[Secure-testing-team] Bug#701965: busybox mdev creates deep subdirs in /dev with 0777 permissions

Michael Tokarev mjt at tls.msk.ru
Fri Mar 1 08:44:36 UTC 2013


Package: busybox
Version: 1:1.20.0-7
Severity: important
Tags: security patch upstream fixed-upstream pending

When a device node or symlink in /dev should be created inside
a 2-or-deeper subdirectory (/dev/dir1/dir2.../node), the
intermediate directories are incorrectly created with mode
0777, which is an obvious security issue.

mdev is an alternative to udev, but since udev is used
almost universally, and many packages depend on it, mdev
isn't used often.  Also, subdirs of more than one level
are not common, especially with mdev which, unlike udev,
has a limited "language" to construct filenames/symlinks,
so often, when mdev is used, the task of creating device
nodes with complex names is implemented using an external
script instead.  However it is important to fix this to
avoid surprises.

The issue has been fixed upstream in commit
4609f477c7e043a4f6147dfe6e86b775da2ef784.
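
An added check, not part of the original report or of busybox: the shell functions below list directories under a device tree that are world-writable without the sticky bit, which is the condition this bug leaves behind, and optionally reset them. The function names and the 0755 target mode are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a device tree for directories any local user can
# write to. Function names are hypothetical, not from busybox or Debian.

# audit_dev_dirs [ROOT]
# Prints every directory at or below ROOT (default /dev) that has the
# "other" write bit set and no sticky bit. Returns 1 if any were found,
# 0 if the tree is clean.
audit_dev_dirs() {
    root=${1:-/dev}
    # -xdev          do not descend into other filesystems mounted below ROOT
    # -perm -0002    world-writable
    # ! -perm -1000  sticky bit absent, so any user may create, rename or
    #                remove entries (a 1777 directory is not reported)
    found=$(find "$root" -xdev -type d -perm -0002 ! -perm -1000 \
                 -print 2>/dev/null | LC_ALL=C sort)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# fix_dev_dirs [ROOT]
# Resets every directory reported by the audit to 0755.
# Assumption: 0755 is the intended mode for intermediate /dev directories
# on this system; adjust if local policy differs.
fix_dev_dirs() {
    find "${1:-/dev}" -xdev -type d -perm -0002 ! -perm -1000 \
         -exec chmod 0755 {} +
}
```

On a system that populates /dev with an affected mdev, run `audit_dev_dirs /dev` after device nodes have been created; a non-zero exit status means at least one directory needs attention.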
