[Bug 299598] [NEW] Insecure start/stop script /etc/init.d/xfs
Launchpad Bug Tracker
299598 at bugs.launchpad.net
Wed Nov 26 17:41:16 UTC 2008
*** This bug is a security vulnerability ***
You have been subscribed to a public security bug by Jamie Strandboge (jdstrand):
The xfs start/stop script /etc/init.d/xfs is insecure. There is a
problematic function set_up_socket_dir in this script:
SOCKET_DIR=/tmp/.font-unix
[...]
set_up_socket_dir () {
    echo -n "Setting up X font server socket directory $SOCKET_DIR..."
    if [ -e $SOCKET_DIR ] && ! [ -d $SOCKET_DIR ]; then
        mv $SOCKET_DIR $SOCKET_DIR.$$
    fi
    if ! [ -d $SOCKET_DIR ]; then
        mkdir -m 1777 $SOCKET_DIR || :
        do_restorecon $SOCKET_DIR || :
    fi
    echo "done."
}
This function moves /tmp/.font-unix to /tmp/.font-unix.$$. Unfortunately
$$ is predictable and there is no test that /tmp/.font-unix.$$ does not
already exist. So especially symlink attacks are possible. The attack is
only possible if /tmp/.font-unix does not already exist. Then an
attacker could create a /tmp/.font-unix file (not directory) and create
some symlinks in the form /tmp/.font-unix.XXXX (where XXXX are possible
PID numbers). The start script then moves /tmp/.font-unix to a
symlinked directory /tmp/.font-unix.XXXX.
I suggest deleting the contents of /tmp/.font-unix if this file is not
a directory. For instance "rm -rf /tmp/.font-unix" should be ok ("rm"
from coreutils should be safe). A possible fix is also described here:
https://bugzilla.novell.com/show_bug.cgi?id=408006
The problem was found in Ubuntu 8.04 (xfs-1:1.0.5-2). An exploit idea is
attached.
** Affects: xfs (Ubuntu)
Importance: Undecided
Status: New
--
Insecure start/stop script /etc/init.d/xfs
https://bugs.launchpad.net/bugs/299598
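
An added example, not part of the original report or of the xfs package: a hardened variant of set_up_socket_dir that follows the report's suggestion of removing a non-directory at the socket path rather than renaming it to the predictable $SOCKET_DIR.$$. The function name set_up_socket_dir_hardened and its path argument are hypothetical, and do_restorecon is left out because its definition is not shown in the report.

```shell
#!/bin/sh
# Added example: hardened variant of the report's set_up_socket_dir.
# The function name and its path argument are hypothetical; do_restorecon is
# left out because its definition is not shown in the report.

set_up_socket_dir_hardened () {
    dir=$1

    # [ -d ] follows symlinks and [ -e ] is false for a dangling one, so test
    # for a symlink explicitly before trusting either result.
    if [ -L "$dir" ] || { [ -e "$dir" ] && ! [ -d "$dir" ]; }; then
        # Remove the squatting object instead of renaming it to the
        # predictable "$dir.$$". rm unlinks a symlink itself, never its target.
        rm -rf -- "$dir" || return 1
    fi

    if ! [ -d "$dir" ]; then
        # No -p and no "|| :": mkdir fails if anything (file or symlink)
        # appeared at the path since the check above, and the caller is told.
        mkdir -m 1777 -- "$dir" || return 1
    fi

    # The final state must be a real directory, not a link to one.
    [ -d "$dir" ] && ! [ -L "$dir" ]
}

# Demonstration on constructed input in a scratch directory: a regular file
# occupies the socket path and a symlink already sits at "<path>.$$", which is
# the precondition the report describes.
scratch=$(mktemp -d) || exit 1
mkdir "$scratch/elsewhere"
: > "$scratch/.font-unix"
ln -s "$scratch/elsewhere" "$scratch/.font-unix.$$"
set_up_socket_dir_hardened "$scratch/.font-unix" && ls -ld "$scratch/.font-unix"
ls -A "$scratch/elsewhere"    # lists nothing: no file was moved through the link
rm -rf -- "$scratch"
```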