Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20110107112033.GA19236@steve.org.uk>
Date: Fri, 7 Jan 2011 11:20:33 +0000
From: Steve Kemp <steve@...ve.org.uk>
To: oss-security@...ts.openwall.com
Subject: CVE Request - pimd - Insecure file creation in /var/tmp


  We received this report recently:

-- 

Hi!

There is a simple security hole in pimd allowing a user to destroy any
file in the filesystem. On USR1, pimd will write to /var/tmp/pimd.dump
a dump of the multicast route table. Since /var/tmp is writable by any
user, a user can create a symlink to any file he wants to destroy with
the content of the multicast routing table.

Attached is a simple patch that will instruct pimd to write the dump
to /var/lib/misc which is writable by root only and seems a valid
target according to the FHS (state files that don't need a
subdirectory).

This patch may cause tools that were sending USR1 and waiting for a
/var/tmp/pimd.dump file fail. I don't have a solution for this.

The patch also applies to /var/tmp/pimd.cache which is not implemented
yet but still creates the file when receiving USR2 signal. Despite its
name, this is also a state file, not a cache. The patch also just
drops the possibility to use /usr/tmp/pimd.dump based on some C
preprocessor conditions since I don't know if the preconditions would
work correctly on Debian/kFreeBSD.



View attachment "pimd-insecure-file-creation.patch" of type "text/x-diff" (1807 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.