslauriers
marc.deslauriers at canonical.com
Thu Apr 12 19:51:18 UTC 2012
** Visibility changed to: Public
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to whoopsie-daisy in Ubuntu.
https://bugs.launchpad.net/bugs/973687
Title:
can cause root user to remove arbitrary files
Status in “whoopsie-daisy” package in Ubuntu:
Fix Released
Bug description:
/etc/cron.daily/whoopsie does not use NULL terminated filenames when
examining the world-writable directory /var/crash. This allows users
to inject whitespace into filenames causing "rm" to delete relative
files in the current directory (which happens to be "/" due to it
being run from cron) or the /var/crash directory. While there really
shouldn't be any _files_ in /, it could be a DoS, and at the least
allows removal of other people's crash reports.
For example:
$ touch "/var/crash/chicken monkey duck.uploaded"
$ find /var/crash -name '*.uploaded' -type f -size 0 | sed 's,\(.*\).uploaded$,\1.upload \1.uploaded,'
/var/crash/chicken monkey duck.upload /var/crash/chicken monkey duck.uploaded
/var/crash/monkey.upload /var/crash/monkey.uploaded
The above would lead to removing /var/crash/chicken and /monkey
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/whoopsie-daisy/+bug/973687/+subscriptions
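The failure the report describes is whitespace splitting on the output of find, plus the fact that any relative name in that output is resolved against cron's working directory. The script below is an added illustration, not the whoopsie cron job or its fix: it rebuilds the reported pipeline against a throwaway directory tree (a constructed stand-in for /var/crash and a second directory standing in for the "/" cwd, nothing under the real /var/crash is touched) and runs it beside one hardened form that hands each matched path to rm as a single argument via find -exec ... {} +. The file names, directory layout and helper names are all assumptions made for the example.

```sh
#!/bin/sh
# Added example: reproduce the whitespace-in-filename deletion bug and
# contrast it with a hardened cleanup. All paths are constructed fixtures.

# Build a fixture: $1 stands in for /var/crash, $2 for the cron cwd ("/").
setup_fixture() {
  crash=$1; cwd=$2
  mkdir -p "$crash" "$cwd"
  : > "$crash/chicken monkey duck.uploaded"   # attacker-chosen name with spaces
  : > "$crash/chicken monkey duck.upload"
  : > "$crash/chicken"                        # victim: another user's file in crash dir
  : > "$cwd/monkey"                           # victim: file in the cron cwd
  : > "$crash/normal.uploaded"                # legitimate zero-size marker
  : > "$crash/normal.upload"
}

# The pipeline as reported: find output is split on whitespace by xargs,
# so "chicken monkey duck.upload" becomes three separate rm arguments,
# and the bare words "monkey"/"duck.upload" resolve relative to the cwd.
vulnerable_cleanup() {
  crash=$1; cwd=$2
  ( cd "$cwd" && find "$crash" -name '*.uploaded' -type f -size 0 \
      | sed 's,\(.*\).uploaded$,\1.upload \1.uploaded,' \
      | xargs rm -f )
}

# Hardened form: never serialize paths through a whitespace-delimited
# stream. find passes each match as one argv element to a shell that
# derives the sibling ".upload" name with parameter expansion and calls
# rm with "--" so a leading "-" in a name cannot become an option.
safe_cleanup() {
  crash=$1; cwd=$2
  ( cd "$cwd" && find "$crash" -name '*.uploaded' -type f -size 0 \
      -exec sh -c 'for f; do rm -f -- "${f%.uploaded}.upload" "$f"; done' sh {} + )
}

# Returns 0 when both bystander files survived, 1 otherwise.
victims_intact() {
  crash=$1; cwd=$2
  [ -e "$crash/chicken" ] && [ -e "$cwd/monkey" ]
}

# Returns 0 when the attacker's marker pair was actually cleaned up.
markers_removed() {
  crash=$1
  [ ! -e "$crash/chicken monkey duck.uploaded" ] \
    && [ ! -e "$crash/chicken monkey duck.upload" ]
}

# Run both variants on fresh fixtures and report. Invoke as: sh script.sh demo
demo() {
  t=$(mktemp -d)
  setup_fixture "$t/crash" "$t/root"
  vulnerable_cleanup "$t/crash" "$t/root"
  if victims_intact "$t/crash" "$t/root"; then
    printf 'vulnerable: bystanders intact\n'
  else
    printf 'vulnerable: bystanders DELETED (chicken and/or monkey gone)\n'
  fi
  setup_fixture "$t/crash2" "$t/root2"
  safe_cleanup "$t/crash2" "$t/root2"
  if victims_intact "$t/crash2" "$t/root2" && markers_removed "$t/crash2"; then
    printf 'hardened: bystanders intact, markers removed\n'
  else
    printf 'hardened: unexpected result\n'
  fi
  rm -rf "$t"
}

if [ "${1:-}" = demo ]; then
  demo
fi
```

Note that the vulnerable pipeline also leaves the attacker's own marker files in place, since rm never receives their full names; the bystanders are what disappear. The same find -exec shape works for a -print0/xargs -0 pipeline, but -exec avoids the delimiter question entirely and is POSIX.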