Bug#649384: gnash creates world-readable cookies under /tmp

Alexander Kurtz kurtz.alex at googlemail.com
Sun Nov 20 18:11:10 UTC 2011

retitle 649384 gnash creates world-readable cookies under /tmp with predictable filenames

On Sun, 2011-11-20 at 18:01 +0100, Gabriele Giacone wrote:
> tags 649384 fixed-upstream
> thanks
> On Sun, Nov 20, 2011 at 03:39:36PM +0100, Alexander Kurtz wrote:
> > or create them with sane permissions (0600).
> http://git.savannah.gnu.org/gitweb/?p=gnash.git;a=commitdiff;h=fa481c116e65ccf9137c7ddc8abc3cf05dc12f55

I don't think this fixes the underlying problem: An attacker would still
be able to read the cookie if he managed to win the race-condition and
opens the file before the chmod(). If you agree, please remove the
"fixed-upstream" tag.

Furthermore, I took a quick look at the code and noticed this:

	1105     gnash::log_debug("The Cookie for %s is %s", url, ncookie);
	1106     std::ofstream cookiefile;
	1107     std::stringstream ss;
	1108     ss << "/tmp/gnash-cookies." << getpid();
	1110     cookiefile.open(ss.str().c_str(), std::ios::out | std::ios::trunc);
	1111     chmod (ss.str().c_str(), 0600);

I might be wrong, but I very strongly suspect a possible symlink attack
here which would enable an attacker to overwrite arbitrary files and
(with your patch) change their permissions.

Best regards

Alexander Kurtz
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
URL: <http://lists.alioth.debian.org/pipermail/pkg-flash-devel/attachments/20111120/55d31215/attachment.pgp>

More information about the pkg-flash-devel mailing list