[Secure-testing-team] Bug#650500: unsafe use of /tmp
Ansgar Burchardt
ansgar at debian.org
Wed Nov 30 09:36:03 UTC 2011
Package: libproc-processtable-perl
Version: 0.45-1
Severity: important
Tags: security
Proc::ProcessTable can cache TTY information (not enabled by default).
For this it uses the file /tmp/TTYDEVS.
If caching is enabled, there is a race condition that allows to
overwrite arbitrary files in ProcessTable.pm:
102 if( -r $TTYDEVSFILE )
103 {
104 $_ = Storable::retrieve($TTYDEVSFILE);
[...]
107 else
108 {
[...]
112 Storable::store(\%Proc::ProcessTable::TTYDEVS, $TTYDEVSFILE);
If a symlink /tmp/TTYDEVS is created between line 102 and 112, the file the
link points to is overwritten. Alternatively wrong information can be
provided.
The relevant code path can be reached with
perl -MProc::ProcessTable -e 'my $t = Proc::ProcessTable->new(cache_ttys => 1, enable_ttys => 1); $t->table;'
Ansgar
More information about the Secure-testing-team
mailing list