[Secure-testing-team] Bug#601229: unwritable /var/lib/noip2/noip2.conf -> DoS or arbitrary file overwrite
Jakub Wilk
jwilk at debian.org
Sun Oct 24 13:30:51 UTC 2010
Package: noip2
Version: 2.1.9-3
Severity: important
Tags: security
If:
1. /var/lib/noip2/noip2.conf is not writable by root[0] and
2. /bin/sh points to bash and
3. noip2 hasn't been started in such a weird configuration (i.e.
/dev/shm/noip2-readwrite.conf does not exist yet)
a local user can prevent noip2 from starting by making
/dev/shm/noip2-readwrite.conf a dangling symlink.
Worse still, if POSIXLY_CORRECT was set while running the init script,
the attacker would be able to overwrite arbitrary files.
[0] Why would anyone want to do that?! Please revert patch for #524020,
it doesn't make sense.
--
Jakub Wilk
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20101024/bcdcddfd/attachment.pgp>
More information about the Secure-testing-team
mailing list