[Bug 642855] Re: Insecure use of temp files
Marc Deslauriers
marc.deslauriers at canonical.com
Wed Nov 13 19:28:23 UTC 2013
** Changed in: flash-kernel (Ubuntu Lucid)
Status: Confirmed => Won't Fix
** Changed in: flash-kernel (Ubuntu Lucid)
Assignee: Marc Deslauriers (mdeslaur) => (unassigned)
** Changed in: flash-kernel (Ubuntu Natty)
Assignee: Marc Deslauriers (mdeslaur) => (unassigned)
** Changed in: flash-kernel (Ubuntu Oneiric)
Assignee: Marc Deslauriers (mdeslaur) => (unassigned)
** Changed in: flash-kernel (Ubuntu Precise)
Assignee: Marc Deslauriers (mdeslaur) => (unassigned)
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to flash-kernel in Ubuntu.
https://bugs.launchpad.net/bugs/642855
Title:
Insecure use of temp files
Status in “flash-kernel” package in Ubuntu:
Fix Released
Status in “flash-kernel” source package in Lucid:
Won't Fix
Status in “flash-kernel” source package in Natty:
Won't Fix
Status in “flash-kernel” source package in Oneiric:
Won't Fix
Status in “flash-kernel” source package in Precise:
Confirmed
Status in “flash-kernel” source package in Quantal:
Fix Released
Bug description:
Binary package hint: flash-kernel
Hi folks
While reviewing a recent patch in Debian #596889, I noticed that
flash-kernel already had other instances of this apparently insecure
construct:
> + tmp=$(tempfile)
> + cat $kfile >> $tmp
> + mkimage -A arm -O linux -T kernel -C none -a 0x60008000 \
> + -e 0x60008000 -n "Linaro Kernel" -d $tmp $tmp.uboot \
> + >&2 1>/dev/null
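Review bot: the output path `$tmp.uboot` is only a name derived from the tempfile; tempfile created `$tmp` atomically, but nothing creates `$tmp.uboot` before mkimage opens it, so another local user who learns `$tmp` (it sits in /tmp and appears in the process arguments) can place a symlink at `$tmp.uboot` in that window and have mkimage, running as root during every kernel upgrade, write the image over the symlink's target. Create a private directory instead, for example `dir=$(mktemp -d)` (mode 0700, so no other user can add entries), write to `$dir/kernel` and `$dir/kernel.uboot`, and remove the directory on exit. Minor: in `>&2 1>/dev/null` the first redirection is overridden by the second, so it is a no-op and only `1>/dev/null` is needed if the intent is to silence mkimage's stdout while keeping its errors visible.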
mkimage takes the kernel from $tmp and writes it to its first arg,
$tmp.uboot. There is a window where an attacker can create a
tmp.uboot symlink pointing to a file of his choice making this a
probably low priority local denial of service vulnerability. Note
that flash-kernel is called for each kernel upgrade and runs as root
to install the new kernel.
I checked flash-kernel 1.6 and it doesn't call mkimage but is affected
by a different type of tempfile abuse:
tmp=$(tempfile)
printf "Flashing kernel: " >&2
(
	sercomm_header $(expr $kfilesize + 16)
	dd if=$kfile of=$tmp bs=$ksize1 count=1 2>/dev/null
	nslu2_swap $tmp
	sercomm_header 131072
	dd if=$kfile of=$tmp ibs=$ksize1 skip=1 2>/dev/null
	nslu2_swap $tmp
	rm -f $tmp
) > "$kmtd" || error "failed."
echo "done." >&2
printf "Flashing initramfs: " >&2
dd if=$ifile of=$tmp ibs=$(($imtdsize - 16)) conv=sync 2>/dev/null
Note how the tempfile is created, truncated by dd, truncated by dd a
second time, removed, and then created again in this last dd call I
quoted above.
Cheers,
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/flash-kernel/+bug/642855/+subscriptions
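The race the report describes, as an added example that is not flash-kernel's own code: the `$tmp.uboot` construct is reproduced deterministically against a stand-in for mkimage, with the attacker's symlink planted in the window between tempfile and mkimage, next to the hardened form that keeps every derived file inside a private `mktemp -d` directory. `mktemp(1)` stands in for `tempfile(1)`, `fake_mkimage` stands in for mkimage, and the file names and contents are constructed for the demo.

```shell
#!/bin/sh
# Added example (not flash-kernel's own code): the $tmp.uboot symlink race from
# the report, reproduced against a stand-in for mkimage, next to a hardened
# version.  mktemp(1) stands in for tempfile(1); fake_mkimage stands in for
# mkimage; all file names and contents below are constructed for the demo.
set -u

# fake_mkimage IN OUT: copies IN to OUT with a plain redirection, which, like
# any tool that simply opens OUT for writing, follows a symlink already there.
fake_mkimage() {
    cat "$1" > "$2"
}

# The construct from the report.  $tmp is created safely, but $tmp.uboot is only
# a derived name that nobody has created yet.  An attacker who learns $tmp (it
# is visible in /tmp and in the process arguments) can create $tmp.uboot first.
# $2 is a hook run in that window so the race is deterministic here.
vulnerable_flow() {
    kfile=$1; attacker_hook=$2
    tmp=$(mktemp)
    cat "$kfile" >> "$tmp"
    "$attacker_hook" "$tmp.uboot"          # the window between tempfile and mkimage
    fake_mkimage "$tmp" "$tmp.uboot"       # writes through whatever is at $tmp.uboot
    rm -f "$tmp" "$tmp.uboot"              # removes the symlink, not its target
}

# Hardened: derive every temporary name inside a directory from mktemp -d,
# which is created mode 0700, so no other user can plant entries in it.
hardened_flow() {
    kfile=$1
    dir=$(mktemp -d) || return 1
    out="$dir/kernel.uboot"
    if [ -L "$out" ]; then                 # defence in depth; cannot happen in a 0700 dir
        echo "refusing to write through symlink $out" >&2
        rm -rf "$dir"
        return 1
    fi
    fake_mkimage "$kfile" "$out"
    ls -ld "$dir" | cut -c1-10             # prints the directory mode, drwx------
    rm -rf "$dir"
}

# race_demo: the attacker symlinks $tmp.uboot to a file they must not be able to
# write; prints that file's content afterwards ("kernel" means it was clobbered).
race_demo() {
    scratch=$(mktemp -d)
    printf 'do not touch' > "$scratch/victim"
    printf 'kernel' > "$scratch/vmlinuz"
    plant() { ln -s "$scratch/victim" "$1"; }
    vulnerable_flow "$scratch/vmlinuz" plant
    cat "$scratch/victim"
    rm -rf "$scratch"
}

# hardened_demo: prints the mode of the private directory, expected drwx------.
hardened_demo() {
    scratch=$(mktemp -d)
    printf 'kernel' > "$scratch/vmlinuz"
    hardened_flow "$scratch/vmlinuz"
    rm -rf "$scratch"
}
```

The attacker hook stands in for the inotify or polling loop a real attacker would run on /tmp; the hardened version does not rely on the symlink check at all, since a directory created mode 0700 already prevents any other user from creating the entry, and the check is there only to fail loudly if the directory's permissions are ever loosened.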