[Secure-testing-team] Bug#500181: chillispot: symlink attack can be launched via postinst

Raphael Geissert atomo64 at gmail.com
Thu Sep 25 19:17:17 UTC 2008


Package: chillispot
Version: 1.0-9
Severity: grave
Tags: security

From postinst:

8<------------------------------------------>8
# config file
CONFIGFILE=/etc/chilli.conf
# upstream config file
TEMPCONFIG=/tmp/chilli.conf
...
# unpack upstream config
zcat /usr/share/doc/chillispot/chilli.conf.gz > $TEMPCONFIG
...
         echo "NOTE:"
         echo "You have choosed to edit configuration by hand.";
         echo "A default configuration will be available on '/etc/chilli.conf'";

         if [ ! -e $CONFIGFILE ]; then
                  mv $TEMPCONFIG $CONFIGFILE
         else
                  ucf $TEMPCONFIG $CONFIGFILE
         fi
else
...
        -e "s/^(#)?uamhomepage.*/uamhomepage\ $uam_homepage/" \
        -e "s/^(#)?uamsecret.*/uamsecret\ $uam_secret/" \
                  < $TEMPCONFIG > $tempfile

         if [ ! -e $CONFIGFILE ]; then
                  mv $tempfile $CONFIGFILE
         else
                  ucf $tempfile $CONFIGFILE
         fi
8<------------------------------------------>8


Putting a symlink in place can help nuke another file's content, or even modify the program's config file to the attacker's will.

Cheers,
-- 
Atomo64 - Raphael

Please avoid sending me Word, PowerPoint or Excel attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html
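
An added example, not part of the original report or the chillispot package: the fixed-name pattern quoted from postinst beside a `mktemp`-based form, both exercised inside a scratch directory. The function names, sample config text and directory layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Function names, paths and the sample config are constructed;
# everything runs inside a throwaway directory made with mktemp -d.

# Pattern from the report: fixed name in a shared directory.
# $1 = shared dir, $2 = gzip'd default config (gzip -dc is what zcat runs)
unpack_predictable() {
    gzip -dc "$2" > "$1/chilli.conf"   # '>' follows a pre-existing symlink
}

# Hardened form: mktemp creates a new, private file with an unpredictable
# name and fails rather than reuse an existing path. Prints the file name.
unpack_private() {
    tmp=$(mktemp "$1/chilli.conf.XXXXXX") || return 1
    gzip -dc "$2" > "$tmp" || { rm -f "$tmp"; return 1; }
    printf '%s\n' "$tmp"
}

# Scratch layout: shared/ stands in for /tmp, other-file for an unrelated
# file, and a link already sits at the predictable name. Prints the dir.
make_scratch() {
    work=$(mktemp -d) || return 1
    mkdir "$work/shared"
    printf 'uamsecret example\n' | gzip -c > "$work/default.gz"
    printf 'unrelated data\n' > "$work/other-file"
    ln -s "$work/other-file" "$work/shared/chilli.conf"
    printf '%s\n' "$work"
}

# Returns 0 when the hardened form leaves other-file untouched.
check_private() {
    work=$(make_scratch) || return 1
    out=$(unpack_private "$work/shared" "$work/default.gz") || return 1
    [ "$(cat "$work/other-file")" = "unrelated data" ] &&
        [ "$(cat "$out")" = "uamsecret example" ] && [ ! -L "$out" ]
    rc=$?
    rm -rf "$work"
    return $rc
}

# Returns 0 when the predictable form overwrote other-file through the link.
check_predictable() {
    work=$(make_scratch) || return 1
    unpack_predictable "$work/shared" "$work/default.gz"
    [ "$(cat "$work/other-file")" = "uamsecret example" ]
    rc=$?
    rm -rf "$work"
    return $rc
}
```

Both `check_predictable` and `check_private` return 0 on a system where the behaviour described in the report holds and the `mktemp` form avoids it.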