Bug #413

closed

symlink attack vulnerability

Added by Adrian Friedli over 13 years ago. Updated over 13 years ago.

Status: Closed
Priority: High
Assignee:
Category: libyzis
Target version:
Start date: 11/06/2008
Due date:
% Done: 100%
Estimated time:

Description

Hi

libyzis is vulnerable to a symlink attack.

YDebugBackend writes to "/tmp/yzisdebug-$USER.log". If a malicious user creates a symlink there, he will be able to overwrite files owned by the user running yzis.

In 1.0-alpha1 yzis will exit with a segfault after overwriting the file with a file of zero length.
In latest hg sources yzis will continue working after overwriting the file with a file of zero length.

Cheers, Adi

Actions #1

Updated by Loïc P. over 13 years ago

  • Status changed from New to Closed
  • Assignee set to Loïc P.
  • Target version set to 1.0-alpha2
  • % Done changed from 0 to 100

thanks for reporting this.
fixed by commit:8e660b55efdf

Actions #2

Updated by Adrian Friedli over 13 years ago

Hi,

The return value of the file deletion is not being checked, so yzis goes happily on as before if the file can't be deleted. This is the case when the symlink doesn't belong to the user running yzis.

And maybe there is still a race condition [1], because there is a very small time between the deletion of the old file and the creation of the new file. You should have a look at QTemporaryFile and its function setAutoRemove. But this has the problem that you get one new file every time you run yzis.

The original bug reporter [2] suggested to not create a logfile at all. This is what I did in the Debian package for a short-term fix.

Cheers, Adi

[1] http://en.wikipedia.org/wiki/Symlink_race
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=504680

Actions #3

Updated by Loïc P. over 13 years ago

  • Status changed from Closed to Assigned
  • Assignee deleted (Loïc P.)
  • Priority changed from Normal to High

ok, will investigate later.
thx!

Actions #4

Updated by Loïc P. over 13 years ago

  • Assignee set to Loïc P.

I reworked the debug manager a bit (commit:3daf11bb08e1):
- if compiled with CMAKE_BUILD_TYPE=debug, we use a (persistent) log file managed by QTemporaryFile (named /tmp/yzis-$USER-XXXXXX.log)
- else no log file is created.

Logging may be always enabled through command line using --level=debug|warning|error|fatal and --debug-output=stderr|stdout|filename options.

Actions #5

Updated by Loïc P. over 13 years ago

  • Status changed from Assigned to Closed