[Secure-testing-team] Bug#820331: cronic: uses very predictable temporary files
Dmitry Nezhevenko
dion at dion.org.ua
Thu Apr 7 13:37:00 UTC 2016
Package: cronic
Version: 2-1
Severity: grave
Tags: security
Justification: user security hole
Hi,
It looks like cronic uses very predictable temporary files (like
/tmp/cronic.out.$$) that depends only on PID:
--
OUT=/tmp/cronic.out.$$
ERR=/tmp/cronic.err.$$
TRACE=/tmp/cronic.trace.$$
set +e
"$@" >$OUT 2>$TRACE
RESULT=$?
set -e
--
Once used in root cron job, it opens a way to write garbage to any file by
creating symlinks '/tmp/cronic.out.PID -> /etc/fstab'
-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.5.0+ (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
Versions of packages cronic depends on:
ii bash 4.3-14+b1
cronic recommends no packages.
Versions of packages cronic suggests:
ii cron 3.0pl1-128
-- no debconf information
--
WBR, Dmitry
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20160407/a650765a/attachment.sig>
More information about the Secure-testing-team
mailing list